From: ark@eltex.ru
Subject: Re: New worm protection
To: danderse@cs.utah.edu (David G Andersen)
Cc: chris@JEAH.net (Chris Byrnes), security@FreeBSD.ORG
Date: Sun, 23 Sep 2001 13:58:05 +0400 (MSD)
Message-Id: <200109230958.NAA29845@paranoid.eltex.ru>
In-Reply-To: <200109230836.f8N8akx29012@faith.cs.utah.edu> from "David G Andersen" at Sep 23, 2001 02:36:46 AM

nuqneH,

Is there a way to send a command to the worm to shut it (or just a machine) down? I remember Code Red installed some kind of backdoor that allowed remote control without trying the whole bunch of exploits; does NIMDA have such a 'feature'?

YOU (David G Andersen) WROTE:
>
> NIMDA doesn't hang out for very long waiting for a response
> to the script headers, so a labrea-tarpit-like approach won't
> actually be particularly effective. The sleep(5) will slow
> it down a little bit, and the exit(0) will make it
> return with no data sent back, not even a 404. Which
> will help a bit on the outbound bandwidth, but, of course,
> won't help on the inbound.
>
> Others have posted scripts to
> NANOG (see http://www.nanog.org/ and check the archive)
> that will automatically trigger ipfw / ipchains additions,
> but, as always, be particularly careful with those.

--
CU in Hell /Arkan#iD
Do i believe in Bible? Hell,man,i've seen one!

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
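The reply mentions scripts that turn web-server probes into automatic ipfw additions and warns to be careful with them. The following is an added illustration (not from this thread or the NANOG scripts) of that idea with the care built in: it tallies probe hits per client from constructed access-log lines, skips an allowlist, and only emits ipfw(8) deny commands as text for review once a client crosses a threshold. The probe signature (an .exe request answered with 404), the sample log lines, the allowlist and the threshold are all assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [23/Sep/2001:13:57:56 +0400] "GET /scripts/sample.exe HTTP/1.0" 404 0
192.0.2.10 - - [23/Sep/2001:13:57:57 +0400] "GET /cgi-bin/sample.exe HTTP/1.0" 404 0
192.0.2.10 - - [23/Sep/2001:13:57:58 +0400] "GET /scripts/sample.exe HTTP/1.0" 404 0
198.51.100.7 - - [23/Sep/2001:13:58:01 +0400] "GET /index.html HTTP/1.0" 200 1523
198.51.100.7 - - [23/Sep/2001:13:58:02 +0400] "GET /scripts/sample.exe HTTP/1.0" 404 0
127.0.0.1 - - [23/Sep/2001:13:58:03 +0400] "GET /scripts/sample.exe HTTP/1.0" 404 0
127.0.0.1 - - [23/Sep/2001:13:58:04 +0400] "GET /scripts/sample.exe HTTP/1.0" 404 0
127.0.0.1 - - [23/Sep/2001:13:58:05 +0400] "GET /scripts/sample.exe HTTP/1.0" 404 0
"""

# Assumed placeholder probe signature: a request for an .exe path that the
# server answered with 404. Replace with the request paths the worm actually sends.
PROBE_RE = re.compile(r'"(?:GET|POST) \S*\.exe\S* HTTP/\d\.\d" 404 ')
CLIENT_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}) ")

# Hosts that must never be auto-blocked (assumed: loopback / local monitors).
ALLOWLIST = {"127.0.0.1"}


def count_probes(log_text):
    """Tally probe hits per client IP across the supplied log lines."""
    hits = Counter()
    for line in log_text.splitlines():
        client = CLIENT_RE.match(line)
        if client and PROBE_RE.search(line):
            hits[client.group(1)] += 1
    return hits


def ipfw_rules(hits, threshold=3, first_rule=1000):
    """Build ipfw(8) deny commands for clients at or above the threshold.

    Commands are returned as strings for an operator to review, not executed:
    a single stray match should never firewall a legitimate client."""
    rules = []
    for ip, count in sorted(hits.items()):
        if count >= threshold and ip not in ALLOWLIST:
            rules.append(f"ipfw add {first_rule + len(rules)} deny tcp from {ip} to any 80")
    return rules


if __name__ == "__main__":
    for rule in ipfw_rules(count_probes(SAMPLE_LOG)):
        print(rule)
```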