From: Mark Rowlands
To: freebsd-questions@FreeBSD.ORG
Subject: Re: Code Red
Date: Mon, 20 Aug 2001 21:44:55 +0200

On Monday 20 August 2001 21:14, you wrote:
> On 08/20/01 09:33 AM, Tim Erlin sat at the `puter and typed:
> > Doesn't Code Red leave a backdoor open on the servers
> > it's infected? Anyone explored ways to respond to the
> > http requests that shutdown IIS on the offending
> > server? What would the legal implications of doing so
> > be -- self-defense?
> >
> > --Tim
>
> Is there really a way to shut down these servers?

yes

> If so, I think I
> could find a way to hack my 404.php script to send that message
> automatically. I'd have already set up an autorespond, but most of
> those machines are not running their own mailservice, so I just try to
> minimize the impact on my system.
>
> As far as legal implications, I think self defense is damn suitable as
> a reason for sending such a command. It is actually unlikely that the
> administrator of many of the systems still sending out these requests
> even know they are running anyway.

it is illegal, and never that, how would you feel if you had missed
something on one of your servers and some kind soul came along and
hacked it ....would you sleep well at night knowing someone else, who
may or may not be well intentioned, has been in your server. I know I'd
be hitting the restore button and contacting my local law enforcement
agency.

snip

> So, I think I wouldn't hesitate to set up such an autoresponse to
> these messages. I doubt 90% of the people on the other end would have
> a problem with it or even know about it. And as for those that do, I
> have every right to set policy on my system for handling malicious
> traffic of any kind. Why don't I just look up the IP and let them
> know? Because this will take less of MY TIME away from me. I am not
> here to administer their system and protect them from themselves or
> anyone else.

snip...

There are plenty of quite trivial scripting options for this, or you
can just grep your logs and mail em to www.dhield.org or www.aris.com
who are organising mass buggings of ISPs.

as to the rant, well it bugs the hell out of me too but you can't let
it reduce your own standards of behaviour.

:-)

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
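The "grep your logs" option mentioned in the reply, as an added example that is not part of the original message: a shell function that pulls Code Red probes out of a web server access log and summarises them per source for a report. It assumes Apache Common Log Format and the worm's /default.ida request with N (Code Red) or X (Code Red II) padding, neither of which is stated in the thread; the log lines and function names are constructed.

```shell
#!/bin/sh
# Constructed sample access log (documentation-range addresses, not real hosts).
sample_log() {
cat <<'EOF'
192.0.2.10 - - [20/Aug/2001:10:01:02 +0200] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858 HTTP/1.0" 404 276
198.51.100.7 - - [20/Aug/2001:10:05:40 +0200] "GET /index.html HTTP/1.0" 200 1043
192.0.2.10 - - [20/Aug/2001:11:15:30 +0200] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858 HTTP/1.0" 404 276
203.0.113.55 - - [20/Aug/2001:12:20:11 +0200] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858 HTTP/1.0" 404 276
198.51.100.7 - - [20/Aug/2001:12:30:00 +0200] "GET /docs/default.ida.txt HTTP/1.0" 404 280
EOF
}

# Summarise Code Red probes per source: "ip variant hits first_seen last_seen".
# Assumes Apache Common/Combined Log Format on stdin (field 7 is the request path).
codered_summary() {
    awk '
    $6 == "\"GET" && $7 ~ /^\/default\.ida\?[NX]+/ {
        # Character 14 of the path is the first padding byte after "/default.ida?".
        variant = (substr($7, 14, 1) == "N") ? "CodeRed" : "CodeRedII"
        key = $1 " " variant
        ts = substr($4, 2)              # drop the leading "[" of the timestamp
        if (!(key in hits)) first[key] = ts
        hits[key]++
        last[key] = ts                  # log is chronological, so the last match wins
    }
    END {
        for (key in hits) print key, hits[key], first[key], last[key]
    }' | sort -k3,3nr -k1,1             # busiest sources first, then by address
}

# Plain-text body for a report to the source network's abuse contact.
codered_report() {
    echo "Code Red probes seen in our web server log (times are server-local):"
    codered_summary | while read -r ip variant hits first last; do
        echo "  $ip  $variant  $hits request(s)  first $first  last $last"
    done
}

sample_log | codered_report
```

To run it against a real log, replace `sample_log` in the last line with `cat` on the server's access log; the path depends on the local Apache configuration.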