[NCLUG] Code Red fun

J. Paul Reed preed at sigkill.com
Wed Aug 8 08:25:26 MDT 2001


On Wed, 8 Aug 2001, Charles Clarke wrote:

> On Tue, 7 Aug 2001, J. Paul Reed wrote:
>
> > print $socket "GET /scripts/root.exe?/c+route+delete+0.0.0.0+>+fix_your_damn_r00ted_box";
>
> Well, it does get them off the web, but I was thinking of something
> more productive...

Getting the computer to stop flooding the network and infecting others? I
think that's pretty productive, myself...

> Doesn't this need an HTTP/1.0\n\n on the end of it?

Probably. :-)

Actually, I only had this up for a few hours... it worked on some boxes,
didn't on others... I stopped caring after a while and took it down.

I think it probably had to do with the different variants of the worm, but
some boxes reported a "Server too busy" message, others fell off the net,
and still others didn't reply at all (I think these were Code Red I boxes,
which don't have the rootshell "feature").

Technically, it's probably illegal anyway... but I felt semi-justified
considering *they* contacted *me*, and *their* intent was to infect me with
a virus/worm.

I would probably be *more* justified if a response killed the box, instead
of me issuing another connection back to them.

Anyway, now I'm dealing with my router, which seems to be crashing all the
time (it's a Linux box, so don't tell me to upgrade CBOS). I've narrowed it
down to my tulip driver, which seems to be hogging interrupts due to the
ARP packet storm on my cable modem network, and the device then hangs. I
can log in at the console and ifdown/ifup and all is well... it's just
annoying.

And now, I'd like to take this special moment to thank the good folks at
Microsoft for making such quality software.

Later,
Paul
   ---------------------------------------------------------------------
   J. Paul Reed               preed at sigkill.com || web.sigkill.com/preed
   It's amazing what a little brain damage will do for your credibility.
                                              -- Leonard Shelby, Memento



