Re: whats this?
On Sun, Aug 05, 2001, Reuven M. Lerner wrote about "Re: whats this?":
> If you're running Apache and mod_perl, you may want to try a Perl
> module that I just sent to the mod_perl e-mail list:
>
> http://groups.yahoo.com/group/modperl/message/37145
>
> The module automatically sends helpful e-mail to postmaster@,
> webmaster@, and administrator@ any attacking domain.
And how exactly will that help if the "attacking" domain (itself a victim of
the worm) is a Windows machine, 90% of them probably home users with Windows
and illegal copies of IIS?
Do Windows machines have postmaster@, webmaster@, etc, accounts? Moreover,
do these worm-infested Windows machines have a mail server running?
By the way, I hope in your helpful mail you also remind the victim to
remove the root.exe *and* the trojan explorer.exe: either one of these
gives a backdoor.
Because of this non-secret backdoor, I predict pretty soon we're going to see
one or more of the following tidal waves going through the Internet:
1. By October 1, when the worm stops spreading (or probably even sooner than
that) I predict we're going to see about 100,000 machines in the internet
with backdoors, and dozens of crackers (not just the original worm
writer) will use them to mount the biggest DDoS attack ever seen
(similarly to what the original Code Red worm writer intended against
whitehouse.gov, only he messed up and that attack never took place).
2. One of the crazies out there uses the backdoor to log onto those 100,000
machines, and do "format c:" on each and every one of them. This will
solve the backdoor problem once and for all, but will go into history as
the biggest mass computer destruction.
3. We're going to see the first-ever white-hat worm emerge: a worm that will
use the CR-II backdoor to enter, spread, and then remove the backdoor and
the original IIS bug. Mind you, this is just as illegal as the "format c:"
idea...
4. We might see gangs of crackers fighting over control of these backdoored
machines, seeing which group can unbackdoor (and then install new
backdoors, of course) on more machines. Pretty soon we're going to see
more scans on port 80 searching for backdoors than scans on port 80
caused by the worm itself.
The possibilities for mayhem are endless!
--
Nadav Har'El | Sunday, Aug 5 2001, 17 Av 5761
nyh@math.technion.ac.il |-----------------------------------------
Phone: +972-53-245868, ICQ 13349191 |Always remember you're unique, just like
http://nadav.harel.org.il |everyone else.
=================================================================
To unsubscribe, send mail to linux-il-request@linux.org.il with
the word "unsubscribe" in the message body, e.g., run the command
echo unsubscribe | mail linux-il-request@linux.org.il
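The post distinguishes port-80 scans made by the worm itself from scans by people looking for already-backdoored hosts. As an added example (not code from this thread or from the mod_perl module mentioned above), here is a small Python scanner that splits Apache access-log lines into those two classes so an administrator can see which hosts are infected victims rather than attackers; the request paths it matches (root.exe, cmd.exe, default.ida) are assumed from the worm's known behaviour, not taken from the post, and the log lines are constructed.

```python
import re
from collections import Counter

# Constructed sample lines in Apache combined-log style (not from the thread).
SAMPLE_LOG = """\
10.0.0.5 - - [05/Aug/2001:10:12:01 +0300] "GET /index.html HTTP/1.0" 200 1043
192.0.2.17 - - [05/Aug/2001:10:12:09 +0300] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 297
192.0.2.17 - - [05/Aug/2001:10:12:10 +0300] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 297
198.51.100.8 - - [05/Aug/2001:10:13:44 +0300] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
192.0.2.17 - - [05/Aug/2001:10:15:00 +0300] "GET /default.ida?XXXXXXXXXXXX HTTP/1.0" 400 0
"""

# Fields we need from a combined-log line: client address and request path.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed indicators: root.exe / cmd.exe requests are attempts to use the
# backdoor left behind; default.ida requests are the worm's own spread attempts.
BACKDOOR_RE = re.compile(r'/root\.exe|/cmd\.exe', re.IGNORECASE)
WORM_RE = re.compile(r'/default\.ida', re.IGNORECASE)


def classify(path):
    """Return 'backdoor_probe', 'worm_spread', or None for an ordinary request."""
    if BACKDOOR_RE.search(path):
        return "backdoor_probe"
    if WORM_RE.search(path):
        return "worm_spread"
    return None


def scan_log(text):
    """Count suspicious requests per (client address, class); ordinary lines are skipped."""
    hits = Counter()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; ignore rather than guess
        kind = classify(m.group("path"))
        if kind:
            hits[(m.group("ip"), kind)] += 1
    return hits


def infected_hosts(hits):
    """Addresses that sent worm-spread traffic: infected machines to notify, not attackers."""
    return sorted({ip for (ip, kind) in hits if kind == "worm_spread"})


if __name__ == "__main__":
    for (ip, kind), n in sorted(scan_log(SAMPLE_LOG).items()):
        print(f"{ip:16} {kind:15} {n}")
```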