On Fri, Jul 20, 2001 at 09:33:21PM -0400, Noah L. Meyerhans wrote:
> On Fri, Jul 20, 2001 at 06:24:54PM -0700, Alvin Oga wrote:
> > if ya wrote a script... was thinking.. wouldn't it be funny
> > to redirect that incoming attack with the cgi script to
> > redirect it back to the incoming machine ???
>
> It wouldn't get you anything exciting. The source machine has already
> been cracked, and chances are it will get hit again by the worm anyway.
> From what I've read about the "random" IP address generator used by the
> worm, the same sets of hosts get hit again and again.

The intense increase in probes can be attributed to a new worm variant, which supposedly has the correct random seed generation code. I think you can safely assume that the probes we're seeing now are coming from the new worm variant. I guess one could devise a script which cleans the probing host from the worm and creates the file c:\noworm (or something similar), but it's probably too late anyway.

-- Yotam Rubin

>
> noah
>
> --
> _______________________________________________________
> | Web: http://web.morgul.net/~frodo/
> | PGP Public Key: http://web.morgul.net/~frodo/mail.html