
tomhudson's Journal: Trapping Hackers
I was looking through the server logs on my machine, and I noticed that n00bs are trying to have some fun, so I figured, why not have some fun back?
Rather than just log their crap, why not let them know that they've been caught and also give them the IP addresses of other n00bs, so they can play elsewhere?
So here is a link to a quick page I threw up this evening, so you can download the files and have fun.
Once we've got it running on a bunch of servers, I'll post code to automatically email abuse@your_isp to complain.
Enjoy
worms (Score:1)
Nimbda Worm / Virus: What Are Cmd.Exe, Readme.Eml, Readme.Exe, Root.Exe ? [thesitewizard.com]
If you are running your site on an Apache server, you might still want to take some action to avoid having to pay a huge bill on bandwidth costs at the end of the month to foot the Nimda worm attacks.
If you don't know what I mean, telnet to your web server, and run the following command on your logs:
grep "cmd\.exe" your-l
Re:worms (Score:2)
Imagine the poor schmuck working at the ISP who checks his email and finds 5000 complaints from 500 different servers complaining about 20 different customers. Every day. Until they shut the offenders down.
To do this successfully, we'd need a decent number of hosts running.
Re:worms (Score:1)
My experience with the ISPs I corresponded with is they would do nothing as this did not violate acceptable use policy.
In fact, most of the IPs came from the same Comcast subnet that I was on -- customer support asked me if these were 'intrusions' affecting my computer. Honestly, it was more of a curiosity than a real nuisance, and not really affecting me, so I gave up.
Possibly if lots of
Re:worms (Score:1)
Found this interesting thread:
http://forums.macosxhints.com/showthread.php?t=22371
One poster had a simple, elegant solution:
# RedirectMatch is provided by mod_alias, not mod_rewrite
<IfModule mod_alias.c>
RedirectMatch permanent (.*)cmd.exe(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)root.exe(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/_vti_bin\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (
Re:worms (Score:2)
However, his solution doesn't work properly because of the way that different platforms handle slashes and backslashes. That's why I use [\|/] instead of \/, which only matches a forward slash.
Also, redirecting to microcrap isn't the real solution - they'll just ignore it. Sending email to the ISP is more likely to succeed, especially since these attacks are not necessarily all due to
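The log check from the journal entry and the grep above, together with the slash/backslash point made in this reply, as an added Python example (this is not code from the page, from tomhudson's download, or from the macosxhints thread): it parses Apache access-log lines, normalizes percent-encoding and both slash styles before matching the cmd.exe / root.exe / _vti_bin signatures the thread names, and groups the hits per source address into a draft of the abuse complaint the journal proposes. The log lines, timestamps and addresses are constructed for the example; the signature list is only what the thread mentions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample in Apache common log format; the addresses come from
# RFC 5737 documentation ranges, not from any prober on the page.
SAMPLE_LOG = r"""
192.0.2.10 - - [10/Sep/2003:03:12:45 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 284
192.0.2.10 - - [10/Sep/2003:03:12:46 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 284
198.51.100.7 - - [10/Sep/2003:03:13:01 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 280
198.51.100.7 - - [10/Sep/2003:03:13:02 -0400] "GET /_vti_bin/..\..\winnt/system32/CMD.EXE?/c+dir HTTP/1.0" 404 284
203.0.113.5 - - [10/Sep/2003:03:14:10 -0400] "GET /index.html HTTP/1.1" 200 5120
"""

# Common log format: host ident user [time] "method target protocol" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" (?P<status>\d{3}) \S+'
)

# Signatures named in the thread. They are matched against a normalized
# target, so one lowercase, forward-slash pattern per name is enough.
SIGNATURES = [
    ("cmd.exe", re.compile(r"cmd\.exe")),
    ("root.exe", re.compile(r"root\.exe")),
    ("_vti_bin", re.compile(r"/_vti_bin/")),
]


def normalize_target(target):
    """Undo the tricks that defeat a naive grep: percent-encoding (applied
    twice, because the probes double-encode the backslash as %255c),
    backslashes where a pattern expects forward slashes, and mixed case."""
    decoded = unquote(unquote(target))
    return decoded.replace("\\", "/").lower()


def is_probe(target):
    """Return the name of the first signature that matches, or None."""
    normalized = normalize_target(target)
    for name, pattern in SIGNATURES:
        if pattern.search(normalized):
            return name
    return None


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def summarize(log_text):
    """Map each probing source address to its list of (time, signature, target)."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        entry = parse_line(line.strip())
        if entry is None:
            continue
        sig = is_probe(entry["target"])
        if sig:
            hits[entry["ip"]].append((entry["time"], sig, entry["target"]))
    return dict(hits)


def abuse_report(ip, hits):
    """Draft the body of the abuse@ complaint the journal entry proposes.
    Choosing the recipient (WHOIS lookup) is left to the operator."""
    lines = [
        f"Host {ip} sent {len(hits)} request(s) matching known IIS worm probes:",
        "",
    ]
    for time, sig, target in hits:
        lines.append(f"  [{time}] {sig}: {target}")
    lines += ["", "Please ask the owner of this address to clean the machine."]
    return "\n".join(lines)


if __name__ == "__main__":
    for ip, hits in sorted(summarize(SAMPLE_LOG).items()):
        print(abuse_report(ip, hits))
        print()
```

The normalization step is the point: the fourth constructed line mixes backslashes and upper case and the first one double-encodes the separator, and a plain `grep cmd.exe` over the raw log would catch the first two but a pattern anchored on `\/` would miss the backslash variant this reply warns about.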
Re:worms (Score:1)
good one, Jeff -- point out something he's already seen
You've obviously given this far more thought than I have; your solution is very interesting. I have to admit though that I still doubt most ISPs would do dick about it.
Cheers.
Re:worms (Score:2)
... with their own database of current customer IPs to email addresses, they could automatically email their customers and say "hey, clean up your machine and/or your act".
When I find some time, I'm going to suggest it to tech support for our offices' ISP - once you get past the first level "techs", a LOT of them are linux guys.
Ever heard of... (Score:1)
My web server checks the log every hour and sends new entries off to DShield by e-mail. It will crash if the local network is down, so it will relaunch and try again (my router is directly connected to the server, so this is rare).
Every night I get a log of the blocked packets that were received by DS
Re:Ever heard of... (Score:2)
dumb question (Score:1)
My question is, why does my webserver (this is a personal site at the end of my DSL connection) keep getting requests for "http://slashdot.org/ok.txt" and "http://developers.slashdot.org/ok.txt" ?? Anyone have any clues?
Re:dumb question (Score:1)
Care to post an example? I'm curious to see how this came in. ok.txt is apparently an actual document served by slashdot.org, but I can't imagine what circumstance could lead to having a request for it show up in your server log.
Re:ok.txt in server logs (Score:2)
Here are the logs:
Re:ok.txt in server logs (Score:1)
Makes me curious enough to pull out my perl books and noodle around to see how this could happen.
Re:ok.txt in server logs (Score:2)
Re:ok.txt in server logs (Score:2)
Re:ok.txt in server logs (Score:2)
I doubt this is in error.
Re:ok.txt in server logs (Score:1)
Re:ok.txt in server logs (Score:2)
Re:ok.txt in server logs (Score:1)
Remote Addr: 66.35.250.150
REQUEST_URI: http://slashdot.org/ok.txt not found.
SERVER_SOFTWARE: Apache/1.3.26 (Unix) PHP/4.3.3RC4 AuthMySQL/2.20
ok.txt request from you:
Remote Addr: 24.37.84.x
REQUEST_URI:
SERVER_SOFTWARE: Apache/2.0
Cheers
Re:ok.txt in server logs (Score:2)
Correct me if I'm wrong.
Thanks.
Re:ok.txt in server logs (Score:1)
Would be nice for an official
Re:ok.txt in server logs (Score:1)
As well as making a "proxy" type request,
1088682424.376 1270 111.222.111.222 TCP_MISS/200 18020 GET http://slashdot.org/comments.pl - DIRECT/66.35.250.150 text/html
(this is my request through the proxy for a specific comment)
Then clicking on "Reply":
1088682424.376 1270 111.222.111.222 TCP_MISS/200 18020 GET http://slashdot.org/comments.pl?...&op=Reply&... -
Re:ok.txt in server logs (Score:2)
Seems to me that open proxies could filter for this sort of thing and stay open without being detected :-(
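The ok.txt puzzle this sub-thread works out, as an added Python example (not code from the page, from pgregg's 404 handler, or from Slashdot): the thread's reading is that the request arrived in absolute-URI form, the form a client sends to an HTTP proxy, so the hostname inside REQUEST_URI is the client's real destination and not this server. The classifier below separates that case from ordinary path requests and from an absolute URI that names our own host, and the 404 handler built on it answers the probe explicitly. The hostnames it treats as its own are assumed values; the slashdot.org target is quoted from the logs above and the other inputs are constructed.

```python
from urllib.parse import urlsplit

# Hostnames this server answers for; assumed values for the example.
OUR_HOSTNAMES = {"www.example.net", "example.net"}


def classify_request_target(request_uri, our_hostnames=OUR_HOSTNAMES):
    """Classify the target a custom 404 handler sees in REQUEST_URI.

    A browser talking to an origin server sends only the path ("/ok.txt").
    A client that believes it is talking to a proxy sends the whole URL
    ("http://slashdot.org/ok.txt"); Apache passes that string through to
    the handler unchanged, which is how it ends up in a 404 log.

    Returns a (kind, detail) pair:
      ("origin", path)         ordinary request for this server
      ("absolute-self", path)  absolute URL naming one of our own hostnames
                               (legal in HTTP/1.1, not a proxy attempt)
      ("proxy-probe", host)    absolute URL naming a foreign host: the
                               client was checking whether we relay for it
      ("malformed", target)    anything else
    """
    if request_uri.startswith("/"):
        return ("origin", request_uri)
    parts = urlsplit(request_uri)
    if parts.scheme in ("http", "https") and parts.hostname:
        host = parts.hostname.lower()
        if host in our_hostnames:
            return ("absolute-self", parts.path or "/")
        return ("proxy-probe", host)
    return ("malformed", request_uri)


def not_found_response(remote_addr, request_uri):
    """Build the status line, body and one-line log record for a 404.

    The proxy probe gets an explicit refusal instead of the generic page,
    so whoever ran the check learns that this host does not relay requests.
    """
    kind, detail = classify_request_target(request_uri)
    if kind == "proxy-probe":
        body = f"This server is not an open proxy; it will not fetch from {detail}."
    else:
        body = f"The document {detail} was not found on this server."
    log_record = f"{remote_addr} {kind} {request_uri}"
    return "404 Not Found", body, log_record


if __name__ == "__main__":
    # First target quoted from the thread's logs; the second is constructed.
    for addr, target in [("66.35.250.150", "http://slashdot.org/ok.txt"),
                         ("192.0.2.10", "/missing.html")]:
        status, body, record = not_found_response(addr, target)
        print(record, "->", status, "|", body)
```

Logging the kind alongside the raw target keeps the two populations apart in the log, so the proxy checks do not get counted as worm probes by a script that only looks for 404s.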
Re:ok.txt in server logs (Score:1)
Ok - my bad - I only just looked at the link you posted - very nice work there. I've been doing something similar in a custom 404 in PHP for a while now (which also caught your ok.txt request :)
Does the same as yours and (for me) sends the good requests to the right page. Here's the code: http://www.pgregg.com/projects/php/code/404.phps [pgregg.com]
Re:ok.txt in server logs (Score:2)
Do I have your permission to add:
to the list (with credit, of course)? Also, how would you like the credit to show up? Email, author, link to your site, etc...?
Re:ok.txt in server logs (Score:1)
Re:ok.txt in server logs (Score:2)