Shutdown attacker's web server (Score 1)
Okay, please don't flame this suggestion (in case I haven't thought it through).
Nimda is basically pissing me off because of the generated network traffic. A possible solution is to shut down (and clean) the infected IIS servers. From my understanding the worm has a number of phases, but they basically allow programs to be run on the infected machine (to set up Samba mounts, etc.). So how about this:
- Map all virus http requests (or appropriate ones) to a script. No rocket science here.
- When receiving a request, make a connection to the sender asking it to "run a command" on the infected machine. Choose a command to either shut down the web server or reboot the machine, or something that isn't too nasty but puts it out of action.
I'm not that familiar with Windows so I don't know how easy/feasible this is. It's a challenge, and if I wasn't going on holidays in two days with a shitload of things to do I'd make it my new short-term pet project.
Wil
--
http://bd4.amristar.com.au/
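The first step of the idea above, recognising the worm's HTTP requests and handing them to a script, is the part that is easy to get right from the defender's side. The following is an added example, not code from the comment or from any project it mentions: it parses Apache-style access-log lines, flags the IIS probe requests Nimda sends (requests for `root.exe` or `cmd.exe`, directly or through an encoded `..` traversal), and aggregates hits per source address so an operator can block, rate-limit or notify the owner of the noisy hosts. The log lines are constructed sample data; the match patterns are assumptions based on the publicly documented shape of the worm's probes, not an exhaustive signature.

```python
import re
from collections import Counter

# Constructed sample access-log lines (Apache common log format). The first
# three mimic Nimda-style IIS probes; the last two are ordinary traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Sep/2001:10:12:01 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
10.0.0.5 - - [18/Sep/2001:10:12:01 +0000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210
192.0.2.9 - - [18/Sep/2001:10:12:03 +0000] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210
198.51.100.7 - - [18/Sep/2001:10:12:05 +0000] "GET /index.html HTTP/1.1" 200 1043
10.0.0.5 - - [18/Sep/2001:10:12:06 +0000] "GET /robots.txt HTTP/1.1" 200 68
"""

# Common log format: client ip, ident, user, [timestamp], "METHOD path proto", status, bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed probe features: a request that reaches root.exe (the backdoor copy of
# cmd.exe left by earlier worms) or cmd.exe itself, optionally via an encoded
# "../" traversal sequence such as "..%c0%af../" or "..%5c../".
TARGET_RE = re.compile(r'(?:root\.exe|cmd\.exe)', re.IGNORECASE)
TRAVERSAL_RE = re.compile(r'\.\.(?:%[0-9a-f]{2}|%%|\\|/)', re.IGNORECASE)


def parse_line(line):
    """Return a dict with ip/ts/method/path/status, or None if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(path):
    """Label a request path as 'traversal', 'direct' or None (not a probe)."""
    if not TARGET_RE.search(path):
        return None
    return "traversal" if TRAVERSAL_RE.search(path) else "direct"


def summarize(log_text):
    """Count probe requests per source address across the given log text."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and classify(rec["path"]):
            counts[rec["ip"]] += 1
    return dict(counts)


def noisy_sources(log_text, threshold=1):
    """Sources with at least `threshold` probes, most active first."""
    return sorted(
        ((ip, n) for ip, n in summarize(log_text).items() if n >= threshold),
        key=lambda item: (-item[1], item[0]),
    )


if __name__ == "__main__":
    for ip, n in noisy_sources(SAMPLE_LOG):
        print(f"{ip}: {n} probe request(s)")
```

Feeding the output of `noisy_sources` into a firewall rule or an abuse notification covers the "shut it out" goal without touching the remote machine; the status code is kept in the parsed record so the same script can also confirm that the probes are being answered with 404 rather than served.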