Forum OpenACS Q&A: Response to How to bypass rp_filter: Nimba Worm

Posted by Tom Jackson on
David

ns_conn close does not work to slow down the worm. The ipchains idea is doing all the work. Here is some output, with the use of ns_conn close instead of ns_sleep 60.

[20/Sep/2001:09:05:45][16725.9226][-conn0-] Notice: 216.254.126.216 GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0
[20/Sep/2001:09:05:45][16725.9226][-conn0-] Notice: Nimba BreakTrace holding: 0 total: 13 released ip: 216.254.126.216
[20/Sep/2001:09:05:45][16725.9226][-conn0-] Notice: 216.254.126.216 GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0
[20/Sep/2001:09:05:45][16725.9226][-conn0-] Notice: Nimba BreakTrace holding: 0 total: 14 released ip: 216.254.126.216
[20/Sep/2001:09:05:46][16725.9226][-conn0-] Notice: 216.254.126.216 GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
[20/Sep/2001:09:05:46][16725.9226][-conn0-] Notice: Nimba BreakTrace holding: 0 total: 15 released ip: 216.254.126.216
[20/Sep/2001:09:05:46][16725.9226][-conn0-] Notice: 216.254.126.216 GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0

Another thing I'd like to figure out is why some posts are nicely formatted when I use Plain Text and others are not. Is it just that the q-and-a-post-reply-form is working correctly?
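Added example, not part of the post above and not OpenACS code: a Python pass over log lines in the format shown that flags the `cmd.exe` probes, undoing the `%255c` double encoding first, and tallies them per source address as candidates for a firewall block. The function names, the threshold of 3 and the last sample line are assumptions made for this example.

```python
import re
from collections import Counter
from urllib.parse import unquote

# The first four lines are copied from the log in the post; the last is a
# constructed benign request (documentation address) to show a non-match.
SAMPLE_LOG = """\
[20/Sep/2001:09:05:45][16725.9226][-conn0-] Notice: 216.254.126.216 GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0
[20/Sep/2001:09:05:45][16725.9226][-conn0-] Notice: Nimba BreakTrace holding: 0 total: 13 released ip: 216.254.126.216
[20/Sep/2001:09:05:46][16725.9226][-conn0-] Notice: 216.254.126.216 GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
[20/Sep/2001:09:05:46][16725.9226][-conn0-] Notice: 216.254.126.216 GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
[20/Sep/2001:09:05:47][16725.9226][-conn0-] Notice: 192.0.2.10 GET /bboard/q-and-a.tcl HTTP/1.0
"""

# Matches only the request lines; the "BreakTrace" status lines do not match.
REQUEST_RE = re.compile(
    r"^\[[^\]]+\]\[[^\]]+\]\[[^\]]+\] Notice: "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) [A-Z]+ (?P<url>\S+) HTTP/\d\.\d$")

def fully_decode(url, max_rounds=4):
    """Percent-decode until stable; return (decoded, rounds that changed it)."""
    rounds = 0
    while rounds < max_rounds:
        nxt = unquote(url)
        if nxt == url:
            break
        url, rounds = nxt, rounds + 1
    return url, rounds

def classify(url):
    """Return the reasons a request URL looks like one of the logged probes."""
    decoded, rounds = fully_decode(url)
    path = decoded.replace("\\", "/").lower().split("?", 1)[0]
    reasons = []
    if path.endswith("/cmd.exe"):
        reasons.append("cmd.exe")
    if ".." in path.split("/"):
        reasons.append("traversal")
    if rounds >= 2:  # %255c -> %5c -> backslash
        reasons.append("double-encoded")
    return reasons

def scan(log_text):
    """Count probe requests per source IP."""
    hits = Counter()
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line.strip())
        if m and classify(m.group("url")):
            hits[m.group("ip")] += 1
    return hits

def block_candidates(hits, threshold=3):
    """Source IPs with at least `threshold` probe requests."""
    return sorted(ip for ip, n in hits.items() if n >= threshold)
```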