Fighting Nimda
DestinyBWL
09-19-2001, 11:15 PM
So my site is becoming more and more popular. I usually get an exponential increase of traffic in the winter months. I went over my bandwidth limit for the first time last month and will probably soon upgrade to a platinum package. I don't think I will be able to hold out and stay with futurequest all the way through the winter months as I expect at least 25-30gig of traffic, and an additional 10+gig of traffic once I finally put up my new section (which I am holding out on doing until I go too high with my normal traffic). It looks like I am going to have to leave futurequest this Winter. This both saddens me (as this has been the best host I have ever seen) and makes me happy (as my website has quickly become one of the 2-3 top ranked resources for internet dialup support in the past two years). However even though I will be moving to a dedicated server in a few months I would like to hold out as long as I can with the best host known to mankind and make sure I don't go too far over my bandwidth allowance. So with that out of the way, here is my big question:
Is there any way to turn away Code Red / Nimda attacks/probes? I have already expended 27+megabytes of traffic just to this Nimda virus and it's pretty annoying. That's just in the last day. Knowing this I'll prolly be looking at another 50ish MB of traffic from today. Say the traffic ends up averaging only 25mb/day for the rest of this month. That's an extra 325mb of traffic wasted. If I remember right that turns out to be $3.25 in overbandwidth charges if I go over again this month. Now mind you, I understand that isn't much, and I'm not a pennypincher or anything, but I am young, in debt, still haven't made a single dime off of advertising (man, internet advertising pays poorly. My agency has made a ton of money off of my site and I've finally paid off their "setup fee"....), and it's just plain annoying. I was commended today at my workplace for stopping Nimda in its tracks on an office LAN of over 200 computers (which was also pretty annoying since they kept infecting each other), and really have a hate for this particular virus because it took up most of my day.
Of course now that I write this and come to the realization that it's only $3.25, I don't want to post it. Then again, say the virus continues on a rise for a bit. I could be looking at $13+ on top of normal overbandwidth charges. Still makes me feel petty posting this, but I am seriously annoyed, which is pretty easy to do after the events over the past week. Any ideas? Should I create the file cmd.exe, etc along the specified path and make them 1 byte in size? Do you think that may work?
-Brad
Annoyed Pennypinchingfeeling Webmaster, ModemHelp.Net
Terra
09-19-2001, 11:42 PM
It is the same as Code Red, it is an annoyance as it does not affect our servers...
If I block it at the Apache level - still doesn't matter because I'm going to issue a '404' response which is still going to consume bandwidth from your account...
In short, there is no effective way to block it before it makes it to the Apache server due to having to sniff each and every packet entering our network... Now I heard that the FBI is willing to send me a Carnivore box to do just that, but so far I'm not too keen on the violation of an account holder's privacy...
1) Firstly, this will send network performance pummeling as the overhead would be felt - and if our network is not operating with sub millisecond response times - then you might as well extinguish the patient to cure the disease...
2) Secondly, FutureQuest, Inc. is not responsible for launching these attacks - yet you are asking us to shoulder the full bandwidth costs of dealing with it... I don't see this as fair to FutureQuest at all, as overall we have a limited partnership with one another... We still get knocked for the bandwidth usage, because it must touch our network border just to even peek inside of the packet... The true costs are being shared by both the site owner and FutureQuest... (See #1 below)
Though we may have huge hearts, we are not silly in how we operate our business... You have the ability to block this at your website via .htaccess files, however you are still getting pegged for '404' or any responses bandwidth...
Now, what you state is reasonable:
1) Creating a 1 byte cmd.exe file - this would at least reduce the '404' response bandwidth size... Please note that the '1 byte' bandwidth that shows in your logs, is really about 256 bytes due to the HTTP protocol overhead...
e.g.:
$GET -des http://www.FutureQuest.net | wc -c
**this is very minimal at best, most response headers are much more chatty... This is the bandwidth costs that FutureQuest absorbs, that site owners never see... Please keep that side of the equation in mind...
2) You could be evil and setup a Redirect and bounce them to say:
http://www.microsoft.com/fix/your/security/holes
(no trailing slash is intentional)
since they are looking for MicroSoft brand exploits anyhow... However, I do not officially endorse this countermeasure... It is merely for educational or entertainment purposes/value... :QTtongue:
In conclusion, it is a Worm that is a nuisance, yet won't compromise our servers other than increased activity... You can either spend $10,000 on cold/flu (feel good) medicine that won't cure the problem - or let time heal the ailment sparing the enormous cost/expense...
--
Terra
--Helping us to help you to help each other--
FutureQuest
DestinyBWL
09-20-2001, 12:38 AM
Terra - danke. I know a lot about internet troubleshooting, but not much about webhosting. Please don't think that I wanted futurequest to shoulder the bandwidth costs. I have a custom 404 page which is probably why so much bandwidth is being sucked by the searching of exploits.
I know you don't advocate it, but how would you setup a .exe file exactly to redirect someone to:
http://www.ecnet.net/users/gas52r0/Jay/
;)
BWAHAHAHAHHAHAAHAHAHAHAHAHA
:o
Arthur
09-20-2001, 06:17 AM
Creating a 1 byte cmd.exe file
If you want to decrease bandwidth, don't do that. If the worm doesn't receive a 404, it will make several more requests...
Tibbits
09-30-2001, 10:27 AM
I think Nimda is actually worse than Code Red.. instead of one hit per attack it makes about 16, and I seem to have been hit more often than I was with Code Red, and all from 'nearby' IPs.
Bill211
02-03-2002, 07:23 PM
Okay, maybe I'm beating a dead horse here, and if you guys are tired of my silly questions, just tell me to shut up and go away. (Ahem, but since FQ servers are running unix, I can't do any real damage so you *could* just ignore me! ;))
It bothers me greatly that I'm still getting hits from the nimda virus, particularly from one machine, whose ISP has been contacted. I've emailed all the "contacts" listed in the whois entry (all bounced), emailed the registrar about the bad contact information, and sent complaints to the company that supposedly owns the network. Is there anything else that I should/could do that I haven't already?
In all fairness, the bandwidth isn't really the main issue, I'm not even close to using my allotment, it's just the principle of the whole thing.
I'm an ex-mainframe systems guy (eeeewwwww!), so I don't really have a clue when it comes to network issues, but surely there's *something* that can be done. I don't want to do anything illegal or destructive (well...okay, I WANT to, but wouldn't really). I just want something that will bring the infested/infected machine to the attention of whoever ought to be monitoring it.
Could I set up an automatic redirect back to the infected IP? Would that be more of a drain on my bandwidth than the 404's are now? If that's feasible, could I automatically redirect any search for cmd.exe/root.exe back to its originator?
lepton
02-04-2002, 12:41 PM
I'm an ex-mainframe systems guy (eeeewwwww!)
So, what's the eeeewwwww! supposed to mean? :eeww:
As a current "mainframe systems guy", I think I'm offended.
Lepton
-The old dinosaur ain't dead yet. mE
Bill211
02-04-2002, 04:19 PM
Sorry about the "eeeeeewwwww", I was just saying it before (I was sure) someone else would have :D
Your bottom line about the "old dinosaur" reminds me of a poster I had in my office. It depicted a mainframe (as a Tyrannosaurus) chasing a bunch of little PCs and the caption was "Mainframes are back, and they're mad as h*ll" ;)
Okay, so now I've got a cgi script that kicks in whenever there's a 404 error and sends me an email with the page (file) that was not found and the originator's IP address. I've got to refine it so it only kicks in for cmd.exe or root.exe. Next step will be to have it translate the IP of the offender and send an email to admin@?????.com letting them know I'd appreciate it if they'd clean up their act.
I've gotten 42 of them since I implemented the script at 10:00 last night. I was originally going to try to limit it to one email per offender, but the more I think about it, the more I like the idea of an email every time it goes after cmd.exe or root.exe.
----------------------
Never meddle in the affairs of dragons, for you are crunchy and good with ketchup.
Bill211
02-05-2002, 09:04 AM
FWIW, here's where I am with this.
I've got the script to the point where it can determine if the request was for cmd.exe or root.exe (but I haven't figured out how to "exit" the script based on that yet; it's coming soon).
The script not only emails me the info each time, but also creates a log of the date/time, ip address and file name accessed.
At this point I'm manually looking up the contact for the IP and sending them an email along with the logs, advising them that the machine is infected.
I've emailed 4 "contacts" so far. One stopped hitting my site within 2 days, one sent an automated response saying they're getting so many complaints about sircam, nimda and code red, that they can't reply individually, but they're working on it. They've also not hit my site since I sent the email.
The other two emails went out this morning and I don't know the status, but am much encouraged by the response from the first two. I figure I'll take the 1 or 2 worst offenders each day and send them an "advisory"
Maybe an "automated" email is a bit too ambitious for me at this point, and it does take a few minutes to look up the contact and paste in the log, but at least I'm doing *something* about it.
If anyone is interested in this beyond what I've posted here, I'll be glad to keep you apprised by email. Just let me know if you're interested. I'm at syswsb@ppsweb.net
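A defender-side version of the log scan Bill211 describes above (and of the per-response bandwidth point Terra makes), added here as an example and not code from anyone in this thread: it parses constructed Apache combined-format log lines, tags the cmd.exe / root.exe / default.ida probe paths the worms request, adds up the bytes those 404s cost per source address, and ranks the source IPs so the worst offenders of the day can be reported to their abuse contacts. The signature labels, sample addresses and byte counts are my own assumptions, not values from the thread.

```python
import re
from collections import Counter, defaultdict

# Constructed Apache combined-format log lines (not from the thread): three Nimda probes from one host, a normal page view, one Code Red probe.
SAMPLE_LOG = """\
10.0.0.5 - - [04/Feb/2002:22:10:01 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 212 "-" "-"
10.0.0.5 - - [04/Feb/2002:22:10:02 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 212 "-" "-"
10.0.0.5 - - [04/Feb/2002:22:10:02 -0500] "GET /_vti_bin/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 212 "-" "-"
192.0.2.9 - - [04/Feb/2002:22:11:45 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
198.51.100.7 - - [04/Feb/2002:22:12:03 -0500] "GET /default.ida?XXXX HTTP/1.0" 404 212 "-" "-"
"""

# Fields of the combined log format the scan needs: client IP, request path, status, bytes sent.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+)[^"]*" '
                    r'(?P<status>\d{3}) (?P<bytes>\d+|-)')

# File names the worms ask for; any other request is treated as legitimate.
PROBE_SIGNATURES = {
    "root.exe": "Nimda/Code Red II backdoor (root.exe)",
    "cmd.exe": "Nimda directory-traversal probe (cmd.exe)",
    "default.ida": "Code Red overflow probe (default.ida)",
}

def classify(path):
    """Signature label for a worm probe path, or None for a normal request."""
    name = path.split("?", 1)[0].lower()  # drop the ?/c+dir query string
    return next((label for marker, label in PROBE_SIGNATURES.items()
                 if name.endswith(marker)), None)

def scan_log(text):
    """Group probes by source IP: per-signature counts plus bytes the responses cost."""
    hits, wasted_bytes = defaultdict(Counter), Counter()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        label = classify(m["path"]) if m else None
        if label is None:
            continue  # unparsable line or legitimate request
        hits[m["ip"]][label] += 1
        wasted_bytes[m["ip"]] += int(m["bytes"]) if m["bytes"].isdigit() else 0
    return hits, wasted_bytes

def worst_offenders(hits, limit=2):
    """The '1 or 2 worst offenders' of the day, most probes first, to send an advisory to."""
    return sorted(hits, key=lambda ip: -sum(hits[ip].values()))[:limit]

if __name__ == "__main__":
    hits, wasted = scan_log(SAMPLE_LOG)
    for ip in worst_offenders(hits):
        print(ip, dict(hits[ip]), f"{wasted[ip]} bytes of responses")
```

Run it against a real access_log by reading the file into scan_log; the per-IP byte totals only cover the response body, so, as Terra notes, the HTTP header overhead on each 404 is still on top of that.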