Does anyone know if this worm propagates itself and then launches itself from unassuming hosts? That is, does it install itself on a host and that host is an unwitting perpetrator? Or can I assume that the IP address sending the highlight probe is a willing participant?
The reason I am asking is that I am generating a kill list of IP addresses that have been poking me with this virus. So far, my total list (since Dec 20 when I was hit) is almost 3000 unique IP addresses! I want to block them permanently. While observing this in the last 18 hours, I have gotten more than 30 new unique IP addresses hitting me with this highlight probe.
I've already written a mod that automatically adds the $user_ip to my phpbb_banlist table... so when they hit, I say, thank you for your IP address, here's the door. I am also logging IP addresses to a file so they can be input to a firewall IP address blocker.
Draconian, yes. Necessary?
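As an added example (not part of the original post): one way to turn a file of logged probe addresses into a validated, deduplicated block list for a firewall. The "timestamp address" log format, the `NEVER_BLOCK` networks and the function names are assumptions, and the sample log lines are constructed.

```python
import ipaddress
from collections import Counter

# Constructed sample hit log, one "timestamp address" record per line
# (assumed format; the post does not show its log file).
SAMPLE_LOG = """\
2000-01-01T03:14:07 198.51.100.23
2000-01-01T03:14:09 198.51.100.23
2000-01-01T04:02:51 203.0.113.7
2000-01-01T04:40:12 192.168.1.10
2000-01-01T05:11:30 not-an-ip
2000-01-01T05:30:02 203.0.113.6
2000-01-01T06:00:00 127.0.0.1
"""

# Assumed networks that must never end up in the block list
# (loopback and the site's own internal ranges).
NEVER_BLOCK = [ipaddress.ip_network(n)
               for n in ("127.0.0.0/8", "10.0.0.0/8", "192.168.0.0/16")]


def parse_hits(log_text):
    """Return (Counter of blockable addresses, list of rejected lines)."""
    hits, rejected = Counter(), []
    for line in log_text.splitlines():
        parts = line.split()
        if not parts:
            continue  # skip blank lines
        try:
            addr = ipaddress.ip_address(parts[1])
        except (IndexError, ValueError):
            rejected.append(line)  # malformed record or not an IP address
            continue
        if any(addr in net for net in NEVER_BLOCK):
            rejected.append(line)  # protect own hosts from a self-inflicted ban
            continue
        hits[addr] += 1
    return hits, rejected


def build_blocklist(hits):
    """Collapse the unique addresses into the smallest exact set of CIDR blocks."""
    blocks = []
    for version in (4, 6):  # collapse_addresses() cannot mix IPv4 and IPv6
        addrs = [a for a in hits if a.version == version]
        blocks += [str(n) for n in ipaddress.collapse_addresses(addrs)]
    return blocks


if __name__ == "__main__":
    hits, rejected = parse_hits(SAMPLE_LOG)
    print("\n".join(build_blocklist(hits)))
```

Collapsing only merges adjacent addresses that were all seen, so the resulting CIDR blocks never cover a host that did not appear in the log.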