
Blocking the Welchia worm



I've been getting a lot of logging like below in my Apache logs from the 
Welchia webdav exploit.  It's over 20MB since last Sunday and the activity 
has caused some denial of service.

d53-129-180.nap.wideopenwest.com - - [07/Apr/2004:19:04:43 -0500] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\...etc.

I tried the following rule to drop the pings, but the worm is still trying to 
infect my webserver (it's 34,000 characters long).  I didn't think the worm 
was supposed to send the overflow if the ping isn't responded to.

/sbin/iptables -A FORWARD -p icmp --icmp-type echo-request -m length --length 92 -j DROP

The rule is from:
http://support.imagestream.com/iptables_worm.html

I don't think the invalid state would drop it, because it's a new packet.

Does anyone know how to drop this traffic other than by ip (there are too 
many)?

Thanks for any tips.
Steve
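As an added example (editor's code, not part of Steve's post): the request line the worm sends is its own signature, so instead of blocking by source address you can match on it, both when reviewing the Apache log and on the wire. Apache writes non-printable request bytes as \xNN escapes, so the 0x90 NOP sled shows up in the log as the literal text "\x90"; the script below flags SEARCH requests whose path starts that way, counts them per client, and builds an iptables string-match rule for the raw bytes. The log lines are constructed to resemble the one quoted above (status codes and the second and third hosts are made up), and the rule assumes a kernel with the xt_string match available, which the post does not mention.

```python
"""Flag Welchia-style WebDAV SEARCH probes in Apache access logs.

Added example, not from the original post. Sample log lines are constructed;
the first mimics the line quoted in the post, the rest are placeholders.
"""
import re
from collections import Counter

# Constructed sample log (raw strings, so "\x90" stays as the literal escape
# text Apache writes into the file rather than a real 0x90 byte).
SAMPLE_LOG = [
    r'd53-129-180.nap.wideopenwest.com - - [07/Apr/2004:19:04:43 -0500] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1 HTTP/1.1" 414 0 "-" "-"',
    r'10.0.0.7 - - [07/Apr/2004:19:05:01 -0500] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    r'192.0.2.44 - - [07/Apr/2004:19:05:09 -0500] "SEARCH /\x90\x02\xb1\x02\xb1 HTTP/1.1" 414 0 "-" "-"',
    r'192.0.2.44 - - [07/Apr/2004:19:06:10 -0500] "SEARCH /\x90\x02\xb1 HTTP/1.1" 414 0 "-" "-"',
    r'10.0.0.9 - - [07/Apr/2004:19:06:30 -0500] "SEARCH / HTTP/1.1" 501 0 "-" "-"',
]

# Apache common/combined format: client ident user [timestamp] "request" ...
# The closing quote of the request is optional so a truncated line still parses.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)'
)

# Signature of the request line: SEARCH method, path beginning with the
# escaped 0x90 NOP. A plain "SEARCH /" without the sled is not flagged.
SEARCH_SLED_RE = re.compile(r'^SEARCH /\\x90')

# The same signature as raw wire bytes: "SEARCH /" followed by the 0x90 NOP.
WIRE_SIGNATURE = b"SEARCH /\x90"


def parse_line(line):
    """Return (client, request_line) for an Apache access-log line, or None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return m.group("client"), m.group("request")


def is_welchia_probe(request):
    """True if the request line carries the SEARCH + NOP-sled signature."""
    return SEARCH_SLED_RE.match(request) is not None


def scan(lines):
    """Count Welchia-style SEARCH probes per client host across log lines."""
    hits = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # unparseable line, skip rather than guess
        client, request = parsed
        if is_welchia_probe(request):
            hits[client] += 1
    return hits


def iptables_string_rule(chain="INPUT", port=80):
    """Build an iptables rule that drops TCP segments carrying the signature.

    Assumption (not from the post): the kernel provides the xt_string match
    used by "-m string". The rule is returned as text; nothing is executed.
    """
    hexbytes = " ".join(f"{b:02x}" for b in WIRE_SIGNATURE)
    return (f"iptables -A {chain} -p tcp --dport {port} "
            f"-m string --algo bm --hex-string \"|{hexbytes}|\" -j DROP")


if __name__ == "__main__":
    for host, count in scan(SAMPLE_LOG).most_common():
        print(f"{count:4d}  {host}")
    print(iptables_string_rule())
```

Two points worth checking before relying on the firewall side of this. The ICMP rule quoted in the post is on the FORWARD chain, which only sees packets routed through the box; if the web server is the same host running iptables, locally delivered pings traverse INPUT instead, and the same applies to the string-match rule above (use `chain="FORWARD"` when the filter sits in front of a separate server). Also, `-m length` compares the total IP packet length, so 92 is right for the worm's 64-byte echo payload plus 8 bytes of ICMP and 20 bytes of IP header, but a host with IP options or a different payload size will slip past it.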

