
Re: Blocking the Welchia worm



There are too many, would you like a list? The rule you have drops
pings. This won't stop ppl from trying to infect whole networks with
the virus, only stop some strains from trying.

There is the string match in patch-o-matic from netfilter.org.

--- steve <sdoerr907@everestkc.net> wrote:
> I've been getting a lot of logging like below in my Apache logs from the
> Welchia webdav exploit.  It's over 20MB since last Sunday and the
> activity has caused some denial of service.
> 
> d53-129-180.nap.wideopenwest.com - - [07/Apr/2004:19:04:43 -0500] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\...etc.
> 
> I tried the following rule to drop the pings, but the worm is still
> trying to infect my webserver (it's 34,000 characters long).  I didn't
> think the worm was supposed to send the overflow if the ping isn't
> responded to.
> 
> /sbin/iptables -A FORWARD -p icmp --icmp-type echo-request -m length --length 92 -j DROP
> 
> The rule is from:
> http://support.imagestream.com/iptables_worm.html
> 
> I don't think the invalid state would drop it, because it's a new
> packet.
> 
> Does anyone know how to drop this traffic other than by ip (there are
> too many)?
> 
> Thanks for any tips.
> Steve
> 
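
Added example, not part of either post: a Python sketch that counts, per source host, the SEARCH requests matching the pattern quoted from the Apache log above, which helps size the problem before choosing a filter. The 1000-character threshold, the host names and the sample log lines are assumptions constructed for this example.

```python
import re
from collections import Counter

# Apache common log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>.*)" (?P<status>\d{3}) \S+$'
)
# Apache writes non-printable request bytes as literal \xhh text, so the
# signature quoted in the post appears in the log as backslash sequences.
PROBE_PREFIX = r"/\x90" + r"\x02\xb1" * 4
MIN_URI_LEN = 1000  # assumed threshold; ordinary SEARCH URIs are far shorter


def is_overflow_probe(request):
    """True for a SEARCH request whose URI matches the quoted pattern."""
    method, _, rest = request.partition(" ")
    uri = rest.split(" ")[0]
    return (method == "SEARCH" and uri.startswith(PROBE_PREFIX)
            and len(uri) >= MIN_URI_LEN)


def summarize(lines):
    """Count probe requests per source host; skip lines that do not parse."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m and is_overflow_probe(m.group("request")):
            hits[m.group("host")] += 1
    return hits


# Constructed sample log lines (hosts, times and status codes are made up).
LONG_URI = r"/\x90" + r"\x02\xb1" * 500
SAMPLE = [
    'host-a.example.net - - [07/Apr/2004:19:04:43 -0500] "SEARCH %s" 414 340' % LONG_URI,
    'host-a.example.net - - [07/Apr/2004:19:05:10 -0500] "SEARCH %s" 414 340' % LONG_URI,
    'host-b.example.net - - [07/Apr/2004:19:06:02 -0500] "SEARCH %s" 414 340' % LONG_URI,
    'host-c.example.net - - [07/Apr/2004:19:07:15 -0500] "SEARCH /docs HTTP/1.1" 207 512',
    'host-d.example.net - - [07/Apr/2004:19:08:00 -0500] "GET /index.html HTTP/1.0" 200 1043',
    'truncated garbage line',
]

if __name__ == "__main__":
    for host, count in summarize(SAMPLE).most_common():
        print(f"{host}\t{count}")
```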

