Blocking the Welchia worm
I've been getting a lot of logging like below in my Apache logs from the
Welchia webdav exploit. It's over 20MB since last Sunday and the activity
has caused some denial of service.
d53-129-180.nap.wideopenwest.com - - [07/Apr/2004:19:04:43 -0500] "SEARCH
/\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\...etc.
I tried the following rule to drop the pings, but the worm is still trying to
infect my webserver (it's 34,000 characters long). I didn't think the worm
was supposed to send the overflow if the ping isn't responded to.
/sbin/iptables -A FORWARD -p icmp --icmp-type echo-request -m length --length 92 -j DROP
The rule is from:
http://support.imagestream.com/iptables_worm.html
I don't think the invalid state would drop it, because it's a new packet.
Does anyone know how to drop this traffic other than by IP (there are too
many)?
Thanks for any tips.
Steve
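Added example, not from Steve's post: a small POSIX shell script that pulls the WebDAV SEARCH requests out of an Apache access log (counting them and listing the sending hosts) and then prints the iptables rule that would drop that request pattern by content rather than by source address. The log lines inside it are constructed for the example; the rule relies on the iptables "string" match (-m string), which is an assumption about the kernel and iptables build on the box. The chain name is a parameter because the rule above uses FORWARD, which suggests the box is routing for the web server.

```sh
#!/bin/sh
# Constructed sample access-log lines in Apache common log format. Apache writes
# non-printable request bytes as the four-character text "\x90", which is what
# the grep patterns below look for (the literal text, not a raw byte).
SAMPLE_LOG='d53-129-180.nap.wideopenwest.com - - [07/Apr/2004:19:04:43 -0500] "SEARCH /\x90\x02\xb1\x02\xb1 HTTP/1.1" 411 313 "-" "-"
192.0.2.10 - - [07/Apr/2004:19:05:01 -0500] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
198.51.100.7 - - [07/Apr/2004:19:06:12 -0500] "SEARCH /\x90\x02\xb1\x02\xb1 HTTP/1.1" 411 313 "-" "-"
d53-129-180.nap.wideopenwest.com - - [07/Apr/2004:19:07:30 -0500] "SEARCH /\x90\x02\xb1\x02\xb1 HTTP/1.1" 411 313 "-" "-"'

# Number of SEARCH requests whose URI starts with the escaped 0x90 byte.
# Use $1 as a log file if given; otherwise read the constructed sample.
count_welchia_hits() {
    if [ -n "$1" ]; then
        grep -c '"SEARCH /\\x90' "$1"
    else
        printf '%s\n' "$SAMPLE_LOG" | grep -c '"SEARCH /\\x90'
    fi
}

# Distinct sending hosts with their hit counts, busiest first. Useful for
# seeing how many sources there are before deciding on per-IP blocking.
welchia_sources() {
    if [ -n "$1" ]; then
        grep '"SEARCH /\\x90' "$1"
    else
        printf '%s\n' "$SAMPLE_LOG" | grep '"SEARCH /\\x90'
    fi | awk '{print $1}' | sort | uniq -c | sort -rn
}

# Print (do not run) an iptables rule that drops TCP port 80 packets whose
# payload contains "SEARCH /" followed by a 0x90 byte. This needs the iptables
# string match module (-m string), assumed to be available. A broader rule
# using --string 'SEARCH /' would drop every WebDAV SEARCH request instead.
welchia_rules() {
    chain=${1:-INPUT}
    printf '%s\n' "iptables -A $chain -p tcp --dport 80 -m string --algo bm --hex-string '|53 45 41 52 43 48 20 2f 90|' -j DROP"
}

# Stand-alone run against the constructed sample.
echo "SEARCH/0x90 requests: $(count_welchia_hits)"
echo "Sources:"
welchia_sources
echo "Suggested rule (FORWARD chain):"
welchia_rules FORWARD
```

Run it as "sh script.sh" to see the sample output, or call count_welchia_hits /var/log/apache/access_log and welchia_sources /var/log/apache/access_log against a real log. The string match inspects one packet at a time, which is fine here because the request line and the start of the overflow sit in the first data packet.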