
Re: Blocking the Welchia worm



On Wednesday 07 April 2004 10:59 pm, Mike Mestnik wrote:
> There are too many, would you like a list?  The rule you have drops
> pings.  This won't stop ppl from trying to infect whole networks with
> the virus, only stop some strains from trying.
>
> There is the string match in patch-o-matic from netfilter.org.
Thank you for the information.

This reference might be useful for anyone else trying to do this.
http://www.linuxsecurity.com/feature_stories/feature_story-148.html

I tried to stop the ping because everyone is reporting that the welchia worm 
pings to see if there is a machine there before sending the malicious packet 
to port 80.

The rule allows normal pings - welchia apparently is unique with its size of 
92.

Thanks again,
Steve

>
> --- steve <sdoerr907@everestkc.net> wrote:
> > I've been getting a lot of logging like below in my Apache logs from the
> > Welchia webdav exploit.  It's over 20MB since last Sunday and the activity
> > has caused some denial of service.
> >
> > d53-129-180.nap.wideopenwest.com - - [07/Apr/2004:19:04:43 -0500] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\...etc.
> >
> > I tried the following rule to drop the pings, but the worm is still trying to
> > infect my webserver (it's 34,000 characters long).  I didn't think the worm
> > was supposed to send the overflow if the ping isn't responded to.
> >
> > /sbin/iptables -A FORWARD -p icmp --icmp-type echo-request -m length --length 92 -j DROP
> >
> > The rule is from:
> > http://support.imagestream.com/iptables_worm.html
> >
> > I don't think the invalid state would drop it, because it's a new packet.
> >
> > Does anyone know how to drop this traffic other than by ip (there are too
> > many)?
> >
> > Thanks for any tips.
> > Steve
>
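
An added example, not part of the original thread: a small Python script that picks the Welchia-style WebDAV requests (method SEARCH, URI starting with the escaped `\x90` byte, very long) out of an Apache access log and counts them per source host, which shows how many distinct senders are behind the 20MB of log noise. The sample log lines, host names and the 1024-character length threshold are constructed assumptions.

```python
import re
from collections import Counter

# Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>.*)" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Assumption: anything this long is not a normal WebDAV SEARCH URI.
MIN_URI_LEN = 1024


def is_welchia_search(request):
    """True for a SEARCH request whose URI starts with the logged
    escape sequence \\x90 and is abnormally long."""
    method, _, rest = request.partition(" ")
    if method != "SEARCH":
        return False
    uri = rest.split(" ")[0]  # the protocol field may be missing
    return uri.startswith("/\\x90") and len(uri) >= MIN_URI_LEN


def summarize(lines):
    """Count matching requests per source host."""
    hits = Counter()
    for line in lines:
        m = CLF.match(line.rstrip("\n"))
        if m and is_welchia_search(m.group("request")):
            hits[m.group("host")] += 1
    return hits


# Constructed sample input: padding imitates the pattern quoted in the thread.
_PAD = "/\\x90" + "\\x02\\xb1" * 400
SAMPLE = [
    'host-a.example.net - - [07/Apr/2004:19:04:43 -0500] "SEARCH %s" 414 340' % _PAD,
    'host-b.example.net - - [07/Apr/2004:19:04:51 -0500] "SEARCH %s" 414 340' % _PAD,
    '192.0.2.10 - - [07/Apr/2004:19:05:02 -0500] "GET /index.html HTTP/1.1" 200 5120',
    '192.0.2.11 - - [07/Apr/2004:19:05:09 -0500] "SEARCH /docs/ HTTP/1.1" 207 880',
    'host-a.example.net - - [07/Apr/2004:19:06:17 -0500] "SEARCH %s" 414 340' % _PAD,
]

if __name__ == "__main__":
    for host, count in summarize(SAMPLE).most_common():
        print(count, host)
```
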


