Re: New IIS worm

(2001-09-18) Emmanuel Valliet sed :

 | I know we don't care on Linux, but I have really a lot of hits from
 | machines querying for the ..%%35c../winnt/system32/cmd.exe and the like.
 | And it starts to make a lot of Apache children, and the overall load
 | grows accordingly.
 | Is there a way to protect against that?
 | Using an Apache configuration trick?
 | Or blacklisting and using some firewall rules behind it?
 | If anyone knows how to do it, or has already written the script that kicks
 | these infected servers, it could interest me...

Hum, writing a script that parses the logs and catches the bad servers was
easy. But I didn't realize that the infection could be that big and

Euh.... can ipchains or iptables support more than 1500 deny rules?
I don't think so...

Anyway, it doesn't matter, my Apache servers seem to survive the
"flood"; I'm just happy to have a big CPU and lots of memory.

Just the script, if you want to count the worm hits on your box
(really not a piece of art):


#!/usr/bin/perl -w
use strict;

my %bannlist;

while (<>) {
  # Keep only log lines that look like the worm's cmd.exe probes
  next if not /^(.*) - -.*GET \/scripts\/.*winnt.*\/cmd.exe.*$/;
  my $host = $1;
  # Report each infected host only once
  next if $bannlist{$host};
  $bannlist{$host} = 1;
#  system("/sbin/ipchains -A input -p tcp -s $host -d www -j DENY");
  print "Worm victim: $host\n";
}

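The same log triage as an added example in Python (not from the post above): it parses Apache combined-log lines, flags the worm's cmd.exe and root.exe probe URLs, and counts hits per source address so that one infected host yields one entry rather than one rule per request. The log lines are constructed sample data, with RFC 5737 documentation addresses.

```python
import re
from collections import Counter

# Constructed sample access-log lines (not from the original message).
SAMPLE_LOG = """\
192.0.2.10 - - [18/Sep/2001:10:12:01 +0200] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 280
192.0.2.10 - - [18/Sep/2001:10:12:02 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 280
198.51.100.7 - - [18/Sep/2001:10:12:05 +0200] "GET /index.html HTTP/1.1" 200 1043
203.0.113.5 - - [18/Sep/2001:10:12:09 +0200] "GET /msadc/..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 280
192.0.2.10 - - [18/Sep/2001:10:12:11 +0200] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 280
"""

# Common/combined log format: host, ident, user, [time], "method path proto", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3})')

# The probe URLs vary in their traversal encoding (%%35c, %255c, %c1%1c, ...)
# but always name cmd.exe under winnt/system32 or a copy dropped as root.exe.
WORM_RE = re.compile(r'(?i)(winnt/system32/cmd\.exe|/root\.exe)')


def worm_hits(lines):
    """Return a Counter mapping source host -> number of worm probe requests."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected log format
        host, method, path, status = m.groups()
        if method == "GET" and WORM_RE.search(path):
            hits[host] += 1
    return hits


def infected_hosts(lines):
    """Sorted list of distinct hosts that sent at least one probe."""
    return sorted(worm_hits(lines))


if __name__ == "__main__":
    for host, count in worm_hits(SAMPLE_LOG.splitlines()).most_common():
        print(f"Worm victim: {host} ({count} hits)")
```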