
Re: New IIS worm



* Johann Schwarzmeier (Johann.Schwarzmeier@gmx.de) [010921 14:25]:
> Hello, 
> 
> Hint: see what I've done:
> 
> /etc/apache/srm.conf:
> Alias /c/winnt/system32/cmd.exe /usr/lib/cgi-bin/block.cgi
> Alias /d/winnt/system32/cmd.exe /usr/lib/cgi-bin/block.cgi
> 
> The CGI:
> 
> #!/bin/sh
> # Tell Apache what we are sending back, then taunt the scanner.
> echo "Content-type: text/plain"
> echo
> echo "You come from : ${REMOTE_ADDR}"
> 
> # Block the source address in both directions (needs sudo, see below).
> sudo ipchains -I wan-in -j DENY -l -s "${REMOTE_ADDR}"
> sudo ipchains -I wan-out -j DENY -l -s "${REMOTE_ADDR}"
> 
> 
> keep in mind: sudo ! 
> /etc/sudoers
> .
> Cmnd_Alias FIREWALL=/sbin/ipchains
> .
> www-data ALL=NOPASSWD: WWW,FIREWALL

careful with that... someone who breaks your apache will have permission
to do, say:

sudo ipchains -P input ACCEPT
sudo ipchains -F input

> 
> it works fine. The cracker comes only one time. :-)

On the whole, I'm sure it does, and the risk is acceptably slim. One way
to reduce the risk further would be to specify the specific arguments to
ipchains, or make a wrapper script something like this:

#!/bin/sh
# /usr/local/sbin/nimdablocker.sh: give me $1, and I block him.
# Refuse anything but a plain dotted quad, so the caller can't pass
# "0.0.0.0/0", an option, or extra ipchains arguments through sudo.
case "$1" in
  ""|*[!0-9.]*) echo "usage: $0 a.b.c.d" >&2; exit 1 ;;
esac
ipchains -I wan-in -j DENY -l -s "$1"
ipchains -I wan-out -j DENY -l -s "$1"
#EOF


and allow that via sudo instead.

-- 
Vineet                                   http://www.anti-dmca.org
Unauthorized use of this .sig may constitute violation of US law.
echo Qba\'g gernq ba zr\!             |tr 'a-zA-Z' 'n-za-mN-ZA-M'
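A fuller version of the wrapper idea from the reply above, added here as an example (it is not the poster's script): the only thing www-data can reach through sudo is this script, and the script refuses to touch the firewall unless its single argument is a plain IPv4 address, so a caller cannot feed it a CIDR range, a second token, or an ipchains option. The wan-in/wan-out chain names are taken from the thread; the script name blockip.sh, the function names, the DRY_RUN variable, the sudoers lines in the comment and the address 192.0.2.10 are assumptions made for the example.

```sh
#!/bin/sh
# blockip.sh (assumed name): block one source address on the wan-in and
# wan-out ipchains chains from the thread. Added example, not the
# poster's script.
#
# Matching sudoers grant (assumed; replaces the bare ipchains alias):
#   Cmnd_Alias FIREWALL=/usr/local/sbin/blockip.sh
#   www-data ALL=NOPASSWD: FIREWALL
# www-data then gets only this script, not "ipchains -F" or "-P".

# validate_ip ADDR: succeed only for a plain dotted quad with every
# octet in 0..255. Rejects "", options such as "-F", CIDR suffixes,
# and anything containing whitespace or extra tokens.
validate_ip() {
    addr=$1
    case "$addr" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, bad chars, bad dots
    esac
    # The dot checks above guarantee no empty fields, so splitting on
    # whitespace after tr is safe with the default IFS.
    set -- $(printf '%s' "$addr" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$1" "$2" "$3" "$4"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# block_cmds ADDR: print the ipchains commands that would be run, one
# per line, without running them; fails (prints nothing) on bad input.
block_cmds() {
    validate_ip "$1" || return 1
    printf 'ipchains -I wan-in -j DENY -l -s %s\n' "$1"
    printf 'ipchains -I wan-out -j DENY -l -s %s\n' "$1"
}

# block ADDR: apply the rules for real (as root, i.e. invoked via sudo).
block() {
    validate_ip "$1" || { echo "refusing to block '$1'" >&2; return 1; }
    ipchains -I wan-in -j DENY -l -s "$1" &&
    ipchains -I wan-out -j DENY -l -s "$1"
}

# Script entry point; skipped when the file is sourced for testing.
# "DRY_RUN=1 ./blockip.sh 192.0.2.10" prints the commands instead.
case "${0##*/}" in
    blockip.sh)
        if [ "${DRY_RUN:-0}" = 1 ]; then block_cmds "$1"; else block "$1"; fi
        ;;
esac
```

The CGI from the first post would then call `sudo /usr/local/sbin/blockip.sh "${REMOTE_ADDR}"`; Apache already guarantees REMOTE_ADDR is a bare address, but the check is what keeps the script safe if it is ever reachable some other way.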
