
Re: New IIS worm



Doesn't this leave you open to DOS attacks? I'm thinking that source IP
addresses are relatively easy to forge, and hence an attacker can forge
a nimda attack and cause you to block off legitimate IP addresses -
i.e. your DNS server or default gateway...

On Fri, Sep 21, 2001 at 10:37:58PM +0200, Johann Schwarzmeier wrote:
> Hello, 
> 
> Hint: see what I've done:
> 
> /etc/apache/srm.conf:
> Alias /c/winnt/system32/cmd.exe /usr/lib/cgi-bin/block.cgi
> Alias /d/winnt/system32/cmd.exe /usr/lib/cgi-bin/block.cgi
> 
> The CGI:
> 
> #!/bin/sh
> # CGI header Apache requires before any body text
> echo "Content-Type: text/plain"
> echo
> echo "You come from : ${REMOTE_ADDR}"
> 
> # block the probing host in both directions (chains are site-specific)
> sudo ipchains -I wan-in -j DENY -l -s ${REMOTE_ADDR}
> sudo ipchains -I wan-out -j DENY -l -s ${REMOTE_ADDR}
> 
> 
> keep in mind: sudo ! 
> /etc/sudoers
> .
> Cmnd_Alias FIREWALL=/sbin/ipchains
> .
> www-data ALL=NOPASSWD: WWW,FIREWALL
> 
> it works fine. The cracker comes only one time. :-)
> 
> 
> 
> On Thursday 20 September 2001 03:48, R Allen Blowers wrote:
> > You could use the hosts.deny file for this also, no?
> >
> > Best Regards, Allen
> >
> > > -----Original Message-----
> > > From: Emmanuel Valliet [mailto:emmanuel.valliet@webmotion.com]
> > > Sent: Tuesday, September 18, 2001 8:09 PM
> > > To: debian-security@lists.debian.org
> > > Subject: Re: New IIS worm
> > >
> > > (2001-09-18) Emmanuel Valliet sed :
> > >  | I know we don't care on linux, but I have really a lot of hits from
> > >  | machine querying for the ..%%35c../winnt/system32/cmd.exe and Cie.
> > >  | And it starts to make a lot of apache children, and the global charge
> > >  | grows consequently.
> > >  | Is there a way to protect from that ?
> > >  | Using an apache configuration trick ?
> > >  | Or blacklisting and using some firewall rules behind ?
> > >  | If anyone knows how to do, or has already done the script that kicks
> > >  | these infected servers, it could interest me...
> > >
> > > Hum, doing a script that parses the logs and catches the bad servers was
> > > easy. But I didn't realize that the infection could be that big and
> > > quick.
> > >
> > > Euh.... can ipchains or iptables support more than 1500 denying
> > > rules? I don't think so...
> > >
> > > Anyway, it doesn't matter, my apache servers seem to survive the
> > > "flood", I'm just happy to have a big CPU and lots of memory.
> > >
> > > Just the script, if you want to count the worm hit on your box:
> > > (really not a piece of art)
> > >
> > > #!/usr/bin/perl
> > > # Count worm hits per source host from Apache access logs read on stdin.
> > > use strict;
> > > use warnings;
> > >
> > > my %bannlist;   # hosts already reported, so each one is listed once
> > >
> > > while (<>) {
> > >   # match the cmd.exe probes; $1 is the client address at the start of the line
> > >   next if not /^(.*) - -.*GET \/scripts\/.*winnt.*\/cmd.exe.*$/;
> > >   my $host = $1;
> > >   next if $bannlist{$host};
> > >   $bannlist{$host} = 1;
> > >   # uncomment to firewall the host (this line was wrapped by the mailer)
> > >   # system("/sbin/ipchains -A input -p tcp -s $host -d 10.0.2.138 www -j DENY");
> > >   print "Worm victim: $host\n";
> > > }
> > >
> > >
> > > --
> > > VALLIET Emmanuel       !   http://www.webmotion.com
> > > Webmotion Inc.         !   mailto:emmanuel.valliet@webmotion.com
> > > Oxymoron: Stuck in traffic.
> > >
> > >
> > >
> > > --
> > > To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
> > > with a subject of "unsubscribe". Trouble? Contact
> > > listmaster@lists.debian.org
> 
> 

-- 
Karl E. Jørgensen
karl@jorgensen.com
www.karl.jorgensen.com
==== Today's fortune:
The rate at which a disease spreads through a corn field is a precise
measurement of the speed of blight.
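To make the thread's approach concrete, here is an added example (not code from any poster), in Python rather than Perl: it parses constructed Apache log lines for the cmd.exe probes, lists each source once, and keeps an allowlist of hosts such as the resolver and default gateway that Karl points out you cannot afford to block. The sample addresses, the allowlist entries and the ipchains command format are assumptions; the rules are only returned for review, never executed.

```python
import re
import ipaddress

# Apache access-log lines, constructed for this example (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [21/Sep/2001:10:01:02 +0200] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 306
203.0.113.7 - - [21/Sep/2001:10:01:03 +0200] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 306
198.51.100.5 - - [21/Sep/2001:10:02:00 +0200] "GET /index.html HTTP/1.0" 200 1234
192.0.2.53 - - [21/Sep/2001:10:03:00 +0200] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 306
"""

# Matches the cmd.exe probes the thread describes (/scripts/..., /c/..., /d/...).
# The encoded "..%255c.." traversal is irrelevant: we key only on winnt...cmd.exe.
WORM_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "GET \S*winnt\S*/cmd\.exe', re.IGNORECASE)

# Hosts that must never be firewalled even if a probe appears to come from them
# (Karl's DNS server / default gateway case). Assumed values for this example.
NEVER_BLOCK = [ipaddress.ip_network("192.0.2.53/32"),   # resolver
               ipaddress.ip_network("192.0.2.1/32")]    # default gateway

def worm_sources(log_text, never_block=NEVER_BLOCK):
    """Return (to_block, skipped): unique probe sources in first-seen order,
    split into those safe to block and those allowlisted or unparsable."""
    to_block, skipped, seen = [], {}, set()
    for line in log_text.splitlines():
        m = WORM_RE.match(line)
        if not m:
            continue
        host = m.group(1)
        if host in seen:          # one entry per source, as in the Perl script
            continue
        seen.add(host)
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:        # HostnameLookups on: not an address, don't guess
            skipped[host] = "not an IP address"
            continue
        if any(addr in net for net in never_block):
            skipped[host] = "on allowlist"
            continue
        to_block.append(host)
    return to_block, skipped

def deny_rules(hosts):
    """Build the ipchains commands for an operator to review (not executed here)."""
    return [f"ipchains -A input -p tcp -s {h} -j DENY -l" for h in hosts]

if __name__ == "__main__":
    block, skip = worm_sources(SAMPLE_LOG)
    print("\n".join(deny_rules(block)))
    for host, why in skip.items():
        print(f"# skipped {host}: {why}")
```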


