
RE: New IIS worm



You could use the hosts.deny file for this also, no?

Best Regards, Allen

> -----Original Message-----
> From: Emmanuel Valliet [mailto:emmanuel.valliet@webmotion.com]
> Sent: Tuesday, September 18, 2001 8:09 PM
> To: debian-security@lists.debian.org
> Subject: Re: New IIS worm
> 
> 
> (2001-09-18) Emmanuel Valliet sed :
> 
>  |
>  | I know we don't care on linux, but I have really a lot of hits from
>  | machines querying for the ..%%35c../winnt/system32/cmd.exe and Cie.
>  | And it starts to make a lot of apache children, and the global charge
>  | grows consequently.
>  | Is there a way to protect from that ?
>  | Using an apache configuration trick ?
>  | Or blacklisting and using some firewall rules behind ?
>  | If anyone knows how to do, or has already done the script that kicks
>  | these infected servers, it could interest me...
> 
> Hum, doing a script that parses the logs and catches the bad servers was
> easy. But I didn't realize that the infection could be that big and
> quick.
> 
> Euh.... can ipchains or iptables support more than 1500 deny rules?
> I don't think so...
> 
> Anyway, it doesn't matter, my apache servers seem to survive the
> "flood", I'm just happy to have a big CPU and lots of mem.
> 
> Just the script, if you want to count the worm hits on your box:
> (really not a piece of art)
> 
> #!/usr/bin/perl
> use strict;
> use warnings;
> 
> # hosts already reported (and, if the system() line is enabled, already blocked)
> my %bannlist;
> 
> while (<>) {
>   # Apache access log: the remote host is the first field, before " - -"
>   next if not /^(\S+) - -.*GET \/scripts\/.*winnt.*\/cmd\.exe.*$/;
>   my $host = $1;
>   next if $bannlist{$host};
>   $bannlist{$host} = 1;
>   # optional: drop the host at the firewall (10.0.2.138 is the web server's own address)
>   # system("/sbin/ipchains -A input -p tcp -s $host -d 10.0.2.138 www -j DENY");
>   print "Worm victim: $host\n";
> }
> 
> 
> -- 
> VALLIET Emmanuel       !   http://www.webmotion.com
> Webmotion Inc.         !   mailto:emmanuel.valliet@webmotion.com
> Oxymoron: Stuck in traffic.
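The same log check as an added example in Python (it is not the script from the post above and not part of the original thread). Unlike the Perl one-liner it first undoes the worm's double percent-encoding, so `..%%35c..` and `..%255c..` both normalize to `../../` before matching, and it counts probes per source host as well as keeping the de-duplicated host list a firewall rule or hosts.deny entry would be built from. The log lines are constructed samples in Apache common log format using documentation address ranges.

```python
import re
from collections import Counter
from urllib.parse import unquote_to_bytes

# Constructed sample access-log lines (Apache common log format, documentation
# address ranges); the request paths mimic the probes described in the thread.
SAMPLE_LOG = """\
192.0.2.10 - - [18/Sep/2001:20:01:02 +0200] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 279
192.0.2.10 - - [18/Sep/2001:20:01:03 +0200] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 279
198.51.100.7 - - [18/Sep/2001:20:01:05 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 279
203.0.113.5 - - [18/Sep/2001:20:01:09 +0200] "GET /index.html HTTP/1.0" 200 1043
198.51.100.7 - - [18/Sep/2001:20:01:11 +0200] "GET /_vti_bin/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 279
"""

# host, ident, user, [timestamp], "METHOD path ..." is all of the line we need
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)')
# The executables the worm is after once the path tricks are undone.
PROBE_RE = re.compile(r'/(cmd|root)\.exe$', re.IGNORECASE)


def normalize_path(path):
    """Percent-decode twice (so %%35c -> %5c -> backslash) and fold backslashes to '/'."""
    raw = unquote_to_bytes(unquote_to_bytes(path))
    return raw.decode("latin-1").replace("\\", "/")


def is_worm_probe(path):
    """True if the request (query string stripped) targets cmd.exe or root.exe."""
    return PROBE_RE.search(normalize_path(path.split("?", 1)[0])) is not None


def worm_hits(log_text):
    """Count worm probes per source host; also return hosts in first-seen order."""
    hits = Counter()
    order = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_worm_probe(m.group("path")):
            continue
        host = m.group("host")
        if host not in hits:
            order.append(host)
        hits[host] += 1
    return hits, order


if __name__ == "__main__":
    counts, hosts = worm_hits(SAMPLE_LOG)
    for host in hosts:
        print(f"Worm victim: {host} ({counts[host]} probes)")
```

Feed a real access log with `worm_hits(open("access.log").read())`; the decoded path, not the raw one, is what to match on, since the worm varies the encoding of the traversal from request to request.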