Re: New IIS worm
Hello,
Hint: see wat iv'ed done:
/etc/apache/srm.conf:
Alias /c/winnt/system32/cmd.exe /usr/lib/cgi-bin/block.cgi
Alias /d/winnt/system32/cmd.exe /usr/lib/cgi-bin/block.cgi
The CGI:
echo "You come from : ${REMOTE_ADDR}"
sudo ipchains -I wan-in -j DENY -l -s ${REMOTE_ADDR}
sudo ipchains -I wan-out -j DENY -l -s ${REMOTE_ADDR}
keep in mind: sudo !
/etc/sudoers
.
Cmnd_Alias FIREWALL=/sbin/ipchains
.
www-data ALL=NOPASSWD: WWW,FIREWALL
it works fine. The cracker come only one time. :-)
On Thursday 20 September 2001 03:48, R Allen Blowers wrote:
> You could use the hosts.deny file for this also, no?
>
> Best Regards, Allen
>
> > -----Original Message-----
> > From: Emmanuel Valliet [mailto:emmanuel.valliet@webmotion.com]
> > Sent: Tuesday, September 18, 2001 8:09 PM
> > To: debian-security@lists.debian.org
> > Subject: Re: New IIS worm
> >
> > (2001-09-18) Emmanuel Valliet sed :
> > | I know we don't care on linux, but I have reallly a lot of hits from
> > | machine querying for the ..%%35c../winnt/system32/cmd.exe and Cie.
> > | And it starts to make a lot of apache childs, and the global charge
> > | grows consequently.
> > | Is there a way to protect from that ?
> > | Using an apache configuration trick ?
> > | Or blacklisting and using some firewall rules behind ?
> > | If anyone knows how to do, or has already done the script that kicks
> > | these infected servers, it could interest me...
> >
> > Hum, doing a script that parse the logs and catch the bad servers was
> > easy. But I didn't realize that the infection could be that big and
> > quick.
> >
> > Euh.... can ipchains or iptables support some more 1500 denying rules
> > ? I don't think so...
> >
> > Anyway, it doesn't matter, my apache servers seem to survive the
> > "flood", I'm just happy to have big CPU and lot of mem.
> >
> > Just the script, if you want to count the worm hit on your box:
> > (really not a piece of art)
> >
> > #!/usr/bin/perl
> >
> > my %bannlist;
> >
> > while (<>) {
> > next if not /^(.*) - -.*GET \/scripts\/.*winnt.*\/cmd.exe.*$/;
> > $host=$1;
> > next if $bannlist{"$host"};
> > $bannlist{"$host"}=1;
> > # system("/sbin/ipchains -A input -p tcp -s $host -d 10.0.2.138 www
> > -j DENY");
> > print "Worm victim: $host\n";
> > }
> >
> >
> > --
> > VALLIET Emmanuel ! http://www.webmotion.com
> > Webmotion Inc. ! mailto:emmanuel.valliet@webmotion.com
> > Oxymoron: Stuck in traffic.
> >
> >
> >
> > --
> > To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
> > with a subject of "unsubscribe". Trouble? Contact
> > listmaster@lists.debian.org
Reply to: