Re: New IIS worm

To: debian-security@lists.debian.org
Subject: Re: New IIS worm
From: Johann Schwarzmeier <Johann.Schwarzmeier@gmx.de>
Date: Fri, 21 Sep 2001 22:37:58 +0200
Message-id: <[🔎] 01092122375800.04805@merlin01>
In-reply-to: <[🔎] 000e01c14176$64888720$6501a8c0@rab1>
References: <[🔎] 000e01c14176$64888720$6501a8c0@rab1>

Hello, 

Hint: see wat iv'ed done:

/etc/apache/srm.conf:
Alias /c/winnt/system32/cmd.exe /usr/lib/cgi-bin/block.cgi
Alias /d/winnt/system32/cmd.exe /usr/lib/cgi-bin/block.cgi

The CGI:

echo "You come from : ${REMOTE_ADDR}"

sudo ipchains -I wan-in -j DENY -l -s ${REMOTE_ADDR}
sudo ipchains -I wan-out -j DENY -l -s ${REMOTE_ADDR}


keep in mind: sudo ! 
/etc/sudoers
.
Cmnd_Alias FIREWALL=/sbin/ipchains
.
www-data ALL=NOPASSWD: WWW,FIREWALL

it works fine. The cracker come only one time. :-)



On Thursday 20 September 2001 03:48, R Allen Blowers wrote:
> You could use the hosts.deny file for this also, no?
>
> Best Regards, Allen
>
> > -----Original Message-----
> > From: Emmanuel Valliet [mailto:emmanuel.valliet@webmotion.com]
> > Sent: Tuesday, September 18, 2001 8:09 PM
> > To: debian-security@lists.debian.org
> > Subject: Re: New IIS worm
> >
> > (2001-09-18) Emmanuel Valliet sed :
> >  | I know we don't care on linux, but I have reallly a lot of hits from
> >  | machine querying for the ..%%35c../winnt/system32/cmd.exe and Cie.
> >  | And it starts to make a lot of apache childs, and the global charge
> >  | grows consequently.
> >  | Is there a way to protect from that ?
> >  | Using an apache configuration trick ?
> >  | Or blacklisting and using some firewall rules behind ?
> >  | If anyone knows how to do, or has already done the script that kicks
> >  | these infected servers, it could interest me...
> >
> > Hum, doing a script that parse the logs and catch the bad servers was
> > easy. But I didn't realize that the infection could be that big and
> > quick.
> >
> > Euh.... can ipchains or iptables support some more 1500 denying rules
> > ? I don't think so...
> >
> > Anyway, it doesn't matter, my apache servers seem to survive the
> > "flood", I'm just happy to have big CPU and lot of mem.
> >
> > Just the script, if you want to count the worm hit on your box:
> > (really not a piece of art)
> >
> > #!/usr/bin/perl
> >
> > my %bannlist;
> >
> > while (<>) {
> >   next if not /^(.*) - -.*GET \/scripts\/.*winnt.*\/cmd.exe.*$/;
> >   $host=$1;
> >   next if $bannlist{"$host"};
> >   $bannlist{"$host"}=1;
> > #  system("/sbin/ipchains -A input -p tcp -s $host -d 10.0.2.138 www
> > -j DENY");
> >   print "Worm victim: $host\n";
> > }
> >
> >
> > --
> > VALLIET Emmanuel       !   http://www.webmotion.com
> > Webmotion Inc.         !   mailto:emmanuel.valliet@webmotion.com
> > Oxymoron: Stuck in traffic.
> >
> >
> >
> > --
> > To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
> > with a subject of "unsubscribe". Trouble? Contact
> > listmaster@lists.debian.org

Reply to:

Follow-Ups:
- Re: New IIS worm
  - From: Vineet Kumar <debian-security@virtual.doorstop.net>
- Re: New IIS worm
  - From: "Karl E. Jorgensen" <karl@jorgensen.com>

References:
- RE: New IIS worm
  - From: "R Allen Blowers" <ablowers@mindspring.com>

Prev by Date: Re: setuid changes
Next by Date: Re: setuid changes
Previous by thread: RE: New IIS worm
Next by thread: Re: New IIS worm
Index(es):
- Date
- Thread