Doesn't this leave you open to DOS attacks? I'm thinking that source IP
addresses are relatively easy to forge, and hence an attacker can forge a
nimda attack and cause you to block off legitimate IP addresses - ie. your
DNS server or default gateway...

On Fri, Sep 21, 2001 at 10:37:58PM +0200, Johann Schwarzmeier wrote:
> Hello,
>
> Hint: see what I've done:
>
> /etc/apache/srm.conf:
> Alias /c/winnt/system32/cmd.exe /usr/lib/cgi-bin/block.cgi
> Alias /d/winnt/system32/cmd.exe /usr/lib/cgi-bin/block.cgi
>
> The CGI:
>
> #!/bin/sh
> # A CGI response has to start with a header and a blank line, otherwise
> # Apache logs a malformed-header error (the block below still applies).
> echo "Content-type: text/plain"
> echo
> echo "You come from : ${REMOTE_ADDR}"
>
> sudo ipchains -I wan-in -j DENY -l -s ${REMOTE_ADDR}
> sudo ipchains -I wan-out -j DENY -l -s ${REMOTE_ADDR}
>
>
> keep in mind: sudo !
> /etc/sudoers
> .
> Cmnd_Alias FIREWALL=/sbin/ipchains
> .
> www-data ALL=NOPASSWD: WWW,FIREWALL
>
> it works fine. The cracker comes only one time. :-)
>
>
>
> On Thursday 20 September 2001 03:48, R Allen Blowers wrote:
> > You could use the hosts.deny file for this also, no?
> >
> > Best Regards, Allen
> >
> > > -----Original Message-----
> > > From: Emmanuel Valliet [mailto:emmanuel.valliet@webmotion.com]
> > > Sent: Tuesday, September 18, 2001 8:09 PM
> > > To: debian-security@lists.debian.org
> > > Subject: Re: New IIS worm
> > >
> > > (2001-09-18) Emmanuel Valliet sed :
> > > | I know we don't care on linux, but I have really a lot of hits from
> > > | machines querying for the ..%%35c../winnt/system32/cmd.exe and Cie.
> > > | And it starts to make a lot of apache children, and the global charge
> > > | grows consequently.
> > > | Is there a way to protect from that ?
> > > | Using an apache configuration trick ?
> > > | Or blacklisting and using some firewall rules behind ?
> > > | If anyone knows how to do, or has already done the script that kicks
> > > | these infected servers, it could interest me...
> > >
> > > Hum, doing a script that parses the logs and catches the bad servers was
> > > easy. But I didn't realize that the infection could be that big and
> > > quick.
> > >
> > > Euh.... can ipchains or iptables support some more 1500 denying rules
> > > ? I don't think so...
> > >
> > > Anyway, it doesn't matter, my apache servers seem to survive the
> > > "flood", I'm just happy to have big CPU and lot of mem.
> > >
> > > Just the script, if you want to count the worm hits on your box:
> > > (really not a piece of art)
> > >
> > > #!/usr/bin/perl
> > >
> > > # one entry per source host, so each host is reported only once
> > > my %bannlist;
> > >
> > > while (<>) {
> > >     # common log format: host comes first, then "- -", then the request
> > >     next if not /^(.*) - -.*GET \/scripts\/.*winnt.*\/cmd.exe.*$/;
> > >     $host = $1;
> > >     next if $bannlist{"$host"};
> > >     $bannlist{"$host"} = 1;
> > >     # system("/sbin/ipchains -A input -p tcp -s $host -d 10.0.2.138 www -j DENY");
> > >     print "Worm victim: $host\n";
> > > }
> > >
> > >
> > > --
> > > VALLIET Emmanuel ! http://www.webmotion.com
> > > Webmotion Inc. ! mailto:emmanuel.valliet@webmotion.com
> > > Oxymoron: Stuck in traffic.
> > >
> > >
> > >
> > > --
> > > To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
> > > with a subject of "unsubscribe". Trouble? Contact
> > > listmaster@lists.debian.org
>

--
Karl E. Jørgensen   karl@jorgensen.com   www.karl.jorgensen.com
==== Today's fortune:
The rate at which a disease spreads through a corn field is a precise
measurement of the speed of blight.
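The thread has two halves: Emmanuel's log parser that counts worm probes per source, and Johann's CGI that firewalls any source on sight, which is what Karl's reply worries about (a spoofed or unlucky request gets your DNS server or gateway blocked). The following Python script is an added example, not code from any of the posters; it does what the Perl script does (parse common-log-format lines, report each probing host once) but adds a protected-address list that is never eligible for blocking and a per-host threshold, and it renders the thread's ipchains rules as text instead of executing them. The log lines, addresses and the `wan-in` chain name are constructed for the example; the request patterns are the ones quoted in the thread.

```python
"""Count worm-probe sources in Apache access logs, never "blocking" hosts
on a protected list. Added example; not code from the mailing-list thread."""
import re
import ipaddress
from collections import Counter

# Request paths quoted in the thread: /scripts/..%%35c../winnt/system32/cmd.exe
# and the /c/ and /d/ aliases. Keyed on the tail, like the Perl script.
WORM_PATTERN = re.compile(r"winnt.*/cmd\.exe", re.IGNORECASE)

# Common log format: host ident authuser [date] "METHOD path HTTP/x.y" ...
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD|POST) (\S+)')

# Constructed sample log (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.10 - - [18/Sep/2001:20:09:01 +0200] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 288',
    '203.0.113.10 - - [18/Sep/2001:20:09:02 +0200] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 288',
    '198.51.100.7 - - [18/Sep/2001:20:09:03 +0200] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 288',
    # Looks like it comes from our own DNS server: must never be firewalled.
    '192.0.2.53 - - [18/Sep/2001:20:09:04 +0200] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 288',
    '192.0.2.77 - - [18/Sep/2001:20:09:05 +0200] "GET /index.html HTTP/1.0" 200 1043',
]

# Constructed: addresses we depend on (DNS, default gateway). Assumption for
# the example; fill in your own.
PROTECTED = ["192.0.2.53/32", "192.0.2.1/32"]


def classify(lines, protected):
    """Return (Counter of probe hits per source, list of protected sources seen).

    Sources inside any 'protected' network are reported separately and are
    never candidates for a rule, whatever the log says about them."""
    nets = [ipaddress.ip_network(p) for p in protected]
    victims = Counter()
    skipped = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a parseable request line
        host, path = m.groups()
        if not WORM_PATTERN.search(path):
            continue  # ordinary request
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            continue  # logs with resolved hostnames: don't firewall on a name
        if any(addr in n for n in nets):
            if host not in skipped:
                skipped.append(host)
            continue
        victims[host] += 1
    return victims, skipped


def block_rules(victims, chain="wan-in", threshold=1):
    """Render the thread's ipchains DENY rule for each source seen at least
    'threshold' times. Returned as text for review; nothing is executed."""
    return [
        f"ipchains -I {chain} -j DENY -l -s {host}"
        for host, hits in sorted(victims.items())
        if hits >= threshold
    ]


if __name__ == "__main__":
    hits, protected_seen = classify(SAMPLE_LOG, PROTECTED)
    for host, n in sorted(hits.items()):
        print(f"Worm victim: {host} ({n} hits)")
    for host in protected_seen:
        print(f"Protected host probed, NOT blocking: {host}")
    print("\n".join(block_rules(hits, threshold=2)))
```

Feed it a real access log with `python3 script.py < access.log` after replacing `SAMPLE_LOG` with `sys.stdin`; the threshold keeps one stray request from producing a rule, and the protected list is the answer to the self-inflicted denial of service Karl raises, whichever blocking mechanism (ipchains, hosts.deny) you end up using.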
Attachment:
pgpzNkQFJX8q2.pgp
Description: PGP signature