Re: iptables anti-nimda anyone?
From: hvdkooij@vanderkooij.org Date: 09/21/01
- Previous message: pierre.lombard@imag.fr: "Re: iptables anti-nimda anyone?"
- In reply to: Rob 'Feztaa' Park: "Re: iptables anti-nimda anyone?"
- Next in thread: Bretscher;Johannes;ja: "Re: iptables anti-nimda anyone?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: hvdkooij@vanderkooij.org
Date: Fri, 21 Sep 2001 17:25:54 +0200 (CEST)
To: Bugtraq - Focus Linux <focus-linux@securityfocus.com>
Subject: Re: iptables anti-nimda anyone?
Message-ID: <Pine.LNX.4.33.0109211714110.16638-100000@ultra1.hugo.vanderkooij.org>
On Thu, 20 Sep 2001, Rob 'Feztaa' Park wrote:
> On Wed, 19 Sep 2001, Konrad Michels (dis)graced my inbox with this:
>
> > Hi everyone
> > I don't suppose one of our iptables gurus out there has an iptables rule
> > to filter out this damn nimda thing? I'm really annoyed about it
> > filling up my apache logz and would love to drop the packets 'ere they
> > get to the apache server . . .
>
> I don't think that's possible, you'd have to be able to check the contents
> of the actual packet; right now iptables is only capable of checking the
> headers.
>
> But believe me, i'd love to set up a rule that automatically drops nimda
> traffic :)
Combine snort with iptables so after the first hit you shut down HTTP
access for that station.
Reducing apache logging could be done by making sure you have aliases for
the requested pages so you will only get access logging instead of access
+ error logs that fill.
In case you want to trace the infected machine you can use the following
script:
#!/bin/sh
# Usage: script.sh /path/to/access_log
# Lists the source addresses (with a timestamp) that requested root.exe.
LOGFILE=${1:?usage: $0 access_log}
grep root.exe "${LOGFILE}" | \
sed "s/\[//g" | \
awk '{print $1 "\t" $4}' | \
sort -r | uniq -w 14
Then take the addresses that belong to nearby ISPs and report them. The
only way to stop this is for ISPs to shut down services to users known to
be infected.
My proposal would be to use the following schema:
- Close down offending accounts temporarily.
- The user will call the helpdesk to find out why they can't login
anymore and the helpdesk should give cleaning instruction to the user.
- The user account is activated on probation.
- Should the user fail to cure the issue then the account should be
closed down permanently.
There are no sweet ways to cure this. After CR has had media attention and
all, I keep getting about 15 to 18 hits per day for the last two weeks,
while it could have been cured if the response had been more vigorous.
I don't expect this one to cure by itself until we take strict
countermeasures. ISPs that don't cooperate should get no cooperation
themselves.
Hugo.
--
All email sent to me is bound to the rules described on my homepage.
hvdkooij@vanderkooij.org http://hvdkooij.xs4all.nl/
Don't meddle in the affairs of sysadmins,
for they are subtle and quick to anger.
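The log triage Hugo's script performs (pull the root.exe probes out of the Apache access log and list the source addresses so they can be reported to the responsible ISP), written out as a more complete example. This is added here and is not part of the post; it assumes Apache common/combined log format, keys on the exact client address rather than a fixed-width prefix, records first and last seen times and the hit count per address (what an abuse desk usually asks for), and also matches cmd.exe, which is an assumption beyond the root.exe pattern the post greps for. The sample log lines are constructed with documentation-range addresses.

```python
import re
from datetime import datetime

# Constructed sample Apache access-log lines (common log format); the addresses
# are documentation ranges, not real hosts, and the last line is deliberate junk.
SAMPLE_LOG = """\
192.0.2.10 - - [20/Sep/2001:08:12:01 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 291
192.0.2.10 - - [20/Sep/2001:08:12:02 +0200] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 289
198.51.100.7 - - [20/Sep/2001:09:30:15 +0200] "GET /index.html HTTP/1.1" 200 1043
192.0.2.1 - - [20/Sep/2001:09:45:00 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 291
203.0.113.55 - - [21/Sep/2001:01:02:03 +0200] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 302
this line is not a log entry and must be skipped, not crash the run
"""

# Common/combined log format: client, ident, user, [timestamp], "request", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Paths the worm probes for: root.exe (what the post greps for) and, as an
# assumption added here, cmd.exe.
PROBE_RE = re.compile(r'/(root|cmd)\.exe', re.IGNORECASE)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, datetime, path) for a well-formed access-log line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), TS_FORMAT)
    except ValueError:
        return None
    return m.group("ip"), ts, m.group("path")


def is_probe(path):
    """True when the requested path matches a Nimda-style probe."""
    return PROBE_RE.search(path) is not None


def summarize_probes(log_text):
    """Group probe requests by exact client address.

    Returns a list of dicts sorted by hit count (descending), then address,
    each with the count, first/last seen timestamps and the distinct paths.
    """
    hits = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed or foreign line: skip it rather than abort
        ip, ts, path = parsed
        if not is_probe(path):
            continue
        entry = hits.setdefault(
            ip, {"ip": ip, "count": 0, "first": ts, "last": ts, "paths": set()}
        )
        entry["count"] += 1
        entry["first"] = min(entry["first"], ts)
        entry["last"] = max(entry["last"], ts)
        entry["paths"].add(path)
    return sorted(hits.values(), key=lambda e: (-e["count"], e["ip"]))


def format_report(rows):
    """One tab-separated line per source: address, hits, first seen, last seen."""
    return "\n".join(
        f"{r['ip']}\t{r['count']}\t{r['first'].isoformat()}\t{r['last'].isoformat()}"
        for r in rows
    )


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(format_report(summarize_probes(text)))
```

Run it with the access log path as the only argument (without one it reports on the embedded sample). Keying on the full address matters: the original `uniq -w 14` compares a fixed prefix of address plus date, so two different addresses of different lengths can be folded together or split depending on how the columns line up, whereas the dict above never merges distinct hosts.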