Re: iptables anti-nimda anyone?

From: hvdkooij@vanderkooij.org
Date: Fri, 21 Sep 2001 17:25:54 +0200 (CEST)
To: Bugtraq - Focus Linux <focus-linux@securityfocus.com>
Subject: Re: iptables anti-nimda anyone?
Message-ID: <Pine.LNX.4.33.0109211714110.16638-100000@ultra1.hugo.vanderkooij.org>

On Thu, 20 Sep 2001, Rob 'Feztaa' Park wrote:

> On Wed, 19 Sep 2001, Konrad Michels (dis)graced my inbox with this:
>
> > Hi everyone
> > I don't suppose one of our iptables gurus out there has an iptables rule
> > to filter out this damn nimda thing? I'm really annoyed about it
> > filling up my apache logz and would love to drop the packets 'ere they
> > get to the apache server . . .
>
> I don't think that's possible, you'd have to be able to check the contents
> of the actual packet; right now iptables is only capable of checking the
> headers.
>
> But believe me, i'd love to set up a rule that automatically drops nimda
> traffic :)

Combine snort with iptables so after the first hit you shut down HTTP
access for that station.

Reducing apache logging could be done by making sure you have aliases for
the requested pages so you will only get access logging instead of access
+ error logs that fill.

In case you want to trace the infected machine you can use the following
script:

#!/bin/sh
# Usage: trace-nimda.sh /path/to/access_log
# Prints "client-address<TAB>timestamp" for every request for root.exe,
# one line per client. uniq -w 14 compares only the first 14 characters,
# which is roughly the address field, so it collapses repeats per client.
LOGFILE=${1:?usage: $0 access_log}
grep root.exe "${LOGFILE}" | \
        sed "s/\[//g" | \
        awk '{print $1 "\t" $4}' | \
        sort -r | uniq -w 14

Then take the addresses that belong to nearby ISPs and report them. The
only way to stop this is for ISPs to shut down services to users known to
be infected.

My proposal would be to use the following schema:
 - Close down offending accounts temporarily.
 - The user will call the helpdesk to find out why they can't login
   anymore and the helpdesk should give cleaning instruction to the user.
 - The user account is activated on probation.
 - Should the user fail to cure the issue then the account should be
   closed down permanently.

There are no sweet ways to cure this. After CR has had media attention and
all, I keep getting about 15 to 18 hits per day for the last two weeks,
while it could have been cured if the response had been more vigorous.

I don't expect this one to cure by itself until we take strict
countermeasures. ISPs that don't cooperate should get no cooperation
themselves.

Hugo.

-- 
All email sent to me is bound to the rules described on my homepage.
    hvdkooij@vanderkooij.org		http://hvdkooij.xs4all.nl/
	    Don't meddle in the affairs of sysadmins,
	    for they are subtle and quick to anger.
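The post suggests two things: tracing infected clients from the Apache log, and cutting off HTTP access for a station after its first hit. The script below is an added example, not Hugo's own, that does both from the web-server log rather than from snort: it keys on the client address itself instead of a fixed 14-character prefix, so addresses of any length are counted correctly, and it prints (rather than applies) the iptables rules that would drop HTTP from each offender. The log lines are constructed for the example, the addresses are documentation ranges, and matching on cmd.exe as well as root.exe is an assumption about the probe paths in use.

```shell
#!/bin/sh
# Added example (not from the original post): count Nimda-style probes per client in an
# Apache access log and emit iptables rules that drop HTTP from those clients.
set -eu

# Constructed sample access_log lines in Common Log Format (hypothetical addresses).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
10.0.0.5 - - [21/Sep/2001:17:25:54 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 289
10.0.0.5 - - [21/Sep/2001:17:25:55 +0200] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 287
192.0.2.77 - - [21/Sep/2001:17:26:01 +0200] "GET /index.html HTTP/1.0" 200 1532
192.0.2.9 - - [21/Sep/2001:17:26:10 +0200] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
EOF

# Print "address<TAB>count<TAB>first_seen" for every client that requested root.exe
# or cmd.exe (assumed probe paths), one line per address. awk keys on the whole
# address field, so a fixed-width uniq is not needed.
nimda_clients() {
    awk '/root\.exe|cmd\.exe/ {
             ip = $1; sub(/^\[/, "", $4)
             if (!(ip in count)) first[ip] = $4
             count[ip]++
         }
         END { for (ip in count) print ip "\t" count[ip] "\t" first[ip] }' "$1" | sort
}

# Turn that list into iptables rules that drop TCP/80 from each offending address.
# They are printed, not applied; review them, then pipe the output to sh on the firewall.
nimda_block_rules() {
    nimda_clients "$1" | while IFS="$(printf '\t')" read -r ip count first; do
        echo "iptables -I INPUT -p tcp -s $ip --dport 80 -j DROP  # $count probes since $first"
    done
}

nimda_clients "$SAMPLE_LOG"
nimda_block_rules "$SAMPLE_LOG"
```

Run it against a real access_log by replacing SAMPLE_LOG with the log path; only clients that actually requested the probe paths appear, so ordinary visitors such as 192.0.2.77 above never end up in a DROP rule.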
