
Re: [cobalt-security] NIMDA Attacks - Anyway to deny requests?



The following script came from the isp-linux list.
It will put the offending IP in an ipchains rule to block it.
Recommended that you clear it every couple of
days to remove IPs that may have been fixed.

# Modify to fit your system
>Bill Larson wrote on the isp-linux list
> #!/usr/bin/perl
>
> # IISBLOCK - Infected IIS server blocking utility.
> # by Bill Larson <blarson@xxxxxxxxx> of Compu-Net Enterprises.
> # http://www.compu.net. This header must be kept intact if you
> # wish to redistribute the script.
>
> use strict;
> use warnings;
>
> my $check = 0;
> my $line = "";
> my $dupe = "";
> my $weblog = "/etc/www/logs/access_log";
> my $infection = "/root/infected";
> my $removelist = "/root/fwclean";
>
> # create the removelist file so that you can chmod it later and
> # automatically clear the firewall.. chmod 700 iisblock
>
> open (HTFILE3, ">$removelist") or die "cannot write $removelist: $!";
> print HTFILE3 "#!/bin/sh\n";
> close(HTFILE3);
>
> #open the web server log file specified above and start processing
>
> open (HTFILE, "$weblog") or die "cannot read $weblog: $!";
> until (eof (HTFILE))
> {
>   $line  =<HTFILE>;
>   chomp ($line);   # chomp only strips the newline; chop would eat a real character on an unterminated last line
>
> # Pattern match on IIS attempts, then strip the line down to the hostname/IP address
>
>   if ($line =~ /.*\/winnt\/system32\/.*/) {
>     $line =~ s/\ -.*//gi;
>
> # This host is infected so lets do something about it.
>     &infected;
>   }
> }
> close(HTFILE);
>
> sub infected {
>   $check = 0;
>
>    # begin a check to ensure that we only take action once.
>
>   # the list may not exist yet on the first run, so only read it if it opens
>   if (open (HTFILE2, "$infection")) {
>     until (eof (HTFILE2)) {
>        $dupe  =<HTFILE2>;
>        chomp ($dupe);
>        # exact comparison: a regex match would let 1.2.3.4 match 11.2.3.45
>        if ($line eq $dupe){
>           $check = 1;
>        }
>     }
>     close(HTFILE2);
>   }
>
> # If this is a unique host continue
>
>   if ($check eq "0") {
>
> # time to add to the list of infected hosts
>
>     open (HTFILE2, ">>$infection");
>     print HTFILE2 "$line\n";
>     close(HTFILE2);
>
> # add using the specified add command
> # firewall software will print an error on invalid hostnames.
> # Zap them one at a time manually
>
>     # list form keeps $line out of the shell; it was taken from an untrusted log
>     system ("/sbin/ipchains", "-I", "input", "-s", $line, "-j", "DENY", "-l");
> # TO ONLY DO RULES IN RAM --- STOP --- HERE
>
> # write firewall removal line to the remove list file
> # modify this line for your specific firewall software
>
>     open (HTFILE3, ">>$removelist");
>     print HTFILE3 "/sbin/ipchains -D input -s $line -j DENY -l\n";
>     close(HTFILE3);
>   }
>
> # That's all folks!
>
> }
>
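The same scan-and-block idea, written here as an added Python example rather than Bill Larson's Perl script, so it can be run against a few constructed log lines without touching a firewall. It assumes Apache Common Log Format, ipchains as the firewall, and the same two bookkeeping files (the infected list and the fwclean removal script); the sample log lines and the probe pattern it keys on (the `/winnt/system32/` path from the script above) are the only signatures involved. Unlike the Perl, it parses the host field instead of truncating at the first " -", compares hosts exactly rather than as regexes, only passes literal IP addresses to the firewall, and never hands log content to a shell.

```python
"""Added example (not the original script): scan a web log for the probe path,
record each new source address, and emit the ipchains insert/delete rules."""
import ipaddress
import os
import re
import subprocess
import tempfile

# The probe path the original script keys on. Matched case-insensitively
# because IIS paths are case-insensitive and probe capitalisation varies.
PROBE_RE = re.compile(r"/winnt/system32/", re.IGNORECASE)

# Common Log Format: remote host is the first field, the request is the first
# quoted field. Parsing fields beats the original's s/ -.*// truncation, which
# cuts at the first " -" it finds anywhere in the line.
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[[^\]]*\] "(?P<request>[^"]*)" \d{3}')

# Constructed sample lines (not real traffic): two probes from one address,
# one normal request, one upper-case probe, and one probe whose host field is
# a name rather than an address (as with HostnameLookups on).
SAMPLE_LOG = """\
192.0.2.10 - - [18/Sep/2001:10:00:01 -0400] "GET /scripts/../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 289
192.0.2.10 - - [18/Sep/2001:10:00:02 -0400] "GET /scripts/../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 289
198.51.100.7 - - [18/Sep/2001:10:00:03 -0400] "GET /index.html HTTP/1.0" 200 1523
203.0.113.5 - - [18/Sep/2001:10:00:04 -0400] "GET /scripts/../WINNT/SYSTEM32/cmd.exe?/c+dir HTTP/1.0" 404 289
host.example.net - - [18/Sep/2001:10:00:05 -0400] "GET /scripts/../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 289
"""


def probing_hosts(lines, already_blocked=()):
    """Return addresses (first-seen order) whose request hit the probe pattern,
    skipping ones already blocked and host fields that are not IP literals."""
    seen = set(already_blocked)
    found = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not PROBE_RE.search(m.group("request")):
            continue
        host = m.group("host")
        try:
            ipaddress.ip_address(host)  # only literal addresses reach the firewall
        except ValueError:
            continue
        if host not in seen:
            seen.add(host)
            found.append(host)
    return found


def firewall_commands(host):
    """Insert and delete argument vectors for the rule the original script adds.
    Argument lists keep the host out of any shell, unlike system("... $line ...")."""
    rule = ["input", "-s", host, "-j", "DENY", "-l"]
    return ["/sbin/ipchains", "-I"] + rule, ["/sbin/ipchains", "-D"] + rule


def block(lines, infection_file, remove_script, apply=False):
    """Scan lines; for each new probing host append it to infection_file, append
    its removal command to remove_script and, only if apply=True, insert the rule.
    Returns the list of newly blocked hosts."""
    known = []
    if os.path.exists(infection_file):
        with open(infection_file) as fh:
            known = [l.strip() for l in fh if l.strip()]
    new_hosts = probing_hosts(lines, known)
    if not os.path.exists(remove_script):
        with open(remove_script, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(remove_script, 0o700)
    with open(infection_file, "a") as inf, open(remove_script, "a") as rem:
        for host in new_hosts:
            add_cmd, del_cmd = firewall_commands(host)
            if apply:
                subprocess.run(add_cmd, check=True)
            inf.write(host + "\n")
            rem.write(" ".join(del_cmd) + "\n")
    return new_hosts


def demo():
    """Two passes over the sample log in a scratch directory; the second pass must
    find nothing new. Returns (first-pass hosts, second-pass hosts, remove script)."""
    with tempfile.TemporaryDirectory() as d:
        inf = os.path.join(d, "infected")
        rem = os.path.join(d, "fwclean")
        first = block(SAMPLE_LOG.splitlines(), inf, rem)
        second = block(SAMPLE_LOG.splitlines(), inf, rem)
        with open(rem) as fh:
            script = fh.read()
    return first, second, script


if __name__ == "__main__":
    first, second, script = demo()
    print("new hosts:", first, "| on rerun:", second)
    print(script)
```

Two deliberate differences from the Perl: the removal script is appended to rather than rewritten on every run, so it always lists every rule currently inserted, and the infected list doubles as the dedup set, so the "clear every couple of days" step means deleting both files after running fwclean. Rules are only inserted with `apply=True`; by default the run is a dry run that just writes the two files.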