
Re: [cobalt-security] NIMDA Attacks - Anyway to deny requests?



on 9/20/01 11:00 PM, Gerald Waugh   at gerald@xxxxxxxxx wrote:

> The following script came from the isp-linux list.
> It will put the offending IP in an ipchains rule to block it.
> Recommended that you clear every couple
> days to remove IP that may have been fixed.
> 
> # Modify to fit your system
>> Bill Larson wrote on the isp-linux list
>> #!/usr/bin/perl
>> 
>> # IISBLOCK - Infected IIS server blocking utility.
>> # by Bill Larson <blarson@xxxxxxxxx> of Compu-Net Enterprises.
>> # http://www.compu.net. This header must be kept intact if you
>> # wish to redistribute the script.
>> 
>> use strict;
>> use warnings;
>> 
>> my $check = 0;
>> my $line = "";
>> my $dupe = "";
>> my $weblog = "/etc/www/logs/access_log";
>> my $infection = "/root/infected";
>> my $removelist = "/root/fwclean";
>> 
>> # create the removelist file so that you can chmod it later and
>> # automatically clear the firewall.. chmod 700 iisblock
>> 
>> open (HTFILE3, ">$removelist") or die "cannot write $removelist: $!";
>> print HTFILE3 "#!/bin/sh\n";
>> close(HTFILE3);
>> 
>> # open the web server log file specified above and start processing
>> 
>> open (HTFILE, "<$weblog") or die "cannot read $weblog: $!";
>> while (defined($line = <HTFILE>))
>> {
>>     chomp ($line);
>> 
>>     # Pattern match on IIS attempts then strip down to the hostname/ip address
>> 
>>     if ($line =~ /\/winnt\/system32\//i) {
>>         $line =~ s/\ -.*//;
>> 
>>         # The client field is untrusted (with HostnameLookups on it is a
>>         # reverse-DNS name the remote side chooses), so refuse anything
>>         # that is not a plain hostname or dotted quad before it gets
>>         # anywhere near a command line or the removal shell script.
>>         next unless $line =~ /^[A-Za-z0-9][A-Za-z0-9.\-]*$/;
>> 
>>         # This host is infected so lets do something about it.
>>         &infected;
>>     }
>> }
>> close(HTFILE);
>> 
>> sub infected {
>>     $check = 0;
>> 
>>     # begin a check to ensure that we only take action once.
>>     # (the file does not exist on the first run; that is fine)
>> 
>>     if (open (HTFILE2, "<$infection")) {
>>         while (defined($dupe = <HTFILE2>)) {
>>             chomp ($dupe);
>>             # exact comparison: a regex match here would treat the dots
>>             # as wildcards and let 10.1.2.3 "match" 110.1.2.34
>>             if ($line eq $dupe) {
>>                 $check = 1;
>>             }
>>         }
>>         close(HTFILE2);
>>     }
>> 
>>     # If this is a unique host continue
>> 
>>     if ($check == 0) {
>> 
>>         # time to add to the list of infected hosts
>> 
>>         open (HTFILE2, ">>$infection") or die "cannot append $infection: $!";
>>         print HTFILE2 "$line\n";
>>         close(HTFILE2);
>> 
>>         # add using the specified add command. List form of system():
>>         # the address is passed as one argument and never parsed by a shell.
>>         # firewall software will print an error on invalid hostnames.
>>         # Zap them one at a time manually
>> 
>>         system ("/sbin/ipchains", "-I", "input", "-s", $line, "-j", "DENY", "-l");
>>         # TO ONLY DO RULES IN RAM --- STOP --- HERE
>> 
>>         # write firewall removal line to the remove list file
>>         # modify this line for your specific firewall software
>> 
>>         open (HTFILE3, ">>$removelist") or die "cannot append $removelist: $!";
>>         print HTFILE3 "/sbin/ipchains -D input -s $line -j DENY -l\n";
>>         close(HTFILE3);
>>     }
>> 
>>     # That's all folks!
>> 
>> }
>> 
> 
> 
> _______________________________________________
> cobalt-security mailing list
> cobalt-security@xxxxxxxxxxxxxxx
> http://list.cobalt.com/mailman/listinfo/cobalt-security

I'd like to use this on my Raq4i; how do I modify this script to work?
Somewhat of a newbie.

Thanks
Alisa
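
The following is an added example, not part of this thread and not Bill Larson's script. It reworks the IISBLOCK idea from the quoted message in Python so the two weak points of the original are visible in working code: the client field of an Apache log line is only accepted if it is a syntactically valid IP address (with HostnameLookups on, that field is a reverse-DNS name the remote side controls, and the original splices it straight into a shell command string), and the firewall command is built as an argument list so nothing from the log is ever parsed by a shell. It keeps the script's `/sbin/ipchains ... -j DENY -l` rule and also matches `root.exe` probes, which CERT advisory CA-2001-26 lists among Nimda's requests and which the `/winnt/system32/` pattern alone misses. The log lines and addresses are constructed for illustration (documentation ranges, not real traffic); Python 3.8 or later is assumed for `shlex.join`.

```python
"""Nimda probe detection and ipchains blocking, Python rework of the posted
IISBLOCK script. Added example; log lines below are constructed, not real."""
import ipaddress
import re
import shlex
import subprocess

# Apache Common/Combined Log Format: client ident user [time] "request" ...
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]*\] "(?P<request>[^"]*)"')

# Request paths Nimda probed for (CERT CA-2001-26). The posted script only
# matched /winnt/system32/, so root.exe probes slipped past it.
NIMDA_RE = re.compile(r'/winnt/system32/cmd\.exe|/root\.exe', re.IGNORECASE)

# Constructed sample log (192.0.2.0/24 etc. are documentation ranges).
SAMPLE_LOG = [
    '192.0.2.17 - - [20/Sep/2001:23:00:01 -0500] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 300',
    '192.0.2.17 - - [20/Sep/2001:23:00:01 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 300',
    '198.51.100.8 - - [20/Sep/2001:23:00:02 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 300',
    '203.0.113.4 - - [20/Sep/2001:23:00:03 -0500] "GET /index.html HTTP/1.0" 200 1043',
    # HostnameLookups On: the client field is a PTR name chosen by the attacker's DNS.
    'evil;reboot.example - - [20/Sep/2001:23:00:04 -0500] "GET /winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 300',
]


def parse_line(line):
    """Return (client, request) for a CLF-shaped line, or None otherwise."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("client"), m.group("request")


def valid_ip(client):
    """Accept only a literal IPv4/IPv6 address (normalized); reject hostnames.

    A hostname from the log is attacker-influenced text and has no business
    being interpolated into a firewall command or a shell script."""
    try:
        return str(ipaddress.ip_address(client))
    except ValueError:
        return None


def find_infected(lines, already_blocked=()):
    """Unique offending IPs in first-seen order, skipping ones already blocked.

    Exact set membership replaces the original's regex comparison, where the
    dots in a stored address acted as wildcards."""
    seen = set(already_blocked)
    found = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, request = parsed
        if not NIMDA_RE.search(request):
            continue
        ip = valid_ip(client)
        if ip is None or ip in seen:
            continue
        seen.add(ip)
        found.append(ip)
    return found


def block_argv(ip):
    """The posted script's ipchains rule, as an argv list (no shell involved)."""
    return ["/sbin/ipchains", "-I", "input", "-s", ip, "-j", "DENY", "-l"]


def unblock_argv(ip):
    return ["/sbin/ipchains", "-D", "input", "-s", ip, "-j", "DENY", "-l"]


def removal_script(ips):
    """Text of the fwclean-style cleanup script; shlex.join quotes defensively."""
    return "#!/bin/sh\n" + "".join(shlex.join(unblock_argv(ip)) + "\n" for ip in ips)


def apply_blocks(ips, dry_run=True):
    """Insert one DENY rule per IP; returns the argv lists run (or that would run)."""
    cmds = [block_argv(ip) for ip in ips]
    if not dry_run:
        for argv in cmds:
            subprocess.run(argv, check=False)  # list form: no shell parsing
    return cmds


if __name__ == "__main__":
    ips = find_infected(SAMPLE_LOG)
    for argv in apply_blocks(ips, dry_run=True):
        print(" ".join(argv))
    print(removal_script(ips), end="")
```

Run against the sample log, the two probing addresses come out and the `evil;reboot.example` line is dropped rather than reaching ipchains. As the quoted message advises, the block list should still be cleared every couple of days via the generated removal script, since the addresses belong to infected third-party servers that get cleaned up over time.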