Re: [cobalt-security] NIMDA Attacks - Anyway to deny requests?
- Subject: Re: [cobalt-security] NIMDA Attacks - Anyway to deny requests?
- From: Alisa Young <ayoung@xxxxxxxxxxxx>
- Date: Fri, 21 Sep 2001 10:16:32 -0400
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
on 9/20/01 11:00 PM, Gerald Waugh at gerald@xxxxxxxxx wrote:
> The following script came from the isp-linux list.
> It will put the offending IP in an ipchains rule to block it.
> Recommended that you clear every couple
> days to remove IPs that may have been fixed.
>
> # Modify to fit your system
>> Bill Larson wrote on the isp-linux list
>> #!/usr/bin/perl
>> use strict;
>> use warnings;
>>
>> # IISBLOCK - Infected IIS server blocking utility.
>> # by Bill Larson <blarson@xxxxxxxxx> of Compu-Net Enterprises.
>> # http://www.compu.net. This header must be kept intact if you
>> # wish to redistribute the script.
>>
>> my $weblog     = "/etc/www/logs/access_log";   # Apache access log to scan
>> my $infection  = "/root/infected";             # one blocked address per line
>> my $removelist = "/root/fwclean";              # shell script that undoes the blocks
>>
>> # create the removelist file so that you can chmod it later and
>> # automatically clear the firewall.. chmod 700 iisblock
>>
>> open(my $rm, '>', $removelist) or die "cannot write $removelist: $!";
>> print $rm "#!/bin/sh\n";
>> close($rm);
>>
>> # open the web server log file specified above and start processing
>>
>> open(my $log, '<', $weblog) or die "cannot read $weblog: $!";
>> while (my $line = <$log>) {
>>     chomp($line);
>>
>>     # Pattern match on IIS attempts, then strip down to the client address
>>     # (first field of the common log format: everything before " -")
>>
>>     if ($line =~ m{/winnt/system32/}) {
>>         $line =~ s/ -.*//;
>>
>>         # This host is infected so let's do something about it.
>>         infected($line);
>>     }
>> }
>> close($log);
>>
>> sub infected {
>>     my ($host) = @_;
>>
>>     # Only act on a plain dotted-quad address. With HostnameLookups on the
>>     # field can be a hostname, and this value ends up on a shell command line.
>>     return unless $host =~ /^\d{1,3}(?:\.\d{1,3}){3}$/;
>>
>>     # begin a check to ensure that we only take action once.
>>     # (exact comparison: a regex match would let 1.2.3.4 match 1.2.3.45)
>>
>>     my $check = 0;
>>     if (open(my $inf, '<', $infection)) {
>>         while (my $dupe = <$inf>) {
>>             chomp($dupe);
>>             $check = 1 if $dupe eq $host;
>>         }
>>         close($inf);
>>     }
>>
>>     # If this is a unique host continue
>>
>>     if ($check == 0) {
>>
>>         # time to add to the list of infected hosts
>>
>>         open(my $inf, '>>', $infection) or die "cannot append $infection: $!";
>>         print $inf "$host\n";
>>         close($inf);
>>
>>         # add using the specified add command (list form: no shell involved).
>>         # Hostnames were skipped above, so the firewall only ever sees an IP.
>>
>>         system("/sbin/ipchains", "-I", "input", "-s", $host, "-j", "DENY", "-l");
>>         # TO ONLY DO RULES IN RAM --- STOP --- HERE
>>
>>         # write firewall removal line to the remove list file
>>         # modify this line for your specific firewall software
>>
>>         open(my $rm, '>>', $removelist) or die "cannot append $removelist: $!";
>>         print $rm "/sbin/ipchains -D input -s $host -j DENY -l\n";
>>         close($rm);
>>     }
>>
>>     # That's all folks!
>>
>> }
>>
>
>
> _______________________________________________
> cobalt-security mailing list
> cobalt-security@xxxxxxxxxxxxxxx
> http://list.cobalt.com/mailman/listinfo/cobalt-security
I'd like to use this on my Raq4i; how do I modify this script to work?
Somewhat of a newbie.
Thanks
Alisa
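The detection the quoted script performs, as an added Python example that is not part of the thread and runs over constructed log lines: it takes the client field of Common Log Format lines containing the same `/winnt/system32/` trigger, keeps only valid IPv4 addresses (a hostname produced by HostnameLookups is rejected instead of being handed to a shell), dedupes by exact comparison, and builds the ipchains add/remove argument lists without executing them.

```python
import ipaddress
import re

# Constructed sample access_log lines in Common Log Format (not from the thread).
SAMPLE_LOG = """\
10.0.0.5 - - [21/Sep/2001:09:55:01 -0400] "GET /index.html HTTP/1.0" 200 1043
10.0.0.17 - - [21/Sep/2001:09:55:02 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe HTTP/1.0" 404 276
10.0.0.17 - - [21/Sep/2001:09:55:02 -0400] "GET /msadc/..%255c../winnt/system32/cmd.exe HTTP/1.0" 404 276
10.0.0.170 - - [21/Sep/2001:09:55:03 -0400] "GET /c/winnt/system32/cmd.exe HTTP/1.0" 404 276
probe.example.net - - [21/Sep/2001:09:55:04 -0400] "GET /d/winnt/system32/cmd.exe HTTP/1.0" 404 276
"""

# Same trigger the quoted Perl script uses; the client is the first field.
PROBE = re.compile(r"/winnt/system32/", re.IGNORECASE)
CLIENT = re.compile(r"^(\S+) ")


def infected_hosts(log_text, already_known=()):
    """Return (new_ips, rejected): new valid IPv4 clients that sent a probe,
    in first-seen order, and client fields that are not a dotted quad
    (e.g. a hostname when HostnameLookups is on) and must never reach a shell."""
    known = set(already_known)
    new_ips, rejected = [], []
    for line in log_text.splitlines():
        if not PROBE.search(line):
            continue
        m = CLIENT.match(line)
        if not m:
            continue
        client = m.group(1)
        try:
            ipaddress.IPv4Address(client)
        except ValueError:
            rejected.append(client)
            continue
        if client not in known:  # exact comparison: 10.0.0.17 is not 10.0.0.170
            known.add(client)
            new_ips.append(client)
    return new_ips, rejected


def ipchains_rules(ips):
    """Build (add, remove) argument lists for subprocess.run(); nothing is executed."""
    add = [["/sbin/ipchains", "-I", "input", "-s", ip, "-j", "DENY", "-l"] for ip in ips]
    remove = [["/sbin/ipchains", "-D", "input", "-s", ip, "-j", "DENY", "-l"] for ip in ips]
    return add, remove
```

Feeding the contents of the script's `/root/infected` file as `already_known` reproduces its "only act once" check across runs.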