Re: [cobalt-security] NIMDA Attacks - Anyway to deny requests?

Hello,

In my opinion, if you do not know how to modify it you really should not touch
scripts like this; a typo could do strange things and you would not know
where to check.

I myself, though I see where to modify it, resolved that it's better not to;
I already _nearly_ killed my raq with a silly command... (thanks Taco)
If you were a huge ISP with a large number of very busy Raqs then it might
make sense, but then you could always try it on one raq before doing it on one
which is in production.

One thing that is interesting to note: say you are using a firewall to access
your raq, and it is masquerading, and one of the PCs in your office got
infected, or even say there is some idiot in the office with a twisted sense
of humour who has bookmarked your own raq with winnt/system32; then you
suddenly are locked out of your raq! And I believe you could be locked out
for quite a while! So if in doubt, don't muck around with your raq;
that explains all these pkgs and patches etc...

Hope it helps,
Yates Buckley
Unit9 Ltd.

PS: --- funny dummy ---
My raq nearly died... and it was all because I did a cd /root; chmod go-rwx .*;
DO NOT TRY IT, it basically changed the permissions of / so nothing could run
except as root. Logfiles got really big _fast_, nothing worked. Taco found
the problem in a few hours with me in a panic... convinced I'd been hacked.
Just goes to show... you can know quite a bit and still nearly kill a unix
machine by accident, and _not_ realise!

At 10:16 AM 9/21/01 -0400, you wrote:
>on 9/20/01 11:00 PM, Gerald Waugh at gerald@xxxxxxxxx wrote:
>
>> The following script came from the isp-linux list.
>> It will put the offending IP in an ipchains rule to block it.
>> Recommended that you clear it every couple of
>> days to remove IPs that may have been fixed.
>> 
>> # Modify to fit your system
>>> Bill Larson wrote on the isp-linux list
>>> #!/usr/bin/perl
>>> 
>>> # IISBLOCK - Infected IIS server blocking utility.
>>> # by Bill Larson <blarson@xxxxxxxxx> of Compu-Net Enterprises.
>>> # http://www.compu.net. This header must be kept intact if you
>>> # wish to redistribute the script.
>>> 
>>> my $check = 0;
>>> my $line = "";
>>> my $weblog = "/etc/www/logs/access_log";
>>> my $infection = "/root/infected";
>>> my $removelist = "/root/fwclean";
>>> 
>>> # create the removelist file so that you can chmod it later and
>>> # automatically clear the firewall.. chmod 700 iisblock
>>> 
>>> open (HTFILE3, ">$removelist");
>>> print HTFILE3 "#!/bin/sh\n";
>>> close(HTFILE3);
>>> 
>>> #open the web server log file specified above and start processing
>>> 
>>> open (HTFILE, "$weblog") or die "cannot open $weblog: $!";
>>> until (eof (HTFILE))
>>> {
>>> $line  =<HTFILE>;
>>> chop ($line);
>>> 
>>> #Pattern match on IIS Attempts then strip down to the hostname/ip address
>>> 
>>> if ($line =~ /.*\/winnt\/system32\/.*/) {
>>> $line =~ s/\ -.*//gi;
>>> 
>>> # This host is infected so lets do something about it.
>>> &infected;
>>> }
>>> }
>>> close(HTFILE);
>>> 
>>> sub infected {
>>> $check = 0;
>>> 
>>> # begin a check to ensure that we only take action once.
>>> 
>>> open (HTFILE2, "$infection");
>>> until (eof (HTFILE2)) {
>>> $dupe  =<HTFILE2>;
>>> chop ($dupe);
>>> # exact comparison: as a regex the dots in a stored IP would match any character
>>> if ($line eq $dupe){
>>> $check = 1;
>>> }
>>> else {
>>> }
>>> }
>>> close(HTFILE2);
>>> 
>>> # If this is a unique host continue
>>> 
>>> if ($check eq "0") {
>>> 
>>> # time to add to the list of infected hosts
>>> 
>>> open (HTFILE2, ">>$infection");
>>> print HTFILE2 "$line\n";
>>> close(HTFILE2);
>>> 
>>> # add using the specified add command
>>> # firewall software will print an error on invalid hostnames.
>>> # Zap them one at a time manually
>>> 
>>> # list form: the log-derived value is passed as one argument, never through a shell
>>> system ("/sbin/ipchains", "-I", "input", "-s", $line, "-j", "DENY", "-l");
>>> # TO ONLY DO RULES IN RAM --- STOP --- HERE
>> 
>>> # write firewall removal line to the remove list file
>>> # modify this line for your specific firewall software
>>> 
>>> open (HTFILE3, ">>$removelist");
>>> print HTFILE3 "/sbin/ipchains -D input -s $line -j DENY -l\n";
>>> close(HTFILE3);
>>> }
>>> 
>>> # That's all folks!
>>> 
>>> }
>>> 
>> 
>> 
>> _______________________________________________
>> cobalt-security mailing list
>> cobalt-security@xxxxxxxxxxxxxxx
>> http://list.cobalt.com/mailman/listinfo/cobalt-security
>
>I'd like to use this on my Raq4i, how do I modify this script to work.
>Somewhat newbie.
>
>Thanks
>Alisa
>
>
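The quoted IISBLOCK script, reworked as an added example in Python (this is not code from the thread, from Bill Larson, or from Cobalt; Python was chosen over the original Perl so the example can be checked as written). It scans constructed access_log lines for the same /winnt/system32/ signature, but validates the client field as an IPv4 address before it gets anywhere near a command, skips an allow-list of networks so that your own masquerading office gateway cannot lock you out (the situation Yates describes above), deduplicates, and builds the ipchains add and remove commands as argument lists rather than shell strings. The ipchains flags are the ones the quoted script uses; the log lines, the 192.0.2.0/24 office range and the function names are made up for the example.

```python
import ipaddress
import re
import subprocess

# Common log format prefix: client ident user [time] "request" ...
# The quoted script keeps everything before the first " -"; here the client
# is the first whitespace-delimited field and is validated afterwards.
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]*\] "(?P<request>[^"]*)"')

# Same signature the quoted script looks for.
PROBE_RE = re.compile(r"/winnt/system32/", re.IGNORECASE)

# Networks that must never be blocked, whatever the log says: the box itself
# and the office/NAT gateway. 192.0.2.0/24 is a made-up office range.
NEVER_BLOCK = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("192.0.2.0/24"),
]

# Constructed sample log lines (not taken from any real RaQ).
SAMPLE_LOG = """\
203.0.113.7 - - [21/Sep/2001:10:16:01 -0400] "GET /winnt/system32/cmd.exe HTTP/1.0" 404 -
198.51.100.4 - - [21/Sep/2001:10:16:02 -0400] "GET /index.html HTTP/1.0" 200 1234
192.0.2.10 - - [21/Sep/2001:10:16:03 -0400] "GET /winnt/system32/cmd.exe HTTP/1.0" 404 -
203.0.113.7 - - [21/Sep/2001:10:16:04 -0400] "GET /winnt/system32/cmd.exe HTTP/1.0" 404 -
bad;host - - [21/Sep/2001:10:16:05 -0400] "GET /winnt/system32/cmd.exe HTTP/1.0" 404 -
2001:db8::1 - - [21/Sep/2001:10:16:06 -0400] "GET /winnt/system32/cmd.exe HTTP/1.0" 404 -
198.51.100.77 - - [21/Sep/2001:10:16:07 -0400] "GET /WINNT/System32/cmd.exe HTTP/1.0" 404 -
"""


def probing_clients(lines, never_block=NEVER_BLOCK):
    """Unique IPv4 clients whose request matched PROBE_RE, in first-seen order.

    Malformed client fields, hostnames and IPv6 addresses are skipped (ipchains
    is IPv4-only and nothing unvalidated should reach a command), as are
    addresses inside never_block.
    """
    found = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not PROBE_RE.search(m.group("request")):
            continue
        try:
            addr = ipaddress.ip_address(m.group("client"))
        except ValueError:
            continue
        if addr.version != 4 or any(addr in net for net in never_block):
            continue
        if str(addr) not in found:
            found.append(str(addr))
    return found


def ipchains_commands(addrs, action="-I"):
    """argv lists for ipchains: -I adds a DENY rule, -D removes it (the flags
    the quoted script uses). No shell is involved, so each address is exactly
    one argument whatever characters it contains."""
    return [["/sbin/ipchains", action, "input", "-s", a, "-j", "DENY", "-l"]
            for a in addrs]


def block(addrs, dry_run=True):
    """Apply the add rules; with dry_run the commands are only returned."""
    cmds = ipchains_commands(addrs, "-I")
    if not dry_run:
        for cmd in cmds:
            subprocess.run(cmd, check=True)
    return cmds


def removal_script(addrs):
    """Text of the clean-up script the quoted code writes to /root/fwclean."""
    lines = ["#!/bin/sh"] + [" ".join(c) for c in ipchains_commands(addrs, "-D")]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    hits = probing_clients(SAMPLE_LOG.splitlines())
    for cmd in block(hits):  # dry run: show what would be executed
        print(" ".join(cmd))
    print(removal_script(hits), end="")
```

On the sample input only 203.0.113.7 and 198.51.100.77 are blocked: the office gateway 192.0.2.10 is allow-listed, the "bad;host" entry (what you get with HostnameLookups on, or from a mangled line) never reaches a command, and the IPv6 client is dropped because ipchains cannot express it. Run it as root with `dry_run=False` only after checking the printed commands, and keep the removal script so rules can be cleared every few days as the quoted post recommends.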
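Yates's PS describes `cd /root; chmod go-rwx .*` taking the permissions off `/`. The added shell example below (not from the thread) shows the mechanism without touching any permissions: in a POSIX shell the glob `.*` expands to `.` and `..` as well as dotfiles, and under /root the `..` is `/` itself. It also shows the glob pair that reaches dotfiles only. The scratch directory and function names are made up for the example; the note about bash 5.2 is there because newer bash hides `.` and `..` from `.*` by default, so the footgun only reproduces with that option off.

```shell
#!/bin/sh
# Added example: why `chmod go-rwx .*` in /root reached /.

# Print, one per line, what `.*` expands to inside the directory given as $1.
expand_dot_star() {
    (
        cd "$1" || exit 1
        # bash 5.2 added `globskipdots` (on by default), which hides . and ..
        # from `.*`; turn it off so the expansion matches a 2001-era sh/bash.
        shopt -u globskipdots 2>/dev/null || true
        for f in .*; do printf '%s\n' "$f"; done
    )
}

# Same listing with globs that cannot match . or ..: `.[!.]*` covers ordinary
# dotfiles and `..?*` covers names that begin with two dots. A pattern that
# matches nothing stays literal, which the -e test filters out.
expand_dotfiles_only() {
    (
        cd "$1" || exit 1
        for f in .[!.]* ..?*; do
            if [ -e "$f" ]; then printf '%s\n' "$f"; fi
        done
    )
}

demo() {
    dir=$(mktemp -d)
    touch "$dir/.hidden"
    echo '.* expands to:';          expand_dot_star "$dir"
    echo '.[!.]* ..?* expands to:'; expand_dotfiles_only "$dir"
    rm -rf "$dir"
}
demo
```

The first listing contains `.`, `..` and `.hidden`; the second contains only `.hidden`. Any recursive or permission-changing command run on `.*` from a home directory therefore also runs on the parent, which for /root is the root filesystem.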