Date: Wed, 19 Sep 2001 16:59:14 +0400
From: "Vladimir B. Grebenschikov" <vova@express.ru>
To: "Karsten W. Rohrbach" <karsten@rohrbach.de>
Cc: "Gib Gilbertson Jr." <gib@tmisnet.com>, freebsd-security@FreeBSD.ORG
Subject: Re: NIMDA Virus
Message-ID: <15272.38562.675553.16495@vbook.express.ru>
In-Reply-To: <20010919131752.E52106@mail.webmonster.de>
References: <F143IQrttDRdNOUivlQ00013ed8@hotmail.com> <5.1.0.14.2.20010918232719.00a6ba90@pop3.norton.antivirus> <20010919131752.E52106@mail.webmonster.de>
[-- Attachment #1 --]
Karsten W. Rohrbach writes:
> Gib Gilbertson Jr.(gib@tmisnet.com)@2001.09.18 23:30:04 +0000:
> > Hi All.
> >
> > You might want to check your httpd logs... I checked mine and in less than
> > 22 hours they had grown from 0 bytes at log archive time to over 600 meg....
> >
> > Just a heads up.. Accesses are coming in so fast that the log is a blur
> > going by..
>
> quick 'fix' for excessive error_log size:
>
> ErrorLog "|exec grep -v 'File does not exist:' >/wherever/error_log"
>
> this will not log any more 404 throwing file not found errors
Quick fix for it using a very simple netgraph module (in the attached tarball):
[-- Attachment #2 --]
[-- Attachment #3 --]
#!/bin/sh
#
# create netgraph nodes
# bind on 77 divert port
#
# <input(div:77)>--in<ddsdetect>out--<output(div)>
#                        |
#                      detect
#
# The ddsdetect node type comes from the attached tarball and must be
# loaded (kldload) before this script is run.
#
ngctl -f - << EOF
mkpeer ddsdetect dummy detect
name .:dummy dds
mkpeer dds: ksocket in inet/raw/divert
msg dds:in bind inet/0.0.0.0:77
mkpeer dds: ksocket out inet/raw/divert
EOF
# check only incoming packets !!!
# be careful we can't check outgoing packets -
# it will lead to packets cycle and panic
ipfw add 1 divert 77 tcp from any to any 80 in
# if anybody interested we can analyze detected DDS packets
# (nghook runs in the foreground until interrupted)
nghook -a dds: detect
# after all shutdown netgraph nodes
ngctl shutdown dds:
# remove the divert rule as well: once the nodes are gone nothing is bound
# to divert port 77, and ipfw drops every packet it diverts to an unbound port
ipfw delete 1
--
TSB Russian Express, Moscow
Vladimir B. Grebenschikov, vova@express.ru
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?15272.38562.675553.16495>
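The ErrorLog pipe quoted above throws the 404 noise away, which also throws away the one piece of information a defender wants from it: which hosts are doing the scanning. The following sh/awk script is an added example, not code from the message or its attachment; it reads Apache 1.3-style error_log lines, counts "File does not exist:" errors per client address, reports the hosts above a threshold and turns that list into ipfw deny rules (printed, not applied). The log lines, addresses and paths are constructed placeholders; the function names and the threshold are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original message): summarise 'File does not
# exist:' errors per client instead of discarding them, so scanning hosts
# can be identified and blocked. Expects Apache 1.3-style error_log lines:
#   [Wed Sep 19 16:59:14 2001] [error] [client 10.0.0.5] File does not exist: /some/path

# Print "ip count" for every client with at least $1 (default 50) 404 errors,
# noisiest host first. Reads error_log lines on stdin.
noisy_clients() {
    threshold="${1:-50}"
    awk -v thr="$threshold" '
        /File does not exist:/ {
            # the "[client a.b.c.d]" field carries the remote address
            for (i = 1; i <= NF; i++) {
                if ($i == "[client") {
                    ip = $(i + 1); sub(/\]$/, "", ip)
                    n[ip]++
                    break
                }
            }
        }
        END {
            for (ip in n) if (n[ip] >= thr) print ip, n[ip]
        }' | sort -k2,2nr -k1,1
}

# Constructed sample log: 10.0.0.5 probes four non-existent paths, 192.0.2.7
# misses once, and a non-error notice line must be ignored.
sample_log() {
    cat <<'EOF'
[Wed Sep 19 16:59:14 2001] [error] [client 10.0.0.5] File does not exist: /usr/local/www/data/scripts/probe-a
[Wed Sep 19 16:59:15 2001] [error] [client 10.0.0.5] File does not exist: /usr/local/www/data/scripts/probe-b
[Wed Sep 19 16:59:15 2001] [error] [client 192.0.2.7] File does not exist: /usr/local/www/data/favicon.ico
[Wed Sep 19 16:59:16 2001] [error] [client 10.0.0.5] File does not exist: /usr/local/www/data/scripts/probe-c
[Wed Sep 19 16:59:17 2001] [notice] Apache/1.3.20 (Unix) configured -- resuming normal operations
[Wed Sep 19 16:59:18 2001] [error] [client 10.0.0.5] File does not exist: /usr/local/www/data/scripts/probe-d
EOF
}

# Turn "ip count" lines into ipfw rules that refuse further port-80 traffic
# from each noisy host. Rules are printed for review, not executed.
block_rules() {
    awk '{ printf "ipfw add deny tcp from %s to any 80 in\n", $1 }'
}

# Demo run: ./script --demo   (or: noisy_clients 200 < /var/log/httpd-error.log)
if [ "${1:-}" = "--demo" ]; then
    sample_log | noisy_clients 3 | block_rules
fi
```

Pick the threshold from the normal 404 rate of the server so that ordinary clients (a missing favicon, a stale bookmark) never reach it; the scan in the quoted message produced hundreds of megabytes of log in under a day, so a worm-infected host stands far above any sensible cutoff.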
