Date:      Wed, 19 Sep 2001 16:59:14 +0400
From:      "Vladimir B. Grebenschikov" <vova@express.ru>
To:        "Karsten W. Rohrbach" <karsten@rohrbach.de>
Cc:        "Gib Gilbertson Jr." <gib@tmisnet.com>, freebsd-security@FreeBSD.ORG
Subject:   Re: NIMDA Virus
Message-ID:  <15272.38562.675553.16495@vbook.express.ru>
In-Reply-To: <20010919131752.E52106@mail.webmonster.de>
References:  <F143IQrttDRdNOUivlQ00013ed8@hotmail.com> <5.1.0.14.2.20010918232719.00a6ba90@pop3.norton.antivirus> <20010919131752.E52106@mail.webmonster.de>



Karsten W. Rohrbach writes:
 > Gib Gilbertson Jr.(gib@tmisnet.com)@2001.09.18 23:30:04 +0000:
 > > Hi All.
 > > 
 > > You might want to check your httpd logs... I checked mine and in less than 
 > > 22 hours they had grown from 0 bytes at log archive time to over 600 meg....
 > > 
 > > Just a heads up.. Accesses are coming in so fast that the log is a blur 
 > > going by..
 > 
 > quick 'fix' for excessive error_log size:
 > 
 > ErrorLog "|exec grep -v 'File does not exist:' >/wherever/error_log"
 > 
 > this will no longer log the 404-throwing "file not found" errors
 
Quick fix for it using a very simple netgraph module in the attached tarball.


[Attachment: ng.NIMDA.tgz (application/octet-stream, base64 content omitted)]



#!/bin/sh

#
# create netgraph nodes
# bind on divert port 77
#
#  <input(div:77)>--in<ddsdetect>out--<output(div)>
#                       detect
#
# "ddsdetect" is the node type provided by the attached tarball; the "in"
# ksocket receives diverted packets, the "out" ksocket reinjects them,
# and the "detect" hook carries copies of whatever the node flagged.
ngctl -f - << EOF
mkpeer ddsdetect dummy detect
name .:dummy dds
mkpeer dds: ksocket in inet/raw/divert
msg dds:in bind inet/0.0.0.0:77
mkpeer dds: ksocket out inet/raw/divert
EOF

# check only incoming packets !!!
# be careful: we can't check outgoing packets -
# it will lead to a packet cycle and a panic
ipfw add 1 divert 77 tcp from any to any 80 in

# if anybody is interested, we can analyze the detected DDS packets
nghook -a dds: detect

# after all, remove the divert rule first (with no socket bound to the
# divert port, ipfw drops the diverted packets) and then shut down the
# netgraph nodes
ipfw delete 1
ngctl shutdown dds:


 
 > /k

--
TSB Russian Express, Moscow
Vladimir B. Grebenschikov, vova@express.ru
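Karsten's ErrorLog pipe above throws the 404 noise away entirely, so the volume of the scan and the hosts behind it vanish from error_log along with the clutter. The following is an added example, not part of this thread or of the attached tarball, that does the same filtering but tallies the dropped entries per client address and writes one summary line per client when httpd closes the pipe; the client addresses, request paths and script path are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): a replacement for the grep -v pipe
# in the ErrorLog line quoted above. It still drops the "File does not
# exist:" noise from error_log, but counts the dropped entries per client
# and emits one summary line per client on exit, so the size of the scan
# and the source hosts stay visible while the log stays small.
#
# Usage in httpd.conf (the script path is a placeholder):
#   ErrorLog "|exec /usr/local/sbin/filter_error_log.sh run >/var/log/httpd/error_log"

# Constructed sample lines in Apache 1.3 error_log format (not real traffic).
SAMPLE_ERROR_LOG='[Wed Sep 19 16:59:14 2001] [error] [client 10.0.0.1] File does not exist: /usr/local/www/data/scripts/probe.exe
[Wed Sep 19 16:59:15 2001] [error] [client 10.0.0.1] File does not exist: /usr/local/www/data/_vti_bin/probe.exe
[Wed Sep 19 16:59:16 2001] [error] [client 10.0.0.2] File does not exist: /usr/local/www/data/favicon.ico
[Wed Sep 19 16:59:17 2001] [notice] Apache/1.3.20 (Unix) configured -- resuming normal operations'

# Filter stdin to stdout. Everything except "File does not exist:" lines
# passes through unchanged; those lines are tallied by client address.
filter_error_log() {
    awk '
    /File does not exist:/ {
        client = "unknown"
        # pick the address out of the "[client 1.2.3.4]" field
        if (match($0, /\[client [0-9A-Fa-f.:]+\]/))
            client = substr($0, RSTART + 8, RLENGTH - 9)
        missing[client]++
        next
    }
    { print }
    END {
        for (c in missing)
            printf "[notice] [client %s] %d requests for missing files suppressed\n", c, missing[c]
    }'
}

# Run the filter over the constructed sample and return the filtered log.
demo() {
    printf '%s\n' "$SAMPLE_ERROR_LOG" | filter_error_log
}

# Invoked as "filter_error_log.sh run" (the form used from ErrorLog) the
# script acts as the log filter; with no argument it only defines functions.
case "${1-}" in
    run) filter_error_log ;;
esac
```

The per-client summary is written only when httpd closes the pipe (stop or restart), and awk block-buffers output going to a file, so individual lines can lag behind the events they describe.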

