From owner-freebsd-questions Thu Sep 27 11:21: 9 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from mail-relay1.mirrorimage.net (mail-relay1.mirrorimage.net [209.58.140.11]) by hub.freebsd.org (Postfix) with ESMTP id 7C6FD37B408 for ; Thu, 27 Sep 2001 11:21:03 -0700 (PDT)
Received: from leblanc.mirrorimage.net (leblanc.mirrorimage.net [209.192.210.146]) by mail-relay1.mirrorimage.net (8.9.3/8.9.3) with ESMTP id OAA05019 for ; Thu, 27 Sep 2001 14:21:02 -0400
Received: (from leblanc@localhost) by leblanc.mirrorimage.net (8.11.5/8.11.4) id f8RILmf15734; Thu, 27 Sep 2001 14:21:48 -0400 (EDT) (envelope-from leblanc)
Date: Thu, 27 Sep 2001 14:21:48 -0400
From: Louis LeBlanc
To: freebsd-questions@FreeBSD.ORG, freebsd-questions@FreeBSD.ORG
Subject: Re: Apache server log
Message-ID: <20010927142147.B15312@acadia.ne.mediaone.net>
Reply-To: freebsd-questions@FreeBSD.ORG
Mail-Followup-To: freebsd-questions@FreeBSD.ORG
References: <20010927152824.55499.qmail@web12501.mail.yahoo.com> <005801c14769$73498220$49e9b5ce@quasi>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <005801c14769$73498220$49e9b5ce@quasi>
User-Agent: Mutt/1.3.22.1i
X-bright-idea: Lets abolish HTML mail!
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On 09/27/01 11:30 AM, Marius Kirschner sat at the `puter and typed:
> Yep, that's Nimda, alright. Nothing you have to worry about if you run
> a unix system.

Correct. However, there's no reason you can't do something about it. You've heard of Apache::CodeRed? Well, it's a mod_perl handler. It handles the requests for default.ida by looking up the requesting IP and sending a warning to the web admin and abuse authorities as well as securityfocus.com. I've hacked Apache::CodeRed to create Apache::Nimda.
No great effort really, the hard part is getting the correct expression. Reuven Lerner wrote Apache::CodeRed, and I've really only made one small improvement to send a message to the parent domain abuse address (an attack from acadia.ne.mediaone.net should result in a message to abuse@mediaone.net, not abuse@ne.mediaone.net). Otherwise, the LocationMatch expression is the real key. Here is the list of URLs I am seeing (sorry for the long lines):

1: http://acadia.ne.mediaone.net/scripts/root.exe?/c+dir
2: http://acadia.ne.mediaone.net/MSADC/root.exe?/c+dir
3: http://acadia.ne.mediaone.net/c/winnt/system32/cmd.exe?/c+dir
4: http://acadia.ne.mediaone.net/d/winnt/system32/cmd.exe?/c+dir
5: http://acadia.ne.mediaone.net/scripts/..%255c../winnt/system32/cmd.exe?/c+dir
6: http://acadia.ne.mediaone.net/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
7: http://acadia.ne.mediaone.net/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
8: http://acadia.ne.mediaone.net/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir
9: http://acadia.ne.mediaone.net/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir
10: http://acadia.ne.mediaone.net/scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir
11: http://acadia.ne.mediaone.net/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir
12: http://acadia.ne.mediaone.net/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir
13: http://acadia.ne.mediaone.net/scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir
14: http://acadia.ne.mediaone.net/scripts/..%252f../winnt/system32/cmd.exe?/c+dir

Here is the LocationMatch section I am using now:

    # Handle nimda attacks.
    SetHandler perl-script
    PerlHandler Apache::Nimda

It seems to miss one of the URLs - #10, IIRC. I'm not as skilled with regexps as I would like to be, so I'm not sure how to include all of them yet. Still trying a couple things.
As for where it is, I've notified the author of the original Apache::CodeRed module, for his feedback since I want to be sure I am giving proper credit where it is due. I have given him the URL to take a look at it, but the contacts at securityfocus have not been finalized. Right now, they are getting Nimda notices from me and probably wondering what the heck is going on. I would like to wait until I have the correct expression and some kind of feedback from the author, but I will likely release the module to the GP this weekend. Any feedback/ideas/etc. would be welcome.

Lou
--
Louis LeBlanc
leblanc@acadia.ne.mediaone.net
Fully Funded Hobbyist, KeySlapper Extraordinaire :)
http://acadia.ne.mediaone.net

A perfect guest: One who makes his host feel at home.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
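The fourteen probe URLs above all differ only in how the `..\` traversal is encoded (plain, double-percent-encoded `%255c`, and the overlong UTF-8 forms `%c0%af`, `%c0%2f`, `%c1%1c`, `%c1%9c` that the IIS Unicode bug accepted); what stays constant is the entry directory and the executable being asked for. An expression that matches on those invariants rather than on the traversal encoding catches every variant on the list. The following is an added example written for this editorial pass, not the Apache::Nimda module or Lou's LocationMatch expression. The request paths are taken from the list in the message with the host stripped, the regex `NIMDA_RE` is my own, and `iis_lenient_utf8` is an approximation of the IIS decoder (an assumption, not derived from IIS source) used only to show what each probe actually resolves to and how far past the web root it climbs.

```python
import re

# Constructed sample input: the path part of the 14 probe URLs quoted in the
# message, host removed, query string kept as it would appear in access_log.
NIMDA_PROBES = [
    "/scripts/root.exe?/c+dir",
    "/MSADC/root.exe?/c+dir",
    "/c/winnt/system32/cmd.exe?/c+dir",
    "/d/winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%255c../winnt/system32/cmd.exe?/c+dir",
    "/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir",
    "/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir",
    "/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%252f../winnt/system32/cmd.exe?/c+dir",
]

# My expression (not the one from the message): anchor on the entry directory
# and the target executable, so the encoding of the traversal is irrelevant.
NIMDA_RE = re.compile(
    r"^/(?:scripts|msadc|_vti_bin|_mem_bin|[cd])/.*(?:root|cmd)\.exe$",
    re.IGNORECASE,
)

HEX = b"0123456789abcdefABCDEF"


def is_nimda_probe(request_path: str) -> bool:
    """True if the path part of the request line looks like a Nimda probe."""
    path = request_path.split("?", 1)[0]
    return NIMDA_RE.search(path) is not None


def percent_decode_once(data: bytes) -> bytes:
    """One round of %XX decoding; anything that is not %hh is left untouched."""
    out = bytearray()
    i = 0
    while i < len(data):
        if data[i] == 0x25 and i + 2 < len(data) and all(c in HEX for c in data[i + 1:i + 3]):
            out.append(int(data[i + 1:i + 3], 16))
            i += 3
        else:
            out.append(data[i])
            i += 1
    return bytes(out)


def iis_lenient_utf8(data: bytes) -> str:
    """Assumed model of the IIS decoder: a 0xC0/0xC1 lead byte plus *any* next
    byte is accepted as a two-byte sequence, so C0 AF and C0 2F give '/',
    C1 9C and C1 1C give '\\'. Other bytes are taken as single characters."""
    out = []
    i = 0
    while i < len(data):
        b = data[i]
        if b in (0xC0, 0xC1) and i + 1 < len(data):
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)


def resolve_as_iis(request_path: str):
    """Decode the way the vulnerable server did (percent-decode twice, lenient
    UTF-8, backslash == slash) and walk the '..' segments. Returns the file the
    probe really asks for and how many '..' stepped above the web root."""
    raw = request_path.split("?", 1)[0].encode("ascii")
    text = iis_lenient_utf8(percent_decode_once(percent_decode_once(raw)))
    stack, escaped = [], 0
    for seg in text.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if stack:
                stack.pop()
            else:
                escaped += 1
        else:
            stack.append(seg)
    return "/" + "/".join(stack), escaped


def analyse(paths):
    """Run both checks over request paths; one record per path."""
    records = []
    for p in paths:
        target, escaped = resolve_as_iis(p)
        records.append({"path": p, "probe": is_nimda_probe(p),
                        "target": target, "escaped": escaped})
    return records


if __name__ == "__main__":
    for rec in analyse(NIMDA_PROBES + ["/index.html", "/cgi-bin/test.cgi"]):
        flag = "NIMDA" if rec["probe"] else "ok   "
        print(f"{flag} up {rec['escaped']:2d} -> {rec['target']:<28} {rec['path']}")
```

Two caveats before dropping that expression into a `<LocationMatch>`: Apache matches Location expressions against the URI after its own single round of unescaping, so `..%255c..` reaches the regex as `..%5c..` and the overlong sequences arrive as raw bytes, which is why matching on the traversal encoding is fragile; and Apache 1.3's unescaper refuses a path in which an escape decodes to `/`, answering 404 before any handler runs, which would explain why a request like #10 never shows up in the handler no matter what the expression says. Apache 1.3 also used a POSIX extended regex library, so if it rejects the `(?:` non-capturing groups, use plain parentheses in httpd.conf.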