[lug] Fending off nimda/codered probes. (fwd)

D. Stimits stimits at idcomm.com
Tue Sep 25 14:40:00 MDT 2001


"J. Wayde Allen" wrote:
> 
> ---------- Forwarded message ----------
> Date: Tue, 25 Sep 2001 11:16:09 -0600 (MDT)
> From: D.J. Atkinson <dj at pcisys.net>
> To: wallen at its.bldrdoc.gov
> Subject: Fending off nimda/codered probes.
> 
> Hi Wayde,
> 
> This came to me a bit ago and I thought you might want to share it with
> those on the BLUG list who are having/have had issues with DoS from
> nimda/codered probes.
> 
> Basically it suggests using redirects to make those probing look to
> themselves (127.0.0.1) for the files they're wanting.
> 
> I'm going to set some redirs up on my box.

One problem with redirects is that clients have to understand the
redirect. Unless the worm understands redirect, it won't look at itself.
Has anyone experimented with testing the ability to redirect a nimda
worm against itself?

D. Stimits, stimits at idcomm.com


> 
> DJ
> 
> --
>        o o o o o o o . . .                                  _______
>       o         _____ _____        ____________________ ____] D D [_||___
>    ._][__n__n___|DD[ [     \_____  |  D.J. Atkinson   | | dj at pcisys.net |
>   >(____________|__|_[___________]_|__________________|_|_______________|
>   _/oo OOOO OOOO oo` 'ooooo ooooo` 'o!o            o!o` 'o!o         o!o`
> -+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+-
> Visit my web page at http://www.pcisys.net/~dj
> 
> > -----Original Message-----
> > From: Fulton L. Preston Jr. [mailto:fulton at prestons.org]
> > Sent: Monday, September 24, 2001 7:01 PM
> > To: incidents at securityfocus.com
> > Subject: RE: Tracking down the still infected hosts
> >
> >
> > I implemented the methods below on my IIS and Apache servers and it
> > knocked all the local Nimda traffic dead in minutes. Nimda traffic from
> > neighboring ISPs was way down within an hour.  Since I am on a cable
> > modem I can't control the rest of the network around me but this sure
> > did shut them noisy infected boxes up in a hurry :)
> >
> > The only ones still hitting me (though very slowly now) are workstations
> > that don't have IIS running but are still infected via other means.  The
> > boxes that are running IIS even stop responding to pings after a while so
> > I assume they die after a while.
> >
> > It's stuff like this that makes the SecurityFocus mailing lists so darn
> > useful!
> >
> >
> >
> > -----Original Message-----
> > From: Mike Lewinski [mailto:mike at rockynet.com]
> > Sent: Monday, September 24, 2001 12:29
> > To: incidents at securityfocus.com
> > Subject: Re: Tracking down the still infected hosts
> >
> >
> > > Anyone else doing anything to help this?
> >
> > I don't think that this has been posted here yet.... The following
> > appears to cripple infected hosts and limits the damage they can cause.
> > Others who have used this report that persistent infected hosts disappear
> > from their logs shortly after applying this configuration change to their
> > own servers, and that browsing an infected server after applying this
> > results in "HTTP 403.9 - Access Forbidden: Too many users are connected"
> >
> > For Apache:
> > RedirectMatch (.*)/cmd\.exe$ http://127.0.0.1
> >
> >
> > For IIS:
> >
> > ----- Original Message -----
> > From: "Ron Hornbaker" <ron at hksi.net>
> > To: <imail at hksi.net>
> > Sent: Friday, September 21, 2001 1:11 PM
> > Subject: RE: [imail] IIS Judo against Nimda's DoS attacks (was Fwd:
> > [isp-linux] Buaaa Haaa Ha Haaaaaaaaa...)
> >
> >
> > > Great tip, Len. Here's the IIS version... just create a file in your
> > > web root called something like "Custom404.asp", with this content
> > > (customize the friendly part as much as you wish):
> >
> > <%
> > 'Custom404.asp page to thwart Nimda DoS attacks on IIS
> > 'by Humankind Systems, Inc. http://hksi.net/
> > 'No support or guarantees of any kind are granted with this
> > 'code. Use at your own risk. Distribute freely.
> >
> > 'Get the entire URL requested. When this page is configured as the
> > 'site's custom 404 handler, IIS passes the original request to it as
> > '"404;http://host/path" in QUERY_STRING.
> > myRequest=Request.ServerVariables("QUERY_STRING")
> >
> > 'A list of filenames Nimda looks for
> > myBadList="cmd.exe,root.exe,admin.dll,default.ida"
> >
> > 'Detect a GET request from the Nimda virus and take appropriate action.
> > 'vbTextCompare makes the match case-insensitive, as IIS paths are.
> > arrBadString=Split(myBadList,",")
> > For i=0 To UBound(arrBadString)
> >     If InStr(1,myRequest,arrBadString(i),vbTextCompare)>0 Then
> >         'turn offending server back on itself
> >         '(Response.Redirect also ends execution of this script)
> >         Response.Redirect "http://127.0.0.1"
> >     End If
> > Next
> > %>
> > <html>
> > <head>
> > <title>Page Not Found</title>
> > </head>
> > <body>
> > Sorry, but that page was not found on our server.
> > <p>
> > Here is a link back to our <a href="/">Home Page</a>.
> > </body>
> > </html>
> >
> >
> >
> >
> > ----------------------------------------------------------------------------
> > This list is provided by the SecurityFocus ARIS analyzer service.
> > For more information on this free incident handling, management
> > and tracking system please see: http://aris.securityfocus.com
> >
> 
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
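An added example, not code from anyone in the thread, that runs the thread's idea as detection logic over constructed Apache access-log lines: it flags requests for the file names the Custom404.asp checks, counts them per client, and shows how many of those the cmd.exe-only RedirectMatch rule would catch. The sample log, the written-out regex form `(.*)/cmd\.exe$`, and the `classify`/`summarize` helpers are my assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample of Apache Common Log Format lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [25/Sep/2001:11:16:09 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -
10.0.0.5 - - [25/Sep/2001:11:16:10 -0600] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
10.0.0.9 - - [25/Sep/2001:11:17:01 -0600] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 -
192.0.2.7 - - [25/Sep/2001:11:18:00 -0600] "GET /index.html HTTP/1.1" 200 1234
10.0.0.5 - - [25/Sep/2001:11:18:30 -0600] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 -
"""

# File names the thread's Custom404.asp checks for.
PROBE_NAMES = ("cmd.exe", "root.exe", "admin.dll", "default.ida")

# host ident user [time] "method target protocol" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')

# The thread's Apache rule with the regex written out literally (assumed
# form); RedirectMatch tests it against the path, not the query string.
REDIRECT_RE = re.compile(r'(.*)/cmd\.exe$')

def classify(line):
    """Return (client, decoded_path, probe_name), or None if not a probe."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, _method, target, _status = m.groups()
    # Decode %xx escapes (the ..%c1%1c.. traversal) before matching names.
    path = unquote(target.split("?", 1)[0])
    for name in PROBE_NAMES:
        if name in path.lower():
            return client, path, name
    return None

def redirect_would_catch(path):
    """Would the cmd.exe-only RedirectMatch rule fire for this path?"""
    return REDIRECT_RE.match(path) is not None

def summarize(lines):
    """Count probes, probes per client, and how many the redirect rule catches."""
    hits = [h for h in map(classify, lines) if h]
    return {
        "probes": len(hits),
        "by_client": Counter(client for client, _, _ in hits),
        "caught_by_redirect": sum(redirect_would_catch(p) for _, p, _ in hits),
    }
```

On the sample, `summarize(SAMPLE_LOG.splitlines())` finds 4 probes but only 1 that the cmd.exe-only Apache rule would redirect, which is why the ASP version also lists root.exe, admin.dll and default.ida.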


