[lug] Fending off nimda/codered probes. (fwd)
Michael Deck
deckm at cleansoft.com
Tue Sep 25 19:34:08 MDT 2001
This is a thing of beauty! I put in the redirect at 1:30pm after seeing
about 10 hits/hour for Nimda requests, and since then there are no hits at
all from them.
But isn't this sort of a mask? The traffic is still showing up on my
network, going through my ip forwarding box, arriving at my Apache server,
and going back out, right? So what this is doing is (a) keeping my logs
small and more useful, and (b) possibly alerting the infected machine's
user, if they happen to be at all aware, which is doubtful. Now, (a) is a
Good Thing, but is this basically what's happening?
-Mike
At 02:40 PM 9/25/2001 -0600, D. Stimits wrote:
>"J. Wayde Allen" wrote:
> >
> > ---------- Forwarded message ----------
> > Date: Tue, 25 Sep 2001 11:16:09 -0600 (MDT)
> > From: D.J. Atkinson <dj at pcisys.net>
> > To: wallen at its.bldrdoc.gov
> > Subject: Fending off nimda/codered probes.
> >
> > Hi Wayde,
> >
> > This came to me a bit ago and I thought you might want to share it with
> > those on the BLUG list who are having/have had issues with DoS from
> > nimda/codered probes.
> >
> > Basically it suggests using redirects to make those probing look to
> > themselves (127.0.0.1) for the files they're wanting.
> >
> > I'm going to set some redirs up on my box.
>
>One problem with redirects is that clients have to understand the
>redirect. Unless the worm understands redirect, it won't look at itself.
>Has anyone experimented with testing the ability to redirect a nimda
>worm against itself?
>
>D. Stimits, stimits at idcomm.com
>
>
> >
> > DJ
> >
> > --
> > Visit my web page at http://www.pcisys.net/~dj
> >
> > > -----Original Message-----
> > > From: Fulton L. Preston Jr. [mailto:fulton at prestons.org]
> > > Sent: Monday, September 24, 2001 7:01 PM
> > > To: incidents at securityfocus.com
> > > Subject: RE: Tracking down the still infected hosts
> > >
> > >
> > > I implemented the methods below on my IIS and Apache servers and it
> > > knocked all the local Nimda traffic dead in minutes. Nimda traffic from
> > > neighboring ISPs was way down within an hour. Since I am on a cable
> > > modem I can't control the rest of the network around me, but this sure
> > > did shut them noisy infected boxes up in a hurry :)
> > >
> > > The only ones still hitting me (though very slowly now) are workstations
> > > that don't have IIS running but are still infected via other means. The
> > > boxes that are running IIS even stop responding to pings after a while, so
> > > I assume they die after a while.
> > >
> > > It's stuff like this that makes the SecurityFocus mailing lists so darn
> > > useful!
> > >
> > >
> > >
> > > -----Original Message-----
> > > From: Mike Lewinski [mailto:mike at rockynet.com]
> > > Sent: Monday, September 24, 2001 12:29
> > > To: incidents at securityfocus.com
> > > Subject: Re: Tracking down the still infected hosts
> > >
> > >
> > > > Anyone else doing anything to help this?
> > >
> > > I don't think that this has been posted here yet.... The following appears
> > > to cripple infected hosts and limits the damage they can cause. Others who
> > > have used this report that persistent infected hosts disappear from their
> > > logs shortly after applying this configuration change to their own servers,
> > > and that browsing an infected server after applying this results in
> > > "HTTP 403.9 - Access Forbidden: Too many users are connected".
> > >
> > > For Apache:
> > > RedirectMatch (.*)cmd\.exe$ http://127.0.0.1
> > >
> > >
> > > For IIS:
> > >
> > > ----- Original Message -----
> > > From: "Ron Hornbaker" <ron at hksi.net>
> > > To: <imail at hksi.net>
> > > Sent: Friday, September 21, 2001 1:11 PM
> > > Subject: RE: [imail] IIS Judo against Nimda's DoS attacks (was Fwd:
> > > [isp-linux] Buaaa Haaa Ha Haaaaaaaaa...)
> > >
> > >
> > > > Great tip, Len. Here's the IIS version... just create a file in your web
> > > > root called something like "Custom404.asp", with this content (customize
> > > > the friendly part as much as you wish):
> > >
> > > <%
> > > 'Custom404.asp page to thwart Nimda DoS attacks on IIS
> > > 'by Humankind Systems, Inc. http://hksi.net/
> > > 'No support or guarantees of any kind are granted with this
> > > 'code. Use at your own risk. Distribute freely.
> > >
> > > 'Get the entire URL requested. When IIS hands a request to a custom
> > > '404 page, QUERY_STRING carries "404;" followed by the original URL.
> > > myRequest = Request.ServerVariables("QUERY_STRING")
> > >
> > > 'A list of filenames Nimda looks for
> > > myBadList = "cmd.exe,root.exe,admin.dll,default.ida"
> > >
> > > 'Detect a GET request from the Nimda virus and take appropriate action.
> > > 'The comparison is case-insensitive (vbTextCompare) because Windows
> > > 'filenames are; Response.Redirect also ends processing, so the HTML
> > > 'below is only sent for ordinary 404s.
> > > arrBadString = Split(myBadList, ",")
> > > For i = 0 To UBound(arrBadString)
> > >     If InStr(1, myRequest, arrBadString(i), vbTextCompare) > 0 Then
> > >         'turn offending server back on itself
> > >         Response.Redirect "http://127.0.0.1"
> > >     End If
> > > Next
> > > %>
> > > <html>
> > > <head>
> > > <title>Page Not Found</title>
> > > </head>
> > > <body>
> > > Sorry, but that page was not found on our server.
> > > <p>
> > > Here is a link back to our <a href="/">Home Page</a>.
> > > </body>
> > > </html>
> > >
> > >
> > >
> > >
> > > ------------------------------------------------------------------------
> > > This list is provided by the SecurityFocus ARIS analyzer service.
> > > For more information on this free incident handling, management
> > > and tracking system please see: http://aris.securityfocus.com
> > >
> >
> > _______________________________________________
> > Web Page: http://lug.boulder.co.us
> > Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
Michael Deck
Cleanroom Software Engineering, Inc.
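As an added illustration of the question Mike raises above (this is not code from the thread or from any of the posters): a small log check, run over constructed Apache common-log lines, that counts worm probe requests per source address by the status the server returned. A 302 row means the RedirectMatch rule answered the probe; the request still crossed the network and was logged. The filename list is the one from the Custom404.asp in the thread; the sample addresses and paths are made up.

```python
import re
from collections import Counter, defaultdict

# Filenames the thread's Custom404.asp treats as worm probes
PROBE_MARKERS = ("cmd.exe", "root.exe", "admin.dll", "default.ida")

# Apache common log format; the constructed sample below follows it
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def is_probe(path):
    """True if the requested path names one of the worm's target files.
    Matching is case-insensitive because Windows filenames are."""
    lower = path.lower()
    return any(marker in lower for marker in PROBE_MARKERS)


def summarize(lines):
    """Count probe requests per source IP, keyed by the status Apache returned.

    302 means the RedirectMatch rule fired; 404 means the probe reached the
    normal not-found handler. Either way the request traversed the network
    and was logged, which is what the redirect does and does not change.
    Lines that do not parse are skipped rather than counted."""
    per_ip = defaultdict(Counter)
    for line in lines:
        m = LOG_RE.match(line)
        if m is None or not is_probe(m.group("path")):
            continue
        per_ip[m.group("ip")][m.group("status")] += 1
    return {ip: dict(counts) for ip, counts in per_ip.items()}


# Constructed sample: two probing hosts, one ordinary visitor, one malformed line
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Sep/2001:13:05:11 -0600] "GET /scripts/root.exe HTTP/1.0" 404 207',
    '192.0.2.10 - - [25/Sep/2001:13:31:42 -0600] "GET /scripts/CMD.EXE HTTP/1.0" 302 294',
    '198.51.100.7 - - [25/Sep/2001:13:32:05 -0600] "GET /default.ida HTTP/1.0" 302 294',
    '203.0.113.5 - - [25/Sep/2001:13:33:00 -0600] "GET /index.html HTTP/1.0" 200 1043',
    '192.0.2.10 - - [25/Sep/2001:13:34:19 -0600] "GET /scripts/root.exe HTTP/1.0" 302 294',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for ip, counts in sorted(summarize(SAMPLE_LOG).items()):
        print(ip, counts)
```

Running it over a real access log (one line per list entry) shows whether probes stopped arriving or merely changed from 404 to 302 in the log.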