[lug] Fending off nimda/codered probes. (fwd)
Justin
glow at jackmoves.com
Wed Sep 26 08:30:13 MDT 2001
I just want to clarify real quick on what exactly to put in your Apache
httpd.conf (I'm totally unfamiliar with redirects). I looked at the
Apache docs on redirects but just want to be sure. Do I add the line
exactly as follows to my httpd.conf?
RedirectMatch (.*)\cmd.exe$ http://127.0.0.1
Thanks for any help...
Justin
> This is a thing of beauty! I put in the redirect at 1:30pm after seeing
> about 10 hits/hour for Nimda requests, and since then there are no hits at
> all from them.
>
> But isn't this sort of a mask? The traffic is still showing up on my
> network, going through my IP forwarding box, arriving at my Apache server,
> and going back out, right? So what this is doing is (a) keeping my logs
> small and more useful, and (b) possibly alerting the infected machine's
> user if they happen to be at all aware which is doubtful. Now, (a) is a
> Good Thing, but is this basically what's happening?
>
> -Mike
>
> At 02:40 PM 9/25/2001 -0600, D. Stimits wrote:
> >"J. Wayde Allen" wrote:
> > >
> > > ---------- Forwarded message ----------
> > > Date: Tue, 25 Sep 2001 11:16:09 -0600 (MDT)
> > > From: D.J. Atkinson <dj at pcisys.net>
> > > To: wallen at its.bldrdoc.gov
> > > Subject: Fending off nimda/codered probes.
> > >
> > > Hi Wayde,
> > >
> > > This came to me a bit ago and I thought you might want to share it with
> > > those on the BLUG list who are having/have had issues with DoS from
> > > nimda/codered probes.
> > >
> > > Basically it suggests using redirects to make those probing look to
> > > themselves (127.0.0.1) for the files they're wanting.
> > >
> > > I'm going to set some redirs up on my box.
> >
> >One problem with redirects is that clients have to understand the
> >redirect. Unless the worm understands redirect, it won't look at itself.
> >Has anyone experimented with testing the ability to redirect a nimda
> >worm against itself?
> >
> >D. Stimits, stimits at idcomm.com
> >
> >
> > >
> > > DJ
> > >
> > > --
> > > Visit my web page at http://www.pcisys.net/~dj
> > >
> > > > -----Original Message-----
> > > > From: Fulton L. Preston Jr. [mailto:fulton at prestons.org]
> > > > Sent: Monday, September 24, 2001 7:01 PM
> > > > To: incidents at securityfocus.com
> > > > Subject: RE: Tracking down the still infected hosts
> > > >
> > > >
> > > > I implemented the methods below on my IIS and Apache servers and it
> > > > knocked all the local Nimda traffic dead in minutes. Nimda traffic from
> > > > neighboring ISPs was way down within an hour. Since I am on a cable
> > > > modem I can't control the rest of the network around me but this sure
> > > > did shut them noisy infected boxes up in a hurry :)
> > > >
> > > > The only ones still hitting me (though very slowly now) are workstations
> > > > that don't have IIS running but are still infected via other means. The
> > > > boxes that are running IIS even stop responding to pings after awhile so
> > > > I assume they die after awhile.
> > > >
> > > > It's stuff like this that makes the SecurityFocus mailing lists so darn
> > > > useful!
> > > >
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: Mike Lewinski [mailto:mike at rockynet.com]
> > > > Sent: Monday, September 24, 2001 12:29
> > > > To: incidents at securityfocus.com
> > > > Subject: Re: Tracking down the still infected hosts
> > > >
> > > >
> > > > > Anyone else doing anything to help this?
> > > >
> > > > I don't think that this has been posted here yet.... The following
> > > > appears to cripple infected hosts and limits the damage they can cause.
> > > > Others who have used this report that persistent infected hosts disappear
> > > > from their logs shortly after applying this configuration change to their
> > > > own servers, and that browsing an infected server after applying this
> > > > results in "HTTP 403.9 - Access Forbidden: Too many users are connected"
> > > >
> > > > For Apache:
> > > > RedirectMatch (.*)\cmd.exe$ http://127.0.0.1
> > > >
> > > >
> > > > For IIS:
> > > >
> > > > ----- Original Message -----
> > > > From: "Ron Hornbaker" <ron at hksi.net>
> > > > To: <imail at hksi.net>
> > > > Sent: Friday, September 21, 2001 1:11 PM
> > > > Subject: RE: [imail] IIS Judo against Nimda's DoS attacks (was Fwd:
> > > > [isp-linux] Buaaa Haaa Ha Haaaaaaaaa...)
> > > >
> > > >
> > > > > Great tip, Len. Here's the IIS version... just create a file in your
> > > > > web root called something like "Custom404.asp", with this content
> > > > > (customize the friendly part as much as you wish):
> > > >
> > > > <%
> > > > 'Custom404.asp page to thwart Nimda DoS attacks on IIS
> > > > 'by Humankind Systems, Inc. http://hksi.net/
> > > > 'No support or guarantees of any kind are granted with this
> > > > 'code. Use at your own risk. Distribute freely.
> > > >
> > > > 'Get the entire URL requested
> > > > myRequest=Request.ServerVariables("QUERY_STRING")
> > > >
> > > > 'A list of filenames Nimda looks for
> > > > myBadList="cmd.exe,root.exe,admin.dll,default.ida"
> > > >
> > > > 'Detect a GET request from the Nimda virus and take appropriate action
> > > > arrBadString=Split(myBadList,",")
> > > > for i=0 to UBound(arrBadString)
> > > >     if inStr(myRequest,arrBadString(i))>0 then
> > > >         'turn offending server back on itself
> > > >         Response.redirect "http://127.0.0.1"
> > > >     end if
> > > > next
> > > > %>
> > > > <html>
> > > > <head>
> > > > <title>Page Not Found</title>
> > > > </head>
> > > > <body>
> > > > Sorry, but that page was not found on our server.
> > > > <p>
> > > > Here is a link back to our <a href="/">Home Page</a>.
> > > > </body>
> > > > </html>
> > > >
> > > >
> > > >
> > > >
> > > > ------------------------------------------------------------------------
> > > > This list is provided by the SecurityFocus ARIS analyzer
service.
> > > > For more information on this free incident handling, management
> > > > and tracking system please see: http://aris.securityfocus.com
> > > >
> > >
> > > _______________________________________________
> > > Web Page: http://lug.boulder.co.us
> > > Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
>
>
> Michael Deck
> Cleanroom Software Engineering, Inc.
>
>
>
>
-----
glow at jackmoves.com
www.jackmoves.com
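As a check on whether the RedirectMatch rule quoted in the thread is actually firing, here is an added example (not from any poster) that scans Apache common-format access log lines for the probe filenames listed in the ASP page (cmd.exe, root.exe, admin.dll, default.ida) and reports, per source host, which status codes those probes received; the log lines are constructed samples, not real traffic.

```python
import re
from collections import Counter, defaultdict

# Filenames the thread's ASP page lists as Nimda/Code Red probe targets.
PROBE_FILES = ("cmd.exe", "root.exe", "admin.dll", "default.ida")

# Apache common log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: \S+)?" (?P<status>\d{3}) (?P<bytes>\S+)'
)

# Constructed sample log lines (not real traffic). 302 means a redirect
# rule answered the probe; 404 means the server served a normal not-found.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Sep/2001:13:31:02 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 302 221
10.0.0.5 - - [25/Sep/2001:13:31:03 -0600] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 221
10.0.0.9 - - [25/Sep/2001:13:32:10 -0600] "GET /default.ida?XXXXXXXXXXXX HTTP/1.0" 404 280
10.0.0.9 - - [25/Sep/2001:13:32:11 -0600] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 280
192.0.2.7 - - [25/Sep/2001:13:33:00 -0600] "GET /index.html HTTP/1.1" 200 1532
"""

def is_probe(path):
    """True if the request path (query string stripped, lowercased) ends in a probe file."""
    base = path.split("?", 1)[0].lower()
    return any(base.endswith("/" + name) for name in PROBE_FILES)

def summarize(log_text):
    """Return {host: {status: count}} counting probe requests only."""
    report = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in common log format
        if is_probe(m.group("path")):
            report[m.group("host")][m.group("status")] += 1
    return {host: dict(counts) for host, counts in report.items()}

def unredirected_probes(report):
    """Hosts whose probes got anything other than a 302: the redirect did not fire."""
    return sorted(host for host, counts in report.items()
                  if any(status != "302" for status in counts))

if __name__ == "__main__":
    rep = summarize(SAMPLE_LOG)
    for host, statuses in sorted(rep.items()):
        print(host, statuses)
    print("probes not redirected from:", unredirected_probes(rep))
```

Note that the Apache rule in the thread only matches paths ending in cmd.exe, so Code Red's default.ida probes (present in the ASP list but not in the RedirectMatch) will keep showing up as 404s in this report even once the rule is in place.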