2001-Sep-18
Read a posting about some strange network activity, so I looked at my Apache error logs:
[Tue Sep 18 09:31:42 2001] [error] [client 63.68.63.200] File does not exist: /home/p/pilchuck/public_html/scripts/..Áœ../winnt/system32/cmd.exe
[Tue Sep 18 09:31:44 2001] [error] [client 63.68.63.200] File does not exist: /home/p/pilchuck/public_html/scripts/..%5c../winnt/system32/cmd.exe
[Tue Sep 18 09:31:45 2001] [error] [client 63.68.63.200] File does not exist: /home/p/pilchuck/public_html/scripts/..%2f../winnt/system32/cmd.exe

So I set up some ipchains rules:
pilchuck:/home/r/reedmedia.net/public_html/misc# ipchains -A input -i eth0 -p tcp -s 63.145.0.0/255.255.0.0 --destination-port 80 -j DENY
pilchuck:/home/r/reedmedia.net/public_html/misc# ipchains -L -n
Chain input (policy ACCEPT):
target     prot opt     source                destination           ports
DENY       tcp  ------  63.238.0.0/16         0.0.0.0/0             * ->   80
DENY       tcp  ------  63.114.0.0/16         0.0.0.0/0             * ->   80
DENY       tcp  ------  63.145.0.0/16         0.0.0.0/0             * ->   80

You can test like:
pilchuck:/home/r/reedmedia.net/public_html/misc# ipchains -C input -s 63.145.242.2 32876 -d 0.0.0.0/0 80 -p tcp -i eth0
denied

It looks like "scripts/root.exe" is the first file requested. Here is a one-line script I am using right now:
tail -n 1 -f /var/log/apache/error.log | perl -e 'while (<>) { if ($_ =~ /client (\d+\.\d+\.\d+\.\d+)\] File does not exist: .*scripts\/root\.exe/) { print "\n$_"; system ("/sbin/ipchains -v -A input -i eth0 -p tcp -s $1/255.255.0.0 --destination-port 80 -j DENY"); } }'
* blocking Nimda Worm (http)
tail -n 1 -f /var/log/apache/error_log | perl -e 'while (<>) { if ($_ =~ /client (\d+\.\d+\.\d+\.\d+)\] File does not exist: .*scripts\/root\.exe/) { print "\n$_"; system ("/sbin/route add -net $1 -netmask 255.255.255.0 127.1 -blackhole"); } }'
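As an added example (not the page's own code), the detection logic of the two one-liners above, written in Python rather than Perl and run over a few constructed Apache error_log lines. It matches requests for root.exe and cmd.exe, the two probe paths the log above shows, whatever traversal encoding precedes them, collects the probing clients, collapses them to the network size each one-liner blocks (a /16 for the ipchains rule, a /24 for the blackhole route) and emits the commands instead of executing them, so the rule set can be reviewed before anything is applied. The sample log lines, the client addresses and the eth0 interface are assumptions.

```python
import re
from ipaddress import IPv4Address, IPv4Network

# Constructed sample error_log lines in Apache 1.3 format (not taken from the
# page; the client addresses are illustrative). Two clients request the worm
# probe paths, one requests an ordinary missing file.
SAMPLE_LOG = """\
[Tue Sep 18 09:31:42 2001] [error] [client 63.68.63.200] File does not exist: /home/p/pilchuck/public_html/scripts/..%5c../winnt/system32/cmd.exe
[Tue Sep 18 09:31:45 2001] [error] [client 63.68.63.200] File does not exist: /home/p/pilchuck/public_html/scripts/..%2f../winnt/system32/cmd.exe
[Tue Sep 18 09:32:10 2001] [error] [client 10.1.2.3] File does not exist: /home/p/pilchuck/public_html/scripts/root.exe
[Tue Sep 18 09:33:01 2001] [error] [client 10.1.2.3] File does not exist: /home/p/pilchuck/public_html/MSADC/root.exe
[Tue Sep 18 09:35:22 2001] [error] [client 192.0.2.77] File does not exist: /home/p/pilchuck/public_html/favicon.ico
[Tue Sep 18 09:36:00 2001] [error] [client 198.51.100.9] File does not exist: /home/p/pilchuck/public_html/_vti_bin/..%255c../winnt/system32/cmd.exe
"""

# Apache error_log "File does not exist" line: capture the client IP and the path.
ERROR_RE = re.compile(r"\[client (\d{1,3}(?:\.\d{1,3}){3})\] File does not exist: (\S+)")

# Probe signature: any request whose basename is root.exe or cmd.exe, regardless
# of the traversal encoding in front of it (..%5c.., ..%2f.., ..%c1%9c.., ..%255c..).
# Matching the basename avoids enumerating every encoding variant.
PROBE_RE = re.compile(r"/(?:root|cmd)\.exe$", re.IGNORECASE)


def nimda_probes(log_text):
    """Return [(client_ip, requested_path), ...] for every probe line."""
    hits = []
    for line in log_text.splitlines():
        m = ERROR_RE.search(line)
        if m and PROBE_RE.search(m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits


def networks_to_block(log_text, prefixlen=16):
    """Collapse probing clients to /prefixlen networks, deduplicated and sorted.

    The one-liners run the firewall command once per matching log line, so the
    same network gets added again for every hit; deduplicating here keeps one
    rule per network.
    """
    nets = {IPv4Network(f"{ip}/{prefixlen}", strict=False) for ip, _ in nimda_probes(log_text)}
    return sorted(nets)


def ipchains_rules(log_text, prefixlen=16, iface="eth0"):
    """ipchains DENY rules in the form the first one-liner uses (returned, not executed)."""
    return [
        f"/sbin/ipchains -A input -i {iface} -p tcp -s {n.network_address}/{n.netmask} "
        f"--destination-port 80 -j DENY"
        for n in networks_to_block(log_text, prefixlen)
    ]


def blackhole_routes(log_text, prefixlen=24):
    """BSD blackhole routes in the form the second one-liner uses (returned, not executed)."""
    return [
        f"/sbin/route add -net {n.network_address} -netmask {n.netmask} 127.1 -blackhole"
        for n in networks_to_block(log_text, prefixlen)
    ]


def would_be_denied(nets, client_ip):
    """Offline equivalent of `ipchains -C`: is this client inside a blocked network?"""
    addr = IPv4Address(client_ip)
    return any(addr in n for n in nets)


if __name__ == "__main__":
    for rule in ipchains_rules(SAMPLE_LOG):
        print(rule)
    for route in blackhole_routes(SAMPLE_LOG):
        print(route)
    print(would_be_denied(networks_to_block(SAMPLE_LOG), "63.68.1.1"))
```

Two things worth keeping in mind when using this against a live log. Blocking a whole /16 per probing host, as the first one-liner does, denies every customer of that provider port 80 until the rule is removed, so review the generated list rather than appending it blindly. And the "Áœ" in the first log line above is Apache writing out the decoded bytes of `..%c1%9c..`, the overlong UTF-8 encoding of a backslash: byte 0xC1 renders as Á and 0x9C as œ, which is why the basename match here is more robust than matching on the traversal sequence.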