[NTLUG:Discuss] RE: [NTLUG:Discuss]
Paul Ingendorf
pauldy at wantek.net
Wed Sep 19 05:19:50 CDT 2001
http://www.sarc.com/avcenter/venc/data/w32.nimda.a@mm.html
This is the one you want to look at. Also, for those of you running Linux web servers, just run something like the following.
#!/bin/bash
youraccesslog=access_log
# Match the probe URI literally (-F); with a regex the '?' and '+' would be treated as quantifiers.
for ip in $(grep -F '/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir' "$youraccesslog" | awk '{print $1}' | sort -u)
do
  # Delete any rule left by an earlier run (silently, if none exists), then add it once.
  iptables -D INPUT -p TCP -s "$ip/32" --dport 80 -j REJECT 2>/dev/null
  iptables -A INPUT -p TCP -s "$ip/32" --dport 80 -j REJECT
done
Assuming you don't have any other iptables rules installed, like one that explicitly accepts port 80 requests, this should go through your log files and deny access to the IPs that are affected by the new Nimda worm. Also, you might need to change the $1 to $2, $3 or $4 if you have custom logs set up. The first line removes possible previous defs and the second adds it. This enables you to run the script multiple times and not fill your iptables with junk, without tracking what's in there already. I ran it last night around 7pm and haven't seen any of those requests since. Also, it apparently crashes some Linux machines with FrontPage utils installed.
--
-->> mailto:pauldy at wantek.net
-->> http://www.wantek.net/
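The same log-to-firewall idea as the script in the post, written here as an added example that is not the poster's code: it pulls the client IPs of Nimda-style probes out of a Common Log Format access log and prints the iptables rules it would apply instead of running them, so the list can be reviewed first. The field-number argument covers the "change the $1" case for custom log formats. Two things are assumptions beyond the post: matching any request for winnt/system32/cmd.exe rather than only the single encoded URI quoted above (a cmd.exe request to a Linux web server is never legitimate), and the sample log lines, which are constructed for the example using documentation address ranges.

```bash
#!/bin/bash
# Added example: detect Nimda-style cmd.exe probes in an Apache access log
# and emit (not execute) the iptables rules that would block the sources.
# Sample log data below is constructed, not captured traffic.

# Broader than the one URI in the post (assumption): any request for the
# Windows command interpreter, whatever traversal encoding precedes it.
NIMDA_PATTERN='winnt/system32/cmd\.exe'

# Print the unique client IPs whose requests match the pattern.
# $1 = path to access log, $2 = log field holding the client IP (default 1,
# which is correct for the default Apache "common" format).
nimda_ips() {
  local log="$1" field="${2:-1}"
  grep -E "$NIMDA_PATTERN" "$log" | awk -v f="$field" '{print $f}' | sort -u
}

# Emit a delete+append pair per IP, so the output stays idempotent when it is
# eventually piped to sh: re-running never stacks duplicate rules.
nimda_rules() {
  nimda_ips "$@" | while read -r ip; do
    printf 'iptables -D INPUT -p tcp -s %s/32 --dport 80 -j REJECT 2>/dev/null\n' "$ip"
    printf 'iptables -A INPUT -p tcp -s %s/32 --dport 80 -j REJECT\n' "$ip"
  done
}

# Constructed sample log: one host probing twice, one normal visitor, and a
# second probing host. Only the two probing hosts should be reported.
sample_log() {
  cat <<'EOF'
192.0.2.10 - - [18/Sep/2001:19:02:11 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 283
192.0.2.10 - - [18/Sep/2001:19:02:12 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 283
198.51.100.7 - - [18/Sep/2001:19:05:40 -0500] "GET /index.html HTTP/1.1" 200 1043
203.0.113.99 - - [18/Sep/2001:19:07:03 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 283
EOF
}

# Usage against a real log (review the output before piping it to sh):
#   nimda_rules /var/log/httpd/access_log        # default: IP in field 1
#   nimda_rules /var/log/httpd/access_log 2      # custom format, IP in field 2
```

Printing the rules rather than applying them is the only behavioural difference from the post's script; once the list looks right, the output can be fed to `sh`, and the delete-before-append pairing keeps repeated runs from piling up duplicate REJECT rules.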