[NTLUG:Discuss] RE: [NTLUG:Discuss]
Daniel Hauck
xdesign at hotmail.com
Wed Sep 19 06:40:16 CDT 2001
Could you show us the ipchains version of this code?
----- Original Message -----
From: "Paul Ingendorf" <pauldy at wantek.net>
To: <discuss at ntlug.org>
Sent: Wednesday, September 19, 2001 5:19 AM
Subject: [NTLUG:Discuss] RE: [NTLUG:Discuss]
> http://www.sarc.com/avcenter/venc/data/w32.nimda.a@mm.html
>
> This is the one you want to look at. Also for those of you running Linux
> webservers just run something like the following.
>
> #!/bin/bash
> youraccesslog=access_log
> # Fixed-string match (-F) so the % and ? in the probe need no escaping,
> # and the awk program is quoted so the shell does not mangle it.
> for ip in `grep -F '/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir' $youraccesslog | awk '{print $1}' | sort | uniq`
> do
> iptables -D INPUT -p TCP -s $ip/32 --dport 80 -j REJECT
> iptables -A INPUT -p TCP -s $ip/32 --dport 80 -j REJECT
> done
>
> Assuming you don't have any other iptables rules installed, like one that
> explicitly accepts port 80 requests, this should go through your log files
> and deny access to the IPs that are affected by the new Nimda worm. Also
> you might need to change the $1 to 2 or 3 or 4 if you have custom logs
> set up. The first line removes possible previous defs and the second adds
> it. This enables you to run the script multiple times and not fill your
> iptables with junk without tracking what's in there already. I ran it last
> night around 7pm and haven't seen any of those requests since. Also it
> apparently crashes some Linux machines with FrontPage utils installed.
>
> --
> -->> mailto:pauldy at wantek.net
> -->> http://www.wantek.net/
>