[NTLUG:Discuss] RE: [NTLUG:Discuss]

Paul Ingendorf pauldy at wantek.net
Wed Sep 19 06:59:39 CDT 2001


Here is the ipchains version.

#!/bin/bash
logfile="access_log"
# Match the probe URL as a fixed string (-F) so '?', '+' and the %xx sequences are literal;
# as a basic regex, \? and \+ are quantifiers and the pattern would not match the log line.
for ip in $(grep -F '/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir' "$logfile" | awk '{print $1}' | sort -u)
	do
		# -D drops any rule left by an earlier run (quietly fails if none), -A adds it back
		ipchains -D input -p 6 -s "$ip"/32 --destination-port 80 -j REJECT 2>/dev/null
		ipchains -A input -p 6 -s "$ip"/32 --destination-port 80 -j REJECT
	done

I just run these on the hour now via a cron job.

-- 
-->> mailto:pauldy at wantek.net
-->> http://www.wantek.net/
Running ....... Cos anything else would be a waste...
`:::'                  .......  ......
 :::  *                  `::.    ::'
 ::: .::  .:.::.  .:: .::  `::. :'
 :::  ::   ::  ::  ::  ::    :::.
 ::: .::. .::  ::.  `::::. .:'  ::.
.:::.....................::'   .::::..


-----Original Message-----
From: discuss-admin at ntlug.org [mailto:discuss-admin at ntlug.org] On Behalf Of Daniel Hauck
Sent: Wednesday, September 19, 2001 6:40 AM
To: discuss at ntlug.org
Subject: Re: [NTLUG:Discuss] RE: [NTLUG:Discuss]


Could you show us the ipchains version of this code?

----- Original Message -----
From: "Paul Ingendorf" <pauldy at wantek.net>
To: <discuss at ntlug.org>
Sent: Wednesday, September 19, 2001 5:19 AM
Subject: [NTLUG:Discuss] RE: [NTLUG:Discuss]


> http://www.sarc.com/avcenter/venc/data/w32.nimda.a@mm.html
>
> This is the one you want to look at.  Also for those of you running Linux
> webservers just run something like the following.
>
> #!/bin/bash
> youraccesslog=access_log
> # -F matches the probe URL as a fixed string, so '?', '+' and the %xx sequences are literal
> for ip in $(grep -F '/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir' "$youraccesslog" | awk '{print $1}' | sort -u)
> do
> # -D drops any rule left by an earlier run (quietly fails if none), -A adds it back
> iptables -D INPUT -p TCP -s "$ip"/32 --dport 80 -j REJECT 2>/dev/null
> iptables -A INPUT -p TCP -s "$ip"/32 --dport 80 -j REJECT
> done
>
> Assuming you don't have any other iptables installed, like one that
> explicitly accepts port 80 requests, this should go through your log files
> and deny access to the IPs that are affected by the new Nimda worm.  Also
> you might need to change the $1 to 2 or 3 or 4 if you have custom logs
> set up.  The first line removes possible previous defs and the second adds
> it.  This enables you to run the script multiple times and not fill your
> iptables with junk without tracking what's in there already.  I ran it last
> night around 7pm and haven't seen any of those requests since.  Also it
> apparently crashes some Linux machines with frontpage utils installed.
>
_______________________________________________
http://www.ntlug.org/mailman/listinfo/discuss
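A reworking of the two scripts in this thread (the ipchains one and the quoted iptables one) as an added example, not code from either post: it matches the probe URL as a fixed string, takes the IP column as a parameter for custom log formats, and prints the rules instead of running them so it can be checked against a constructed sample log without root. It goes slightly beyond the posts by also matching the worm's root.exe probe; the sample log lines and addresses are made up.

```shell
#!/bin/bash
# Added example (not the list posts' own script): extract the source IPs of
# Nimda-style probe requests from a combined-format access log and print,
# rather than execute, the firewall rules that would block them.

# nimda_ips LOGFILE [FIELD]: unique client IPs of matching requests.
# -F matches fixed strings, so '?', '+' and the %xx sequences are literal
# (as a regex, \? and \+ are quantifiers and the posts' pattern never matches).
# FIELD is the whitespace-separated column holding the client address:
# 1 for the default combined format, 2..4 for some custom formats.
# Beyond the posts, the worm's root.exe probe is matched as well.
nimda_ips() {
    local logfile="$1" field="${2:-1}"
    grep -F -e '/winnt/system32/cmd.exe?/c+dir' -e '/root.exe?/c+dir' "$logfile" \
        | awk -v f="$field" '{print $f}' | sort -u
}

# block_rules LOGFILE [FIELD] [iptables|ipchains]: one delete+append pair per
# IP, as in the posts, so repeated runs do not pile up duplicate rules.
block_rules() {
    local logfile="$1" field="${2:-1}" tool="${3:-iptables}" ip
    for ip in $(nimda_ips "$logfile" "$field"); do
        case "$tool" in
            ipchains)
                echo "ipchains -D input -p 6 -s $ip/32 --destination-port 80 -j REJECT"
                echo "ipchains -A input -p 6 -s $ip/32 --destination-port 80 -j REJECT" ;;
            *)
                echo "iptables -D INPUT -p tcp -s $ip/32 --dport 80 -j REJECT"
                echo "iptables -A INPUT -p tcp -s $ip/32 --dport 80 -j REJECT" ;;
        esac
    done
}

# Constructed sample log (not real traffic): two probing hosts, one benign.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
192.0.2.10 - - [18/Sep/2001:19:02:11 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 281
192.0.2.10 - - [18/Sep/2001:19:02:12 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 277
198.51.100.7 - - [18/Sep/2001:19:05:40 -0500] "GET /index.html HTTP/1.0" 200 1234
203.0.113.5 - - [18/Sep/2001:19:07:03 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 277
EOF

# Dry run: prints four ipchains lines (two per probing host).
block_rules "$SAMPLE_LOG" 1 ipchains
```

To apply the rules for real, pipe the output into sh as root after reviewing it; the benign host never appears in it.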