Blocking Nimda and kin
From: Brett Glass <brett () lariat org>
Date: Tue, 06 Nov 2001 19:43:56 -0700
Just thought the denizens of the Bugtraq list might be interested in a
quick fix for Apache which instantly blocks Nimda (all variants), Code
Red, sadmind/IIS, and kin. (I don't use IIS, but cobbled this up after
watching in annoyance as my Apache Web server logs blew up with endless
probes from the worms.)
To quickly blackhole the worms, just add the following to your logging
configuration in Apache's httpd.conf file. Note that this particular
version (written for FreeBSD) doesn't assume the presence of a firewall;
it installs a blackhole route to block the offending machine. It allows
the first SYN through, but disrupts the TCP three-way handshake so that
the session is never established. It's more efficient to firewall the
infected host either on the local machine or at the upstream router; to
do this, just change the last line.
# Flag requests for URIs containing known strings from
# Nimda-like worms (including Code Red, sadmind/IIS)
# Note that the patterns below are regexes; escape your dots!
SetEnvIf Request_URI "/winnt/system32/cmd\.exe" nimda
SetEnvIf Request_URI "/scripts/root\.exe" nimda
SetEnvIf Request_URI "/MSADC/root\.exe" nimda
SetEnvIf Request_URI "/\.\." nimda
SetEnvIf Request_URI "\.\./" nimda
# Block attackers who send the patterns above (and get a 400 or 404 response)
# via the routing table. The env=nimda clause restricts this log to requests
# flagged above; the conditional %400,404a writes the client address only
# when the status was 400 or 404 and "-" otherwise, which is not a valid
# host, so nothing that was actually served gets blackholed.
# It's more efficient to firewall (the command
# will vary depending upon the firewall in use) or use SSH to add rules to
# an upstream firewall to block the attacker. If several commands must
# be executed, it may be best to invoke a script rather than doing
# all the work from within httpd.conf.
CustomLog "|exec sh" "route -nq add -host %400,404a 127.0.0.1 -blackhole" env=nimda
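The comment above suggests invoking a script instead of running route from the log pipe. The script below is an added example, not part of the original post, of what such a companion script could look like. It assumes a hypothetical path /usr/local/sbin/blackhole.sh, a state file /var/run/nimda-blocked, and a CustomLog format that emits only the conditional address, e.g. CustomLog "|/usr/local/sbin/blackhole.sh --from-apache" "%400,404a" env=nimda. The points it adds over the one-liner: it validates each log token before anything reaches a command line, refuses to blackhole loopback or the unspecified address, remembers what it already blocked so repeat probes do not pile up failed route commands, and lets you swap the route call for a firewall or ssh command in one place.

```shell
#!/bin/sh
# blackhole.sh: hypothetical companion script for the CustomLog pipe above
# (added example, not part of the original post). Apache writes one client
# address per line ("-" when the status was not 400/404); this script
# validates each token, skips loopback and already-blocked hosts, and then
# runs the blocking command once per new attacker.

BLOCKED="${BLOCKED:-/var/run/nimda-blocked}"        # assumed state file, one address per line
ROUTE_CMD="${ROUTE_CMD:-route -nq add -host}"       # FreeBSD route(8); swap in ipfw/pf or an ssh command here

# is_ipv4 ADDR: succeed only for a dotted quad of four octets 0-255.
# Rejects "", "-", names, and anything with shell metacharacters, so an
# untrusted log token never reaches the command line unvalidated.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# block_once ADDR: blackhole ADDR exactly once. Returns 0 when a route was
# added, 1 when ADDR was rejected or the command failed, 2 when ADDR was
# already blocked.
block_once() {
    addr=$1
    is_ipv4 "$addr" || return 1
    case "$addr" in
        127.*|0.*) return 1 ;;                     # never blackhole loopback/unspecified
    esac
    if [ -f "$BLOCKED" ] && grep -qxF "$addr" "$BLOCKED"; then
        return 2
    fi
    # $ROUTE_CMD is word-split on purpose; $addr is quoted and already validated.
    $ROUTE_CMD "$addr" 127.0.0.1 -blackhole || return 1
    printf '%s\n' "$addr" >> "$BLOCKED"
}

# process_log: read addresses from stdin (Apache's log pipe) until it closes.
process_log() {
    while IFS= read -r addr; do
        block_once "$addr" || :                    # keep reading on reject/duplicate
    done
}

# Only consume stdin when started by Apache with this flag, so the functions
# can be sourced or tested without blocking on a terminal.
if [ "${1:-}" = "--from-apache" ]; then
    process_log
fi
```

Apache starts piped log programs from its parent process, which is the one that bound port 80 as root, so the script has the privilege it needs to change the routing table and must be owned and writable by root only for the same reason. To move the block to an upstream firewall, set ROUTE_CMD to a command that takes the address as its next argument (or wrap one in a small function) rather than editing the call site.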