Home page logo

bugtraq logo Bugtraq mailing list archives

Blocking Nimda and kin
From: Brett Glass <brett () lariat org>
Date: Tue, 06 Nov 2001 19:43:56 -0700

Just thought the denizens of the Bugtraq list might be interested in a quick fix for Apache which instantly blocks Nimda (all variants), Code Red, sadmind/IIS, and kin. (I don't use IIS, but cobbled this up after watching in annoyance as my Apache Web server logs blew up with endless probes from the worms.)

To quickly blackhole the worms, just add the following to your logging configuration in Apache's httpd.conf file. Note that this particular version (written for FreeBSD) doesn't assume the presence of a firewall; it installs a blackhole route to block the offending machine. It allows the first SYN through, but disrupts the TCP three-way handshake so that the session is never established. It's more efficient to firewall the infected host either on the local machine or at the upstream router; to do this, just change the last line.

--Brett Glass

# Flag requests for URIs containing known strings from
# Nimda-like worms (including Code Red, sadmind/IIS)
# Note that the patterns below are regexes; escape your dots!

SetEnvIf Request_URI "/winnt/system32/cmd\.exe" nimda
SetEnvIf Request_URI "/scripts/root\.exe" nimda
SetEnvIf Request_URI "/MSADC/root\.exe" nimda
SetEnvIf Request_URI "/\.\." nimda
SetEnvIf Request_URI "\.\./" nimda

# Block attackers who send the patterns above (and get a 400 or 404 response)
# via the routing table. It's more efficient to firewall (the command
# will vary depending upon the firewall in use) or use SSH to add rules to
# an upstream firewall to block the attacker. If several commands must
# be executed, it may be best to invoke a script rather than doing
# all the work from within httpd.conf.

CustomLog "|exec sh" "route -nq add -host %400,404a -blackhole" env=nimda

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]