Home page logo

bugtraq logo Bugtraq mailing list archives

Re: Blocking Nimda and kin
From: Peter W <peterw () usa net>
Date: Thu, 8 Nov 2001 17:46:53 -0500

On Tue, Nov 06, 2001 at 07:43:56PM -0700, Brett Glass wrote:

Just thought the denizens of the Bugtraq list might be interested in a 
quick fix for Apache which instantly blocks Nimda (all variants), Code 
Red, sadmind/IIS, and kin.

To quickly blackhole the worms, just add the following to your logging 
configuration in Apache's httpd.conf file.

SetEnvIf Request_URI "/winnt/system32/cmd\.exe" nimda

CustomLog "|exec sh" "route -nq add -host %400,404a -blackhole"  env=nimda

This is very cool stuff. So I can get someone to view an HTML page|email
with code like <img alt="" height="0" width="0" hspace="0" vspace="0"
src="http://brettglass.example.com/winnt/system32/cmd.exe";>, I can easily
prevent them, or anyone else coming from the same space, from reaching your
Web server. Get some AOL users to read the messages and bye-bye to all the
AOL proxy server traffic. Get lots of usenet "victims", and even if they
don't care about your Web site, man, your routing table suddenly looks bad.

Very (un)cool.


P.S. If that exec sh route thing actually works, does that mean your httpd 
is running as root? Or is "route" a SUID wrapper, so the httpd user only has 
the ability to wreck your routing table? Just curious.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]