Re: Blocking Nimda and kin
From: Peter W <peterw () usa net>
Date: Thu, 8 Nov 2001 17:46:53 -0500
On Tue, Nov 06, 2001 at 07:43:56PM -0700, Brett Glass wrote:
> Just thought the denizens of the Bugtraq list might be interested in a
> quick fix for Apache which instantly blocks Nimda (all variants), Code
> Red, sadmind/IIS, and kin.
> To quickly blackhole the worms, just add the following to your logging
> configuration in Apache's httpd.conf file.
> SetEnvIf Request_URI "/winnt/system32/cmd\.exe" nimda
> CustomLog "|exec sh" "route -nq add -host %400,404a 127.0.0.1 -blackhole" env=nimda
This is very cool stuff. So I can get someone to view an HTML page|email
with code like <img alt="" height="0" width="0" hspace="0" vspace="0"
src="http://brettglass.example.com/winnt/system32/cmd.exe">, I can easily
prevent them, or anyone else coming from the same space, from reaching your
Web server. Get some AOL users to read the messages and bye-bye to all the
AOL proxy server traffic. Get lots of usenet "victims", and even if they
don't care about your Web site, man, your routing table suddenly looks bad.
P.S. If that exec sh route thing actually works, does that mean your httpd
is running as root? Or is "route" a SUID wrapper, so the httpd user only has
the ability to wreck your routing table? Just curious.
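As an added, defender-side example (not code from either poster), a Python sketch of the log-driven policy the posted config implements next to a guarded version that answers the reflected-request problem raised in the reply: it only blocks after several matching requests inside a short window and never acts on address ranges you have marked as shared egress. The log lines, addresses and the allowlist range are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Same request pattern the posted SetEnvIf keys on; statuses mirror its %400,404a.
WORM_URI = re.compile(r"/winnt/system32/cmd\.exe")
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# Constructed Apache access-log lines (not from the original post): 192.0.2.10 acts like
# a worm scanner; 198.51.100.7 stands in for a shared proxy that made one reflected request.
SAMPLE_LOG = [
    '192.0.2.10 - - [08/Nov/2001:17:46:53 -0500] "GET /scripts/../../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 278',
    '192.0.2.10 - - [08/Nov/2001:17:46:54 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 278',
    '192.0.2.10 - - [08/Nov/2001:17:46:55 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 278',
    '198.51.100.7 - - [08/Nov/2001:17:50:01 -0500] "GET /winnt/system32/cmd.exe HTTP/1.0" 404 278',
    '198.51.100.7 - - [08/Nov/2001:17:50:02 -0500] "GET /index.html HTTP/1.0" 200 1043',
]
# Constructed allowlist: egress ranges too widely shared to ever blackhole automatically.
NEVER_BLOCK = [ip_network("198.51.100.0/24")]


def parse_line(line):
    """Return (ip, timestamp, uri, status) for a combined-log line, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, _method, uri, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), uri, int(status)


def is_trigger(rec):
    # True when the record would set the posted config's `nimda` env and log condition.
    return rec is not None and rec[3] in (400, 404) and WORM_URI.search(rec[2]) is not None


def naive_blocks(lines):
    """The posted config's policy: one matching request blackholes its source address."""
    return {rec[0] for rec in map(parse_line, lines) if is_trigger(rec)}


def guarded_blocks(lines, threshold=3, window_s=60):
    """Block only after `threshold` hits within `window_s` seconds, never inside NEVER_BLOCK."""
    recent, blocked = defaultdict(list), set()
    for rec in map(parse_line, lines):
        if not is_trigger(rec):
            continue
        ip, ts = rec[0], rec[1]
        if any(ip_address(ip) in net for net in NEVER_BLOCK):
            continue  # one block here would cut off every client behind that range
        recent[ip] = [t for t in recent[ip] if (ts - t).total_seconds() <= window_s] + [ts]
        if len(recent[ip]) >= threshold:
            blocked.add(ip)
    return blocked
```

Run against the sample, the naive policy blocks both addresses, the guarded one only the scanner; neither policy needs root or a routing-table write, since the block list can just as well feed a per-request deny.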