I thought this was worth sharing. Thanks Nate.

Jason Lewis
http://www.packetnexus.com
It's not secure "Because they told me it was secure".
The people at the other end of the link know less about security than
you do. And that's scary.


On Tue, 18 Sep 2001, Jason Lewis wrote:

> How about something that tails an Apache log file and adds ipchains rules to
> kill infected IPs? Anyone want to write it?

I've added ".exe" next to ".cgi" in my httpd.conf. Then I created
"root.exe" and "cmd.exe" symlinks to a suid perl script that adds an
ipchains deny rule for $ENV{'REMOTE_ADDR'}.

##########################################################################
#!/usr/bin/perl -wT
# ban.cgi: runs setuid root (suidperl), so taint mode is on.  Anything
# passed to the shell must be untainted and the environment scrubbed.

my $RemoteIP = $ENV{'REMOTE_ADDR'};
if ($RemoteIP =~ /^([0-9.]+)$/) {
    $RemoteIP = $1;    # untainted: digits and dots only, no shell metacharacters
} else {
    die "Bad data in RemoteIP: $RemoteIP";
}

# Minimal CGI reply; the blank line after the header is required.
print <<EOF;
Content-type: text/html

This site not hacked by Chinese.
EOF

# Taint mode refuses to spawn a subprocess unless PATH is set explicitly
# and the shell-influencing variables are gone.
$ENV{'PATH'} = '/bin:/usr/bin:/sbin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my $Command = "/usr/local/sbin/ban $RemoteIP CodeBlue";
my $Result  = `$Command`;
##########################################################################

# this is /usr/local/sbin/ban, something I use for various honeypots
#!/bin/sh
# usage: ban <ip> [tag ...]   -- insert a logged DENY rule and record it
/sbin/ipchains -I input -s "$1" -j DENY -l
echo `date` $1 $2 $3 $4 $5 >> /usr/local/etc/ipchains.deny
#####

This is what my web site looks like if you access it by the IP address:

$ dir IP
total 8
lrwxrwxrwx    1 root     root            8 Sep 18 10:21 MSADC -> honeypot
lrwxrwxrwx    1 root     root            9 Sep 18 10:31 _mem_bin -> honeypot/
lrwxrwxrwx    1 root     root            8 Sep 18 10:21 c -> honeypot
lrwxrwxrwx    1 root     root            9 Sep 18 10:30 d -> honeypot/
lrwxrwxrwx    1 root     root           10 Aug  6 13:46 default.ida -> index.html
drwxr-xr-x    3 root     root         4096 Sep 18 10:40 honeypot
-rw-r--r--    1 root     root          101 Aug  6 02:25 index.html
lrwxrwxrwx    1 root     root            9 Sep 18 10:31 msadc -> honeypot/
lrwxrwxrwx    1 root     root            8 Sep 18 10:21 scripts -> honeypot

$ dir IP/honeypot
total 8
-rwsr-sr-x    1 root     root          373 Sep 18 11:35 ban.cgi
lrwxrwxrwx    1 root     root            7 Sep 18 10:33 home.cgi -> ban.cgi
lrwxrwxrwx    1 root     root            8 Sep 18 10:22 root.exe -> home.cgi
drwxr-xr-x    3 root     root         4096 Sep 18 10:36 winnt

Hmmmm, I guess I should make the .ida extension executable and symlink
default.ida to the ban script.

Anyhow, I usually don't hear from an infected box more than once.

Feel free to forward this to the list, but if you do, please DO NOT
include my email address. I don't like the way the archives make
everyone's addresses available to spammers. Kind of ironic behavior for
a security organization, really. :-)

Cheers,

Nate Waddoups
Redmond WA USA
http://www.natew.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
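The quoted question asked for the other approach: watch the Apache log rather than wait for the worm to hit a booby-trapped CGI. The script below is an added example written for this archive page, not code from Nate or Jason. It follows an access log the way tail -f does, picks out the probe URIs that the honeypot listing above is built around (default.ida for Code Red, root.exe and cmd.exe under /scripts, /MSADC, /_mem_bin, /c, /d for Nimda), validates the client address with the ipaddress module instead of the ^[0-9.]+$ regex (which also accepts strings like "1.2.3" or "...."), skips addresses in a site-specific never-ban list, deduplicates, and emits the same ipchains rule the ban script inserts. It only prints the rule; wiring it to the firewall is the one line you would change. The log lines in SAMPLE_LOG, the RFC 5737 addresses in them, and the NEVER_BAN list are constructed for the example.

```python
#!/usr/bin/env python3
"""Follow an Apache access log, spot Code Red / Nimda probes, emit ban rules.

Added example for the mailing-list post above; not the poster's code.
Sample data and the NEVER_BAN list are constructed, not real traffic.
"""
import ipaddress
import re
import sys
import time
from typing import Iterable, Iterator, List, Optional, Set, Tuple
from urllib.parse import unquote

# Apache "common" log format: ip ident user [time] "METHOD uri proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Assumed, site-specific: ranges we never firewall on the strength of a log line.
NEVER_BAN = [ipaddress.ip_network(n) for n in
             ("127.0.0.0/8", "::1/128", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify(uri: str) -> Optional[str]:
    """Name the worm if the (already percent-decoded) URI is a known probe."""
    if re.search(r"/default\.ida(?:[?]|$)", uri, re.I):
        return "CodeRed"
    if re.search(r"/(?:root|cmd)\.exe(?:[?/]|$)", uri, re.I):
        return "Nimda"          # /scripts/root.exe, /c/winnt/system32/cmd.exe, ...
    return None


def parse_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (client_ip, uri) for a well-formed log line, else None."""
    m = LOG_RE.match(line)
    return (m.group("ip"), m.group("uri")) if m else None


def valid_ip(text: str) -> Optional[str]:
    """Strict address check: parse it, reject never-ban ranges, return normalised."""
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return None             # "1.2.3", "....", hostnames: not a ban candidate
    if any(ip in net for net in NEVER_BAN):
        return None
    return str(ip)


def ban_command(ip: str, tag: str) -> str:
    """The rule /usr/local/sbin/ban inserts, as a dry-run string.

    ipchains is the 2001 tool; on a current kernel the equivalent is
    'iptables -I INPUT -s <ip> -j DROP'.
    """
    return f"/sbin/ipchains -I input -s {ip} -j DENY -l   # {tag}"


def scan(lines: Iterable[str], banned: Optional[Set[str]] = None) -> Iterator[Tuple[str, str]]:
    """Yield (ip, worm) once per probing host; 'banned' persists across calls."""
    banned = set() if banned is None else banned
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        raw_ip, uri = parsed
        worm = classify(unquote(uri))   # decode one layer of %xx first
        if worm is None:
            continue
        ip = valid_ip(raw_ip)
        if ip is None or ip in banned:
            continue
        banned.add(ip)
        yield ip, worm


def follow(path: str, interval: float = 1.0) -> Iterator[str]:
    """Like tail -f: start at end of file, yield each newly appended line."""
    with open(path, "r", errors="replace") as fh:
        fh.seek(0, 2)
        while True:
            line = fh.readline()
            if not line:
                time.sleep(interval)
                continue
            yield line.rstrip("\n")


SAMPLE_LOG = [  # constructed lines in Apache common log format
    '192.0.2.10 - - [18/Sep/2001:10:21:03 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 200 101',
    '192.0.2.10 - - [18/Sep/2001:10:21:04 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 200 101',
    '198.51.100.7 - - [18/Sep/2001:10:22:11 -0700] "GET /default.ida?NNNNNNNN%u9090%u6858 HTTP/1.0" 200 101',
    '203.0.113.5 - - [18/Sep/2001:10:23:40 -0700] "GET /index.html HTTP/1.0" 200 101',
    '127.0.0.1 - - [18/Sep/2001:10:24:00 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 101',
    '203.0.113.5 - - [18/Sep/2001:10:25:12 -0700] "GET /_mem_bin/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 101',
    'garbage line that is not a log entry',
]

if __name__ == "__main__":
    # Dry run over the sample, or follow a real log: ./watch.py /var/log/apache/access_log
    source = follow(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG
    for ip, worm in scan(source):
        print(ban_command(ip, worm))
```

Two deliberate differences from the CGI version: the never-ban list, because a log line is attacker-controlled input and a spoofed or proxied client address must not be able to lock you out, and the dedup set, so a host that sends the usual dozen Nimda probes in a row produces one rule rather than twelve.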
This archive was generated by hypermail 2b30 : Wed Sep 19 2001 - 19:56:35 PDT