RE: Tracking down the still infected hosts

From: Ryan McDonnell (ryanat_private)
Date: Mon Sep 24 2001 - 22:26:26 PDT


    Is there something similar to the scripts below that could be
    implemented on a linux-based firewall?  Reason I ask is that the windows
    server, within the firewall, is running SecureIIS.  Rather than go
    through the process of changing SecureIIS settings for every site on the
    server, I'd rather block the Nimda traffic from even passing the
    firewall.
    
    Ryan McDonnell
    ryanat_private
    
    
    -----Original Message-----
    From: Fulton L. Preston Jr. [mailto:fultonat_private] 
    Sent: Monday, September 24, 2001 7:01 PM
    To: incidentsat_private
    Subject: RE: Tracking down the still infected hosts
    
    
    I implemented the methods below on my IIS and Apache servers and it
    knocked all the local Nimda traffic dead in minutes. Nimda traffic from
    neighboring ISPs was way down within an hour.  Since I am on a cable
    modem I can't control the rest of the network around me but this sure
    did shut them noisy infected boxes up in a hurry :)
    
    The only ones still hitting me (though very slowly now) are workstations
    that don't have IIS running but are still infected via other means.  The
    boxes that are running IIS even stop responding to pings after a while so
    I assume they die after a while.
    
    It's stuff like this that makes the SecurityFocus mailing lists so darn
    useful!
    
    
    
    -----Original Message-----
    From: Mike Lewinski [mailto:mikeat_private]
    Sent: Monday, September 24, 2001 12:29
    To: incidentsat_private
    Subject: Re: Tracking down the still infected hosts
    
    
    > Anyone else doing anything to help this?
    
    I don't think that this has been posted here yet.... The following appears
    to cripple infected hosts and limits the damage they can cause. Others who
    have used this report that persistent infected hosts disappear from their
    logs shortly after applying this configuration change to their own servers,
    and that browsing an infected server after applying this results in "HTTP
    403.9 - Access Forbidden: Too many users are connected"
    
    For Apache:
    # The escape belongs on the dot, not the "c": under PCRE "\c" + "m" is a
    # control character and the rule never matches. RedirectMatch tests only the
    # URL path, so "$" still anchors on cmd.exe when a query string follows it.
    RedirectMatch (.*)cmd\.exe$ http://127.0.0.1
    
    
    For IIS:
    
    ----- Original Message -----
    From: "Ron Hornbaker" <ronat_private>
    To: <imailat_private>
    Sent: Friday, September 21, 2001 1:11 PM
    Subject: RE: [imail] IIS Judo against Nimda's DoS attacks (was Fwd:
    [isp-linux] Buaaa Haaa Ha Haaaaaaaaa...)
    
    
    > Great tip, Len. Here's the IIS version... just create a file in your web
    > root called something like "Custom404.asp", with this content (customize
    > the friendly part as much as you wish):
    
    <%
    'Custom404.asp page to thwart Nimda DoS attacks on IIS
    'by Humankind Systems, Inc. http://hksi.net/
    'No support or guarantees of any kind are granted with this
    'code. Use at your own risk. Distribute freely.

    'Get the entire URL requested. When IIS hands a request to a custom
    '404 page, QUERY_STRING holds the original request in the form
    '"404;http://host/path", so the worm's path is visible here.
    myRequest=Request.ServerVariables("QUERY_STRING")

    'A list of filenames Nimda looks for
    myBadList="cmd.exe,root.exe,admin.dll,default.ida"

    'Detect a GET request from the Nimda virus and take appropriate action.
    'vbTextCompare makes the test case-insensitive so CMD.EXE is caught too.
    arrBadString=Split(myBadList,",")
    For i=0 To UBound(arrBadString)
        If InStr(1,myRequest,arrBadString(i),vbTextCompare)>0 Then
            'turn offending server back on itself
            '(Response.Redirect also ends the response, so the HTML below
            'is never sent to a matching request)
            Response.Redirect "http://127.0.0.1"
        End If
    Next
    %>
    <html>
    <head>
    <title>Page Not Found</title>
    </head>
    <body>
    Sorry, but that page was not found on our server.
    <p>
    Here is a link back to our <a href="/">Home Page</a>.
    </p>
    </body>
    </html>
    
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com
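The thread's subject is tracking down the hosts that are still infected. As an added example, not code from any poster in this thread, here is a small Python scanner that applies the same filename list as Custom404.asp to web server log lines and ranks source addresses by how many Nimda-style probe requests they sent. The log lines are constructed, the Apache combined log format is an assumption about the input, and the two-hit threshold and all function names are choices made for this example.

```python
import re
from collections import Counter, defaultdict

# Filenames Nimda requests, taken from the myBadList in Custom404.asp above.
NIMDA_PROBES = ("cmd.exe", "root.exe", "admin.dll", "default.ida")

# Apache "combined" log format (an assumption about the input); only the
# source address, timestamp, method, request path and status are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: HTTP/[\d.]+)?" (?P<status>\d{3})'
)

# Constructed sample log lines, not captured traffic: two hosts that behave like
# infected IIS servers, one lone default.ida request, and one ordinary visitor.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Sep/2001:18:01:02 -0700] "GET /scripts/root.exe HTTP/1.0" 404 276 "-" "-"
10.0.0.5 - - [24/Sep/2001:18:01:02 -0700] "GET /MSADC/root.exe HTTP/1.0" 404 276 "-" "-"
10.0.0.5 - - [24/Sep/2001:18:01:03 -0700] "GET /c/winnt/system32/cmd.exe HTTP/1.0" 404 276 "-" "-"
10.0.0.5 - - [24/Sep/2001:18:01:03 -0700] "GET /d/winnt/system32/cmd.exe HTTP/1.0" 404 276 "-" "-"
10.0.0.9 - - [24/Sep/2001:18:02:10 -0700] "GET /scripts/CMD.EXE HTTP/1.0" 404 276 "-" "-"
10.0.0.9 - - [24/Sep/2001:18:02:11 -0700] "GET /scripts/Admin.dll HTTP/1.0" 404 276 "-" "-"
10.0.0.9 - - [24/Sep/2001:18:02:11 -0700] "GET /scripts/admin.dll HTTP/1.0" 404 276 "-" "-"
10.0.0.12 - - [24/Sep/2001:18:03:00 -0700] "GET /default.ida?XXXX HTTP/1.0" 404 276 "-" "-"
192.168.1.20 - - [24/Sep/2001:18:04:00 -0700] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
192.168.1.20 - - [24/Sep/2001:18:04:01 -0700] "GET /images/logo.gif HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
this line is not in combined format and is skipped
"""


def classify_request(path):
    """Return the probe filename found in the request path, or None.

    Matching is a case-insensitive substring test on the path with the query
    string removed, so CMD.EXE is caught and a query like ?XXXX is ignored
    (RedirectMatch above likewise sees only the URL path).
    """
    path_only = path.split("?", 1)[0].lower()
    for name in NIMDA_PROBES:
        if name in path_only:
            return name
    return None


def parse_line(line):
    """Parse one combined-format line into a dict of fields, or None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def probe_counts(log_text):
    """Count probe hits per source address: {ip: Counter({filename: n})}."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparsable line: skip rather than abort the scan
        probe = classify_request(rec["path"])
        if probe is not None:
            hits[rec["ip"]][probe] += 1
    return hits


def suspected_infected(log_text, min_hits=2):
    """Return [(ip, total_probes)] for sources at or above min_hits, busiest first.

    A single default.ida request stays below the threshold on purpose: one
    stray hit is weak evidence, while a burst of probes against several worm
    paths is what an infected IIS host actually produces.
    """
    hits = probe_counts(log_text)
    totals = {ip: sum(c.values()) for ip, c in hits.items()}
    ranked = sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(ip, n) for ip, n in ranked if n >= min_hits]


if __name__ == "__main__":
    counts = probe_counts(SAMPLE_LOG)
    for ip, n in suspected_infected(SAMPLE_LOG):
        print("%s: %d Nimda-style probes %s" % (ip, n, dict(counts[ip])))
```

Run against a real access_log the output is the list of addresses to hand to the owners of the neighbouring networks; on the sample above it names 10.0.0.5 and 10.0.0.9 and leaves the single default.ida hit and the ordinary visitor out. The substring test mirrors the ASP page's InStr check rather than an exact filename match, so it inherits the same loose matching.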
    
    
    
    



    This archive was generated by hypermail 2b30 : Tue Sep 25 2001 - 08:05:35 PDT