RE: Anyone????? FW: Concept Virus(CV) V.5 - Quick analysis update

From: John Coke (jcokeat_private)
Date: Wed Sep 19 2001 - 17:17:39 PDT


    Distributing the 404/403 error takes connections and bandwidth.  Adding the
    following configuration to Apache will reduce the impact on the servers.  I
    have been doing this for some time on the production servers that I manage.
    
    AliasMatch ^/scripts(.*) "/www/bogus/index.html"
    AliasMatch ^/.*(ida|htr|idc|htw) "/www/bogus/index.html"
    
    Replace the second argument with the path to a zero-length index file (e.g.
    touch /www/bogus/index.html). 
    
    Just to give you an idea of the savings:
    
    With the "mitigation" configuration:
    172.16.89.153 - - [19/Sep/2001:17:36:17 +0600] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.1" 200 0
    So, it transfers 0 bytes
    
    Now without the "mitigation" config:
    172.16.89.153 - - [19/Sep/2001:17:38:06 +0600] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.1" 404 321
    It transfers 321 bytes.
    
    The above was tested with the standard Apache "404" error.
    
    Now, on 15 production apache servers there are 6100 entries on the average
    per server, 91500 entries.  With a 908 byte custom error document on our
    production servers, that's 83MB of data.  This starting sample date is
    Sunday.  Note that this is with 1 IP address per server.  The usage should
    increase linearly as you add virtual IPs.  Now, I am not taking into
    account the additional packet overhead which in accounting terms is a fixed
    cost and would likewise apply to the "mitigation" configuration.
    
    John Coke
    PGP fingerprint: A8D1 4CBD 88CF 1B37 8008 2F79 3081 2108 8F45 E846
    PGP key ID 0x8F45E846 (pgp.mit.edu)
    
    > -----Original Message-----
    > From: George Milliken [mailto:gmillikenat_private]
    > Sent: Wednesday, September 19, 2001 8:59 AM
    > To: Incidentsat_private
    > Subject: RE: Anyone????? FW: Concept Virus(CV) V.5 - Quick analysis
    > update
    > 
    > 
    > Maybe something like a rewrite rule
    > 
    > RewriteEngine On
    > RewriteRule   ^.*/cmd.exe.*   -   [F,L]
    > RewriteRule   ^.*/root.exe.*  -   [F,L]
    > 
    > This will send "forbidden" to systems trying those URLs and will stop
    > rewrite processing.
    > 
    > 
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
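As an added example (not code from the post), the Python below parses common-log lines like those quoted above, applies the same two AliasMatch patterns, and estimates the bytes a custom error document would have cost for the matched requests; the sample log is constructed. It also shows a caveat of the second pattern: it is not anchored to a file extension, so an ordinary path such as /florida.html (an assumed benign request) is caught as well.

```python
import re

# Python equivalents of the two AliasMatch regexes from the post; Apache's
# POSIX extended syntax carries over to Python's re unchanged here.
ALIAS_PATTERNS = [re.compile(r"^/scripts(.*)"), re.compile(r"^/.*(ida|htr|idc|htw)")]

# Apache common log format: host ident user [time] "request" status bytes
LOG_LINE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)$'
)

# Constructed sample log: the first two lines mirror the entries quoted in the
# post (unmitigated 404 vs. mitigated 200/0); the other two are assumed traffic.
SAMPLE_LOG = """\
172.16.89.153 - - [19/Sep/2001:17:38:06 +0600] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.1" 404 321
172.16.89.153 - - [19/Sep/2001:17:36:17 +0600] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.1" 200 0
10.0.0.7 - - [19/Sep/2001:17:40:01 +0600] "GET /index.html HTTP/1.1" 200 908
10.0.0.7 - - [19/Sep/2001:17:40:02 +0600] "GET /florida.html HTTP/1.1" 200 1024
"""

def parse_line(line):
    """Return a dict for one log line, or None if it is not common log format."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec

def alias_matches(url):
    """True if either AliasMatch rule would map this URL to the empty file."""
    # Alias directives see only the path, so drop the query string first.
    path = url.split("?", 1)[0]
    return any(p.search(path) for p in ALIAS_PATTERNS)

def summarize(log_text, error_doc_bytes):
    """Return (hits, matched paths, bytes actually logged, bytes an error doc would cost)."""
    matched, bytes_logged = [], 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and alias_matches(rec["url"]):
            matched.append(rec["url"].split("?", 1)[0])
            bytes_logged += rec["bytes"]
    # With the AliasMatch config every hit costs 0 bytes; without it, each hit
    # would have served the custom error document once.
    return len(matched), matched, bytes_logged, len(matched) * error_doc_bytes
```

Note that mitigated hits are logged with status 200 and 0 bytes, so counting worm traffic must key on the URL pattern rather than on 404s.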
    This archive was generated by hypermail 2b30 : Wed Sep 19 2001 - 17:18:19 PDT