You could use the hosts.deny file for this also, no?

Best Regards,
Allen
> -----Original Message-----
> From: Emmanuel Valliet [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, September 18, 2001 8:09 PM
> To: debian-security@lists.debian.org
> Subject: Re: New IIS worm
>
> (2001-09-18) Emmanuel Valliet sed :
>
> | I know we don't care on linux, but I have really a lot of hits from
> | machines querying for the ..%%35c../winnt/system32/cmd.exe and Cie.
> | And it starts to make a lot of apache children, and the global charge
> | grows consequently.
> | Is there a way to protect from that ?
> | Using an apache configuration trick ?
> | Or blacklisting and using some firewall rules behind ?
> | If anyone knows how to do, or has already done the script that kicks
> | these infected servers, it could interest me...
>
> Hum, doing a script that parses the logs and catches the bad servers was
> easy. But I didn't realize that the infection could be that big and
> quick.
>
> Euh.... can ipchains or iptables support some 1500 more denying rules
> ? I don't think so...
>
> Anyway, it doesn't matter, my apache servers seem to survive the
> "flood", I'm just happy to have big CPU and lot of mem.
>
> Just the script, if you want to count the worm hit on your box:
> (really not a piece of art)
>
> #!/usr/bin/perl
> use strict;
> use warnings;
>
> # hosts already reported (and optionally firewalled), so each is listed once
> my %bannlist;
>
> # reads Apache access log lines on stdin or from the files given as arguments
> while (<>) {
>     next if not /^(.*) - -.*GET \/scripts\/.*winnt.*\/cmd.exe.*$/;
>     my $host = $1;
>     next if $bannlist{"$host"};
>     $bannlist{"$host"} = 1;
>     # system("/sbin/ipchains -A input -p tcp -s $host -d 10.0.2.138 www -j DENY");
>     print "Worm victim: $host\n";
> }
>
> --
> VALLIET Emmanuel ! http://www.webmotion.com
> Webmotion Inc. ! mailto:[EMAIL PROTECTED]
> Oxymoron: Stuck in traffic.
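As an added example (my own code, not from either poster), here is a Python counterpart to the script above that also undoes the worm's double URL-encoding, so that ..%%35c.. and ..%255c.. are both recognised as ..\.. before matching, counts hits per host rather than stopping at the first, and renders the offenders as hosts.deny entries of the kind Allen suggests. The log lines are constructed; note that hosts.deny only governs services that consult tcp_wrappers, which stock Apache does not, so the list is for whatever wrapper-aware service or firewall script you feed it to.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample Apache access-log lines (not from the original post):
# two double-encoded probes from one host, one normal request, and one
# plain-encoded traversal probe from a second host.
SAMPLE_LOG = """\
192.0.2.10 - - [18/Sep/2001:20:09:01 +0200] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 292
192.0.2.10 - - [18/Sep/2001:20:09:02 +0200] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 292
198.51.100.7 - - [18/Sep/2001:20:09:05 +0200] "GET /index.html HTTP/1.0" 200 1043
203.0.113.4 - - [18/Sep/2001:20:10:11 +0200] "GET /msadc/../../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 292
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)')

def normalize_path(raw_path):
    """Undo up to two layers of URL encoding (e.g. %%35c becomes %5c after one
    pass and a backslash after the second) and fold backslashes to '/'."""
    path = raw_path.split("?", 1)[0]
    for _ in range(2):
        path = unquote(path)
    return path.replace("\\", "/").lower()

def is_worm_probe(raw_path):
    """True when the decoded path traverses upward and targets cmd.exe."""
    path = normalize_path(raw_path)
    return "/../" in path and path.endswith("/winnt/system32/cmd.exe")

def worm_hits(log_text):
    """Count probe requests per client host across an access log."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_worm_probe(m.group(3)):
            hits[m.group(1)] += 1
    return hits

def hosts_deny_lines(hits, min_hits=1):
    """Render tcp_wrappers hosts.deny entries ("ALL: host") for offending hosts."""
    return [f"ALL: {host}" for host, n in sorted(hits.items()) if n >= min_hits]

if __name__ == "__main__":
    counts = worm_hits(SAMPLE_LOG)
    for host, n in counts.most_common():
        print(f"Worm victim: {host} ({n} hits)")
    print("\n".join(hosts_deny_lines(counts)))
```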