On Wednesday 07 April 2004 10:59 pm, Mike Mestnik wrote:
> There are too many, would you like a list? The rule you have drops
> pings. This won't stop people from trying to infect whole networks with
> the virus, only stop some strains from trying.
>
> There is the string match in patch-o-matic from netfilter.org.

Thank you for the information.
This reference might be useful for anyone else trying to do this.
http://www.linuxsecurity.com/feature_stories/feature_story-148.html

I tried to stop the ping because everyone is reporting that the Welchia worm pings to see if there is a machine there before sending the malicious packet to port 80. The rule allows normal pings - Welchia apparently is unique with its size of 92.

Thanks again,
Steve

>
> --- steve <[EMAIL PROTECTED]> wrote:
> > I've been getting a lot of logging like below in my Apache logs from the
> > Welchia WebDAV exploit. It's over 20MB since last Sunday and the activity
> > has caused some denial of service.
> >
> > d53-129-180.nap.wideopenwest.com - - [07/Apr/2004:19:04:43 -0500] "SEARCH
> > /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\...etc.
> >
> > I tried the following rule to drop the pings, but the worm is still trying to
> > infect my webserver (it's 34,000 characters long). I didn't think the worm
> > was supposed to send the overflow if the ping isn't responded to.
> >
> > /sbin/iptables -A FORWARD -p icmp --icmp-type echo-request -m length --length 92 -j DROP
> >
> > The rule is from:
> > http://support.imagestream.com/iptables_worm.html
> >
> > I don't think the invalid state would drop it, because it's a new packet.
> >
> > Does anyone know how to drop this traffic other than by IP (there are too
> > many)?
> >
> > Thanks for any tips.
> > Steve
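The two Welchia probes discussed in this thread, as an added example that is not part of the original messages: it shows what the `-m length --length 92` rule actually compares (the IPv4 total-length field, so 92 bytes is the whole datagram, not the ICMP payload), and it scans Apache access-log lines for the WebDAV `SEARCH /\x90\x02\xb1...` request so the offending clients can be counted without blocking by hand. Assumptions: the 64 bytes of 0xAA payload come from public Welchia write-ups rather than from this thread; the sample packet and the log lines are constructed for the example (the real request is about 34,000 bytes, truncated here); and the `-m string --hex-string` rule at the end is written for current iptables, where the string match is built in (in 2004 it was the patch-o-matic extension Mike mentions).

```python
import re
import struct
from collections import Counter

# --- 1. The ICMP probe that "-m length --length 92" matches -----------------
# Welchia's echo request is a 92-byte IPv4 datagram: 20-byte IP header,
# 8-byte ICMP header, 64 data bytes (0xAA per public analyses; assumption
# for this example). iptables' length match compares the IPv4 total-length
# field, so 92 is the whole datagram, not the payload.
WELCHIA_PING_LEN = 92
WELCHIA_PING_DATA = b"\xaa" * 64


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (used for the ICMP header)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(payload: bytes, src=b"\x0a\x00\x00\x01",
                       dst=b"\x0a\x00\x00\x02") -> bytes:
    """Constructed IPv4 + ICMP echo request (not a capture); IP checksum left 0."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x0300, 1) + payload   # type 8 = echo request
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0, src, dst)
    return ip + icmp


def is_welchia_ping(packet: bytes) -> bool:
    """The same test the iptables rule makes: ICMP echo-request, IP total length 92."""
    if len(packet) < 28 or packet[0] >> 4 != 4:
        return False
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    proto = packet[9]
    return proto == 1 and packet[ihl] == 8 and total_len == WELCHIA_PING_LEN


# --- 2. The WebDAV SEARCH probe as Apache logs it ---------------------------
# Apache writes non-printable request bytes as \xNN, so the sled-style
# padding appears literally as "\x90\x02\xb1\x02\xb1..." in the log file.
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)"')
SEARCH_PROBE = re.compile(r'^SEARCH /\\x90(?:\\x02\\xb1){4,}')


def welchia_search_host(line: str):
    """Return the client host if the log line is a Welchia SEARCH probe, else None."""
    m = LOG_RE.match(line)
    if not m or not SEARCH_PROBE.match(m.group("request")):
        return None
    return m.group("host")


def probe_hosts(lines) -> Counter:
    """Count Welchia SEARCH probes per client host over an access-log stream."""
    hits = Counter()
    for line in lines:
        host = welchia_search_host(line)
        if host:
            hits[host] += 1
    return hits


def string_match_rule(chain="FORWARD") -> str:
    """Drop the SEARCH probe on its first bytes instead of per source address.
    Hex is "SEARCH /" followed by 0x90. -m string is built into current iptables."""
    return (f"iptables -A {chain} -p tcp --dport 80 -m string --algo bm "
            f"--hex-string '|53 45 41 52 43 48 20 2f 90|' -j DROP")


# Constructed sample log lines (the real probe runs ~34,000 bytes; truncated here).
PAD = "\\x02\\xb1" * 40
SAMPLE_LOG = [
    f'd53-129-180.nap.wideopenwest.com - - [07/Apr/2004:19:04:43 -0500] "SEARCH /\\x90{PAD}" 400 0',
    '192.0.2.10 - - [07/Apr/2004:19:05:01 -0500] "GET /index.html HTTP/1.1" 200 1043',
    f'198.51.100.7 - - [07/Apr/2004:19:06:12 -0500] "SEARCH /\\x90{PAD}" 400 0',
    f'd53-129-180.nap.wideopenwest.com - - [07/Apr/2004:19:07:30 -0500] "SEARCH /\\x90{PAD}" 400 0',
    '203.0.113.5 - - [07/Apr/2004:19:08:00 -0500] "SEARCH / HTTP/1.1" 405 310',
]

if __name__ == "__main__":
    print("worm ping matched:", is_welchia_ping(build_echo_request(WELCHIA_PING_DATA)))
    print("linux default ping matched:", is_welchia_ping(build_echo_request(b"\x00" * 56)))
    for host, n in probe_hosts(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {host}")
    print(string_match_rule())
```

Two practical caveats for the length rule: because the match is on IP total length, a default Linux ping (56 data bytes, 84 total) or Windows ping (32 data bytes, 60 total) passes through and only the worm's 92-byte probe is dropped; and a rule in FORWARD only sees routed packets, so if the web server is the firewall host itself the same rule has to go in INPUT. The string-match rule drops the exploit request itself, which is what the poster asked for, whether or not the ping was answered.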

