> you could turn that into a script that either scans your logs for them
> (see the archives, I have posted one)
>
> or you could get creative, and get apache to run .exe files as perl and put
> the script wherever the infected servers are asking for cmd.exe and
> root.exe files (the paths they are expecting are in your logs.)
>
> Then, when a server requests the file, it blocks their IP address from
> accessing your box.
>
> it works great, I used the log scanning method and I have blocked over 5000
> IPs of IIS infected servers...
FYI... Here's a message sent recently from someone on the MDK security list. I have also written a script to scan the web logs and use my other script, which bans the IP with ipchains/iptables.

Thanks... Dan.

------------------------

Date: Thu, 04 Oct 2001 02:14:15 -0400
From: Nick Simicich <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: [Security Discuss] Re: Apache update problems for 7.1/7.2

I got tired of the code blue morons filling up my logs with thousands and thousands of log entries. I considered what to do, log watcher, something else, but this seemed to be the lowest overhead possibility, and because it only takes one bit of info which is set up by the server, it seems safe. Yes, someone can block themselves from reaching my servers, and they will stay blocked for a few days.

I wrote a setuid cgi that I translate all of the code blue URLs to, and it just tosses a rule into ipchains blocking the system from port 80. This works pretty well. It works better than a logwatcher because I can nail the infected system before the second probe, which eliminates tens of thousands of log entries. There is a special chain of systems blocked from port 80, and a special chain which just filters the initial syn to port 80.

If anyone is interested, they can grab a copy here: http://majordomo.squawk.com/blockme.cgi.c

It requires some support in http configuration and in ipchains (and could easily be adapted for ipfilters). The method of use is specified in the comments at the beginning of the program. Since the translation all happens in RewriteRules, it is entirely possible that these long ////// urls could also get translated out and blocked in the same manner.

Yep, works fine.
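The log-scanning approach Dan describes, as an added example that is not code from this thread or from blockme.cgi.c: it parses Apache access-log lines, picks out the cmd.exe/root.exe probes and the long slash runs the messages mention, and renders the iptables rules that would cut each offending client off from port 80. The log format, the sample entries and the five-slash threshold are assumptions made for this example.

```python
import re
from collections import Counter

# One Apache common/combined log entry: client IP first, request line in quotes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Probe signatures the thread names: requests for cmd.exe / root.exe hitting an
# Apache box, and the long runs of slashes. The slash threshold (five or more)
# is an assumption for this example.
PROBE_RE = re.compile(r'cmd\.exe|root\.exe|/{5,}', re.IGNORECASE)

def parse_line(line):
    """Return the fields of one log line, or None if it is not a valid entry."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_worm_probe(path):
    """True when the requested path matches one of the IIS-worm probe patterns."""
    return PROBE_RE.search(path) is not None

def scan_log(lines, threshold=1):
    """Return the sorted client IPs that sent at least `threshold` probe requests."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)          # malformed lines are skipped, not trusted
        if rec and is_worm_probe(rec["path"]):
            hits[rec["ip"]] += 1
    return sorted(ip for ip, n in hits.items() if n >= threshold)

def block_commands(ips, chain="INPUT"):
    """Render one iptables rule per IP dropping its traffic to port 80.
    Rules are returned as text so an operator can review them before applying."""
    return [f"iptables -A {chain} -p tcp --dport 80 -s {ip} -j DROP" for ip in ips]

# Constructed sample log (documentation addresses, not real hosts).
SAMPLE_LOG = """\
192.0.2.10 - - [04/Oct/2001:02:14:15 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 275 "-" "-"
192.0.2.10 - - [04/Oct/2001:02:14:16 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 275 "-" "-"
198.51.100.7 - - [04/Oct/2001:02:15:00 -0400] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
203.0.113.5 - - [04/Oct/2001:02:16:00 -0400] "GET /////////////// HTTP/1.0" 404 275 "-" "-"
this line is not a log entry and must be skipped
""".splitlines()

if __name__ == "__main__":
    for cmd in block_commands(scan_log(SAMPLE_LOG)):
        print(cmd)
```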