-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


        Once again, our friends in Redmond have made it possible to
propagate a trojan through their less-than-secure operating system and
applications. This, however, no longer affects just Windows machines, since
it is putting a tremendous load on routers and non-Windows machines as well.

        As a result, the upstream provider that owns the wire which feeds
the following domains has taken it upon themselves to block port 80 and 8080
carte blanche, restricting all of the domains from connecting. I've made
adjustments on the server side which will allow you to continue to connect,
and use services from the machine. All other non-web services are
functioning normally and have not been affected by this "adjustment"
upstream.

        {www|my|cvs|irc|news|mail|bugs|stats}.
        sourcefubar.{com|net|org}
        plkr.{com|net|org}
        gnu-designs.{com|net|org}
        pilot-link.{com|net|org}

        You can still reach these domains and all of their subdomains by
appending a port definition of 8888 on the end, as follows:

        http://www.plkr.org:8888/
        http://bugs.pilot-link.org:8888/
        http://projects.sourcefubar.net:8888/index.cgi/

        ...and so on. Please use this port as a temporary solution for
accessing these domains while the upstream provider attempts to fend off
this trojan from the attacking Windows machines. I would have implemented a
mod_rewrite Apache rule to automatically forward users to the proper port,
but the original request would have had to come in on port 80, which is
blocked upstream, so that would not have worked.

        Since 06:15:45 PDT, the network which hosts these domains has been
under attack from Windows machines propagating the code and jamming the
server with bogus requests for:

        /scripts/root.exe?/c+dir
        /c/winnt/system32/cmd.exe?/c+dir
        /MSADC/root.exe?/c+dir

        ...and so on, to the tune of about 2,000 requests per hour. More
detailed information on this trojan can be found at CERT:

        http://www.cert.org/current/current_activity.html

        I have managed to successfully block the attacking machines with
iptables, and at last count, we have successfully blocked a total of 285
unique hosts using the following script I hacked together (please feel free
to use for your own as well):

#!/bin/sh
######################################
#
# Nimda and CodeRed Countermeasures
#
######################################
# Run from the Apache log directory. Each loop pulls the attacking client
# address out of a log, skips addresses already present in the INPUT chain,
# and adds a DROP rule for the rest.

# Nimda (the "winnt"/cmd.exe probes) shows up in error.log as
# "[client a.b.c.d]"; field 8 is the address with a trailing "]".
for LUSER in `grep "winnt" error.log | awk '{print $8}' | sed -e 's/]//' | sort -u`; do
   # -w -F: whole-word, literal match, so 1.2.3.4 is not "found" inside 1.2.3.45
   if ! /sbin/iptables -L -n | grep -qwF -- "$LUSER"; then
      echo "Banning $LUSER with iptables"
      /sbin/iptables -A INPUT -s "$LUSER" -d 0/0 -j DROP
   fi
done

# Code Red requests default.ida; in access.log field 1 is the client address.
for LUSER in `grep "default.ida" access.log | awk '{print $1}' | sort -u`; do
   if ! /sbin/iptables -L -n | grep -qwF -- "$LUSER"; then
      echo "Banning $LUSER with iptables"
      /sbin/iptables -A INPUT -s "$LUSER" -d 0/0 -j DROP
   fi
done
######################################

        To quote a somewhat caustic, but relevant comment I saw today:

"Henceforth, all viruses, worms, and trojans will be referred to as a
 Microsoft Outlook Virus or a Microsoft Office Virus. Written with Visual
 Basic? Fine, it's a Microsoft Office Virus. Takes advantage of Outlook?
 It's a Microsoft Outlook Virus. Yes that is inaccurate but that's not the
 point.  The point is to make sure everyone is aware of who wrote the
 software that permitted their computer to crash, why the network borked,
 and why they lost their files. It's because they insisted on using
 Microsoft products."

        I thought I got away from fighting Windows problems when I stopped
being surrounded by hardware which runs that OS. I guess I haven't yet.

        Thanks for your patience, and please email me if you have any
questions, comments, troubles connecting, or just generally want to rant
around a bit about whatever.





- --------------------.         pgp://7075AE4A     ,-.  pilot-link  plucker
David A. Desrosiers  \    ,---------------------'   \ sourcefubar cvs
gnu-designs.com, Inc. `--' hacker at gnu-designs.com `-------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: pgpenvelope 2.10.2 - http://pgpenvelope.sourceforge.net/

iD8DBQE7p/SukRQERnB1rkoRAo33AKDAVwY+9xjl7ZHzud1dmctjsL5lCACgtwFE
CcvbJtPcgI8JjBh6pvMtB1g=
=N4yX
-----END PGP SIGNATURE-----
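The following is an added example, not the script from the message above and not David's code: it pulls the source addresses of Code Red and Nimda probes out of both Apache logs, merges and de-duplicates them, and prints (rather than runs) the iptables rules for any address not already in the INPUT chain. It generalizes the three probe paths quoted above to any request naming cmd.exe, root.exe or default.ida. The log lines, the saved `iptables -L -n` listing, and the addresses in them are constructed samples; the function names and the assumption that the iptables listing has the source address in its fourth column are mine.

```shell
#!/bin/sh
# Added example, not the original script from this message: extract the
# source addresses of Code Red / Nimda probes from Apache logs, merge and
# de-duplicate them, and print (not run) the iptables rules that would ban
# any address not already in the INPUT chain. All log lines and the
# iptables listing below are constructed samples.

# Apache common log: field 1 is the client address, field 7 the request
# path. Flag any path naming cmd.exe, root.exe or default.ida; this covers
# the three probes quoted in the message and the Code Red request.
worm_ips_from_access() {
    awk '$7 ~ /cmd\.exe|root\.exe|default\.ida/ { print $1 }' "$1" | sort -u
}

# Apache error log: the address sits inside "[client a.b.c.d]".
worm_ips_from_error() {
    grep -E 'winnt|cmd\.exe|root\.exe|default\.ida' "$1" \
        | sed -n 's/.*\[client \([0-9][0-9.]*\)\].*/\1/p' | sort -u
}

# Read addresses on stdin and print one DROP rule for each that is not yet
# listed. $1 is a saved copy of `iptables -L -n` output (assumed layout:
# fourth column is the source). The comparison is on the whole field, so
# 192.0.2.20 is not mistaken for an already-banned 192.0.2.200.
ban_rules() {
    sort -u | while read -r ip; do
        if ! awk -v ip="$ip" '$4 == ip { found = 1 } END { exit !found }' "$1"; then
            echo "/sbin/iptables -A INPUT -s $ip -j DROP"
        fi
    done
}

# Constructed sample inputs (RFC 5737 documentation addresses).
TMP=$(mktemp -d)
SAMPLE_ACCESS="$TMP/access.log"
SAMPLE_ERROR="$TMP/error.log"
SAMPLE_RULES="$TMP/iptables.txt"

cat > "$SAMPLE_ACCESS" <<'EOF'
192.0.2.10 - - [16/Sep/2001:06:15:45 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 288
192.0.2.10 - - [16/Sep/2001:06:15:46 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 288
192.0.2.20 - - [16/Sep/2001:06:16:02 -0700] "GET /default.ida?XXXXXXXXXXXXXXXX HTTP/1.0" 404 288
192.0.2.30 - - [16/Sep/2001:06:16:10 -0700] "GET /index.html HTTP/1.1" 200 1532
EOF

cat > "$SAMPLE_ERROR" <<'EOF'
[Sun Sep 16 06:15:47 2001] [error] [client 198.51.100.5] File does not exist: /var/www/html/c/winnt/system32/cmd.exe
[Sun Sep 16 06:16:11 2001] [error] [client 192.0.2.30] File does not exist: /var/www/html/favicon.ico
EOF

cat > "$SAMPLE_RULES" <<'EOF'
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  192.0.2.10           0.0.0.0/0
DROP       all  --  192.0.2.200          0.0.0.0/0
EOF

# Dry run: 192.0.2.10 is already banned and 192.0.2.30 only fetched
# legitimate files, so rules come out for 192.0.2.20 and 198.51.100.5 only.
{ worm_ips_from_access "$SAMPLE_ACCESS"; worm_ips_from_error "$SAMPLE_ERROR"; } \
    | ban_rules "$SAMPLE_RULES"
```

To apply the rules instead of printing them, pipe the output to `sh` after reviewing it; keeping the generation and the application separate is what lets you check that a legitimate client (192.0.2.30 above) never ends up in the ban list.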
