Date: Thu, 27 Sep 2001 14:21:48 -0400
From: Louis LeBlanc <leblanc+freebsd@acadia.ne.mediaone.net>
To: freebsd-questions@FreeBSD.ORG, freebsd-questions@FreeBSD.ORG
Subject: Re: Apache server log
Message-ID: <20010927142147.B15312@acadia.ne.mediaone.net>
In-Reply-To: <005801c14769$73498220$49e9b5ce@quasi>
References: <20010927152824.55499.qmail@web12501.mail.yahoo.com> <005801c14769$73498220$49e9b5ce@quasi>
On 09/27/01 11:30 AM, Marius Kirschner sat at the `puter and typed:
> Yep, that's Nimda, alright. Nothing you have to worry about if you run
> a unix system.

Correct. However, there's no reason you can't do something about it.

You've heard of Apache::CodeRed? Well, it's a mod_perl handler. It handles the requests for default.ida by looking up the requesting IP and sending a warning to the web admin and abuse authorities as well as securityfocus.com.

I've hacked Apache::CodeRed to create Apache::Nimda. No great effort really; the hard part is getting the correct <LocationMatch regex> expression. Reuven Lerner wrote Apache::CodeRed, and I've really only made one small improvement to send a message to the parent domain abuse address (an attack from acadia.ne.mediaone.net should result in a message to abuse@mediaone.net, not abuse@ne.mediaone.net). Otherwise, the LocationMatch expression is the real key.

Here is the list of URLs I am seeing (sorry for the long lines):

 1: http://acadia.ne.mediaone.net/scripts/root.exe?/c+dir
 2: http://acadia.ne.mediaone.net/MSADC/root.exe?/c+dir
 3: http://acadia.ne.mediaone.net/c/winnt/system32/cmd.exe?/c+dir
 4: http://acadia.ne.mediaone.net/d/winnt/system32/cmd.exe?/c+dir
 5: http://acadia.ne.mediaone.net/scripts/..%255c../winnt/system32/cmd.exe?/c+dir
 6: http://acadia.ne.mediaone.net/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
 7: http://acadia.ne.mediaone.net/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
 8: http://acadia.ne.mediaone.net/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir
 9: http://acadia.ne.mediaone.net/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir
10: http://acadia.ne.mediaone.net/scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir
11: http://acadia.ne.mediaone.net/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir
12: http://acadia.ne.mediaone.net/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir
13: http://acadia.ne.mediaone.net/scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir
14: http://acadia.ne.mediaone.net/scripts/..%252f../winnt/system32/cmd.exe?/c+dir

Here is the LocationMatch section I am using now:

    # Handle nimda attacks.
    <LocationMatch (cmd\.exe|root\.exe)>
        SetHandler perl-script
        PerlHandler Apache::Nimda
    </LocationMatch>

It seems to miss one of the URLs - #10, IIRC. I'm not as skilled with regexps as I would like to be, so I'm not sure how to include all of them yet. Still trying a couple of things.

As for where it is, I've notified the author of the original Apache::CodeRed module for his feedback, since I want to be sure I am giving proper credit where it is due. I have given him the URL to take a look at it, but the contacts at securityfocus have not been finalized. Right now, they are getting Nimda notices from me and probably wondering what the heck is going on. I would like to wait until I have the correct expression and some kind of feedback from the author, but I will likely release the module to the GP this weekend.

Any feedback/ideas/etc. would be welcome.

Lou
-- 
Louis LeBlanc
leblanc@acadia.ne.mediaone.net
Fully Funded Hobbyist, KeySlapper Extraordinaire :)
http://acadia.ne.mediaone.net

perfect guest: One who makes his host feel at home.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
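As an added example (not Lou's Apache::Nimda module and not Reuven Lerner's Apache::CodeRed), here is a small Python detector that runs the fourteen request paths listed in the mail, plus a few constructed Apache access-log lines, through a tighter test than `(cmd\.exe|root\.exe)`: it requires cmd.exe or root.exe to be a whole path component (so a file such as `/images/cmd.exe.png` is not flagged), and it separately counts the encoded `..` traversal variants in the list (`%255c`, `%252f`, `%25%35%63`, `%c0%af`, `%c0%2f`, `%c1%1c`, `%c1%9c`) so the IIS decoding-evasion technique is visible in the output. It also implements the parent-domain abuse-address rule the mail describes. The log lines, client addresses and all function names are constructed for this example. One caveat when carrying a pattern back into Apache: LocationMatch is applied to the percent-decoded URL-path, and Apache refuses a path containing an encoded slash (`%2f`) with a 404 before any handler is selected (the AllowEncodedSlashes directive that relaxes this only appeared in 2.0.46), which is the likely reason #10 (`..%c0%2f..`) never reaches the handler; a scanner over the access log sees the raw request line, so it sees every form exactly as listed.

```python
"""Nimda-style probe detection over request paths and Apache access-log lines.

Added example; not the Apache::Nimda or Apache::CodeRed code. Every log line,
client address and helper name here is constructed for illustration.
"""
import re
from typing import Dict, List

# The fourteen request paths from the mail, with the host part stripped.
NIMDA_PROBES = [
    "/scripts/root.exe?/c+dir",
    "/MSADC/root.exe?/c+dir",
    "/c/winnt/system32/cmd.exe?/c+dir",
    "/d/winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%255c../winnt/system32/cmd.exe?/c+dir",
    "/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir",
    "/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir",
    "/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%252f../winnt/system32/cmd.exe?/c+dir",
]

# cmd.exe or root.exe as a complete path component: it must be followed by
# '?', '/' or end of string, so "/images/cmd.exe.png" does not match.
EXECUTABLE_RE = re.compile(r"/(?:cmd|root)\.exe(?:[?/]|$)", re.I)

# '..' followed by an encoded separator: double-encoded backslash/slash
# (%255c, %252f, %25%35%63), overlong UTF-8 slash/backslash (%c0%af, %c0%2f,
# %c1%1c, %c1%9c) or single-encoded (%5c, %2f). A plain '../' is deliberately
# not counted; only the evasive encodings are.
ENCODED_TRAVERSAL_RE = re.compile(
    r"\.\.(?:%25(?:5c|2f|%35%63)|%c0%(?:af|2f)|%c1%(?:1c|9c)|%5c|%2f)",
    re.I,
)

# Apache common log format (field names are this example's own).
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)$'
)


def classify_path(path: str) -> Dict[str, object]:
    """Report whether PATH targets cmd.exe/root.exe and how many encoded
    traversal sequences it carries."""
    return {
        "probe": EXECUTABLE_RE.search(path) is not None,
        "encoded_traversals": len(ENCODED_TRAVERSAL_RE.findall(path)),
    }


def scan_log(text: str) -> List[Dict[str, object]]:
    """Parse CLF lines and return one record per request that is a probe."""
    hits: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than guess at fields
        verdict = classify_path(m["path"])
        if verdict["probe"]:
            hits.append({
                "ip": m["ip"],
                "path": m["path"],
                "status": int(m["status"]),
                "encoded_traversals": verdict["encoded_traversals"],
            })
    return hits


def parent_abuse_address(hostname: str) -> str:
    """abuse@ the parent domain, as the mail describes
    (acadia.ne.mediaone.net -> abuse@mediaone.net).

    Assumption: 'parent domain' means the last two labels. That is wrong under
    registries such as .co.uk; a real notifier should consult the Public Suffix
    List or WHOIS instead of this shortcut."""
    labels = hostname.rstrip(".").lower().split(".")
    return "abuse@" + ".".join(labels[-2:])


# Constructed access-log sample: two probes from two clients (documentation
# address ranges) and one ordinary request.
SAMPLE_LOG = (
    '192.0.2.10 - - [27/Sep/2001:14:21:48 -0400] '
    '"GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290\n'
    '198.51.100.7 - - [27/Sep/2001:14:21:49 -0400] "GET /index.html HTTP/1.1" 200 1234\n'
    '192.0.2.20 - - [27/Sep/2001:14:21:50 -0400] '
    '"GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../'
    'winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290\n'
)

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The separation into two patterns is deliberate: the executable test is what decides whether a request is a probe, while the traversal count is evidence worth including in the abuse notice, since it shows which decoder bug the probe was aimed at.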
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010927142147.B15312>