Re: [Sheflug] w0rm/Hax0r Attack
And Lo! The Great Prophet José Luis Gómez Dans uttered these words of wisdom:
>
> A search on bugtrack et al. lists this as an IIS WebDAV bug (would
> you believe it? :D). However, it is having an impact on my server, as
> the requests (and I get loads of them) are filling the HD with useless
> logs! Any clues of how I can block this rubbish? I still want to log
> other accesses.
>
There was talk of using iptables to block this sort of worm when Nimda
and CodeRed were on the loose, as apparently you can block packets based on
the contents of the data payload of an IP packet, which could be useful :-)
It's also possible to retaliate to some extent with Apache; I used this
config to send hack requests to an alternative log file:
# Tag worm probes: if the request path (Request_URI, i.e. the path with the
# query string removed) ends in one of these names, set the env var ms_crap.
# The NoCase variant matches case-insensitively, so CMD.EXE is caught too.
SetEnvIfNoCase Request_URI "cmd\.exe$" ms_crap
SetEnvIfNoCase Request_URI "root\.exe$" ms_crap
SetEnvIfNoCase Request_URI "default\.ida$" ms_crap
.
.
.
# Normal traffic (env var NOT set) goes to the usual logs ...
CustomLog /usr/local/apache/logs/access_log common env=!ms_crap
CustomLog /usr/local/apache/logs/referer_log referer env=!ms_crap
# ... and tagged requests go to their own file (drop this line to discard them).
CustomLog /usr/local/apache/logs/codered_log combined env=ms_crap
The SetEnvIfNoCase lines set an environment variable within Apache if the URI
matches the regular expression. In this case, it sets ms_crap. Then, using
CustomLog, I send the requests to the appropriate log file :-)
You could just omit the last CustomLog entry (with the env=ms_crap) to just
drop all the log entries for that.
Chris...
--
Chris Johnson | NP: Sneaky Bat Machine - 06. Exhume (A Love Song)
cej [at] nightwolf.org.uk
http://cej.nightwolf.org.uk/
http://redclaw.org.uk/
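An added example, not part of Chris's mail or of Apache itself: a small Python
script that applies the same three patterns to a handful of constructed
"combined"-format log lines and splits them the way the two CustomLog
destinations would. It mirrors one detail worth knowing when you write such
rules: SetEnvIf's Request_URI is the request path without the query string, so
an end-anchored pattern like cmd\.exe$ still matches a probe such as
/scripts/root.exe?/c+dir, while a legitimate path like /docs/cmd.exe.html is
left alone. The IP addresses, timestamps and file names below are invented.

```python
import re
from collections import defaultdict

# The three patterns from the SetEnvIfNoCase lines, compiled case-insensitively
# (that is what the "NoCase" variant does) and anchored at the end of the path.
WORM_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (r"cmd\.exe$", r"root\.exe$", r"default\.ida$")
]

# Constructed sample log lines in Apache "combined" format (not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [10/Oct/2001:13:55:36 +0100] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 292 "-" "-"
192.0.2.10 - - [10/Oct/2001:13:55:37 +0100] "GET /c/winnt/system32/CMD.EXE?/c+dir HTTP/1.0" 404 292 "-" "-"
192.0.2.11 - - [10/Oct/2001:13:56:01 +0100] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 292 "-" "-"
198.51.100.7 - - [10/Oct/2001:13:57:12 +0100] "GET /index.html HTTP/1.1" 200 1043 "http://example.org/" "Mozilla/4.0"
198.51.100.7 - - [10/Oct/2001:13:57:13 +0100] "GET /docs/cmd.exe.html HTTP/1.1" 200 512 "-" "Mozilla/4.0"
"""

# Picks the quoted request line out of a combined-format record.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/\d\.\d)"')


def request_path(line):
    """Return the request path with any query string removed, which is the
    value Apache's SetEnvIf sees as Request_URI. None if no request is found."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    return m.group("target").split("?", 1)[0]


def is_worm_request(line):
    """True if the request path matches one of the worm patterns."""
    path = request_path(line)
    if path is None:
        return False
    return any(p.search(path) for p in WORM_PATTERNS)


def route_log(lines):
    """Split log lines into the two destinations the CustomLog directives use:
    'codered_log' for tagged requests, 'access_log' for everything else."""
    routed = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        dest = "codered_log" if is_worm_request(line) else "access_log"
        routed[dest].append(line)
    return routed


if __name__ == "__main__":
    for dest, lines in route_log(SAMPLE_LOG.splitlines()).items():
        print(f"== {dest} ({len(lines)} lines)")
        for entry in lines:
            print(entry)
```

Run as-is and the three probes land in codered_log while the two ordinary
requests (including the one whose path merely contains "cmd.exe") stay in
access_log. If you ever loosen the patterns by dropping the $ anchor, re-run a
sample like this first; it is an easy way to see what ordinary traffic you
would stop logging.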
___________________________________________________________________
Sheffield Linux User's Group -
http://www.sheflug.co.uk/mailfaq.html
GNU the choice of a complete generation.