Re: MSIISProbes.pm v1.03

2001-10-01 Thread Mike Schienle 


On Friday, September 28, 2001, at 08:49 AM, Nick Tonkin wrote:

 On Fri, 28 Sep 2001, Ask Bjoern Hansen wrote:

 On Thu, 20 Sep 2001, Mike Schienle wrote:

 thanks to patches from Brice D. Ruth and others, a new version of
 MSIISProbes.pm is available at
 http://www.tonkinresolutions.com/MSIISProbes.pm.tar.gz

 Hi all -

 Can anyone provide a couple hints on getting this going with Tenon's
 iTools on MacOS X? For Reuven's CodeRed, it was just a matter of 
 putting
 CodeRed.pm in /Library/Perl and adding the following code to the
 iTools.conf file (equivalent to httpd.conf).
 [...]
 Any suggestions are greatly appreciated.

 check the code and your system configuration for the location of
 sendmail (or whatever the module uses to send mail).

 MSIISProbes.pm use Mail::Sendmail to send mail ...

 Cache::FileCache defaults to using /tmp for the location of its
 cache; does the system have /tmp (not sure what Cache::FileCache does if
 there's no /tmp, hafta look at the code).

There is indeed a /tmp for MacOS X. Also, someone else on the list has 
been able to get it working without any problems, so it's probably 
something peculiar to my situation. I'm going to upgrade to version 10.1 
of MacOS X and try again later today.

Is there some kind of test file that can do a simple pass through and 
see if everything is in place? I've run apachectl configtest and it was 
happy. Also, any chance of adding MSIISProbes to CPAN?

Mike Schienle
Interactive Visuals, Inc.
http://www.ivsoftware.com

Re: MSIISProbes.pm v1.03

2001-09-28 Thread DeWitt Clinton 

On Fri, Sep 28, 2001 at 08:49:22AM -0700, Nick Tonkin wrote:

 Cache::FileCache defaults to using /tmp for the location of its
 cache; does the system have /tmp (not sure what Cache::FileCache does if
 there's no /tmp, hafta look at the code).

You can manually override the temp directory by setting the
'cache_root' option when instantiating the cache.  If cache_root isn't
set, then File::Spec's tmpdir( ) routine will be called, which seems
to return a value on just about all the machines I've tested (judging
by the lack of temp directory bug reports).

Cheers,

-DeWitt

Re: MSIISProbes.pm v1.03

2001-09-28 Thread Ask Bjoern Hansen 

On Thu, 20 Sep 2001, Mike Schienle wrote:

  thanks to patches from Brice D. Ruth and others, a new version of
  MSIISProbes.pm is available at
  http://www.tonkinresolutions.com/MSIISProbes.pm.tar.gz

 Hi all -

 Can anyone provide a couple hints on getting this going with Tenon's
 iTools on MacOS X? For Reuven's CodeRed, it was just a matter of putting
 CodeRed.pm in /Library/Perl and adding the following code to the
 iTools.conf file (equivalent to httpd.conf).
[...]
 Any suggestions are greatly appreciated.

check the code and your system configuration for the location of
sendmail (or whatever the module uses to send mail).


 - ask

-- 
ask bjoern hansen, http://ask.netcetera.dk/ !try; do();
more than a billion impressions per week, http://valueclick.com

Re: MSIISProbes.pm v1.03

2001-09-28 Thread Nick Tonkin 

On Fri, 28 Sep 2001, Ask Bjoern Hansen wrote:

 On Thu, 20 Sep 2001, Mike Schienle wrote:
 
   thanks to patches from Brice D. Ruth and others, a new version of
   MSIISProbes.pm is available at
   http://www.tonkinresolutions.com/MSIISProbes.pm.tar.gz
 
  Hi all -
 
  Can anyone provide a couple hints on getting this going with Tenon's
  iTools on MacOS X? For Reuven's CodeRed, it was just a matter of putting
  CodeRed.pm in /Library/Perl and adding the following code to the
  iTools.conf file (equivalent to httpd.conf).
 [...]
  Any suggestions are greatly appreciated.
 
 check the code and your system configuration for the location of
 sendmail (or whatever the module uses to send mail).

MSIISProbes.pm use Mail::Sendmail to send mail ...

Cache::FileCache defaults to using /tmp for the location of its
cache; does the system have /tmp (not sure what Cache::FileCache does if
there's no /tmp, hafta look at the code).


- Nick

[Announce] MSIISProbes.pm v1.03

2001-09-20 Thread Nick Tonkin 


Hello,

thanks to patches from Brice D. Ruth and others, a new version of
MSIISProbes.pm is available at
http://www.tonkinresolutions.com/MSIISProbes.pm.tar.gz

Changes:
  v1.03 Added code to get e-mail for the SOA of the host (Brice D. Ruth)
Cut the DNS Resolver's timeout to 20 seconds

  v1.02 Moved the URL for info for each worm into PerlSetVar in httpd.conf


comments/flames welcome

--nick


~~~
Nick Tonkin

Re: [Announce] MSIISProbes.pm v1.03

2001-09-20 Thread Paul DuBois 

Hello,

thanks to patches from Brice D. Ruth and others, a new version of
MSIISProbes.pm is available at
http://www.tonkinresolutions.com/MSIISProbes.pm.tar.gz

Changes:
   v1.03   Added code to get e-mail for the SOA of the host 
(Brice D. Ruth)
   Cut the DNS Resolver's timeout to 20 seconds

   v1.02   Moved the URL for info for each worm into PerlSetVar 
in httpd.conf


comments/flames welcome

No flames, I like it.  Is there a way to send a request to the module
to have it generate a report on the contents of the cache?


--nick


~~~
Nick Tonkin

Re: [Announce] MSIISProbes.pm v1.03

2001-09-20 Thread Jan Jungnickel 

Hallo,

 thanks to patches from Brice D. Ruth and others, a new version of
 MSIISProbes.pm is available at
 http://www.tonkinresolutions.com/MSIISProbes.pm.tar.gz

 Changes:
   v1.03  Added code to get e-mail for the SOA of the host
 (Brice D. Ruth)
  Cut the DNS Resolver's timeout to 20 seconds

   v1.02  Moved the URL for info for each worm into PerlSetVar
 in httpd.conf

If you like, you you add code to report infected Hosts to our
Nimda-Database? You can find further informations on
http://worm.jungnickel.com
-- 
Greetings, Jan Jungnickel

Re: [Announce] MSIISProbes.pm v1.03

2001-09-20 Thread Nick Tonkin 


Hi Jan,

I'm afraid that might just gum up the bandwidth even more than these
idiots (and our flame mail to them :) ... 

thanks for the support, though!


~~~
Nick Tonkin

On Thu, 20 Sep 2001, Jan Jungnickel wrote:

 Hallo,
 
  thanks to patches from Brice D. Ruth and others, a new version of
  MSIISProbes.pm is available at
  http://www.tonkinresolutions.com/MSIISProbes.pm.tar.gz
 
  Changes:
v1.03Added code to get e-mail for the SOA of the host
  (Brice D. Ruth)
 Cut the DNS Resolver's timeout to 20 seconds
 
v1.02Moved the URL for info for each worm into PerlSetVar
  in httpd.conf
 
 If you like, you you add code to report infected Hosts to our
 Nimda-Database? You can find further informations on
 http://worm.jungnickel.com
 -- 
 Greetings, Jan Jungnickel

Re: MSIISProbes.pm v1.03

2001-09-20 Thread Mike Schienle 


On Thursday, September 20, 2001, at 09:41 AM, Nick Tonkin wrote:


 Hello,

 thanks to patches from Brice D. Ruth and others, a new version of
 MSIISProbes.pm is available at
 http://www.tonkinresolutions.com/MSIISProbes.pm.tar.gz

Hi all -

Can anyone provide a couple hints on getting this going with Tenon's 
iTools on MacOS X? For Reuven's CodeRed, it was just a matter of putting 
CodeRed.pm in /Library/Perl and adding the following code to the 
iTools.conf file (equivalent to httpd.conf).

#   added 08/06/01
PerlModule  CodeRed
Location /default.ida
SetHandler perl-script
PerlHandler CodeRed
/Location

I've since commented out the above lines. I've added MSIISProbes.pm to 
/Library/Perl and also tried it at /Library/Perl/Apache, with no effect. 
I restarted Apache after each change of code and/or location. There 
doesn't appear to be any output (nothing relevant in the logs and no 
email).

#   added 09/20/01
Location /default.ida
SetHandler perl-script
PerlHandler Apache::MSIISProbes
PerlSetVar worm_name CodeRed
PerlSetVar worm_url 
http://www.microsoft.com/technet/itsolutions/security/topics/codealrt.asp
/Location

RewriteCond %{REQUEST_URI} !nimda
RewriteCond %{QUERY_STRING} /c.dir
RewriteRule .* /nimda? [R,L]

LocationMatch /nimda*
SetHandler perl-script
PerlHandler NPT::MSIISProbes
PerlSetVar worm_name Nimda
PerlSetVar worm_url 
http://www.microsoft.com/technet/security/topics/Nimda.asp
/LocationMatch

Any suggestions are greatly appreciated.

Mike Schienle
Interactive Visuals, Inc.
http://www.ivsoftware.com

NIMDA worm; MSIISProbes.pm

2001-09-19 Thread Nick Tonkin 


Hello,

Now that Micro$oft has finally put out some information about their
latest trick I have posted a new version of MSIISProbes.pm.

Version 1.02 changes include putting the URL to a page containing info
about each worm into a PerlSetVar ... this means that once you have
configured MSIISProbes.pm with your e-mail and cacheing preferences, you
can add traps for new worms as Micro$oft releases them, er, discovers
them.

Available at http://www.tonkinresolutions.com/MSIISProbes.pm.tar.gz

More info at http://www.tonkinresolutions.com/MSIISProbes.pm.html

Comments/flames welcome.

- nick


~~~
Nick Tonkin

Re: NIMDA worm; MSIISProbes.pm

2001-09-19 Thread Bruce Albrecht 

Nick Tonkin writes:
  Now that Micro$oft has finally put out some information about their
  latest trick I have posted a new version of MSIISProbes.pm.
  
  Version 1.02 changes include putting the URL to a page containing info
  about each worm into a PerlSetVar ... this means that once you have
  configured MSIISProbes.pm with your e-mail and cacheing preferences, you
  can add traps for new worms as Micro$oft releases them, er, discovers
  them.
  
  Available at http://www.tonkinresolutions.com/MSIISProbes.pm.tar.gz
  
  More info at http://www.tonkinresolutions.com/MSIISProbes.pm.html
 
I was looking at your Apache::MSIISProbes module, and I didn't
understand the part about the nimda rewrite rules, mostly because I
haven't used the rewrite rules.  Do the following rules

RewriteCond %{REQUEST_URI} !nimda
RewriteCond %{QUERY_STRING} /c.dir
RewriteRule .* /nimda? [R,L]

mean unless I've already rewritten the rule, if the query string matches
c.dir (i.e., will match c+dir found in most of the requests), rewrite
the request as /nimda?  From my observation, nimbda also tries c+tftp
and tries to get /scripts/Admin.dll, /c/Admin.dll, /d/Admin.dll and
/MSADC/Admin.dll.  Could I change the rewrite rules to 

RewriteCond %{REQUEST_URI} !nimda 
RewriteCond %{QUERY_STRING} /c.(tftp|dir)
RewriteRule .* /nimda? [R,L] 

to catch either request, and then do
RewriteCond %{REQUEST_URI} /(scripts|MSADC|c|d)/Admin.dll
RewriteRule .* /nimda? [R,L]
to catch the others?


Thanks.

Re: NIMDA worm; MSIISProbes.pm

2001-09-19 Thread Nick Tonkin 


On Wed, 19 Sep 2001, Bruce Albrecht wrote:

 I was looking at your Apache::MSIISProbes module, and I didn't
 understand the part about the nimda rewrite rules, mostly because I
 haven't used the rewrite rules.  Do the following rules
 
   RewriteCond %{REQUEST_URI} !nimda
   RewriteCond %{QUERY_STRING} /c.dir
   RewriteRule .* /nimda? [R,L]
 
 mean unless I've already rewritten the rule, if the query string matches
 c.dir (i.e., will match c+dir found in most of the requests), rewrite
 the request as /nimda? 

right.

 From my observation, nimbda also tries c+tftp
 and tries to get /scripts/Admin.dll, /c/Admin.dll, /d/Admin.dll and
 /MSADC/Admin.dll.  Could I change the rewrite rules to 
 
 RewriteCond %{REQUEST_URI} !nimda 
 RewriteCond %{QUERY_STRING} /c.(tftp|dir)
 RewriteRule .* /nimda? [R,L] 
 
 to catch either request, and then do
 RewriteCond %{REQUEST_URI} /(scripts|MSADC|c|d)/Admin.dll
 RewriteRule .* /nimda? [R,L]
 to catch the others?
 

Well, the rules you put forward seem fine, but I'm not sure you'll catch
everything ... 

BTW the '?' on the end is to remove the query string ... if you leave it
off mod_rewrite puts the original one back.

- nick

MSIISProbes.pm

2001-09-18 Thread Nick Tonkin 
# the webmaster and/or postmaster addresses often doesn't work
my $remote_webmaster_address = webmaster\@$mx_host, postmaster\@$mx_host, 
administrator\@$mx_host;

# Set the outgoing message
my $outgoing_message = EOT;

Your Microsoft IIS server (at $remote_ip_address) appears to have been
infected with the $worm_name worm.  It attempted to spread to
our Web server, despite the fact that we run Apache, which is immune.

This was attempt number $count from the server at $remote_ip_address
to infect our server. You should immediately view the latest information
and download any available security patches, from
$security_url{$worm_name}.

Automatically generated by Apache::MSIISProbes version $VERSION for
mod_perl and Apache running on $server_name. Information at $module_url.
EOT

# 
# Also send e-mail to the people running the offending host,
# just in case SecurityFocus takes a while.

$DEBUG  1  $r-warn(MSIISProbes: Sending e-mail to 
[$remote_webmaster_address]);

my %mail = (
To  = $remote_webmaster_address,
CC  = $cc_address,
From= $from_address,
Subject = $worm_name infection on [$remote_hostname]: Automatic 
report,
Message = $outgoing_message
  );

my $sendmail_success = sendmail(%mail);

if ($sendmail_success) {
return FORBIDDEN;
} else {
$DEBUG  1  $r-warn(MSIISProbes: Mail::Sendmail returned 
[$Mail::Sendmail::error]. Exiting.);
return DECLINED;
}
}

# All modules must return a true value
1;

__END__

=pod

=head1 NAME

Apache::MSIISProbes - Responds to worm attacks on Microsoft
Internet Information Servers with e-mail warnings.

=head1 SYNOPSIS

In your httpd.conf, put something similar to the following:

Location /default.ida
SetHandler perl-script
PerlHandler Apache::MSIISProbes
PerlSetVar worm_name CodeRed
/Location

=head1 DESCRIPTION

This Perl module should be invoked whenever the worms it
knows about attack. We don't have to worry about such
attacks on non-Windows boxes, but we can be good Internet
citizens, warning the webmasters on infected machines of the
problem and how to solve it.

The module allows the user to add new configuration
directives as new worms are discovered.

=head1 USAGE

In your httpd.conf, put directives similar to the following:

Location /default.ida
SetHandler perl-script
PerlHandler Apache::MSIISProbes
PerlSetVar worm_name CodeRed
/Location

RewriteCond %{REQUEST_URI} !nimda
RewriteCond %{QUERY_STRING} /c.dir
RewriteRule .* /nimda? [R,L]

LocationMatch /nimda*
SetHandler perl-script
PerlHandler NPT::MSIISProbes
PerlSetVar worm_name Nimda
/LocationMatch

BDuplicates

Although rumor has it that CodeRed and other similar worms
only attack a given IP once from a given host, experience
shows this to be false. You can control the behavior of
MSIISProbes.pm when it encounters a second or subsequent
attempt from a given IP address. By default MSIISProbes.pm
keeps a cache of IP addresses from which an attempt has
originated, counting attempts per worm from the IP and
including the count in each message it mails.

You can override this behavior and send a message only the
first time a given host attempts to spread the worm in a given
period by setting the variable $store to a false value. This
will cause the cache to be cleared at a given interval (by
default, one day). Mail alerts to the IIS server's
administrators will be sent only once per cache period.

=head1 BUGS

If the remote IP address fails a reverse DNS lookup, we don't
send e-mail to anyone associated with that host.  (We do,
however, submit the IP address to SecurityFocus.)  It would be
nice to automatically determine which ISP is responsible for a
particular IP address, and contact them automatically.

=head1 LICENSE

You may distribute this module under the same license as Perl itself.

=head1 AUTHOR

Author, current version: Nick Tonkin, [EMAIL PROTECTED]

Original author: Reuven M. Lerner, [EMAIL PROTECTED]

Thanks to Randal Schwartz, David Young, and Salve J. Nilsen for
their suggestions.

=head1 SEE ALSO

Lmod_perl.

=cut


~~~
Nick Tonkin

Re: MSIISProbes.pm

2001-09-18 Thread Nick Tonkin 



On Tue, 18 Sep 2001, Emad Fanous wrote:

 any reason why the private address spaces between
 172.16.0.0-172.31.255.255 wasn't in your list of ignored
 ips?
 
 Thanks
 Emad


That came from the original author's CodeRed.pm. But it's considered a
configurable variable.

~~~
Nick Tonkin

Re: MSIISProbes.pm

2001-09-18 Thread Ask Bjoern Hansen 

On Tue, 18 Sep 2001, Nick Tonkin wrote:

 I used a real ugly mod_rewrite hack to grab the requests (I didn't want to
 lump all reqs for root.exe or cmd.exe into the same 'worm') ... I'm sure
 others can improve on that. (BTW am I right in thinking that RewriteEngine
 on needs to be specified for each virtual host?)

Yes,

RewriteEngine on
RewriteRule ...
[...]

virtualhost ...
  [...]
  RewriteEngine on
  RewriteOptions inherit
/virtualhost

or something like that for each VirtualHost is your friend.

:-)

-- 
ask bjoern hansen, http://ask.netcetera.dk/ !try; do();
more than a billion impressions per week, http://valueclick.com

Re: MSIISProbes.pm

2001-09-18 Thread Nick Tonkin 


On Tue, 18 Sep 2001, Ask Bjoern Hansen wrote:

 On Tue, 18 Sep 2001, Nick Tonkin wrote:
 
  I used a real ugly mod_rewrite hack to grab the requests (I didn't want to
  lump all reqs for root.exe or cmd.exe into the same 'worm') ... I'm sure
  others can improve on that. (BTW am I right in thinking that RewriteEngine
  on needs to be specified for each virtual host?)
 
 Yes,
 
 RewriteEngine on
 RewriteRule ...
 [...]
 
 virtualhost ...
   [...]
   RewriteEngine on
   RewriteOptions inherit
 /virtualhost
 
 or something like that for each VirtualHost is your friend.
 
 :-)

Well, yeah, I figgered that out :) But it should inherit, sez I.

-nick

 
 -- 
 ask bjoern hansen, http://ask.netcetera.dk/ !try; do();
 more than a billion impressions per week, http://valueclick.com