Re: MSIISProbes.pm v1.03
On Friday, September 28, 2001, at 08:49 AM, Nick Tonkin wrote: On Fri, 28 Sep 2001, Ask Bjoern Hansen wrote: On Thu, 20 Sep 2001, Mike Schienle wrote: thanks to patches from Brice D. Ruth and others, a new version of MSIISProbes.pm is available at http://www.tonkinresolutions.com/MSIISProbes.pm.tar.gz Hi all - Can anyone provide a couple hints on getting this going with Tenon's iTools on MacOS X? For Reuven's CodeRed, it was just a matter of putting CodeRed.pm in /Library/Perl and adding the following code to the iTools.conf file (equivalent to httpd.conf). [...] Any suggestions are greatly appreciated. check the code and your system configuration for the location of sendmail (or whatever the module uses to send mail). MSIISProbes.pm use Mail::Sendmail to send mail ... Cache::FileCache defaults to using /tmp for the location of its cache; does the system have /tmp (not sure what Cache::FileCache does if there's no /tmp, hafta look at the code). There is indeed a /tmp for MacOS X. Also, someone else on the list has been able to get it working without any problems, so it's probably something peculiar to my situation. I'm going to upgrade to version 10.1 of MacOS X and try again later today. Is there some kind of test file that can do a simple pass through and see if everything is in place? I've run apachectl configtest and it was happy. Also, any chance of adding MSIISProbes to CPAN? Mike Schienle Interactive Visuals, Inc. http://www.ivsoftware.com
Re: MSIISProbes.pm v1.03
On Fri, Sep 28, 2001 at 08:49:22AM -0700, Nick Tonkin wrote: Cache::FileCache defaults to using /tmp for the location of its cache; does the system have /tmp (not sure what Cache::FileCache does if there's no /tmp, hafta look at the code). You can manually override the temp directory by setting the 'cache_root' option when instantiating the cache. If cache_root isn't set, then File::Spec's tmpdir( ) routine will be called, which seems to return a value on just about all the machines I've tested (judging by the lack of temp directory bug reports). Cheers, -DeWitt
Re: MSIISProbes.pm v1.03
On Thu, 20 Sep 2001, Mike Schienle wrote: thanks to patches from Brice D. Ruth and others, a new version of MSIISProbes.pm is available at http://www.tonkinresolutions.com/MSIISProbes.pm.tar.gz Hi all - Can anyone provide a couple hints on getting this going with Tenon's iTools on MacOS X? For Reuven's CodeRed, it was just a matter of putting CodeRed.pm in /Library/Perl and adding the following code to the iTools.conf file (equivalent to httpd.conf). [...] Any suggestions are greatly appreciated. check the code and your system configuration for the location of sendmail (or whatever the module uses to send mail). - ask -- ask bjoern hansen, http://ask.netcetera.dk/ !try; do(); more than a billion impressions per week, http://valueclick.com
Re: MSIISProbes.pm v1.03
On Fri, 28 Sep 2001, Ask Bjoern Hansen wrote: On Thu, 20 Sep 2001, Mike Schienle wrote: thanks to patches from Brice D. Ruth and others, a new version of MSIISProbes.pm is available at http://www.tonkinresolutions.com/MSIISProbes.pm.tar.gz Hi all - Can anyone provide a couple hints on getting this going with Tenon's iTools on MacOS X? For Reuven's CodeRed, it was just a matter of putting CodeRed.pm in /Library/Perl and adding the following code to the iTools.conf file (equivalent to httpd.conf). [...] Any suggestions are greatly appreciated. check the code and your system configuration for the location of sendmail (or whatever the module uses to send mail). MSIISProbes.pm use Mail::Sendmail to send mail ... Cache::FileCache defaults to using /tmp for the location of its cache; does the system have /tmp (not sure what Cache::FileCache does if there's no /tmp, hafta look at the code). - Nick
[Announce] MSIISProbes.pm v1.03
Hello, thanks to patches from Brice D. Ruth and others, a new version of MSIISProbes.pm is available at http://www.tonkinresolutions.com/MSIISProbes.pm.tar.gz Changes: v1.03 Added code to get e-mail for the SOA of the host (Brice D. Ruth) Cut the DNS Resolver's timeout to 20 seconds v1.02 Moved the URL for info for each worm into PerlSetVar in httpd.conf comments/flames welcome --nick ~~~ Nick Tonkin
Re: [Announce] MSIISProbes.pm v1.03
Hello, thanks to patches from Brice D. Ruth and others, a new version of MSIISProbes.pm is available at http://www.tonkinresolutions.com/MSIISProbes.pm.tar.gz Changes: v1.03 Added code to get e-mail for the SOA of the host (Brice D. Ruth) Cut the DNS Resolver's timeout to 20 seconds v1.02 Moved the URL for info for each worm into PerlSetVar in httpd.conf comments/flames welcome No flames, I like it. Is there a way to send a request to the module to have it generate a report on the contents of the cache? --nick ~~~ Nick Tonkin
Re: [Announce] MSIISProbes.pm v1.03
Hallo, thanks to patches from Brice D. Ruth and others, a new version of MSIISProbes.pm is available at http://www.tonkinresolutions.com/MSIISProbes.pm.tar.gz Changes: v1.03 Added code to get e-mail for the SOA of the host (Brice D. Ruth) Cut the DNS Resolver's timeout to 20 seconds v1.02 Moved the URL for info for each worm into PerlSetVar in httpd.conf If you like, you you add code to report infected Hosts to our Nimda-Database? You can find further informations on http://worm.jungnickel.com -- Greetings, Jan Jungnickel
Re: [Announce] MSIISProbes.pm v1.03
Hi Jan, I'm afraid that might just gum up the bandwidth even more than these idiots (and our flame mail to them :) ... thanks for the support, though! ~~~ Nick Tonkin On Thu, 20 Sep 2001, Jan Jungnickel wrote: Hallo, thanks to patches from Brice D. Ruth and others, a new version of MSIISProbes.pm is available at http://www.tonkinresolutions.com/MSIISProbes.pm.tar.gz Changes: v1.03Added code to get e-mail for the SOA of the host (Brice D. Ruth) Cut the DNS Resolver's timeout to 20 seconds v1.02Moved the URL for info for each worm into PerlSetVar in httpd.conf If you like, you you add code to report infected Hosts to our Nimda-Database? You can find further informations on http://worm.jungnickel.com -- Greetings, Jan Jungnickel
Re: MSIISProbes.pm v1.03
On Thursday, September 20, 2001, at 09:41 AM, Nick Tonkin wrote: Hello, thanks to patches from Brice D. Ruth and others, a new version of MSIISProbes.pm is available at http://www.tonkinresolutions.com/MSIISProbes.pm.tar.gz Hi all - Can anyone provide a couple hints on getting this going with Tenon's iTools on MacOS X? For Reuven's CodeRed, it was just a matter of putting CodeRed.pm in /Library/Perl and adding the following code to the iTools.conf file (equivalent to httpd.conf). # added 08/06/01 PerlModule CodeRed Location /default.ida SetHandler perl-script PerlHandler CodeRed /Location I've since commented out the above lines. I've added MSIISProbes.pm to /Library/Perl and also tried it at /Library/Perl/Apache, with no effect. I restarted Apache after each change of code and/or location. There doesn't appear to be any output (nothing relevant in the logs and no email). # added 09/20/01 Location /default.ida SetHandler perl-script PerlHandler Apache::MSIISProbes PerlSetVar worm_name CodeRed PerlSetVar worm_url http://www.microsoft.com/technet/itsolutions/security/topics/codealrt.asp /Location RewriteCond %{REQUEST_URI} !nimda RewriteCond %{QUERY_STRING} /c.dir RewriteRule .* /nimda? [R,L] LocationMatch /nimda* SetHandler perl-script PerlHandler NPT::MSIISProbes PerlSetVar worm_name Nimda PerlSetVar worm_url http://www.microsoft.com/technet/security/topics/Nimda.asp /LocationMatch Any suggestions are greatly appreciated. Mike Schienle Interactive Visuals, Inc. http://www.ivsoftware.com
NIMDA worm; MSIISProbes.pm
Hello, Now that Micro$oft has finally put out some information about their latest trick I have posted a new version of MSIISProbes.pm. Version 1.02 changes include putting the URL to a page containing info about each worm into a PerlSetVar ... this means that once you have configured MSIISProbes.pm with your e-mail and cacheing preferences, you can add traps for new worms as Micro$oft releases them, er, discovers them. Available at http://www.tonkinresolutions.com/MSIISProbes.pm.tar.gz More info at http://www.tonkinresolutions.com/MSIISProbes.pm.html Comments/flames welcome. - nick ~~~ Nick Tonkin
Re: NIMDA worm; MSIISProbes.pm
Nick Tonkin writes: Now that Micro$oft has finally put out some information about their latest trick I have posted a new version of MSIISProbes.pm. Version 1.02 changes include putting the URL to a page containing info about each worm into a PerlSetVar ... this means that once you have configured MSIISProbes.pm with your e-mail and cacheing preferences, you can add traps for new worms as Micro$oft releases them, er, discovers them. Available at http://www.tonkinresolutions.com/MSIISProbes.pm.tar.gz More info at http://www.tonkinresolutions.com/MSIISProbes.pm.html I was looking at your Apache::MSIISProbes module, and I didn't understand the part about the nimda rewrite rules, mostly because I haven't used the rewrite rules. Do the following rules RewriteCond %{REQUEST_URI} !nimda RewriteCond %{QUERY_STRING} /c.dir RewriteRule .* /nimda? [R,L] mean unless I've already rewritten the rule, if the query string matches c.dir (i.e., will match c+dir found in most of the requests), rewrite the request as /nimda? From my observation, nimbda also tries c+tftp and tries to get /scripts/Admin.dll, /c/Admin.dll, /d/Admin.dll and /MSADC/Admin.dll. Could I change the rewrite rules to RewriteCond %{REQUEST_URI} !nimda RewriteCond %{QUERY_STRING} /c.(tftp|dir) RewriteRule .* /nimda? [R,L] to catch either request, and then do RewriteCond %{REQUEST_URI} /(scripts|MSADC|c|d)/Admin.dll RewriteRule .* /nimda? [R,L] to catch the others? Thanks.
Re: NIMDA worm; MSIISProbes.pm
On Wed, 19 Sep 2001, Bruce Albrecht wrote: I was looking at your Apache::MSIISProbes module, and I didn't understand the part about the nimda rewrite rules, mostly because I haven't used the rewrite rules. Do the following rules RewriteCond %{REQUEST_URI} !nimda RewriteCond %{QUERY_STRING} /c.dir RewriteRule .* /nimda? [R,L] mean unless I've already rewritten the rule, if the query string matches c.dir (i.e., will match c+dir found in most of the requests), rewrite the request as /nimda? right. From my observation, nimbda also tries c+tftp and tries to get /scripts/Admin.dll, /c/Admin.dll, /d/Admin.dll and /MSADC/Admin.dll. Could I change the rewrite rules to RewriteCond %{REQUEST_URI} !nimda RewriteCond %{QUERY_STRING} /c.(tftp|dir) RewriteRule .* /nimda? [R,L] to catch either request, and then do RewriteCond %{REQUEST_URI} /(scripts|MSADC|c|d)/Admin.dll RewriteRule .* /nimda? [R,L] to catch the others? Well, the rules you put forward seem fine, but I'm not sure you'll catch everything ... BTW the '?' on the end is to remove the query string ... if you leave it off mod_rewrite puts the original one back. - nick
MSIISProbes.pm
# the webmaster and/or postmaster addresses often doesn't work my $remote_webmaster_address = webmaster\@$mx_host, postmaster\@$mx_host, administrator\@$mx_host; # Set the outgoing message my $outgoing_message = EOT; Your Microsoft IIS server (at $remote_ip_address) appears to have been infected with the $worm_name worm. It attempted to spread to our Web server, despite the fact that we run Apache, which is immune. This was attempt number $count from the server at $remote_ip_address to infect our server. You should immediately view the latest information and download any available security patches, from $security_url{$worm_name}. Automatically generated by Apache::MSIISProbes version $VERSION for mod_perl and Apache running on $server_name. Information at $module_url. EOT # # Also send e-mail to the people running the offending host, # just in case SecurityFocus takes a while. $DEBUG 1 $r-warn(MSIISProbes: Sending e-mail to [$remote_webmaster_address]); my %mail = ( To = $remote_webmaster_address, CC = $cc_address, From= $from_address, Subject = $worm_name infection on [$remote_hostname]: Automatic report, Message = $outgoing_message ); my $sendmail_success = sendmail(%mail); if ($sendmail_success) { return FORBIDDEN; } else { $DEBUG 1 $r-warn(MSIISProbes: Mail::Sendmail returned [$Mail::Sendmail::error]. Exiting.); return DECLINED; } } # All modules must return a true value 1; __END__ =pod =head1 NAME Apache::MSIISProbes - Responds to worm attacks on Microsoft Internet Information Servers with e-mail warnings. =head1 SYNOPSIS In your httpd.conf, put something similar to the following: Location /default.ida SetHandler perl-script PerlHandler Apache::MSIISProbes PerlSetVar worm_name CodeRed /Location =head1 DESCRIPTION This Perl module should be invoked whenever the worms it knows about attack. We don't have to worry about such attacks on non-Windows boxes, but we can be good Internet citizens, warning the webmasters on infected machines of the problem and how to solve it. The module allows the user to add new configuration directives as new worms are discovered. =head1 USAGE In your httpd.conf, put directives similar to the following: Location /default.ida SetHandler perl-script PerlHandler Apache::MSIISProbes PerlSetVar worm_name CodeRed /Location RewriteCond %{REQUEST_URI} !nimda RewriteCond %{QUERY_STRING} /c.dir RewriteRule .* /nimda? [R,L] LocationMatch /nimda* SetHandler perl-script PerlHandler NPT::MSIISProbes PerlSetVar worm_name Nimda /LocationMatch BDuplicates Although rumor has it that CodeRed and other similar worms only attack a given IP once from a given host, experience shows this to be false. You can control the behavior of MSIISProbes.pm when it encounters a second or subsequent attempt from a given IP address. By default MSIISProbes.pm keeps a cache of IP addresses from which an attempt has originated, counting attempts per worm from the IP and including the count in each message it mails. You can override this behavior and send a message only the first time a given host attempts to spread the worm in a given period by setting the variable $store to a false value. This will cause the cache to be cleared at a given interval (by default, one day). Mail alerts to the IIS server's administrators will be sent only once per cache period. =head1 BUGS If the remote IP address fails a reverse DNS lookup, we don't send e-mail to anyone associated with that host. (We do, however, submit the IP address to SecurityFocus.) It would be nice to automatically determine which ISP is responsible for a particular IP address, and contact them automatically. =head1 LICENSE You may distribute this module under the same license as Perl itself. =head1 AUTHOR Author, current version: Nick Tonkin, [EMAIL PROTECTED] Original author: Reuven M. Lerner, [EMAIL PROTECTED] Thanks to Randal Schwartz, David Young, and Salve J. Nilsen for their suggestions. =head1 SEE ALSO Lmod_perl. =cut ~~~ Nick Tonkin
Re: MSIISProbes.pm
On Tue, 18 Sep 2001, Emad Fanous wrote: any reason why the private address spaces between 172.16.0.0-172.31.255.255 wasn't in your list of ignored ips? Thanks Emad That came from the original author's CodeRed.pm. But it's considered a configurable variable. ~~~ Nick Tonkin
Re: MSIISProbes.pm
On Tue, 18 Sep 2001, Nick Tonkin wrote: I used a real ugly mod_rewrite hack to grab the requests (I didn't want to lump all reqs for root.exe or cmd.exe into the same 'worm') ... I'm sure others can improve on that. (BTW am I right in thinking that RewriteEngine on needs to be specified for each virtual host?) Yes, RewriteEngine on RewriteRule ... [...] virtualhost ... [...] RewriteEngine on RewriteOptions inherit /virtualhost or something like that for each VirtualHost is your friend. :-) -- ask bjoern hansen, http://ask.netcetera.dk/ !try; do(); more than a billion impressions per week, http://valueclick.com
Re: MSIISProbes.pm
On Tue, 18 Sep 2001, Ask Bjoern Hansen wrote: On Tue, 18 Sep 2001, Nick Tonkin wrote: I used a real ugly mod_rewrite hack to grab the requests (I didn't want to lump all reqs for root.exe or cmd.exe into the same 'worm') ... I'm sure others can improve on that. (BTW am I right in thinking that RewriteEngine on needs to be specified for each virtual host?) Yes, RewriteEngine on RewriteRule ... [...] virtualhost ... [...] RewriteEngine on RewriteOptions inherit /virtualhost or something like that for each VirtualHost is your friend. :-) Well, yeah, I figgered that out :) But it should inherit, sez I. -nick -- ask bjoern hansen, http://ask.netcetera.dk/ !try; do(); more than a billion impressions per week, http://valueclick.com