[Dshield] Here's a good idea

Rick Klinge rick at jaray.net
Tue Apr 20 16:19:23 GMT 2004


> > > cmdblock: A tool that scans Apache logs and adds IIS exploiters to
> > > an iptable ruleset.
> > 
> > You definitely want to be careful using "auto-blockers" like this.
> 
> In particular if you are blocking Code Red exploited systems. Not much
> point in doing so. First of all, if you are actually vulnerable, it's
> too late. Secondly, the chances of blocking some innocent proxy server
> and with it a larger network are high (not all proxy servers add
> respective headers).
> 
> Blocking only makes sense if you expect further and worse attacks from
> this system. Cleaning your Apache logs from Code Red / Nimda hits
> doesn't improve your security.
> 

Wouldn't something like this help?  Don't know if it will work for Apache
but maybe IIS?

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<%

'Get the entire URL requested
myRequest=Request.ServerVariables("QUERY_STRING")

'A list of filenames Nimda looks for
myBadList="cmd.exe,root.exe,admin.dll,default.ida,root.exe,nsiislog.dll,ntdll.dll"

'Detect a bogus GET request and take appropriate action
arrBadString=Split(myBadList,",")
for i=0 to UBound(arrBadString)
 	if inStr(myRequest,arrBadString(i))>0 then
 		'turn offending server back on itself
 		Response.redirect "http://127.0.0.1"
 	end if
next
%>

<head>

<META NAME="ROBOTS" CONTENT="NOINDEX">

<title>The page cannot be found</title>

<META HTTP-EQUIV="Content-Type" Content="text-html; charset=Windows-1252">
<style fprolloverstyle>A:hover {color: #0000FF; font-weight: bold}
</style>
</head>

<p>&nbsp;</p>
<p>&nbsp;</p>
<p align="center"><font size="5" face="Arial Rounded MT Bold"><b>The page you requested could not be found.</b></font></p>
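
The quoted caution above argues for reviewing probe traffic rather than auto-blocking it. As an added example (not part of the original post, and not cmdblock's code), this Python script matches the post's filename list against Apache access-log lines and reports per-client counts, separating probes that were answered with a 2xx status; the log lines, function names and report fields are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Filenames from the post's myBadList (duplicate root.exe dropped)
BAD_NAMES = ("cmd.exe", "root.exe", "admin.dll", "default.ida",
             "nsiislog.dll", "ntdll.dll")

# Apache common/combined format: host ident user [time] "METHOD target PROTO" status size
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3}) ')

# Constructed sample log lines (documentation address ranges), not real traffic
SAMPLE_LOG = """\
192.0.2.10 - - [20/Apr/2004:16:01:02 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276
192.0.2.10 - - [20/Apr/2004:16:01:03 +0000] "GET /MSADC/Root.exe?/c+dir HTTP/1.0" 404 274
192.0.2.10 - - [20/Apr/2004:16:01:04 +0000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 300
198.51.100.7 - - [20/Apr/2004:16:05:00 +0000] "GET /default.ida?NNNNNNNN HTTP/1.0" 200 512
203.0.113.5 - - [20/Apr/2004:16:06:00 +0000] "GET /index.html HTTP/1.1" 200 1043
this line is not in access-log format
""".splitlines()


def probe_name(target):
    """Return the bad filename contained in a request target, or None."""
    # Percent-decode and lowercase so encoded or mixed-case variants still match
    decoded = unquote(target).lower()
    return next((n for n in BAD_NAMES if n in decoded), None)


def summarize(lines):
    """Map client address -> {'hits': probe count, 'served': probes answered with 2xx}."""
    report = defaultdict(lambda: {"hits": 0, "served": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of guessing
        host, target, status = m.groups()
        if probe_name(target):
            report[host]["hits"] += 1
            if status.startswith("2"):
                report[host]["served"] += 1  # probe got content back: check the server
    return dict(report)


if __name__ == "__main__":
    for host, info in sorted(summarize(SAMPLE_LOG).items()):
        print(host, info)
```

The output is a review list only; as the quoted replies note, a client address in an access log may be a proxy fronting a larger network.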
