[Dshield] PHP attacks (was Re: Destructive botnet originating from Japan)

David Cary Hart DShield at TQMcube.com
Sun Dec 25 20:21:23 GMT 2005


On Sat, 24 Dec 2005 18:07:55 -0600
Frank Knobbe <frank at knobbe.us> opined:
> 
> I wrote a quick hack the other day to import these type of events and
> have Snortsam block these hosts automatically. Let me know if you want a
> copy of that particular feed.
> 
Also, see the adaptive firewall tutorial from today's rss feed:
http://isc.sans.org/diary.php?rss&storyid=962

I just posted a couple of apparent "corrections."

I also wanted to retain unique log identification, which precludes putting the
three rules into a chain. To simplify this, I created a list of trigger words
in a file "keys" and then used the following script to generate a script that
enters the rules in one shot. This could be done with a single script, but I
wanted to review the rules first.

#!/bin/bash
# Build iptdo2 from the trigger strings in "keys", one per line.
echo "#!/bin/bash" >iptdo2
# Hosts already in the recent list are rejected first; --update refreshes their timer.
echo "iptables -A INPUT -m recent --update --seconds 3000 -j REJECT --reject-with icmp-host-prohibited" >>iptdo2
while IFS= read -r key; do
echo "iptables -A INPUT -p TCP --dport 80 -m string --algo bm --string \"$key\" -j LOG --log-prefix \" <-$key-> \"" >>iptdo2
# --set must come before the terminating REJECT; otherwise the host is never added to the list.
echo "iptables -A INPUT -p TCP --dport 80 -m string --algo bm --string \"$key\" -m recent --set" >>iptdo2
echo "iptables -A INPUT -p TCP --dport 80 -m string --algo bm --string \"$key\" -j REJECT --reject-with icmp-host-prohibited" >>iptdo2
done <keys
echo "iptables-save >/etc/sysconfig/iptables" >>iptdo2
chmod +x iptdo2

-- 
Our DNSRBL - 
           Eliminate Spam: http://www.TQMcube.com/spam_trap.php
          Multi-RBL Check: http://www.TQMcube.com/rblcheck.php
            Zombie Graphs: http://www.TQMcube.com/zombies.php
              GeoGraphics: http://www.TQMcube.com/origins.php
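The same trigger-string approach written as an iptables-restore generator, added here as an example and not the script from the post above. It keeps the per-key LOG prefix the post wants, but orders each triple as LOG, recent --set, REJECT (the --set must precede the terminating REJECT or the source is never recorded), uses a named recent list so the ban does not collide with other users of the kernel's DEFAULT list, and bounds the log prefix because xt_LOG refuses prefixes longer than 29 characters. The list name PHPATTACK and the file name passed as the first argument are assumptions; port 80 and the 3000-second window come from the post.

```shell
#!/bin/sh
# Added example (not the posted script): emit an iptables-restore fragment
# from a file of trigger strings, one per line; blank lines and '#' comments
# are skipped. LIST_NAME is an assumed name for the recent list.

LIST_NAME="PHPATTACK"
BAN_SECONDS=3000

# Build the " <-key-> " prefix used in the post and truncate it to the
# 29-character maximum that iptables accepts for --log-prefix.
log_prefix() {
    printf '%.29s' " <-$1-> "
}

# Print a complete *filter ... COMMIT block for the given keys file.
gen_ruleset() {
    keys_file="$1"
    printf '%s\n' '*filter'
    # A host already on the list is rejected before any string matching;
    # --update refreshes its timestamp, so the ban runs BAN_SECONDS past
    # the host's most recent attempt.
    printf '%s\n' "-A INPUT -m recent --name $LIST_NAME --update --seconds $BAN_SECONDS -j REJECT --reject-with icmp-host-prohibited"
    while IFS= read -r key || [ -n "$key" ]; do
        case "$key" in ''|'#'*) continue ;; esac
        match="-p tcp --dport 80 -m string --algo bm --string \"$key\""
        # 1. log with a per-key prefix (LOG is non-terminating)
        printf '%s\n' "-A INPUT $match -j LOG --log-prefix \"$(log_prefix "$key")\""
        # 2. record the source address (no -j target, so the packet continues)
        printf '%s\n' "-A INPUT $match -m recent --name $LIST_NAME --set"
        # 3. reject the request (terminating)
        printf '%s\n' "-A INPUT $match -j REJECT --reject-with icmp-host-prohibited"
    done <"$keys_file"
    printf '%s\n' 'COMMIT'
}

# Usage: sh gen-php-rules.sh keys | iptables-restore --test
#        sh gen-php-rules.sh keys | iptables-restore --noflush
if [ "$#" -gt 0 ]; then
    gen_ruleset "$1"
fi
```

Validate the output with `iptables-restore --test` before loading it, and load it with `--noflush`; a plain `iptables-restore` replaces the whole filter table. Two caveats carry over from the post: `-m string` inspects one packet at a time and is case-sensitive unless `--icase` is given, and the `--update` rule bans the whole source address, so a NAT gateway or proxy that fronts many clients is blocked for all of them for 3000 seconds after its last hit.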

