also for weeding out worms

Story: Build 404 error page CGI handler brains
Total Replies: 0
gus3

Sep 16, 2007
7:03 PM EDT
When I ran a home webserver, I got hundreds or thousands of Nimda and Code Red worms knocking on my system, hoping it was running a default Microsoft IIS server. I wanted to clean up my logs, and stop the infected systems from doing anything with my own system. I set up a SUID ipchains in its own directory under /opt, then hacked a 404 script in Perl to check the request for signs of Nimda or Code Red. If it looked like one of these, it invoked the ipchains to immediately "-j DROP" all packets coming from the offending address.

Within a day, my Apache logs were much saner. When the list got up to 50 entries or so, I flushed it out and started fresh.

Caveat: If you take this approach, then run a vulnerability scanner such as Sussen from localhost, you *will* block yourself from your own system! (Hard-won experience talking here.) You could schedule an "at" job ten or twenty minutes out to flush the network blocks caused by the scan, and then all should be OK again.
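The handler described in the post, as an added example that is not gus3's Perl script. It assumes Apache hands the failing request to a CGI via `ErrorDocument 404` (so the original request arrives in `REDIRECT_URL` / `REDIRECT_QUERY_STRING`), uses iptables syntax in place of the post's ipchains (the chain and target names are an assumption of this example), defaults to a dry run that only reports the rule it would add, and keeps a never-block list so a scan from localhost cannot lock you out. The Nimda and Code Red request shapes are the well-known probe paths those worms sent; the sample requests in the test are constructed.

```python
#!/usr/bin/env python3
"""404 handler that firewalls hosts probing for IIS worms (added example).

Assumptions of this example (not from the original post):
  - Wired up as `ErrorDocument 404 /cgi-bin/notfound.py` (hypothetical path).
  - Firewalling uses iptables argv; the post used a SUID ipchains. Running the
    command needs root (sudo or a SUID wrapper) and only happens when the
    hypothetical WORMBLOCK_DRY_RUN environment knob is set to "0".
"""
import ipaddress
import os
import re
import subprocess
import sys

# Code Red / Code Red II: overflow in the IIS .ida ISAPI filter, recognisable
# by a long run of N (Code Red) or X (Code Red II) padding after default.ida?
CODE_RED = re.compile(r"^/default\.ida\?[NX]{20,}", re.IGNORECASE)

# Nimda: cmd.exe or root.exe reached through IIS virtual directories, with or
# without (double-)encoded "../" traversal in between.
NIMDA = re.compile(
    r"^/(?:scripts|msadc|_vti_bin|_mem_bin|c|d)/.*?"
    r"(?:winnt/system32/cmd\.exe|root\.exe)",
    re.IGNORECASE,
)

# Addresses that must never be blocked: loopback covers the post's caveat
# about scanning yourself; add the subnet your scanner lives on (assumed).
NEVER_BLOCK = [ipaddress.ip_network("127.0.0.0/8"),
               ipaddress.ip_network("::1/128")]

DRY_RUN = os.environ.get("WORMBLOCK_DRY_RUN", "1") != "0"  # hypothetical knob


def classify(request_uri):
    """Return 'codered', 'nimda' or None for a request path plus query."""
    if CODE_RED.search(request_uri):
        return "codered"
    if NIMDA.search(request_uri):
        return "nimda"
    return None


def is_protected(addr):
    """True if addr must never be firewalled (loopback, scanner networks)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True  # unparsable address: refuse to build a rule from it
    return any(ip in net for net in NEVER_BLOCK)


def block_command(addr):
    """argv that drops all traffic from addr (iptables syntax, assumed)."""
    return ["iptables", "-I", "INPUT", "-s", addr, "-j", "DROP"]


def flush_command():
    """argv that clears the INPUT chain: the post's periodic flush step."""
    return ["iptables", "-F", "INPUT"]


def original_request(environ):
    """Reassemble the request that produced the 404 from Apache's CGI vars."""
    path = environ.get("REDIRECT_URL") or environ.get("REQUEST_URI", "")
    query = environ.get("REDIRECT_QUERY_STRING") or environ.get("QUERY_STRING", "")
    if query and "?" not in path:
        path = path + "?" + query
    return path


def handle(environ, dry_run=True):
    """Decide what the handler does for one request; returns a summary dict."""
    uri = original_request(environ)
    addr = environ.get("REMOTE_ADDR", "")
    worm = classify(uri)
    cmd = None
    if worm and not is_protected(addr):
        cmd = block_command(addr)
        if not dry_run:
            subprocess.run(cmd, check=False)
    return {"worm": worm, "addr": addr, "blocked": cmd is not None, "command": cmd}


def main():
    result = handle(os.environ, dry_run=DRY_RUN)
    # Always answer with a plain 404 so the probing host learns nothing.
    sys.stdout.write("Status: 404 Not Found\r\nContent-Type: text/plain\r\n\r\nNot Found\n")
    if result["command"]:
        sys.stderr.write("wormblock: %s from %s -> %s\n"
                         % (result["worm"], result["addr"], " ".join(result["command"])))


if __name__ == "__main__":
    main()
```

The never-block list is the part that matters most in practice: a rule added for 127.0.0.1 or for the host you scan from drops your own packets, which is exactly the lockout the post warns about. `flush_command()` gives the argv for the post's periodic reset, which you would run from an `at` job after a scan.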
