[aclug-L] Re: Hacker or ??

To: discussion@xxxxxxxxx
Subject: [aclug-L] Re: Hacker or ??
From: Jeff Vian <jvian10@xxxxxxxx>
Date: Wed, 19 Sep 2001 20:29:11 -0500
Reply-to: discussion@xxxxxxxxx

I just posted a script from Linux Journal that will let ipchains block
this attack.
It appears to be the new Nimda worm.

The script text is below.

Tech Tip

   The Linux Journal web site, like others, is getting a lot of traffic
   from the Windows worm du jour. Here's the cron job our sysadmin team
   is using to block them from our Apache-based site.

#!/bin/sh
#
# Block sites which originate Nimda queries from Apache server
# Apache must be configured with HostnameLookups Off, so that the first
# field of every log line is the client IP address rather than a hostname

LOGS=/var/log/httpd
BLOCKED=/var/tmp/blocked

cd "$LOGS" || exit 1

# Select log lines that begin with an IP address, from every file in $LOGS.
# /dev/null is added so grep always sees more than one file and therefore
# always prefixes matches with "filename:", which the awk sub() strips
# before printing the client address field.
grep '^[0-9]*\.[0-9]*\.[0-9]*\.[0-9]* ' * /dev/null 2>/dev/null |
awk '/system32\/cmd\.exe/ {sub(/[^:]*:/,"");print $1}' |
sort -u |
while read host
do
    # -x matches whole lines only, so 1.2.3.4 does not match 11.2.3.45
    if ! fgrep -x "$host" "$BLOCKED" >/dev/null 2>&1
    then
        echo "$host" >>"$BLOCKED"
        /sbin/ipchains -I input -s "$host" -j DENY -l
    fi
done

Steven Saner wrote:
> 
> Appears that this is the worm that Glandix reported. I got the
> readme.exe email this morning as well. It was made to appear like a
> bounce back message from someplace.
> 
> Steve
> 
> On Tue, Sep 18, 2001 at 12:49:24PM -0500, Joshua S Brown wrote:
> >
> > We are having the same problem on all our web servers. Is this a hack or
> > something like code red?
> >
> >
> > Josh Brown
> >
> > On Tue, 18 Sep 2001, Maverick wrote:
> >
> > >
> > > Hi, all
> > >  Recently I checked my Apache web server access.log
> > > and found a lot of entries like this:
> > > 24.254.90.73 - - [18/Sep/2001:10:44:38 -0700] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231
> > > 24.254.90.73 - - [18/Sep/2001:10:44:39 -0700] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215
> > > 24.254.90.73 - - [18/Sep/2001:10:44:41 -0700] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215
> > > 24.254.90.73 - - [18/Sep/2001:10:44:43 -0700] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231
> > > .....
> > >
> > > Is that someone trying to access my /var/www/scripts/?
> > > And my error.log generates something like this:
> > > [Tue Sep 18 10:52:27 2001] [error] [client 24.234.20.197] File does not exist: /var/www/c/winnt/system32/cmd.exe
> > > [Tue Sep 18 10:52:28 2001] [error] [client 24.234.20.197] File does not exist: /var/www/d/winnt/system32/cmd.exe
> > > ....
> > >
> > > Anyone have any idea? Or did I set something wrong?
> > > Or do I really have a hacker knocking on my door?
> > >
> > > Thanks.
> > > Mav
> > >
-- This is the discussion@xxxxxxxxx list.  To unsubscribe,
visit http://tmp2.complete.org/cgi-bin/listargate-aclug.cgi
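The log entries quoted in the thread and the grep/awk stage of the Linux Journal script, as an added Python example that is not part of the thread or of Linux Journal's script: it decodes the %c0%af, %c1%9c and %%35c variants to the same ../ path before matching, collects the unique client addresses, and builds the ipchains commands for addresses not yet in the blocked list. The log lines and addresses are constructed, and the already-blocked list is assumed to be supplied by the caller.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed access-log lines in the format quoted in the thread; the
# addresses are from documentation ranges, not real clients.
SAMPLE_LOG = """\
192.0.2.10 - - [18/Sep/2001:10:44:38 -0700] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231
192.0.2.10 - - [18/Sep/2001:10:44:39 -0700] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215
192.0.2.10 - - [18/Sep/2001:10:44:41 -0700] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231
198.51.100.7 - - [18/Sep/2001:10:52:27 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231
203.0.113.5 - - [18/Sep/2001:10:53:00 -0700] "GET /index.html HTTP/1.0" 200 1024
"""

# Common Log Format: client, ident, user, [time], "method path proto", status
LOG_RE = re.compile(
    r'^(\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def normalise_path(raw):
    """Decode a request path the way the probed IIS servers read it.

    Two percent-decode passes turn "%%35c" into "%5c" and then into "\\";
    the overlong UTF-8 forms %c0%af and %c1%9c stand for "/" and "\\".
    """
    path = raw.split("?", 1)[0].encode("latin-1")
    for _ in range(2):
        path = unquote_to_bytes(path)
    path = path.replace(b"\xc0\xaf", b"/").replace(b"\xc1\x9c", b"\\")
    return path.decode("latin-1").replace("\\", "/").lower()

def is_cmd_exe_probe(raw_path):
    """True when the decoded path reaches for winnt/system32/cmd.exe."""
    return "/winnt/system32/cmd.exe" in normalise_path(raw_path)

def offending_hosts(log_text):
    """Sorted unique client addresses sending cmd.exe probes: the script's
    grep | awk | sort -u stage, but matched after decoding."""
    hosts = set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_cmd_exe_probe(m.group(3)):
            hosts.add(m.group(1))
    return sorted(hosts)

def block_commands(hosts, already_blocked):
    """ipchains commands for hosts not yet blocked; exact set membership
    avoids 'fgrep 1.2.3.4' also matching a line such as 11.2.3.45."""
    blocked = set(already_blocked)
    return ["/sbin/ipchains -I input -s %s -j DENY -l" % h
            for h in hosts if h not in blocked]

if __name__ == "__main__":
    for cmd in block_commands(offending_hosts(SAMPLE_LOG), ["198.51.100.7"]):
        print(cmd)
```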