[aclug-L] Re: Hacker or ??
I just posted a script from Linux Journal that will let ipchains block
this attack.
It appears to be the new Nimda worm.
The script text is below.
Tech Tip
The Linux Journal web site, like others, is getting a lot of traffic
from the Windows worm du jour. Here's the cron job our sysadmin team
is using to block them from our Apache-based site.
#!/bin/sh
#
# Block sites which originate Nimda queries from Apache server
# Apache must be configured with HostnameLookups Off
LOGS=/var/log/httpd
BLOCKED=/var/tmp/blocked
cd "$LOGS" || exit 1
# make sure the block list exists so the fgrep below cannot fail on a missing file
touch "$BLOCKED"
# -H forces the "file:" prefix even when only one log file matches,
# so the awk sub() always strips exactly that prefix and not the client address
grep -H '^[0-9]*\.[0-9]*\.[0-9]*\.[0-9]* ' * 2>/dev/null |
awk '/system32\/cmd\.exe/ {sub(/[^:]*:/,"");print $1}' |
sort -u |
while read host
do
    # -x: whole-line match, so 1.2.3.4 in the list does not shadow 1.2.3.45
    if ! fgrep -x "$host" "$BLOCKED" >/dev/null
    then
        echo "$host" >>"$BLOCKED"
        /sbin/ipchains -I input -s "$host" -j DENY -l
    fi
done
Steven Saner wrote:
>
> Appears that this is the worm that Glandix reported. I got the
> readme.exe email this morning as well. It was made to appear like a
> bounce back message from someplace.
>
> Steve
>
> On Tue, Sep 18, 2001 at 12:49:24PM -0500, Joshua S Brown wrote:
> >
> > We are having the same problem on all our web servers. Is this a hack or
> > something like code red?
> >
> >
> > Josh Brown
> >
> > On Tue, 18 Sep 2001, Maverick wrote:
> >
> > >
> > > Hi, all
> > > Recently I checked my Apache webserver access.log
> > > and found a lot of entries like this:
> > > 24.254.90.73 - - [18/Sep/2001:10:44:38 -0700] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231
> > > 24.254.90.73 - - [18/Sep/2001:10:44:39 -0700] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215
> > > 24.254.90.73 - - [18/Sep/2001:10:44:41 -0700] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215
> > > 24.254.90.73 - - [18/Sep/2001:10:44:43 -0700] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231
> > > .....
> > >
> > > Is that someone trying to access my /var/www/scripts/?
> > > And my error.log generates something like this:
> > > [Tue Sep 18 10:52:27 2001] [error] [client 24.234.20.197] File does not exist: /var/www/c/winnt/system32/cmd.exe
> > > [Tue Sep 18 10:52:28 2001] [error] [client 24.234.20.197] File does not exist: /var/www/d/winnt/system32/cmd.exe
> > > ....
> > >
> > > Anyone have any idea? Or did I set something wrong?
> > > Or do I really have a hacker knocking on my door?
> > >
> > > Thanks.
> > > Mav
> > >
> > > -- This is the discussion@xxxxxxxxx list. To unsubscribe,
> > > visit http://tmp2.complete.org/cgi-bin/listargate-aclug.cgi
> > >
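The decoding behind those access-log entries, as an added example that is not part of this post or of the Linux Journal tip. It is a Python script over constructed log lines: the first six mirror the entries quoted in the thread, while the hosts 10.0.0.5 through 10.0.0.7 and their requests are made up to show a benign hit, an upper-case variant and a percent-encoded "system32" that a plain grep for `system32/cmd.exe` would miss. It percent-decodes each request the lax way IIS 4/5 did, mapping the overlong UTF-8 sequences %c0%af and %c1%9c to '/' and '\' and decoding a second time so that %%35c becomes '\', then reports which clients asked for winnt\system32\cmd.exe in any spelling and emits the same ipchains rules the script above would, with an exact-match block list in place of the fgrep substring test. The OVERLONG table, the function names and the rule format are this example's own choices.

```python
import re
from typing import Iterable, List
from urllib.parse import unquote_to_bytes

# Constructed sample lines (Common Log Format). Hosts and timestamps are made
# up; the request strings reproduce the encodings the worm actually sent,
# plus two invented variants (upper case, percent-encoded "system32").
SAMPLE_LOG = """\
24.254.90.73 - - [18/Sep/2001:10:44:38 -0700] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231
24.254.90.73 - - [18/Sep/2001:10:44:39 -0700] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215
24.254.90.73 - - [18/Sep/2001:10:44:41 -0700] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215
24.254.90.73 - - [18/Sep/2001:10:44:43 -0700] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231
24.234.20.197 - - [18/Sep/2001:10:52:27 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231
24.234.20.197 - - [18/Sep/2001:10:52:28 -0700] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231
10.0.0.5 - - [18/Sep/2001:10:53:01 -0700] "GET /index.html HTTP/1.0" 200 1043
10.0.0.6 - - [18/Sep/2001:10:53:02 -0700] "GET /scripts/..%c0%af../WINNT/SYSTEM32/CMD.EXE?/c+dir HTTP/1.0" 404 231
10.0.0.7 - - [18/Sep/2001:10:53:03 -0700] "GET /scripts/..%c0%af../winnt/%73ystem32/cmd.exe?/c+dir HTTP/1.0" 404 231
"""

# Client address, the two "-" fields, the bracketed timestamp, then the request.
LOG_RE = re.compile(
    r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)'
)

# Overlong UTF-8 encodings that IIS 4/5 accepted as a path separator:
# %c0%af is '/' (0x2f) written in two bytes, %c1%9c is '\' (0x5c).
# A strict UTF-8 decoder rejects both. (Table chosen for this example.)
OVERLONG = {b"\xc0\xaf": b"/", b"\xc1\x9c": b"\\"}


def canonical_path(target: str) -> str:
    """Decode a request target the lax way the probes relied on and return a
    lower-case, forward-slash path without the query string."""
    path = target.split("?", 1)[0]
    data = unquote_to_bytes(path)           # %c0%af -> c0 af, %%35c -> %5c
    for seq, byte in OVERLONG.items():
        data = data.replace(seq, byte)      # overlong forms -> ASCII separator
    data = unquote_to_bytes(data)           # second pass undoes double encoding
    return data.replace(b"\\", b"/").decode("latin-1").lower()


def is_cmd_probe(target: str) -> bool:
    """True if the request resolves to winnt\\system32\\cmd.exe however encoded."""
    return canonical_path(target).endswith("/winnt/system32/cmd.exe")


def probing_hosts(log_text: str) -> List[str]:
    """Unique client addresses that sent at least one cmd.exe probe."""
    hosts = set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_cmd_probe(m.group("target")):
            hosts.add(m.group("ip"))
    return sorted(hosts)


def new_block_rules(hosts: Iterable[str], already_blocked: Iterable[str]) -> List[str]:
    """ipchains commands for hosts not yet in the block list. Membership is an
    exact match, so 1.2.3.4 does not shadow 1.2.3.45 the way a plain fgrep would."""
    blocked = set(already_blocked)
    return [f"/sbin/ipchains -I input -s {h} -j DENY -l"
            for h in hosts if h not in blocked]


if __name__ == "__main__":
    hosts = probing_hosts(SAMPLE_LOG)
    for rule in new_block_rules(hosts, already_blocked={"24.234.20.197"}):
        print(rule)
```

Run as is, it prints rules for 10.0.0.6, 10.0.0.7 and 24.254.90.73, since 24.234.20.197 is already in the block list handed to new_block_rules. Apache has no such decoder, which is why the probes in the thread come back 404 and 400; the decoding here only serves to recognize the probes, not to honor them.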
- [aclug-L] Re: Hacker or ??, (continued)
- [aclug-L] Re: Hacker or ??, Steven Saner, 2001/09/18
- [aclug-L] Re: Hacker or ??, gLaNDix (Jesse Kaufman), 2001/09/18
- [aclug-L] Re: Hacker or ??, Steven Saner, 2001/09/18
- [aclug-L] Re: Hacker or ??, gLaNDix (Jesse Kaufman), 2001/09/18
- [aclug-L] Re: Hacker or ??, Steven Saner, 2001/09/18
- [aclug-L] Re: Hacker or ??, gLaNDix, 2001/09/19
- [aclug-L] Re: Hacker or ??, gLaNDix (Jesse Kaufman), 2001/09/18
- [aclug-L] Re: Hacker or ??, Joshua S Brown, 2001/09/18
- [aclug-L] Re: Hacker or ??, gLaNDix (Jesse Kaufman), 2001/09/18
- [aclug-L] Re: Hacker or ??, gLaNDix (Jesse Kaufman), 2001/09/18
- [aclug-L] Re: Hacker or ??, Jeff Vian <=
- [aclug-L] Re: Hacker or ??, Maverick, 2001/09/20
- [aclug-L] Re: Hacker or ??, gLaNDix, 2001/09/20
- [aclug-L] Re: Hacker or ??, Jeff Vian, 2001/09/20
[aclug-L] Re: Hacker or ??, Maverick, 2001/09/19
[aclug-L] Re: Hacker or ??, Ryan Hunt, 2001/09/18