[linux-help] new Nimba worm help.

To: linux-help@xxxxxxxxx, linux-discussion@xxxxxxxxx
Subject: [linux-help] new Nimba worm help.
From: Jeff Vian <jvian10@xxxxxxxx>
Date: Wed, 19 Sep 2001 20:16:06 -0500
Reply-to: linux-help@xxxxxxxxx

I recently received this from the Linux Journal mailing list, and since
I know a lot of Linux users run Apache I hope it may be useful to some.

The script is run by cron.

-------

Tech Tip

   The Linux Journal web site, like others, is getting a lot of traffic
   from the Windows worm du jour. Here's the cron job our sysadmin team
   is using to block them from our Apache-based site.

#!/bin/sh
#
# Block sites which originate Nimba queries from Apache server
# Apache must be configured with HostnameLookups Off

LOGS=/var/log/httpd

cd "$LOGS" || exit 1

# -h drops the "file:" prefix so field 1 is always the client address,
# even when the directory holds a single log file.
grep -h '^[0-9]*\.[0-9]*\.[0-9]*\.[0-9]* ' * 2>/dev/null |
awk '/system32\/cmd\.exe/ {print $1}' |
sort -u |
while read -r host
do
    # -x matches the whole line, so 10.1.1.1 is not mistaken for 10.1.1.10
    if ! grep -qxF "$host" /var/tmp/blocked 2>/dev/null
    then
        echo "$host" >>/var/tmp/blocked
        /sbin/ipchains -I input -s "$host" -j DENY -l
    fi
done

---------
-- This is the linux-help@xxxxxxxxx list.  To unsubscribe,
visit http://tmp2.complete.org/cgi-bin/listargate-aclug.cgi
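
Added example, not part of the original post or the Linux Journal tip: a dry-run version of the detection step that only prints the addresses it would block, so the matching can be checked before anything reaches the firewall. The function names and the sample log lines are constructed for illustration; it shows why the blocklist lookup must match whole lines and why field 1 should be validated as an IPv4 address.

```shell
#!/bin/sh
# Added example: dry-run detection only, never touches the firewall.
# new_offenders and sample_log are illustrative names, not from the tip.

# Constructed sample access-log lines (RFC 5737 documentation addresses).
sample_log() {
    cat <<'EOF'
192.0.2.1 - - [19/Sep/2001:20:01:02 -0500] "GET /scripts/winnt/system32/cmd.exe HTTP/1.0" 404 289
192.0.2.10 - - [19/Sep/2001:20:01:05 -0500] "GET /c/winnt/system32/cmd.exe HTTP/1.0" 404 279
192.0.2.10 - - [19/Sep/2001:20:01:06 -0500] "GET /d/winnt/system32/cmd.exe HTTP/1.0" 404 279
198.51.100.7 - - [19/Sep/2001:20:02:00 -0500] "GET /index.html HTTP/1.0" 200 5120
host.example.net - - [19/Sep/2001:20:03:00 -0500] "GET /c/winnt/system32/cmd.exe HTTP/1.0" 404 279
999.1.1.1 - - [19/Sep/2001:20:04:00 -0500] "GET /c/winnt/system32/cmd.exe HTTP/1.0" 404 279
EOF
}

# Read access-log lines on stdin; print each client address that requested
# system32/cmd.exe and is not already listed in the blocklist file ($1).
new_offenders() {
    blocklist=$1
    awk '
        /system32\/cmd\.exe/ {
            # Field 1 must be a dotted quad (hostnames are skipped).
            if ($1 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next
            n = split($1, octet, ".")
            for (i = 1; i <= n; i++)
                if (length(octet[i]) > 3 || octet[i] + 0 > 255) next
            print $1
        }' |
    sort -u |
    while read -r host
    do
        # -x whole line, -F fixed string: 192.0.2.1 does not match 192.0.2.10
        if ! grep -qxF -- "$host" "$blocklist" 2>/dev/null
        then
            echo "$host"
        fi
    done
}

# Demo: with an empty blocklist, every valid offender is reported.
sample_log | new_offenders /dev/null
```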

