[linux-help] new Nimda worm help.
I recently received this from the Linux Journal mailing list, and since
I know a lot of Linux users run Apache I hope it may be useful to some.
The script is run by cron.
-------
Tech Tip
The Linux Journal web site, like others, is getting a lot of traffic
from the Windows worm du jour. Here's the cron job our sysadmin team
is using to block them from our Apache-based site.
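#!/bin/sh
#
# Block sites which originate Nimda queries from Apache server
# Apache must be configured with HostnameLookups Off
LOGS=/var/log/httpd
# /var/tmp is world-writable; a root-owned directory is a safer home for this list
BLOCKED=/var/tmp/blocked
cd "$LOGS" || exit 1
# -h drops the "file:" prefix, so $1 is the client address even when
# the directory holds only one log file
grep -h '^[0-9]*\.[0-9]*\.[0-9]*\.[0-9]* ' * 2>/dev/null |
awk '/system32\/cmd\.exe/ {print $1}' |
sort -u |
while read -r host
do
    # -x matches whole lines, so 1.2.3.4 is not mistaken for 11.2.3.45
    if ! grep -qxF "$host" "$BLOCKED" 2>/dev/null
    then
        echo "$host" >>"$BLOCKED"
        /sbin/ipchains -I input -s "$host" -j DENY -l
    fi
done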
---------
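A dry run of the detection step in the tip above, added here as an example (it is not part of the original message or of Linux Journal's script): it extracts the client addresses that requested cmd.exe, checks that each is a well-formed IPv4 address, and prints the rule that would be inserted instead of running it. The function names, the temporary block list and the log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the Linux Journal script: a dry run of the detection
# step. Function names and log lines are constructed for illustration.

# Constructed access-log lines (common log format, documentation addresses).
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [18/Sep/2001:10:00:01 -0700] "GET /c/winnt/system32/cmd.exe HTTP/1.0" 404 280
192.0.2.10 - - [18/Sep/2001:10:00:02 -0700] "GET /d/winnt/system32/cmd.exe HTTP/1.0" 404 280
198.51.100.7 - - [18/Sep/2001:10:00:03 -0700] "GET /index.html HTTP/1.0" 200 5120
203.0.113.45 - - [18/Sep/2001:10:00:04 -0700] "GET /c/winnt/system32/cmd.exe HTTP/1.0" 404 280
999.1.1.1 - - [18/Sep/2001:10:00:05 -0700] "GET /c/winnt/system32/cmd.exe HTTP/1.0" 404 280
EOF
}

# stdin: log lines. stdout: each distinct, well-formed IPv4 client address
# whose request path ($7) contains system32/cmd.exe.
nimda_sources() {
    awk '$7 ~ /system32\/cmd\.exe/ {
        if (split($1, o, ".") != 4) next
        for (i = 1; i <= 4; i++)
            if (o[i] !~ /^[0-9]+$/ || o[i] ~ /^0[0-9]/ || length(o[i]) > 3 || o[i] + 0 > 255) next
        if (!seen[$1]++) print $1
    }'
}

# stdin: addresses. $1: block list file. stdout: addresses not yet listed.
# -x compares whole lines, so 192.0.2.10 is not hidden by 192.0.2.100.
new_blocks() {
    while read -r host
    do
        grep -qxF -- "$host" "$1" 2>/dev/null || printf '%s\n' "$host"
    done
}

# Dry run: print the rule that would be inserted for each new address.
list=$(mktemp) || exit 1
printf '%s\n' 192.0.2.100 203.0.113.45 >"$list"
sample_log | nimda_sources | new_blocks "$list" |
while read -r host
do
    echo "/sbin/ipchains -I input -s $host -j DENY -l"
done
rm -f "$list"
```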