
[linux-help] Re: new Nimba worm help.

To: linux-help@xxxxxxxxx
Subject: [linux-help] Re: new Nimba worm help.
From: Jeff Vian <jvian10@xxxxxxxx>
Date: Thu, 20 Sep 2001 12:05:24 -0500
Reply-to: linux-help@xxxxxxxxx

I don't use BSD, but whatever the command line would be for adding a new
rule for the filter would work.  The only key here is the use of the
variable host to get the IP address to add into the new filter rule.

gLaNDix wrote:
> 
> Ok, I don't have much (read: any) experience w/ ipchains... is it
> basically the Linux equiv of ipfw for FreeBSD (or vice versa)?  If so,
> then this should do about the same thing in FreeBSD (assuming you want
> to be really anal and completely block sites from having any access to
> your network whatsoever!):
> 
> > #!/bin/sh
> > #
> > # Block sites which originate Nimba queries from Apache server
> > # Apache must be configured with HostnameLookups Off
> >
> > LOGS=/var/log/httpd
> >
> > cd "$LOGS" || exit 1
> >
> > # /dev/null forces grep to print the "file:" prefix even when only one
> > # log file matches; the awk sub() below relies on that prefix
> > grep '^[0-9]*\.[0-9]*\.[0-9]*\.[0-9]* ' * /dev/null 2>/dev/null |
> > awk '/system32\/cmd\.exe/ {sub(/[^:]*:/,"");print $1}' |
> > sort -u |
> > while read -r host
> > do
> >     # -x -F: match the whole line literally, not a substring
> >     if ! grep -qxF -- "$host" /var/tmp/blocked 2>/dev/null
> >     then
> >         echo "$host" >>/var/tmp/blocked
> >         /sbin/ipfw add deny all from "$host" to any
> >     fi
> > done
> 
> ...  don't know about ipchains, but it would also be nice to have a way
> to add the entry to my ipfw.conf, but for now this will do fine!
> 
-- This is the linux-help@xxxxxxxxx list.  To unsubscribe,
visit http://tmp2.complete.org/cgi-bin/listargate-aclug.cgi
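
Added example, not part of either message: the log scan from the quoted script with the rule command isolated in one function, so switching between ipfw and ipchains changes a single line. The function names, the ipchains rule (the thread does not show one) and the log lines are assumptions constructed for illustration; the script prints the rules instead of running them.

```sh
#!/bin/sh
# Added example, not code from the thread. It prints rules and runs none.

# The only firewall-specific part: turn an address into a rule command.
rule_for() {
    case "$1" in
        ipfw)     echo "/sbin/ipfw add deny all from $2 to any" ;;   # as posted
        ipchains) echo "/sbin/ipchains -A input -s $2 -j DENY" ;;    # assumed
        *)        echo "unknown backend: $1" >&2; return 1 ;;
    esac
}

# Read access-log lines on stdin; print each client that requested
# system32/cmd.exe once, keeping only dotted quads with octets 0-255.
probing_hosts() {
    awk '/system32\/cmd\.exe/ && $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
        split($1, o, "."); ok = 1
        for (i = 1; i <= 4; i++) if (o[i] + 0 > 255) ok = 0
        if (ok) print $1
    }' | sort -u
}

# new_rules BACKEND BLOCKED_FILE: one rule per host not yet recorded.
new_rules() {
    probing_hosts | while read -r host; do
        # -x -F: whole-line literal match, so a recorded 192.0.2.30
        # does not make 192.0.2.3 look already blocked.
        grep -qxF -- "$host" "$2" 2>/dev/null && continue
        rule_for "$1" "$host" || exit 1
        echo "$host" >>"$2"
    done
}

sample_log() {   # constructed log lines, not real traffic
    cat <<'EOF'
192.0.2.3 - - [20/Sep/2001:11:58:02 -0500] "GET /scripts/system32/cmd.exe HTTP/1.0" 404 296
192.0.2.3 - - [20/Sep/2001:11:58:03 -0500] "GET /msadc/system32/cmd.exe HTTP/1.0" 404 296
198.51.100.7 - - [20/Sep/2001:11:59:10 -0500] "GET /index.html HTTP/1.0" 200 1043
host.example.net - - [20/Sep/2001:12:00:41 -0500] "GET /scripts/system32/cmd.exe HTTP/1.0" 404 296
999.1.1.1 - - [20/Sep/2001:12:01:00 -0500] "GET /scripts/system32/cmd.exe HTTP/1.0" 404 296
203.0.113.9 - - [20/Sep/2001:12:02:17 -0500] "GET /scripts/system32/cmd.exe HTTP/1.0" 404 296
EOF
}

# Demo: 192.0.2.30 is already recorded; 192.0.2.3 must still get a rule.
blocked=$(mktemp) && echo 192.0.2.30 >"$blocked"
sample_log | new_rules ipchains "$blocked"
rm -f "$blocked"
```

Reviewing the printed rules before applying them also gives a chance to spot an address that should never be blocked, such as a local gateway or monitoring host.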

