Bugtraq mailing list archives

Blocking Nimda and kin


From: Brett Glass <brett () lariat org>
Date: Tue, 06 Nov 2001 19:43:56 -0700

Just thought the denizens of the Bugtraq list might be interested in a quick fix for Apache which instantly blocks Nimda (all variants), Code Red, sadmind/IIS, and kin. (I don't use IIS, but cobbled this up after watching in annoyance as my Apache Web server logs blew up with endless probes from the worms.)

To quickly blackhole the worms, just add the following to your logging configuration in Apache's httpd.conf file. Note that this particular version (written for FreeBSD) doesn't assume the presence of a firewall; it installs a blackhole route to block the offending machine. It allows the first SYN through, but disrupts the TCP three-way handshake so that the session is never established. It's more efficient to firewall the infected host either on the local machine or at the upstream router; to do this, just change the last line.

--Brett Glass

# Flag requests for URIs containing known strings from
# Nimda-like worms (including Code Red, sadmind/IIS)
# Note that the patterns below are regexes; escape your dots!

SetEnvIf Request_URI "/winnt/system32/cmd\.exe" nimda
SetEnvIf Request_URI "/scripts/root\.exe" nimda
SetEnvIf Request_URI "/MSADC/root\.exe" nimda
SetEnvIf Request_URI "/\.\." nimda
SetEnvIf Request_URI "\.\./" nimda

# Block attackers who send the patterns above (and get a 400 or 404 response)
# via the routing table. It's more efficient to firewall (the command
# will vary depending upon the firewall in use) or use SSH to add rules to
# an upstream firewall to block the attacker. If several commands must
# be executed, it may be best to invoke a script rather than doing
# all the work from within httpd.conf.

CustomLog "|exec sh" "route -nq add -host %400,404a 127.0.0.1 -blackhole" env=nimda
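The comment above suggests invoking a script instead of doing the work inside httpd.conf. The following is an added example (not part of Brett's post) of such a script: a piped logger that validates each address Apache hands it (Apache logs `-` when the 400/404 condition is not met), installs the blackhole route only once per address, and keeps a record. The names `blackhole.sh`, `ROUTE_CMD` and `SEEN_FILE` are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post: a piped logger to use in place
# of "|exec sh", e.g.
#   CustomLog "|/usr/local/sbin/blackhole.sh" "%400,404a" env=nimda
# Apache writes one client address per line, or "-" when the status
# condition (400/404) is not met. The script validates each address, adds
# the blackhole route only once per address, and records what it did.
# ROUTE_CMD and SEEN_FILE are assumed names chosen for this example.

ROUTE_CMD=${ROUTE_CMD:-"route -nq add -host"}   # FreeBSD route(8), as in the post
SEEN_FILE=${SEEN_FILE:-/var/run/nimda-blackhole.list}

# is_ipv4 ADDR: succeed only for a dotted quad with four octets in 0..255.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# blackhole_addr ADDR: install the route unless ADDR is invalid ("-" included)
# or already blackholed. Returns 0 when a route was added, 1 when skipped.
blackhole_addr() {
    addr=$1
    is_ipv4 "$addr" || return 1
    touch "$SEEN_FILE"
    grep -qxF "$addr" "$SEEN_FILE" && return 1
    $ROUTE_CMD "$addr" 127.0.0.1 -blackhole || return 1
    echo "$addr" >> "$SEEN_FILE"
    return 0
}

# process_log: consume Apache's piped log from stdin, one address per line.
# A skipped line is not an error; the logger must keep reading.
process_log() {
    while IFS= read -r line; do
        blackhole_addr "$line" || :
    done
}

# Act as the logger only when run as blackhole.sh (not when sourced or tested).
case "$0" in
    *blackhole.sh) process_log ;;
esac
```

Because the record file persists, the script never adds the same route twice, but routes added this way still stay in the kernel table until removed or rebooted.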
