Full Disclosure mailing list archives
Re: More info on blocking the Bagle worm
From: Anders Henke <anders () schlund de>
Date: Tue, 20 Jan 2004 14:08:14 +0100
On January 18th 2004, Gadi Evron wrote:
> From MooSoft (Daniel): Here is the URL list, all 404 last I checked:
Important note: while the script isn't found on any listed site, the affected web servers still do log the request; by analyzing the server logs, any site owner still receives a list of infected hosts. If one of those site owners is the beagle-author, he/she still gains enough information to contact infected machines. A few notes on the impact of beagle from an ISP's point of view - our company is hosting 10 out of the 35 sites listed at http://vil.nai.com/vil/content/v_100965.htm (we're hosting 3.5M of domains and also our largest competitor does host 9 beagle-sites, so don't wonder or misinterpret the "high" percentage).
From Monday on, every site hosted here and listed at NAI received about 35 requests per second for the non-existing scripts, resulting in about 3M of additional requests per site and day from more than 108k of different IPs. At our site, 404 is also somehow "expensive" (it is usually handled via CGI), so we're currently redirecting requests for the specific sites' non-existing 1.php with a 302 to "Location: http://localhost/".

www.sttngdata.de seems to be so flooded that they changed DNS to point to 127.0.0.1. A few other hosts (especially those listed by IP or in .ru) seem to be completely unreachable by now. So from the ISP's point of view, beagle is also some kind of DDoS.

Following are a few loglines (requested site and source-ip removed):

x.x.x.x - - [20/Jan/2004:13:09:10 +0100] "GET /1.php?p=6777&id=47432653 HTTP/1.1" 302 231 "-" "beagle_beagle"
x.x.x.x - - [20/Jan/2004:13:09:10 +0100] "GET /1.php?p=6777&id=65275748 HTTP/1.1" 302 231 "-" "beagle_beagle"

If you wish to detect those requests at proxy level or block at some other listed site, there are a few options as well as things to take care of:

- all requests so far are using the unique UserAgent "beagle_beagle" (not bagle). At least from my point of view, disallowing server usage or proxy access to this UserAgent shouldn't do any harm at all.
- all requests are calling "GET /1.php?p=6777&id=${some_number}", so =don't= use something like 'Rewriterule ^/1.php$ - [F]' for rejecting requests.

Regards,

Anders
--
Schlund + Partner AG        Security
Brauerstrasse 48            v://49.721.91374.50
D-76135 Karlsruhe           f://49.721.91374.225
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- More info on blocking the Bagle worm Gadi Evron (Jan 18)
- <Possible follow-ups>
- Re: More info on blocking the Bagle worm James Gray (Jan 19)
- Re: More info on blocking the Bagle worm Anders Henke (Jan 20)
- Re: More info on blocking the Bagle worm Anders Henke (Jan 23)