Security Incidents mailing list archives

FW: Nimda Worm Mitigation


From: "Jason Lewis" <jlewis () packetnexus com>
Date: Wed, 19 Sep 2001 22:32:54 -0400

I thought this was worth sharing.  Thanks Nate.

Jason Lewis
http://www.packetnexus.com
It's not secure "Because they told me it was secure".
The people at the other end of the link know less
about security than you do. And that's scary.


On Tue, 18 Sep 2001, Jason Lewis wrote:

How about something that tails an apache log file and adds ipchains rules
to kill infected IPs? Anyone want to write it?

I've added ".exe" next to ".cgi" in my httpd.conf.  Then I created
"root.exe" and "cmd.exe" symlinks to a suid perl script that adds an
ipchains deny rule for $ENV{'REMOTE_ADDR'}.

##########################################################################
#!/usr/bin/perl -wT
# CGI target for the root.exe / cmd.exe symlinks.  It runs setuid, so it is
# written taint-safe and passes only a validated IP address to the shell.

my $RemoteIP = $ENV{'REMOTE_ADDR'};

# Accept only dotted-decimal characters; the capture is the untainted copy.
if ($RemoteIP =~ /^([0-9.]+)$/)
{
        $RemoteIP = $1;      # untainted
}
else
{
        die "Bad data in RemoteIP: $RemoteIP";
}

# Minimal response so the worm's HTTP request completes normally.
print <<EOF;
Content-type: text/html

This site not hacked by chinese.

EOF

# Taint mode refuses to run external commands unless PATH is fixed and the
# shell-influencing environment variables are cleared.
$ENV{'PATH'} = '/bin:/usr/bin:/sbin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my $Command = "/usr/local/sbin/ban $RemoteIP CodeBlue";

# Hand the address to the ban script below; its output is not needed.
my $Result = `$Command`;


##########################################################################
# this is /usr/local/sbin/ban, something I use for various honeypots
#!/bin/sh
# usage: ban <ip> [note ...]  -- drop all traffic from <ip> and record why.

# Insert a logging DENY rule for the source address at the head of the input chain.
/sbin/ipchains -I input -s "$1" -j DENY -l
# Keep a dated record of who was banned; the remaining args are free-form notes.
echo "`date`" $1 $2 $3 $4 $5 >>  /usr/local/etc/ipchains.deny

#####

This is what my web site looks like if you access it by the IP address:

$ dir IP
total 8
lrwxrwxrwx    1 root     root            8 Sep 18 10:21 MSADC -> honeypot
lrwxrwxrwx    1 root     root            9 Sep 18 10:31 _mem_bin -> honeypot/
lrwxrwxrwx    1 root     root            8 Sep 18 10:21 c -> honeypot
lrwxrwxrwx    1 root     root            9 Sep 18 10:30 d -> honeypot/
lrwxrwxrwx    1 root     root           10 Aug  6 13:46 default.ida -> index.html
drwxr-xr-x    3 root     root         4096 Sep 18 10:40 honeypot
-rw-r--r--    1 root     root          101 Aug  6 02:25 index.html
lrwxrwxrwx    1 root     root            9 Sep 18 10:31 msadc -> honeypot/
lrwxrwxrwx    1 root     root            8 Sep 18 10:21 scripts -> honeypot

$ dir IP/honeypot
total 8
-rwsr-sr-x    1 root     root          373 Sep 18 11:35 ban.cgi
lrwxrwxrwx    1 root     root            7 Sep 18 10:33 home.cgi -> ban.cgi
lrwxrwxrwx    1 root     root            8 Sep 18 10:22 root.exe -> home.cgi
drwxr-xr-x    3 root     root         4096 Sep 18 10:36 winnt

Hmmmm, I guess I should make the .ida extension executable and symlink
default.ida to the ban script.  Anyhow, I usually don't hear from an
infected box more than once.  Feel free to forward this to the list, but
if you do, please DO NOT include my email address.  I don't like the way
the archives make everyone's addresses available to spammers.  Kind of
ironic behavior for a security organization, really. :-)

Cheers,

Nate Waddoups
Redmond WA USA
http://www.natew.com
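The log-tailing banner Jason asks for in the quoted message, written here as an added example (not code from either poster): it parses Apache combined-format lines, flags requests for the cmd.exe, root.exe and default.ida paths that the honeypot symlinks above catch, and emits the same ipchains rule as Nate's ban script, once per source address. The log path, the combined-format field layout and the sample lines are assumptions; follow() only prints each rule unless the caller passes an action that runs it.

```python
import re
import time

# Worm probe targets named in the thread (cmd.exe / root.exe requests and the
# Code Red default.ida request), matched against the request line of a log entry.
PROBE_RE = re.compile(r'/(?:cmd\.exe|root\.exe|default\.ida)\b', re.IGNORECASE)
# Apache combined log: client IP first, the request line in the first quoted field.
LOG_RE = re.compile(r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)"')

def probe_source(line):
    """Return the client IP if the log line is a worm probe, else None."""
    m = LOG_RE.match(line)
    return m.group('ip') if m and PROBE_RE.search(m.group('req')) else None

def ban_command(ip):
    """The ipchains rule the ban script above runs, as an argv list."""
    return ['/sbin/ipchains', '-I', 'input', '-s', ip, '-j', 'DENY', '-l']

def ips_to_ban(lines, already_banned=()):
    """Return probe sources in `lines` not yet banned, each reported once."""
    seen = set(already_banned)
    new = []
    for line in lines:
        ip = probe_source(line)
        if ip and ip not in seen:
            seen.add(ip)
            new.append(ip)
    return new

def follow(path, action=lambda cmd: print(' '.join(cmd))):
    """Tail `path` like tail -f and call `action` with one ban rule per new probe source."""
    banned = set()
    with open(path) as fh:
        fh.seek(0, 2)  # start at the current end of the log
        while True:
            line = fh.readline()
            if not line:
                time.sleep(1)
                continue
            for ip in ips_to_ban([line], banned):
                banned.add(ip)
                action(ban_command(ip))

# Constructed sample log lines (not from the post): one host probes twice,
# one is an ordinary visitor, one sends a Code Red request.
SAMPLE = [
    '10.0.0.5 - - [18/Sep/2001:10:41:02 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 289 "-" "-"',
    '10.0.0.5 - - [18/Sep/2001:10:41:03 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 289 "-" "-"',
    '192.0.2.9 - - [18/Sep/2001:10:42:10 -0700] "GET /index.html HTTP/1.0" 200 101 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [18/Sep/2001:10:43:00 -0700] "GET /default.ida?XXXX HTTP/1.0" 404 289 "-" "-"',
]
```

To enforce rather than print, pass e.g. `action=lambda cmd: subprocess.run(cmd, check=False)` to follow(), or keep calling Nate's ban script as the action.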



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com