[Dev] Blocking MTD's

Mike Johnson dev@trilug.org
Thu, 28 Feb 2002 16:00:13 -0500


First, not to get in another 'list war', you'd get better responses
for this from the main TriLUG list.

That said...

nathan@natejoke.dhs.org [nathan@natejoke.dhs.org] wrote:
> XX.XX.XX.XXX - - [28/Feb/2002:05:44:58 -0500] "GET
> /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 224

A couple things.

That's going to be Nimda or CodeRed, almost certainly.  Second,
given that this is likely Nimda or CodeRed, you've just posted
the IP address of a system that's easily compromised to a public
list.  Congratulations.
> Right now I have a script that reads the log file, and automatically
> DROP's the packets from whomever looks like an MTD spreader.  This is
> little better than the problem though, as it fires up my harddisk every
> few minutes.  (I'll be happy to share this perl script if anyone wants
> to see it. ) Also, by the time I drop them, I've already got 10+ entries in
> the log file from that IP, and I will only be blocking future packets
> from that IP.  In other words... the annoyance has already happened. ( Is
> that a word? )

So, you just want the log entries to go away?  Check out:
http://online.securityfocus.com/archive/75/215203

By using that, your disk is never fired up and you can get rid
of the log entries.

If you really want to automatically set drop rules, look at:
http://www.keyslapper.org/Nimda/

And modify it so that rather than sending an e-mail, it
adds a new drop entry.
> Is it possible to have the firewall ( iptables v1.2.1a on RH7.2 )
> inspect the contents of each packet for signatures of MTD's?

There is a patch to netfilter that allows for string matching,
but it's really not very robust.  If you want to look into it,
you'll need to fetch the latest netfilter from:
http://www.netfilter.org/downloads.html
and compile with string matching support.

You could also look at Hogwash (http://hogwash.sourceforge.net/)
which can do blocking based on packet contents.  It's based
on snort, but snort does not do any blocking (and will just
create more data to sift through, if you don't care).
> If not, is there a way to have apache log its output to both a file and
> a program?  That way, my perl script would only cause disk activity by
> writing a new rule to the firewall.

Look at the rewrite rules from the securityfocus link, or the
Nimda mod_perl module (linked above).
> My apologies if this does not fit the usual forum topic parameters.

Again, you can post here all ya want, but you'll get -better-
answers on the main trilug discuss list.

Mike
-- 
"Let the power of Ponch compel you!  Let the power of Ponch compel you!"
   -- Zorak on Space Ghost

GNUPG Key fingerprint = ACD2 2F2F C151 FB35 B3AF  C821 89C4 DF9A 5DDD 95D1
GNUPG Key = http://www.enoch.org/mike/mike.pubkey.asc
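As an added example, not from this thread or from either poster's script: a Python version of the log-driven blocker discussed above. It parses constructed Apache log lines, flags requests carrying the Nimda/Code Red probe paths (the cmd.exe request quoted above, root.exe, default.ida), keeps only the first sighting per client so the "10+ entries before the block" case yields one rule rather than ten, and renders the iptables DROP rules instead of executing them. The sample addresses and the signature list are assumptions.

```python
import re

# Constructed sample lines in Apache common log format; the client addresses
# are RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
192.0.2.10 - - [28/Feb/2002:05:44:58 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 224
192.0.2.10 - - [28/Feb/2002:05:44:59 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
198.51.100.7 - - [28/Feb/2002:06:01:02 -0500] "GET /index.html HTTP/1.0" 200 1043
203.0.113.5 - - [28/Feb/2002:06:02:11 -0500] "GET /default.ida?XXXXXXXXXXXXXXXX HTTP/1.0" 404 200
"""

# client identd user [timestamp] "method path protocol" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Request paths characteristic of the Nimda/Code Red probes in the thread:
# IIS-only targets that a Unix Apache host never serves, plus the
# %c1%1c-style encoded "../" traversal.  Matched on the raw, undecoded path.
PROBE_RE = re.compile(
    r'cmd\.exe|root\.exe|/default\.ida|/winnt/system32/|\.\.%c[01]%1c|%255c',
    re.IGNORECASE,
)

def parse_line(line):
    """Fields of one log line as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_probe(path):
    """True if the request path carries one of the worm probe signatures."""
    return PROBE_RE.search(path) is not None

def find_probe_sources(log_text):
    """Map each probing client IP to the first probe path seen from it.
    Only the first sighting is kept, so a host that has already written
    ten follow-up probes to the log still yields exactly one rule."""
    sources = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_probe(rec["path"]) and rec["ip"] not in sources:
            sources[rec["ip"]] = rec["path"]
    return sources

def drop_rules(ips, chain="INPUT"):
    """Render (not execute) one iptables DROP rule per offending client."""
    return [f"iptables -I {chain} -s {ip} -j DROP" for ip in ips]

if __name__ == "__main__":
    print("\n".join(drop_rules(find_probe_sources(SAMPLE_LOG))))
```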
