From: Dennis L. <db...@db...> - 2001-11-12 21:58:59
> Kind of an odd request, but I find myself doing this more often than
> not now with Nimda proliferating all over the place...
>
> FreeBSD uses a blackhole feature to throw IP/Net's into a null route
> using a route add command as in this example:
>
> route add -net IP -netmask 255.255... 127.0.0.1 -blackhole

I am a very new Linux user, so the following advice is supplied with a virtual grain of salt.....

I noticed after looking at my apache logs that I was getting random hits from reasonably local IPs (Class B subnets, Roadrunner 65.25.x.x) that are looking to run 'cmd.exe' and 'root.exe'. (All of this makes me very glad I've chosen Linux to run instead of W2k server.)

I started adding the IP address to ipchains manually to block out the infected sites and quickly tired of the process. I was thinking that I could write a script to search the logs for IPs that are trying to run 'cmd.exe' or 'root.exe', grab the IP address, then pipe the IP address to a command for inclusion (with formatting) into the ipchains file. Then restart ipchains. Someday I'll have to learn how to write that.

I've posted a snapshot of my logfile, if anyone would like to have a shot at how to parse the IPs out of it :-).

http://www.dblewis.com/logfile.html

That script could be run (cron) once a week, once a day perhaps if you change the logrotate settings (to avoid duplicate IPs).... Only problem is that you'd be denying access to the server from lots of IPs. Not that I care about that on my server.

I was very surprised by the traffic created by these worms. My access and error logs are each approaching 1 meg a week, and it's not traffic from the pictures of my kids.

BTW, this is the CodeRed.c worm. (Link from McAfee follows)

http://vil.nai.com/vil/virusSummary.asp?virus_k=99177

Dennis Lewis (db...@db...)

"I'm allergic to grass. Hey, it could be worse, I could be allergic to beer." --Golfer Greg Norman
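The script Dennis describes (scan the Apache access log for requests for 'cmd.exe' or 'root.exe', pull out the client IPs, and turn them into ipchains rules) can be done with awk and sort in a few lines. The block below is an added example, not code from the original post or from Dennis Lewis; the log lines are constructed samples in Common Log Format using documentation-range addresses, and the rules are printed rather than applied so they can be reviewed before being appended to the ipchains configuration.

```shell
#!/bin/sh
# Constructed sample of an Apache access log (Common Log Format):
# field 1 is the client IP, field 7 is the requested path.
SAMPLE_LOG=$(cat <<'EOF'
192.0.2.10 - - [12/Nov/2001:10:01:02 -0500] "GET /scripts/root.exe HTTP/1.0" 404 276
192.0.2.10 - - [12/Nov/2001:10:01:03 -0500] "GET /MSADC/root.exe HTTP/1.0" 404 276
198.51.100.7 - - [12/Nov/2001:10:02:15 -0500] "GET /c/winnt/system32/cmd.exe HTTP/1.0" 404 291
203.0.113.5 - - [12/Nov/2001:10:03:00 -0500] "GET /index.html HTTP/1.0" 200 1543
EOF
)

# Read an access log on stdin; print each client IP that requested
# cmd.exe or root.exe, once per IP. Matching on the request-path field
# (not the whole line) avoids false hits from referer or agent strings
# in combined-format logs. Case-insensitive, since worm variants vary.
extract_worm_ips() {
    awk 'tolower($7) ~ /(cmd|root)\.exe/ { print $1 }' | sort -u
}

# Read one IP per line on stdin; print an ipchains DENY rule for each
# (ipchains -A input -s <ip> -j DENY). Nothing is executed here: review
# the output, then append it to the ipchains rules file and reload.
to_ipchains_rules() {
    while IFS= read -r ip; do
        printf 'ipchains -A input -s %s -j DENY\n' "$ip"
    done
}

# Stand-alone demo over the constructed sample. For a real run from cron,
# replace the printf with: cat /var/log/httpd/access_log
printf '%s\n' "$SAMPLE_LOG" | extract_worm_ips | to_ipchains_rules
```

Running it once a day after logrotate, as suggested in the post, keeps the IP list free of duplicates; `sort -u` also removes repeats within a single log, as the two root.exe hits from the same address in the sample show.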