[23089] in bugtraq
Re: Blocking Nimda and kin
daemon@ATHENA.MIT.EDU (Peter W)
Fri Nov 9 01:55:16 2001
Date: Thu, 8 Nov 2001 17:46:53 -0500
From: Peter W <peterw@usa.net>
To: Brett Glass <brett@lariat.org>
Cc: bugtraq@securityfocus.com
Message-ID: <20011108174653.J5819@usa.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <4.3.2.7.2.20011106181212.03eec320@localhost>; from brett@lariat.org on Tue, Nov 06, 2001 at 07:43:56PM -0700
On Tue, Nov 06, 2001 at 07:43:56PM -0700, Brett Glass wrote:
> Just thought the denizens of the Bugtraq list might be interested in a
> quick fix for Apache which instantly blocks Nimda (all variants), Code
> Red, sadmind/IIS, and kin.
> To quickly blackhole the worms, just add the following to your logging
> configuration in Apache's httpd.conf file.
> SetEnvIf Request_URI "/winnt/system32/cmd\.exe" nimda
> CustomLog "|exec sh" "route -nq add -host %400,404a 127.0.0.1 -blackhole" env=nimda
This is very cool stuff. So I can get someone to view an HTML page|email
with code like <img alt="" height="0" width="0" hspace="0" vspace="0"
src="http://brettglass.example.com/winnt/system32/cmd.exe">, I can easily
prevent them, or anyone else coming from the same space, from reaching your
Web server. Get some AOL users to read the messages and bye-bye to all the
AOL proxy server traffic. Get lots of usenet "victims", and even if they
don't care about your Web site, man, your routing table suddenly looks bad.
Very (un)cool.
-Peter
P.S. If that exec sh route thing actually works, does that mean your httpd
is running as root? Or is "route" a SUID wrapper, so the httpd user only has
the ability to wreck your routing table? Just curious.
