do you have to have ipchains running or will this work without it! On Fri, 21 Dec 2001, Rogier Maas wrote:

Yes; Code red.. I wrote myself a little script to block all those hosts trying certain url's. It's on http://antinimda.hafnet.com for download. It also shows the amount of hosts blocked. It's amazing how many blocks I have already...

----- Original Message ----- From: To: Sent: Friday, December 21, 2001 10:14 Subject: [suse-security] Entriy in apache log

...

Hi all,

I have this entries in my apache log. Anyone an idear what this is?

203.236.245.154 - - [18/Dec/2001:21:23:54 +0100]

"GET/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%uc bd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a

...

HTTP/1.0" 404 205

Thanks

Armin

-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com

-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com

ok thanks for the info i guess then right now i cant use the script as i have no idea about ipchains and how or what i would need to do! thanks BOB On Fri, 21 Dec 2001, Rogier Maas wrote:

The script blocks the hosts by adding them to the ipchains IP filter. You'll have to have it in order for it to work. ;-)

When a host is blocked, it cannot surf to your box using port 80 anymore. So no more entries or hacking can be done on that port on your box.

Rogier

----- Original Message ----- From: "Bob B" To: "Rogier Maas" Cc: ; Sent: Friday, December 21, 2001 11:44 Subject: Re: [suse-security] Entriy in apache log

...

do you have to have ipchains running or will this work without it!

On Fri, 21 Dec 2001, Rogier Maas wrote:

...

Yes; Code red.. I wrote myself a little script to block all those hosts trying certain url's. It's on http://antinimda.hafnet.com for download. It also shows the amount of hosts blocked. It's amazing how many blocks I have already...

----- Original Message ----- From: To: Sent: Friday, December 21, 2001 10:14 Subject: [suse-security] Entriy in apache log

...

Hi all,

I have this entries in my apache log. Anyone an idear what this is?

203.236.245.154 - - [18/Dec/2001:21:23:54 +0100]

"GET/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN

...

NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN

...

NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN

...

NNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%uc

...

bd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a

...

...

HTTP/1.0" 404 205

Thanks

Armin

-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com

-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com

-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com

ok let me ask this first can i just have ipchains on the box without changing and routig etc that is set now as i wouldnt want to make an major overhaul! On Fri, 21 Dec 2001, Rogier Maas wrote:

Well, if you have ipchains, the script can use it. There's no harm in trying!

If you need any help setting it up (which is fairly easy) or anything else, just mail me; I'd be happy to help out where I can.

Rogier ----- Original Message ----- From: "Bob B" To: "Rogier Maas" Cc: ; Sent: Friday, December 21, 2001 11:54 Subject: Re: [suse-security] Entriy in apache log

...

ok thanks for the info i guess then right now i cant use the script as i have no idea about ipchains and how or what i would need to do! thanks BOB

On Fri, 21 Dec 2001, Rogier Maas wrote:

...

The script blocks the hosts by adding them to the ipchains IP filter. You'll have to have it in order for it to work. ;-)

When a host is blocked, it cannot surf to your box using port 80 anymore. So no more entries or hacking can be done on that port on your box.

Rogier

----- Original Message ----- From: "Bob B" To: "Rogier Maas" Cc: ; Sent: Friday, December 21, 2001 11:44 Subject: Re: [suse-security] Entriy in apache log

...

do you have to have ipchains running or will this work without it!

On Fri, 21 Dec 2001, Rogier Maas wrote:

...

Yes; Code red.. I wrote myself a little script to block all those hosts trying certain url's. It's on http://antinimda.hafnet.com for download. It also shows the amount of hosts blocked. It's amazing how many blocks I have already...

----- Original Message ----- From: To: Sent: Friday, December 21, 2001 10:14 Subject: [suse-security] Entriy in apache log

...

Hi all,

I have this entries in my apache log. Anyone an idear what this is?

203.236.245.154 - - [18/Dec/2001:21:23:54 +0100]

"GET/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN

...

...

...

NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN

...

...

...

NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN

...

...

...

NNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%uc

...

...

...

bd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a

...

...

...

...

HTTP/1.0" 404 205

Thanks

Armin

-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com

-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com

-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com

(Sorry, wasn't able to reply earlier due to a nameserver being down) Yes, that is very true. In fact, it wouldn't make sense at all to block them, unless the 'attacker' (which is an automated script running on a winblows box; the user doesn't even know it's there) is -really- attacking you. He'll soon find out that you aren't running an IIS server and either stop hacking or switch to 'Linux-mode', trying the Apache bugs. That should take him at least 2 or 3 seconds, then he is done, since there are maybe 1 or 2 'bugs' in Apache. ;-) I wrote this script to: - Learn bash - Learn ipchains - Have an excuse to make another webpage - Get those lame entries 'outta my accesslog' A filter between Apache and the accesslog would do fine too. Just pipe the log to a filter (using grep -v to show all line without the words you specify) and have the output written to the access_log. The advantage would be: no long listing of denied hosts, thus more speed, since ipchains has to go through all those entries onlt to find out it can let the packet through. Kind Regards, Rogier Maas ----- Original Message ----- From: "Markus Gaugusch" To: "Bob B" Cc: "Rogier Maas" ; Sent: Friday, December 21, 2001 12:03 Subject: Re: [suse-security] Entriy in apache log

...

ok let me ask this first can i just have ipchains on the box without changing and routig etc that is set now as i wouldnt want to make an major overhaul! This is no problem, but the whole thing (blocking nimda "attacks" to your linux box) is really useless, as many have non-static ip-adresses and you will soon have a huge blocking table, which results in poor performance. If you have really too much entries in your logs (filling up the disks), clean them with a script that removes all those entries or contact the provider of the infected hosts. Blocking of huge address ranges doesn't solve any problems.

Markus Gaugusch

-- _____________________________ /"\ Markus Gaugusch ICQ 11374583 \ / ASCII Ribbon Campaign markus@gaugusch.at X Against HTML Mail / \

-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com