Hi all,
I have these entries in my apache log. Anyone have an idea what this is?
203.236.245.154 - - [18/Dec/2001:21:23:54 +0100] "GET/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 205
Thanks
Armin
Nimda / Code Red
abaesche@worklab.de wrote:
Hi all,
I have these entries in my apache log. Anyone have an idea what this is?
203.236.245.154 - - [18/Dec/2001:21:23:54 +0100] "GET/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 205
Thanks
Armin
-- 
To unsubscribe, e-mail: suse-security-unsubscribe@suse.com
For additional commands, e-mail: suse-security-help@suse.com
This is a Nimda or Code Red attack signature. It doesn't affect Apache, don't worry (and be glad for not choosing IIS :)
Markus
-- 
Markus Gaugusch, ICQ 11374583, markus@gaugusch.at
ASCII Ribbon Campaign Against HTML Mail
Yes; Code Red. I wrote myself a little script to block all those hosts trying certain URLs. It's on http://antinimda.hafnet.com for download. It also shows the amount of hosts blocked. It's amazing how many blocks I have already...
----- Original Message -----
From:
Hi all,
I have these entries in my apache log. Anyone have an idea what this is?
203.236.245.154 - - [18/Dec/2001:21:23:54 +0100] "GET/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 205
Thanks
Armin
Do you have to have ipchains running, or will this work without it?
On Fri, 21 Dec 2001, Rogier Maas wrote:
Yes; Code Red. I wrote myself a little script to block all those hosts trying certain URLs. It's on http://antinimda.hafnet.com for download. It also shows the amount of hosts blocked. It's amazing how many blocks I have already...
----- Original Message -----
From:
To:
Sent: Friday, December 21, 2001 10:14
Subject: [suse-security] Entry in apache log
The script blocks the hosts by adding them to the ipchains IP filter. You'll have to have it in order for it to work. ;-)
When a host is blocked, it cannot surf to your box using port 80 anymore. So no more entries or hacking can be done on that port on your box.
Rogier
----- Original Message -----
From: "Bob B"
Do you have to have ipchains running, or will this work without it?
OK, thanks for the info. I guess then right now I can't use the script, as I have no idea about ipchains and how or what I would need to do! Thanks, BOB
On Fri, 21 Dec 2001, Rogier Maas wrote:
The script blocks the hosts by adding them to the ipchains IP filter. You'll have to have it in order for it to work. ;-)
When a host is blocked, it cannot surf to your box using port 80 anymore. So no more entries or hacking can be done on that port on your box.
Rogier
----- Original Message -----
From: "Bob B"
To: "Rogier Maas"
Sent: Friday, December 21, 2001 11:44
Subject: Re: [suse-security] Entry in apache log
Well, if you have ipchains, the script can use it. There's no harm in trying!
If you need any help setting it up (which is fairly easy) or anything else, just mail me; I'd be happy to help out where I can.
Rogier
----- Original Message -----
From: "Bob B"
OK, thanks for the info. I guess then right now I can't use the script, as I have no idea about ipchains and how or what I would need to do! Thanks, BOB
OK, let me ask this first: can I just have ipchains on the box without changing any routing etc. that is set now, as I wouldn't want to make a major overhaul!
On Fri, 21 Dec 2001, Rogier Maas wrote:
Well, if you have ipchains, the script can use it. There's no harm in trying!
If you need any help setting it up (which is fairly easy) or anything else, just mail me; I'd be happy to help out where I can.
Rogier
----- Original Message -----
From: "Bob B"
To: "Rogier Maas"
Sent: Friday, December 21, 2001 11:54
Subject: Re: [suse-security] Entry in apache log
OK, let me ask this first: can I just have ipchains on the box without changing any routing etc. that is set now, as I wouldn't want to make a major overhaul!
This is no problem, but the whole thing (blocking Nimda "attacks" to your Linux box) is really useless, as many have non-static IP addresses and you will soon have a huge blocking table, which results in poor performance. If you really have too many entries in your logs (filling up the disks), clean them with a script that removes all those entries, or contact the provider of the infected hosts. Blocking huge address ranges doesn't solve any problems.
Markus Gaugusch
-- 
Markus Gaugusch, ICQ 11374583, markus@gaugusch.at
ASCII Ribbon Campaign Against HTML Mail
(Sorry, wasn't able to reply earlier due to a nameserver being down)
Yes, that is very true. In fact, it wouldn't make sense at all to block them, unless the 'attacker' (which is an automated script running on a winblows box; the user doesn't even know it's there) is -really- attacking you. He'll soon find out that you aren't running an IIS server and either stop hacking or switch to 'Linux-mode', trying the Apache bugs. That should take him at least 2 or 3 seconds, then he is done, since there are maybe 1 or 2 'bugs' in Apache. ;-)
I wrote this script to:
- Learn bash
- Learn ipchains
- Have an excuse to make another webpage
- Get those lame entries 'outta my accesslog'
A filter between Apache and the accesslog would do fine too. Just pipe the log to a filter (using grep -v to show all lines without the words you specify) and have the output written to the access_log. The advantage would be: no long listing of denied hosts, thus more speed, since ipchains has to go through all those entries only to find out it can let the packet through.
Kind Regards,
Rogier Maas
----- Original Message -----
From: "Markus Gaugusch"
This is no problem, but the whole thing (blocking Nimda "attacks" to your Linux box) is really useless, as many have non-static IP addresses and you will soon have a huge blocking table, which results in poor performance. If you really have too many entries in your logs (filling up the disks), clean them with a script that removes all those entries, or contact the provider of the infected hosts. Blocking huge address ranges doesn't solve any problems.
Markus Gaugusch
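The "filter between Apache and the accesslog" that Rogier describes above, written out as an added example (this is not the antinimda script from the thread; the CustomLog wiring and the Nimda root.exe/cmd.exe paths are assumptions, the thread only shows the default.ida probe). Instead of dropping the probes with grep -v it diverts them to a side file, so access_log stays readable, the per-host counts are still available, and no ipchains table grows the way Markus warns about:

```shell
#!/bin/sh
# Added example (not Rogier's antinimda script): split worm probes out of the
# Apache access log stream into their own file instead of discarding them, so
# the main log stays readable while the probe volume can still be counted.
#
# Assumed Apache wiring (paths are placeholders, not from the thread):
#   CustomLog "|/usr/local/sbin/worm-filter /var/log/apache/access_log /var/log/apache/worm_log" combined

# worm_filter CLEAN_LOG WORM_LOG  -- reads log lines on stdin.
# One awk process handles the whole stream (no grep per line), so the
# filter keeps up with a piped log.
worm_filter() {
    awk -v clean="$1" -v worm="$2" '
        # Code Red: /default.ida?NNNN...%u9090... as in the log posted above
        /default\.ida\?N+/     { print >> worm; next }
        # Nimda: IIS root.exe / cmd.exe probes (well-known paths, assumed;
        # the thread only shows the default.ida variant)
        /\/(root|cmd)\.exe/    { print >> worm; next }
        { print >> clean }
    '
}

# worm_hosts WORM_LOG -- "count host" per source address, most active first
# (the "amount of hosts blocked" view, without touching ipchains).
worm_hosts() {
    awk '{ print $1 }' "$1" | sort | uniq -c | sort -rn
}

# Constructed sample (not real traffic): two Code Red probes from one host,
# one Nimda probe, one legitimate request.
SAMPLE='203.236.245.154 - - [18/Dec/2001:21:23:54 +0100] "GET /default.ida?NNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 404 205
192.0.2.10 - - [18/Dec/2001:21:24:01 +0100] "GET /index.html HTTP/1.0" 200 1532
198.51.100.7 - - [18/Dec/2001:21:25:17 +0100] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
203.236.245.154 - - [18/Dec/2001:21:26:03 +0100] "GET /default.ida?NNNNNNNN%u9090=a HTTP/1.0" 404 205'

# demo: run the filter on the sample in a scratch directory and show both logs
demo() {
    dir=$(mktemp -d)
    printf '%s\n' "$SAMPLE" | worm_filter "$dir/access_log" "$dir/worm_log"
    echo "clean: $(wc -l < "$dir/access_log") line(s), worm: $(wc -l < "$dir/worm_log") line(s)"
    worm_hosts "$dir/worm_log"
    rm -rf "$dir"
}
```

Run `demo` to see the split on the sample: one line stays in access_log, three land in worm_log, and worm_hosts lists 203.236.245.154 first with two hits.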
Hi,
* Bob B wrote on Fri, Dec 21, 2001 at 06:00 -0500:
OK, let me ask this first: can I just have ipchains on the box without changing any routing
"ipchains" is a tool for configuring firewall rules. You don't need to change the routing table or the color of the screensaver :)
etc. that is set now, as I wouldn't want to make a major overhaul!
Please be really careful with automatic blocking firewall scripts. Did you test what happens when a proxy connects? Does the proxy get blocked? What about the other people behind that proxy? And so on. Nimda cannot infect Linux via Apache, so you may decide to ignore it silently :)
[130 lines cut]
Please don't full-quote the original mail. Write text under the text you are citing, and cite intelligently. Maybe you'll find some time to study the netiquette a little. Thank you.
oki,
Steffen
-- 
This message was generated automatically; it therefore bears neither signature nor seal.
participants (6)
- abaesche@worklab.de
- Bob B
- Markus Gaugusch
- Rogier Maas
- Simon Oliver
- Steffen Dettmer