Sep 19, '02 08:47:38AM • Contributed by: Jeff Thompson
Here's the code to the wrmblk script; make sure you read the notes at the end:
#!/bin/sh
# ---------------------------------------------------------------------
# WRMBLK - Copyright 2002, Jeff Thompson
# ---------------------------------------------------------------------
# Block sites, which have originated Nimda and CodeRed queries, from
# Macintosh OS X 10.2 Apache web server, using the IPFW utility.
#
# Note: Apache must be configured with HostnameLookups Off, so that the
# first field of every access_log line is the client's IP address.
# ---------------------------------------------------------------------
echo "WRMBLK - Nimda/CodeRed Worm Blocker"
echo "------------------------------------------------------------------"
echo "Constructing list of CURRENTLY blocked host IP Addresses"
# "ipfw list" prints each rule as "NNNNN deny ip from A.B.C.D to any",
# so field 5 is the blocked host.
ipfw list | grep 'deny ip from [0-9.]* to any' |
awk '{print $5}' | sort | uniq > /var/tmp/worms.blocked
echo "Gathering new POTENTIAL worm hosts from the access log and blocking them"
# Requests for these paths are the Nimda/CodeRed probe signatures.
egrep -i "(cmd\.exe|root\.exe|default\.ida|_vti_bin)" /var/log/httpd/access_log |
awk '{print $1}' | sort | uniq |
while read host
do
    # -x matches the whole line, so 1.2.3.4 is not treated as already
    # blocked just because 1.2.3.45 is in the list.
    if ! fgrep -x "$host" /var/tmp/worms.blocked >/dev/null
    then
        echo "Adding $host to blocked sites"
        echo "$host" >> /var/tmp/worms.blocked
        ipfw add deny all from "$host" to any >/dev/null
    fi
done
echo "Done!"
Notes:
- The shell script I've written (wrmblk) should be installed in any directory that is included in your path environment variable (e.g. /usr/local/bin).
- Make sure you set the rights of the file you've created using chmod (e.g. chmod 755 wrmblk).
- I'm not sure if this is just on my system, but you have to run the shell script as root, so use the sudo command to do this (e.g. sudo wrmblk).
- The shell script can be automated using a crontab entry and run once every night, or manually from the command line if you prefer.
- The shell script creates a file, /var/tmp/worms.blocked, which you can view at any time to see which hosts are currently being blocked. I use this file in an SSI include on my Apache stats page.
