Block Nimda and Code Red worms with shell script Internet
I decided to write a command line script to locate any hosts that are flooding my system with Nimda and CodeRed worm requests and add them to the "deny" list using the Macintosh OS X 10.2 IPFW utility, rather than relying on third party shareware GUI wrappers which do pretty much the same thing.

Here's the code to the wrmblk script; make sure you read the notes at the end:
#!/bin/sh
# ---------------------------------------------------------------------
# WRMBLK - Copyright 2002, Jeff Thompson
# ---------------------------------------------------------------------
# Block sites, which have originated Nimda and CodeRed queries, from
# Macintosh OS X 10.2 Apache web server, using the IPFW utility.
#
# Note: Apache must be configured with HostnameLookups Off, so that the
# first field of each access_log line is the client's IP address.
# ---------------------------------------------------------------------

echo WRMBLK - Nimda/CodeRed Worm Blocker
echo ------------------------------------------------------------------
echo Constructing list of CURRENTLY blocked host IP Addresses
# "ipfw list" prints each rule as "<number> deny ip from <host> to any";
# field 5 is the host.
ipfw list | grep 'deny ip from .* to any' |
awk '{print $5}' | sort | uniq > /var/tmp/worms.blocked

echo Gathering new POTENTIAL worm hosts from the access log and blocking them
# Requests for these four paths are the Nimda/CodeRed signatures;
# field 1 of each matching log line is the requesting host.
egrep -i "(cmd.exe|root.exe|default.ida|_vti_bin)" /var/log/httpd/access_log |
awk '{print $1}' | sort -n | uniq |
while read host
do
    # -x matches whole lines only, so a blocked 10.0.0.1 does not also
    # hide 10.0.0.12; -q suppresses the matched output.
    if ! fgrep -qx "$host" /var/tmp/worms.blocked
    then
        echo Adding $host to blocked sites
        echo "$host" >> /var/tmp/worms.blocked
        ipfw add deny all from "$host" to any >/dev/null
    fi
done

echo Done!
Notes:
  • The shell script I've written (wrmblk) should be installed in any directory that is included in your PATH environment variable (e.g. /usr/local/bin).

  • Make sure you set the rights of the file you've created using chmod (e.g. chmod 755 wrmblk).

  • I'm not sure if this is just on my system, but you have to run the shell script as root, so use the sudo command to do this (e.g. sudo wrmblk).

  • The shell script can be automated using a crontab entry and run once every night, or manually from the command line if you prefer.

  • The shell script creates a file, /var/tmp/worms.blocked, which you can view at any time to see which hosts are currently being blocked. I use this file in an SSI include on my Apache stats page.
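As an added example (not code from the hint or its author), here is the script's detection step run over constructed access_log lines, as a dry run that prints the ipfw commands instead of executing them; the sample log, the blocked list and the function names are invented for illustration.

```shell
#!/bin/sh
# Added example, not the wrmblk script: the hint's detection step run over
# constructed access_log lines, as a dry run that prints the ipfw commands
# instead of executing them. Sample log, blocked list and function names
# are made up for illustration.

# Constructed access_log lines (HostnameLookups Off, so field 1 is the IP).
# 10.0.0.12, 10.0.0.1 and 172.16.4.9 make worm requests; 192.168.7.5 is a normal visitor.
SAMPLE_LOG='10.0.0.12 - - [19/Sep/2002:10:00:01 -0700] "GET /scripts/root.exe HTTP/1.0" 404 291
192.168.7.5 - - [19/Sep/2002:10:00:02 -0700] "GET /index.html HTTP/1.1" 200 5120
10.0.0.1 - - [19/Sep/2002:10:00:03 -0700] "GET /default.ida HTTP/1.0" 400 325
10.0.0.12 - - [19/Sep/2002:10:00:04 -0700] "GET /c/winnt/system32/cmd.exe HTTP/1.0" 404 295
172.16.4.9 - - [19/Sep/2002:10:00:05 -0700] "POST /_vti_bin/shtml.exe HTTP/1.0" 404 290'

# Constructed stand-in for /var/tmp/worms.blocked. 10.0.0.1 is already
# blocked; 10.0.0.12 is not, even though "10.0.0.1" is a prefix of it.
BLOCKED='10.0.0.1
203.0.113.77'

# Client address of every request matching the hint's four worm signatures.
worm_hosts() {
    printf '%s\n' "$SAMPLE_LOG" |
    grep -iE '(cmd\.exe|root\.exe|default\.ida|_vti_bin)' |
    awk '{print $1}' | sort -u
}

# Worm hosts not yet on the blocked list. grep -x matches whole lines, so
# the 10.0.0.1 entry does not also hide 10.0.0.12 as a plain fgrep would.
new_hosts() {
    worm_hosts | while read -r host; do
        printf '%s\n' "$BLOCKED" | grep -qxF "$host" || printf '%s\n' "$host"
    done
}

# Dry run: the rule wrmblk would add for each new host.
plan_rules() {
    new_hosts | while read -r host; do
        printf 'ipfw add deny all from %s to any\n' "$host"
    done
}

plan_rules
```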
[Editor's note: I have not tested this scr

Be careful
Authored by: seb2 on Sep 19, '02 12:26:04PM

Be careful with things like this. As soon as anybody knows you're automatically denying access to machines that are requesting specific URIs from your machine, this can very well be used against you.

Spoofing IP addresses or getting control over several machines and then sending requests on purpose can easily be done. Then blocking them *can* be a way to gradually make your machine inaccessible to the outside world.

If you're running a commercial web server, you might reconsider doing this.

Be careful
Authored by: Jeff Thompson on Sep 23, '02 12:35:08PM

Yeah, I've had other system admins advise me of the same thing. What they suggest is that you clear out your deny list every so often to allow people, who have since removed these virii, to get back into your web site. An even better option would be to create a rolling window of "denied" sites based on the date they were added, but IPFW doesn't support this (that I'm aware of) so an external list would need to be maintained.

If you want to clear out ALL of the denied sites from your IPFW "deny list" use the following (wrmclr) shell script (same notes apply to this as the wrmblk shell script):

#!/bin/sh
# ----------------------------------------------------------------------------
# WRMCLR - Copyright 2002, Jeff Thompson
# ----------------------------------------------------------------------------
# CLEAR IPFW DENY list
# ----------------------------------------------------------------------------

echo WRMCLR - Clear Nimda/CodeRed DENY List
echo -------------------------------------------------------------------------
# Field 1 of each "ipfw list" line is the rule number. sort reads the whole
# listing before the first delete runs, so deleting inside the loop is safe.
# Note that this matches EVERY "deny ip from <host> to any" rule, not only
# the ones added by wrmblk.
ipfw list | grep 'deny ip from .* to any' |
awk '{print $1}' | sort -n | uniq |
while read rulez
do
    echo Removing $rulez from IPFW deny list
    ipfw delete "$rulez" >/dev/null
done

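The "rolling window" the reply describes, as an added example that is not part of the post or its scripts: since ipfw keeps no timestamps, an external list of "<epoch-seconds> <host>" lines records when each host was denied, and entries older than the window are expired. It assumes wrmblk is changed to append such a line when it adds a rule; the list, the ipfw listing, the dates and the function names are constructed, and the ipfw deletes are printed rather than run.

```shell
#!/bin/sh
# Added example, not the wrmblk/wrmclr scripts: the "rolling window" the reply
# describes. ipfw keeps no timestamps, so an external list of
# "<epoch-seconds> <host>" lines records when each host was denied, and
# entries older than WINDOW_DAYS are expired. Dry run: prints the ipfw
# deletes instead of running them. All data below is constructed.

# Constructed denied list; wrmblk would append a line with
# printf '%s %s\n' "$(date +%s)" "$host" when it adds a rule.
DENIED='1032000000 10.0.0.12
1032400000 172.16.4.9
1032450000 198.51.100.3'

# Constructed snapshot of "ipfw list": rule number is field 1, host is field 5.
RULES='00100 deny ip from 10.0.0.12 to any
00200 deny ip from 172.16.4.9 to any
00300 deny ip from 198.51.100.3 to any
65535 allow ip from any to any'

WINDOW_DAYS=7

# Hosts denied more than WINDOW_DAYS before time $1 (epoch seconds).
expired_hosts() {
    cutoff=$(($1 - WINDOW_DAYS * 86400))
    printf '%s\n' "$DENIED" | awk -v cutoff="$cutoff" '$1 < cutoff {print $2}'
}

# Entries still inside the window, i.e. what gets written back to the list.
current_entries() {
    cutoff=$(($1 - WINDOW_DAYS * 86400))
    printf '%s\n' "$DENIED" | awk -v cutoff="$cutoff" '$1 >= cutoff'
}

# Number(s) of the deny rule(s) for host $1, looked up in the ipfw listing.
rules_for() {
    printf '%s\n' "$RULES" | awk -v h="$1" '$2 == "deny" && $5 == h {print $1}'
}

# Dry run: one "ipfw delete" per expired rule.
expire() {
    expired_hosts "$1" | while read -r host; do
        for rule in $(rules_for "$host"); do
            printf 'ipfw delete %s\n' "$rule"
        done
    done
}

expire 1032700000
```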
Times out....or something
Authored by: tsaar on Sep 19, '02 03:20:34PM

Hmmm...

either it takes too long to process the 969 + 52 'infected hosts' I have in my logs, or I'm just impatient.

The script starts fine, gives me no errors (well, it wouldn't, would it) but also it does not do anything....

Anyone else have the same?

Times out....or something
Authored by: tsaar on Sep 19, '02 03:38:26PM

I think your script ended up mutilated by pasting or something...
Should the line after "Gathering new potential worm hosts" not contain something like

egrep -i "(cmd.exe|root.exe|default.ida|_vti_bin)" /var/log/httpd/access_log | awk '{print $1}' | sort -n | uniq | /var/tmp/worms.new

?

Please disregard
Authored by: tsaar on Sep 19, '02 05:02:06PM

This script works just fine.

You may want to put it in /usr/bin though. :)

viri on Mac OS X
Authored by: mickeycoke on Sep 20, '02 12:35:27AM

Could someone please update me on the vulnerability of Macs to viruses. I have only had the virus experience on Windows. I guess I need to be woken to the reality that they exist where I have never had problems before. After you educate me on "Mac viri vulnerability" could you educate me on why Apple offers virus software on iDisk?

thanks!

viri on Mac OS X
Authored by: macubergeek on Sep 20, '02 12:49:31PM

of course everything might change in the future....
but there isn't much of a virus exposure on the Mac platform, and there is even less in Mac OS X
why does apple offer virus protection on iDisk?

....marketing

viri on Mac OS X
Authored by: Glanz on Sep 23, '02 12:56:07PM

Even though it is very unlikely that a virus will affect a Mac machine directly, nevertheless they may be used to transfer viruses to Windows machines by simple communication via email.

Psionic PortSentry and LogSentry
Authored by: bluehz on Sep 20, '02 02:24:47PM

I use a nice free pkg on my Linux box that contains PortSentry, LogSentry, and HostSentry. See here for info:

http://www.psionic.com/products/trisentry.html

Basically - PortSentry watches for all sorts of malicious activity and then bans the IPs similar to what this script does, LogSentry keeps an eye on strange activity and notifies you via e-mail, and HostSentry does the same except in regards to logins, activity, etc.

The current PortSentry pkg at Psionic doesn't want to compile on OS X, but there is an older version made for OS X here:

http://www.osxgnu.org/software/Security/portsentry/

Also, an older version of LogSentry (called LogCheck) is on the same page above. Although I think the current version of LogSentry compiles fine...not sure.

PS - if anyone has any ideas on getting the current PortSentry 2.x to compile - info would be much appreciated. Here's the error:

cc -O -Wall -DBSD44 -o ./portsentry ./portsentry.c \
./portsentry_io.c ./portsentry_util.c -lpcap
./portsentry.h:55: header file 'netinet/ip_ether.h' not found
cpp-precomp: warning: errors during smart preprocessing, retrying in basic mode

Missing headers - was: Psionic PortSentry and LogSentry
Authored by: darkart on Oct 11, '02 04:36:52PM

Word from the darwin developers list is that some unix headers were removed in a late developer seed and were unintentionally left out of the final release of 10.2. You can get them by checking out the appropriate version of xnu from the darwin CVS (xnu-344.2 is what I have on a 10.2.1 (6D52) system). See the recent darwin-development archives for more info and discussion.

-eric
