Block Nimda and Code Red worms with shell script

Sep 19, '02 08:47:38AM

Contributed by: Jeff Thompson

I decided to write a command line script to locate any hosts that are flooding my system with Nimda and CodeRed worm requests and add them to the "deny" list using the Macintosh OS X 10.2 IPFW utility, rather than relying on third party shareware GUI wrappers which do pretty much the same thing.

Here's the code to the wrmblk script; make sure you read the notes at the end:

#!/bin/sh
# ---------------------------------------------------------------------
# WRMBLK - Copyright 2002, Jeff Thompson
# ---------------------------------------------------------------------
# Block sites, which have originated Nimda and CodeRed queries, from
# Macintosh OS X 10.2 Apache web server, using the IPFW utility.
#
# Note: Apache must be configured with HostnameLookups Off
#       (the access log must contain raw IP addresses, not host names).
# Note: run as root; ipfw changes the kernel firewall rule set.
# ---------------------------------------------------------------------

echo WRMBLK - Nimda/CodeRed Worm Blocker
echo ------------------------------------------------------------------
echo Constructing list of CURRENTLY blocked host IP Addresses
# "ipfw list" prints rules as "NNNNN deny ip from A.B.C.D to any";
# field 5 is the blocked address.
ipfw list | grep 'deny ip from .* to any' |
awk '{print $5}' | sort | uniq > /var/tmp/worms.blocked

echo Gathering new POTENTIAL worm hosts from the access log and blocking them
# Requests for these paths are the Nimda/CodeRed probe signatures;
# field 1 of each matching log line is the client IP.
egrep -i "(cmd.exe|root.exe|default.ida|_vti_bin)" /var/log/httpd/access_log |
awk '{print $1}' | sort -n | uniq |
while read host
do
    # -x matches the whole line, so 1.2.3.4 is not taken as already
    # blocked just because 1.2.3.45 is; -q only sets the exit status.
    if ! fgrep -xq "$host" /var/tmp/worms.blocked
    then
        echo Adding $host to blocked sites
        echo "$host" >> /var/tmp/worms.blocked
        ipfw add deny all from "$host" to any >/dev/null
    fi
done

echo Done!
Notes:[Editor's note: I have not tested this scr
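To see what the log-scanning half of wrmblk actually selects before any firewall rule is touched, here is an added example (not part of the hint above) that runs the same signature grep and "already blocked" check over a few constructed access_log lines and a constructed block list. The log entries, the addresses (documentation ranges), and the function names are all made up for the demonstration; ipfw is never called.

```shell
#!/bin/sh
# Added example: exercise the detection logic of wrmblk on sample data.
# Everything below is constructed for the demo and does not touch ipfw.

# Print, deduplicated, every client IP whose request line carries one of
# the Nimda/CodeRed probe signatures the hint greps for.
extract_worm_hosts() {  # $1 = path to an Apache access_log
    grep -Ei '(cmd\.exe|root\.exe|default\.ida|_vti_bin)' "$1" |
    awk '{print $1}' | sort -u
}

# Print the worm hosts from the log that are NOT yet in the blocked list.
# -x forces whole-line matches so 10.0.0.1 is not hidden by 10.0.0.10;
# -F treats the host as a fixed string so the dots are not wildcards.
new_worm_hosts() {  # $1 = access_log, $2 = file with one blocked IP per line
    extract_worm_hosts "$1" |
    while read -r host; do
        grep -Fxq "$host" "$2" || echo "$host"
    done
}

# Build a small constructed scenario and print, space separated, the
# hosts wrmblk would go on to block.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/access_log" <<'EOF'
203.0.113.10 - - [19/Sep/2002:08:47:38 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 281
203.0.113.10 - - [19/Sep/2002:08:47:39 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 281
198.51.100.7 - - [19/Sep/2002:08:50:01 -0400] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 281
192.0.2.44 - - [19/Sep/2002:08:51:12 -0400] "GET /index.html HTTP/1.1" 200 1532
192.0.2.5 - - [19/Sep/2002:08:52:00 -0400] "GET /_vti_bin/shtml.exe HTTP/1.0" 404 281
EOF
    # 192.0.2.5 is already blocked; 192.0.2.50 is a different host and must
    # neither mask it nor be masked by it under a substring match.
    printf '192.0.2.5\n192.0.2.50\n' > "$tmp/worms.blocked"
    # Unquoted expansion on purpose: joins the output lines with spaces.
    echo $(new_worm_hosts "$tmp/access_log" "$tmp/worms.blocked")
    rm -rf "$tmp"
}

demo
```

Running it prints the two probing hosts not yet on the list (198.51.100.7 and 203.0.113.10); the ordinary GET for /index.html is ignored, and the host already blocked is skipped. Dropping the -x flag from the grep in new_worm_hosts is enough to see why the exact match matters: a host whose address is a prefix of an already blocked one would then silently never be added.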

Mac OS X Hints
http://hints.macworld.com/article.php?story=20020919054738194