Bugtraq mailing list archives

Re: Blocking Nimda and kin


From: Peter W <peterw () usa net>
Date: Thu, 8 Nov 2001 17:46:53 -0500

On Tue, Nov 06, 2001 at 07:43:56PM -0700, Brett Glass wrote:

> Just thought the denizens of the Bugtraq list might be interested in a 
> quick fix for Apache which instantly blocks Nimda (all variants), Code 
> Red, sadmind/IIS, and kin.
> 
> To quickly blackhole the worms, just add the following to your logging 
> configuration in Apache's httpd.conf file.
> 
> SetEnvIf Request_URI "/winnt/system32/cmd\.exe" nimda
> 
> CustomLog "|exec sh" "route -nq add -host %400,404a 127.0.0.1 -blackhole"  env=nimda

This is very cool stuff. So I can get someone to view an HTML page|email
with code like <img alt="" height="0" width="0" hspace="0" vspace="0"
src="http://brettglass.example.com/winnt/system32/cmd.exe">, I can easily
prevent them, or anyone else coming from the same space, from reaching your
Web server. Get some AOL users to read the messages and bye-bye to all the
AOL proxy server traffic. Get lots of usenet "victims", and even if they
don't care about your Web site, man, your routing table suddenly looks bad.

Very (un)cool.

-Peter

P.S. If that exec sh route thing actually works, does that mean your httpd 
is running as root? Or is "route" a SUID wrapper, so the httpd user only has 
the ability to wreck your routing table? Just curious.
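The trigger chain Peter describes, as an added example that is not code from either message: a small Python simulation of what the quoted SetEnvIf/CustomLog pair does with three constructed requests (RFC 5737 test addresses; the semantics of Apache's conditional %400,404a directive are reproduced by hand rather than by running httpd). It shows that the line piped into sh is identical for a genuine worm probe and for a browser or proxy that merely rendered an attacker's hidden <img>, since both request the same URI and both get a 404.

```python
"""Simulate the CustomLog "|exec sh" blackhole trigger and show that an
uninvolved client tricked into fetching the trigger URI is blackholed too.
All request data below is constructed for illustration."""
import re
from collections import namedtuple

Request = namedtuple("Request", "client_ip method uri status")

# The SetEnvIf pattern from the quoted config (a regex over the request URI).
NIMDA_RE = re.compile(r"/winnt/system32/cmd\.exe")

# The log format from the quoted config.  %400,404a is Apache's conditional
# form of %a: the client address is logged only when the response status is
# 400 or 404; otherwise a "-" is logged in its place.
LOG_FORMAT = "route -nq add -host %400,404a 127.0.0.1 -blackhole"

_COND_DIRECTIVE = re.compile(r"%(?:(!?)([\d,]+))?a")


def sets_nimda_env(req):
    """SetEnvIf Request_URI "/winnt/system32/cmd\\.exe" nimda"""
    return NIMDA_RE.search(req.uri) is not None


def expand_log_format(fmt, req):
    """Expand %a, honouring an optional (negatable) status-code condition."""
    def sub(m):
        negate, codes = m.group(1), m.group(2)
        if codes is None:
            return req.client_ip
        matched = req.status in {int(c) for c in codes.split(",")}
        if negate:
            matched = not matched
        return req.client_ip if matched else "-"
    return _COND_DIRECTIVE.sub(sub, fmt)


def shell_commands(requests):
    """Lines the env=nimda CustomLog would write into the sh pipe."""
    return [expand_log_format(LOG_FORMAT, r) for r in requests if sets_nimda_env(r)]


def blackholed_hosts(requests):
    """Hosts that would get a blackhole route (a "-" host is not a valid route)."""
    hosts = []
    for cmd in shell_commands(requests):
        host = cmd.split()[4]          # "route -nq add -host <host> ..."
        if host != "-":
            hosts.append(host)
    return hosts


def decoy_html(target_host):
    """The hidden <img> Peter describes: whoever renders it fetches the trigger URI."""
    return ('<img alt="" height="0" width="0" '
            f'src="http://{target_host}/winnt/system32/cmd.exe">')


# Constructed traffic: a worm probe, an ordinary visitor, and a browser
# (or a shared proxy) that rendered an attacker's decoy page.
SAMPLE = [
    Request("192.0.2.10", "GET", "/scripts/..%255c../winnt/system32/cmd.exe?/c+dir", 404),
    Request("192.0.2.20", "GET", "/index.html", 200),
    Request("192.0.2.30", "GET", "/winnt/system32/cmd.exe", 404),
]

if __name__ == "__main__":
    for line in shell_commands(SAMPLE):
        print(line)
    print("blackholed:", blackholed_hosts(SAMPLE))
```

Running it prints two identical route commands, one for the worm's address and one for the decoy victim's; nothing in the request distinguishes them, which is the point of the reply. The 404 condition does not help, since the trigger path does not exist on the Apache host either way.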

