
Re: [cobalt-users] Code Red



Jason Vaughan wrote:
> 
> There have been frequent threads about Code Red and even a few
> scripts to check how many times it has attacked.
> 
> Here is a challenge for any top scripters out there...
> 
> Write a script which monitors the access log and if it sees tell-tale
> signs (e.g. requests for .ida) it then blocks that IP address, using
> IPCHAINS or similar.
> 
> I don't even know if this would help but if the Code Red could not
> even see the server, would it not just go away and bother someone
> else?

Probably not.  If it was that smart, it would know that an IP had
already failed to be infested and not try it again.  From what I have
read on the CR subject, the worm doesn't log where it has been.  This
may be a "security" feature for its children, though.

> 
> Even better would be to log the IP address, do a dig on the results
> and send an abusive message to the administrator of the site it
> resolves to (if available) or the admin for the IP block.
> 
> Jason Vaughan
> Netergy.com
> --
>   ---------------------------------------------
> Jason Vaughan
>         Netergy.com Limited
>         Studio 1B, 101 Farm Lane, London SW6 1QJ
>         T: 020 7610 1010 - F: 020 7610 1551
>         http://www.netergy.com
>         http://www.anynames.com
>   ---------------------------------------------
> 
>   IMPORTANT LEGAL NOTICE:
>   This e-mail is strictly confidential and is intended solely for the
> person or organisation to whom it is addressed. It may contain

Damn.  I have to delete it now...

> privileged and confidential information and if you are not the
> intended recipient, you must not copy, distribute or take any action
> in reliance on it. If you have received this communication in error,
> please advise us by e-mail and delete the file from your system.
> 
>   If you contact us by e-mail, we will store your name and address to
> facilitate communications.

Well, today after seeing your email I wrote a little script to do this
(haven't read any Cobalt emails for a bit).

There are configurable options at the beginning to change a few
preferences as needed.
Log file names, paths, and the rotated log file ``cat'' routine may need
to be changed for non-Cobalt products.

If anyone has any questions on it, email me at jwoods@xxxxxxxxxxxxxxxx

I will not add email options into the script, but you can if you so
desire.

Here it is:

--- start of file ---
#!/bin/sh
#
# /u/HDWR/bin/cr-snd
#
# Code Red search and destroy (well, block)
#
# usage: cr-snd [option]
# options:
# -cron  tells program not to "tail -f" log file
#        This is good for cron scheduled checking of log files.
# -live  tells program to only "tail -f" log file (interactive with log file)
#        This is good for startup script (rc.d) checking of log files.
#
# With no options, the program runs both "cron" and "live" modes.
#
# I choose to DENY all access to a computer infected with CodeRed mostly
#   because who knows what other packages have been installed on it.
#
# If you actually have a file on your site called ``default.ida'',
#   do NOT use this or you will effectively block all IPs requesting it.
# This script will work nicely from /etc/rc.d/rc.local (or some other startup
#   script).  Make sure to run it in the background (/path/cr-snd &).
# It will also run nicely from cron as a scheduled job.
#   ie, 0 * * * * /path/cr-snd -cron
#
# NOTE:  This was written for a Cobalt Raq3i.
#        Other Linux/web server installs will most likely need modifications.
#
# Author:       Jason Woods <jwoods@xxxxxxxxxxxxxxx>
# Copyright:    2001 Oakland Corporation
# Created:      08-22-2001
# Last mod:     08-22-2001
# Version:      1.00

# ALLOW is for special cases in which you want to NEVER block the IPs
# use either IPs or DNS PTR record names (DNS had better resolve!)
# ie, ALLOW="my-router.foo.bar my-nat.foo.bar 1.2.3.4 10.10.10.10"
ALLOW=""

# which word in log file line is the IP address to block
IP_word=2

# log data? 0-no 1-yes
LOG_data=1

# log file name to store denied IPs
LOG_file=/var/log/codered

# log file creation umask (whatever you want, I don't want non-root to see it)
LOG_umask=077

# some functions to make life easier
  get_log_input() {
    # it just makes sense to run get_cr_ip in bulk here
    # grab data from current log file
    [ -s /home/log/httpd/access ] && \
      get_cr_ip < /home/log/httpd/access
    # grab data from rotated (old) log file
    [ -s /home/log/httpd/access.1.gz ] && \
      zcat /home/log/httpd/access.1.gz | get_cr_ip
  }
  get_cr_ip() {
    # sort out what we want from data
    #   only lines with default.ida in them (-F: literal match, "." is not a wildcard),
    #   grab the IP_word word in line (requesting IP)
    grep -F 'default.ida' | cut -f"$IP_word" -d' '
  }
  ip_regex() {
    # escape the dots in CUR_ip so grep treats them literally
    echo "$CUR_ip" | sed 's/\./\\./g'
  }
  run_check() {
    [ "$1" != "-noclean" ] && CUR_ip=$(echo "$CUR_ip" | get_cr_ip)
    # if CUR_ip is not null, we have a winner
    if [ -n "$CUR_ip" ] ; then
      # default to deny access to IP
      DENY=1
      deny_check_ip
      # check to see if IP still tests as DENYable
      # if so, do another test
      [ "$DENY" = "1" ] && deny_check_name
      # if IP is still DENYable, DENY it.
      [ "$DENY" = "1" ] && deny_ip
    fi
  }
  deny_check_ip() {
    for CUR_test in $ALLOW
    do
      # if IP is allowed, do not deny it
      [ "$CUR_test" = "$CUR_ip" ] && DENY=0
    done
  }
  deny_check_name() {
    # get DNS PTR record name (second field of the "Name:" line, empty if none)
    CUR_name=$(nslookup "$CUR_ip" 2> /dev/null | awk '/Name:/ { print $2 ; exit }')
    for CUR_test in $ALLOW
    do
      # if DNS address name is allowed, do not deny it
      [ "$CUR_test" = "$CUR_name" ] && DENY=0
    done
  }
  deny_ip() {
    # make sure IP isn't already in ipchains as DENYed
    if ! ipchains -nL | grep "$(ip_regex)" | grep -q DENY ; then
      # block IP via IPchains (or replace with whatever you use)
      ipchains -A input -s "$CUR_ip" -d 0.0.0.0/0 -j DENY
    fi
    [ "$LOG_data" = "1" ] && log_data_to_file
  }
  log_data_to_file() {
    # make sure umask is set
    [ -z "$LOG_umask" ] && LOG_umask=077
    # create log file if it doesn't exist
    [ ! -s "$LOG_file" ] && (umask "$LOG_umask" ; touch "$LOG_file")
    # log ip (and DNS address name if found) into log file
    #   if entry is not already in it
    grep -q "$(ip_regex)" "$LOG_file" || (
      printf "%-15.15s" "$CUR_ip"
      if [ -n "$CUR_name" ] ; then
        echo " $CUR_name"
      else
        echo
      fi
    ) >> "$LOG_file"
  }
# end functions

# if LOG_file is not set, don't attempt to log
[ -z "$LOG_file" ] && LOG_data=0

# if IP_word is not set, default to 2
[ -z "$IP_word" ] && IP_word=2

# if not running in "live" mode, do the following
if [ "$1" != "-live" ] ; then
  # grab Code Red previously logged data
  # remove duplicate logged IPs via sort
  for CUR_ip in $(get_log_input | sort -u)
  do
    # run the DENY check routine without cleaning input
    run_check -noclean
  done
fi

# if not running in cron mode, do the following
if [ "$1" != "-cron" ] ; then
  # no need to check IPs for duplicates here, other parts of the
  #   script make sure not to log or ipchain duplicate IPs
  tail -f /home/log/httpd/access | while read -r CUR_ip
  do
    # run the DENY check routine
    run_check
  done
fi
--- end of file ---

-- 
Jason Woods
IT Director
Oakland Corporation
414 Broad Street
Story City, IA 50248
Phone: 515-733-5114
Fax  : 515-733-4821
Email: jwoods@xxxxxxxxxxxxxxx
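As an added example (not Jason Woods' cr-snd script above), the same detection and allow-list decisions in Python, run on constructed Cobalt-style log lines with a stubbed PTR lookup so it works offline without nslookup or ipchains. The host names and addresses are made up, and the Cobalt log layout (virtual host first, client IP second, i.e. IP_word=2) is assumed.

```python
import ipaddress

CODE_RED_MARK = "default.ida"   # the tell-tale request cr-snd greps for

def code_red_ips(lines, ip_word=2):
    """Unique client IPs (first-seen order) of lines requesting default.ida;
    same selection as get_cr_ip | sort -u, plus a sanity check on the IP column."""
    seen, out = set(), []
    for line in lines:
        words = line.split()
        if CODE_RED_MARK not in line or len(words) < ip_word:
            continue
        ip = words[ip_word - 1]
        try:
            ipaddress.IPv4Address(ip)      # skip lines whose IP column is garbage
        except ValueError:
            continue
        if ip not in seen:
            seen.add(ip)
            out.append(ip)
    return out

def deny_decisions(ips, allow, resolve=lambda ip: None):
    """(ip, deny) pairs; ALLOW matches the IP or its PTR name (deny_check_ip /
    deny_check_name). `resolve` is an injected PTR lookup stub, so this runs offline."""
    allowed = set(allow.split())
    out = []
    for ip in ips:
        name = None if ip in allowed else resolve(ip)
        out.append((ip, ip not in allowed and name not in allowed))
    return out

def ipchains_rules(decisions, existing=()):
    """ipchains commands cr-snd would run, skipping IPs already DENYed (exact match)."""
    have = set(existing)
    return ["ipchains -A input -s %s -d 0.0.0.0/0 -j DENY" % ip
            for ip, deny in decisions if deny and ip not in have]

# Constructed sample log, Cobalt layout (vhost, then client IP = word 2 like IP_word=2).
SAMPLE_LOG = """\
www.example.com 203.0.113.7 - - [22/Aug/2001:10:00:01 -0500] "GET /default.ida?XXXX HTTP/1.0" 404 -
www.example.com 198.51.100.9 - - [22/Aug/2001:10:00:02 -0500] "GET /index.html HTTP/1.0" 200 1234
www.example.com 203.0.113.7 - - [22/Aug/2001:10:00:05 -0500] "GET /default.ida?XXXX HTTP/1.0" 404 -
www.example.com 192.0.2.44 - - [22/Aug/2001:10:00:07 -0500] "GET /default.ida?NNNN HTTP/1.0" 404 -
www.example.com 192.0.2.45 - - [22/Aug/2001:10:00:09 -0500] "GET /default.ida?NNNN HTTP/1.0" 404 -
"""

def demo(allow="my-nat.example.net 203.0.113.7"):
    # 192.0.2.44 is stubbed to resolve to an allowed PTR name; 192.0.2.4 is "already denied"
    ips = code_red_ips(SAMPLE_LOG.splitlines())
    ptr = lambda ip: "my-nat.example.net" if ip == "192.0.2.44" else None
    return ipchains_rules(deny_decisions(ips, allow, ptr), existing=["192.0.2.4"])
```

Only 192.0.2.45 ends up with a DENY rule: the repeat hit from 203.0.113.7 is collapsed and then allowed by IP, 192.0.2.44 is allowed by its stubbed PTR name, and the existing 192.0.2.4 entry does not shadow 192.0.2.45 because the comparison is exact.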