[cobalt-users] OT: Block Nimda/Code Red resource usage on Cobalt servers
- Subject: [cobalt-users] OT: Block Nimda/Code Red resource usage on Cobalt servers
- From: "Andrew Kinney" <andykinney@xxxxxxxxxxxx>
- Date: Fri Sep 21 09:46:57 2001
- Organization: Advantagecom Networks, Inc.
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
Hello,
I tried sending this on the morning of the 18th, but I never saw it come through on the list, so I'm sending it again.
Though Code Red and other similar worms don't infect Cobalt servers, the little script below (watch out for line wraps - each line begins with echo or kill) will patch a potential bandwidth denial of service attack that affects any Apache-based system.
On the morning of the 18th, a Code Red-like worm started scanning port 80 on all of our systems (nearly all Cobalt) for some NT/IIS-related files. As a result of the huge volume of 404 errors, we started having bandwidth problems and packet processing (high volume of small packets) issues on our routers and bandwidth managers. After some digging, we came up with the following partial fix. It reduces the number of bytes and packets sent in response to the requests to the web server generated by these worms. On our network, it reduced traffic enough that we no longer have packet loss and significantly reduced the bandwidth usage generated by the worm.
We also used grep on our web logs and came up with over 1300 Microsuck crap servers to block on our firewall. That has helped tremendously.
To apply the "patch" (of sorts), telnet into your server and "su" to root. Then, copy/paste the text into the telnet session. It adds some directives to the access.conf and rereads the Apache config files.
***Disclaimer:***
Use this at your own risk and expense. Don't ask me about how to do things or how to use this. In other words, if you don't know what you're doing (or even if you do), don't send any email to me directly. I'm supplying this information to be helpful, not to be inundated with questions and comments about it. If you have a question or comment, send it to the list - if the list flames you because of your comment or question, that is also not my problem.
echo '' >> /etc/httpd/conf/access.conf
echo '# deny all the code red related crap' >> /etc/httpd/conf/access.conf
echo '<Location ~ ".*root.exe">' >> /etc/httpd/conf/access.conf
echo 'deny from all' >> /etc/httpd/conf/access.conf
echo 'ErrorDocument 403 " ' >> /etc/httpd/conf/access.conf
echo '</Location>' >> /etc/httpd/conf/access.conf
echo '' >> /etc/httpd/conf/access.conf
echo '<Location ~ ".*cmd.exe">' >> /etc/httpd/conf/access.conf
echo 'deny from all' >> /etc/httpd/conf/access.conf
echo 'ErrorDocument 403 " ' >> /etc/httpd/conf/access.conf
echo '</Location>' >> /etc/httpd/conf/access.conf
echo '' >> /etc/httpd/conf/access.conf
echo '<Location ~ ".*default.ida">' >> /etc/httpd/conf/access.conf
echo 'deny from all' >> /etc/httpd/conf/access.conf
echo 'ErrorDocument 403 " ' >> /etc/httpd/conf/access.conf
echo '</Location>' >> /etc/httpd/conf/access.conf
echo '' >> /etc/httpd/conf/access.conf
kill -HUP `cat /var/run/httpd.pid`
Sincerely,
Andrew Kinney
President and
Chief Technology Officer
Advantagecom Networks, Inc.
http://www.advantagecom.net
509-522-3696, extension 101
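The log-grep step the post mentions (finding which hosts are sending the root.exe / cmd.exe / default.ida probes and how many 404 bytes they draw), as an added example that is not part of the original post. It assumes Apache's Common Log Format and uses constructed sample lines; `parse_line`, `worm_hosts` and `blocklist` are names chosen here.

```python
import re
from collections import defaultdict

# Apache Common Log Format: host ident authuser [time] "request" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)$'
)
# The three probe paths the post's <Location> blocks cover. Assumption: unlike
# the post's regexes this ignores case, so /MSADC/root.exe is counted too.
WORM_PATH_RE = re.compile(r'root\.exe|cmd\.exe|default\.ida', re.IGNORECASE)

# Constructed sample log (not from the post); the last line is deliberately
# malformed to show that non-CLF lines are skipped rather than crashing.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Sep/2001:08:01:02 -0700] "GET /scripts/root.exe HTTP/1.0" 404 284
10.0.0.5 - - [18/Sep/2001:08:01:02 -0700] "GET /MSADC/root.exe HTTP/1.0" 404 284
10.0.0.5 - - [18/Sep/2001:08:01:03 -0700] "GET /c/winnt/system32/cmd.exe HTTP/1.0" 404 297
192.0.2.77 - - [18/Sep/2001:08:02:10 -0700] "GET /default.ida?XXXX HTTP/1.0" 404 279
192.0.2.77 - - [18/Sep/2001:08:02:11 -0700] "GET /scripts/cmd.exe HTTP/1.0" 404 310
198.51.100.9 - - [18/Sep/2001:08:03:00 -0700] "GET /index.html HTTP/1.0" 200 2048
this line is not in CLF and is skipped
"""

def parse_line(line):
    """Parse one CLF line into a dict, or return None if it does not parse."""
    m = CLF_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    rec['bytes'] = 0 if rec['bytes'] == '-' else int(rec['bytes'])
    return rec

def worm_hosts(log_text):
    """Per source host: probe count and response bytes the default 404 page cost.
    Those bytes are roughly what the post's empty-body 403 saves per probe."""
    stats = defaultdict(lambda: {'hits': 0, 'bytes': 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and WORM_PATH_RE.search(rec['path']):
            stats[rec['host']]['hits'] += 1
            stats[rec['host']]['bytes'] += rec['bytes']
    return dict(stats)

def blocklist(log_text, min_hits=1):
    """Sorted hosts with at least min_hits probes, ready for a firewall deny rule."""
    return sorted(h for h, s in worm_hosts(log_text).items() if s['hits'] >= min_hits)
```

Run it over a real access_log by passing the file contents to `worm_hosts`; raising `min_hits` filters out one-off hits before turning the list into firewall rules.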