fishdan's Journal: stupid Nimda!

A caveat -- I am a developer, not an admin, so my feeble attempts at doing admin things are admittedly pathetic, and probably should not be copied by anyone

I have a fairly typical set up at home: 233pII running rh7.3 in front of my hub, and a buncha machines behind it, including my web server. I got tired of looking in my log files and seeing

"GET /MSADC/root.exe?/c+dir HTTP/1.0"

from people/machines who are STILL infected with Nimda or

"GET /default.ida?XXXXXXXXXXXXXX[etc etc etc]"

from all the morons still infected by Code Red.

So, I wrote a program that runs on the web server, that scans the web logs for IP addresses that have sent bad requests (for my definition, any request to my web server that contains "winnt", "root", or "default.ida" is bad). It then contacts another program on the firewall machine, via TCP (don't hassle me about that, the firewall machine only accepts on that port on the internal interface). The firewall machine program then executes a "/sbin/iptables -A INPUT -s "+badIPAddress+" -j DROP", which prevents any further traffic from that IP address from reaching the web server. (I've posted the code for these programs to my journal, though there is nothing there likely to be of any interest to the sophisticate.)
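The log-scanning half of that setup, written out as an added example (this is not the journal author's posted code). It parses Apache/NCSA common-format log lines, flags a request when it contains any of the three substrings the entry names ("winnt", "root", "default.ida"), collects the source IPs, and builds the same iptables DROP command string the firewall program is described as running, without executing anything. The log lines are constructed, use RFC 5737 documentation addresses, and include one benign request for "/chroot-howto.html" to show that the bare substring "root" also catches legitimate paths, which is the main caveat of matching this loosely.

```python
import re
from typing import Iterable, List, Set

# Substrings the journal entry treats as marking a "bad" request.
BAD_MARKERS = ("winnt", "root", "default.ida")

# Apache/NCSA common log format: ip ident user [time] "request" status bytes
LOG_LINE = re.compile(
    r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def is_bad_request(request: str) -> bool:
    """True if the request line contains any marker (case-insensitive substring match)."""
    req = request.lower()
    return any(marker in req for marker in BAD_MARKERS)


def offending_ips(lines: Iterable[str]) -> Set[str]:
    """Return the set of client IPs that sent at least one flagged request."""
    ips: Set[str] = set()
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in common log format
        if is_bad_request(m.group("request")):
            ips.add(m.group("ip"))
    return ips


def iptables_commands(ips: Iterable[str]) -> List[str]:
    """Build (do not run) the per-address DROP rule described in the journal entry."""
    ordered = sorted(ips, key=lambda s: tuple(int(octet) for octet in s.split(".")))
    return [f"/sbin/iptables -A INPUT -s {ip} -j DROP" for ip in ordered]


# Constructed sample log; the IPs are RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = [
    '192.0.2.10 - - [09/Oct/2002:13:55:36 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 276',
    '198.51.100.7 - - [09/Oct/2002:13:56:01 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX HTTP/1.0" 400 325',
    '203.0.113.5 - - [09/Oct/2002:13:57:12 -0400] "GET /index.html HTTP/1.1" 200 1043',
    '192.0.2.10 - - [09/Oct/2002:13:57:40 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276',
    '203.0.113.9 - - [09/Oct/2002:13:58:03 -0400] "GET /chroot-howto.html HTTP/1.1" 200 5120',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for cmd in iptables_commands(offending_ips(SAMPLE_LOG)):
        print(cmd)
```

Note that 203.0.113.9 ends up blocked purely because "chroot" contains "root"; anchoring the markers to path components (for example matching "/root.exe" or "/winnt/" rather than bare substrings) removes that class of false positive. Also, one `-A INPUT` rule per address means the chain grows linearly, so with the roughly 1100 hosts the entry mentions, every packet traverses that many rules before reaching the accept path.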

The thing that I find nutty is that after turning this on, I found that there were about 1100 machines sending crap like this to my machine over the last 15 days. I have no idea if traffic like this to my home machines is typical, but I would suspect that it's actually much less than what is out in the world (though perhaps it's more because I am on a cable modem subdomain).

My questions to /. are:

  • How much crap do you still see from Nimda/Code Red?
  • Are you doing anything about it? I must confess that knowing that these machines are vulnerable to these exploits makes it difficult to retain my white hat all the time. Must we just endure these slings and arrows of outrageous fortune? Contacting the machine admins is essentially impossible because most of these machines are on a cable provider's network. Is there something better that I can do besides filtering out the requests via iptables?