anand

Hello everyone!

Recently, over the past few weeks, I have been having restless nights because of the Nimda virus. Yes, my box is on Linux and Nimda has no effect on Linux, but still the overhead created by Nimda on Apache on my box is really massive. I get at least 5-10 attacks per second on Apache on my box with Nimda. Now I tried to go through various posts here and came to the best conclusion to include the following inside my httpd.conf

RedirectMatch Permanent ^/(.*cmd\.exe.*)$ http://127.0.0.1/
RedirectMatch Permanent ^/(.*cmd\.exe*.*)$ http://127.0.0.1/
RedirectMatch Permanent ^/(.*root\.exe.*)$ http://127.0.0.1/
RedirectMatch Permanent ^/(.*root\.exe*.*)$ http://127.0.0.1/
RedirectMatch Permanent ^/(.*default\.ida.*)$ http://127.0.0.1/
RedirectMatch Permanent ^/(.*default\.ida*.*)$ http://127.0.0.1/

Now I know this is not legal etc., but I had no choice; my machine was getting too much load. Apache itself was taking up to 40% of resources. The situation improved and it went on. After 3-4 days the situation reverted back to the same old; Apache again started to take too many resources on the server. After checkup and searching on the net I added the following to the httpd.conf

Redirect /scripts http://127.0.0.1
Redirect /c http://127.0.0.1
Redirect /msadc http://127.0.0.1
Redirect /MSADC http://127.0.0.1
Redirect /_mem_bin http://127.0.0.1
Redirect /winnt http://127.0.0.1
Redirect /d http://127.0.0.1

Still the situation didn't change.

I also came across the solution which was recommended by itf here at the cPanel forums: using iptables with string matching and dropping them. The following I came across when searching on the net for answers.

iptables -t filter -A INPUT -i eth0 -p tcp -d YOUR_IP --dport http -m string --string "/default.ida?" -j DROP
iptables -t filter -A INPUT -i eth0 -p tcp -d YOUR_IP --dport http -m string --string ".exe?/c+dir" -j DROP
iptables -t filter -A INPUT -i eth0 -p tcp -d YOUR_IP --dport http -m string --string ".exe?/c+tftp" -j DROP

Everywhere the above was being recommended to stop Nimda on the servers. Now when I try to run any of the above chains I get the following errors:

iptables v1.2.5: Couldn't load match `string':/lib/iptables/libipt_string.so: cannot open shared object file: No such file or directory

Again went the session of searching on the net, and it revealed that the particular patch has to be installed inside the kernel, and only then would the string option work.

Now my problem is that right now I can't go for a kernel upgrade, as we have some real heavy traffic on our server and it can't be put down for quite some time to come. Is there any other solution / RPM available to get this string option available inside iptables? I searched on rpmfind.net and found that the iptables RPM shipped with SUSE contained the string option already. When I tried to download the RPM I got a not found page. So any solutions, guys?

Would appreciate any help in this matter as it's driving me nuts.

regards,

Anand
 

anand

There is more to what I came across on the net inside various forums regarding using iptables to ban Nimda.

# Block Code Red
iptables -I INPUT -j DROP -p tcp -m string --string "cmd.exe"

# Block Nimda
iptables -I INPUT -j DROP -p tcp -m string --string "root.exe"
iptables -I INPUT -j DROP -p tcp -m string --string "default.ida"


Basically the above doesn't need the IP address.

regards,

Anand
 

anand

I also found this inside the forums, posted by shaun.

RedirectMatch ^.*\.(dll|ida).* & dev/null
RedirectMatch ^.*\cmd\.* & dev/null
RedirectMatch ^.*\root\.* & dev/null


Unfortunately this also doesn't seem to bring down the Apache load, and the logs keep on filling up.

regards,

Anand
 

itf

I wrote about these attacks in another thread, click here to go to that thread:

http://forums.cpanel.net/read.php?TID=5583&page=2#24310

However, I add some additional instructions here:

As you can see in one of my posts in that thread, I wrote that the String Matching feature of iptables is a patch.

Anand,

But how to solve your problem: please read this:

If you are under DDoS attacks (by kiddie attacks) and there is a high load due to these attacks, you can stop Apache (and kill child processes), then apply that experimental String Matching patch for iptables.

It depends on your current kernel; if, for example, you use kernels which are offered by Redhat, you have to download and install kernel-"version".src.rpm (source code), then compile the kernel and compile in the iptables string matching experimental patch (during kernel configuration).
i.e. ftp://updates.redhat.com/7.3/en/os/SRPMS/kernel-2.4.18-18.7.x.src.rpm

[b]Attention:[/b] If you want to use the kernel source from http://www.kernel.org (original kernel, useful in case of e.g. [b]GRSecurity[/b] installation), make sure you know about the latest security patches; if you are not very experienced in security and Linux, it is recommended to use SRPM packages from Redhat.

[b]Attention:[/b] If you have a kernel source directory on your system, please make a backup before installing new source code.

[b]Attention:[/b] If this is the first time that you compile the kernel, don't try it on a production server; first gain your experience in a test environment, or ask your NOC's technical staff to compile it for you.

[b]Notice:[/b] The best practice for using the iptables string matching feature is a "Frontend Firewall"; as the kernel should inspect all incoming packets for string matching, it will result in high loads if you have a high-traffic server, thus it's not recommended to use string matching on the same server that you offer your normal services on.

[b]There is other software out there that offers string matching, but beware of it; some of it results in very high loads.[/b]

The best method for inspecting incoming packets for string matching is the iptables experimental string matching patch, which is compiled in with the kernel and is the fastest method for string matching and results in lower loads.

[b]However, there is another method for preventing DDoS by kiddie attacks; read option two of the quotation below carefully.[/b]
I wrote it in another thread that I referred to at the beginning of this post, and now quote from my writing in that thread here:

click here to go to my original post:
http://forums.cpanel.net/read.php?TID=5583&page=2#24310
[quote][i]Originally Posted by ITF[/i]
....
[b]But what should you do against these kiddie attacks:[/b]
There are two ways for protection: you can use each one or both together.

1. Using the String Matching feature of iptables (patch): by creating a chain rule for incoming packets, if they contain the string which you defined, the connection will be dropped. However, the kernel should inspect all incoming packets, which causes high loads in the system (CPU usage); the best practice for this feature is a [b]Frontend Firewall[/b], which means putting a firewall box in front of your current box/network, dedicated to firewall protection.
[b]
2. Using the Redirect feature of Apache:[/b] but not redirecting to where they are coming from; it is recommended to redirect them to a local script which grabs the IP address of the attacker, and another script which processes the results and blocks the sender by putting IPs in /etc/hosts.deny or setting up an ipchains/iptables deny rule.
However, it is recommended to unblock those IPs after a couple of days; I'm sure you need visitors.

[b]Attention:[/b] Never forget to exempt your server IPs and your local IPs (used for remote access) from the above rules, otherwise a hacker can block your access to your server (by using the above rules).

....
[/quote]

P.S. Unfortunately it's beyond the size and time of a post to write every nook and cranny about string matching and compiling in the kernel. I wrote a document on another site but will publish a how-to soon.
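The "grab the attacker's IP and block it, but exempt your own IPs and unblock after a couple of days" approach from option two above, as an added example that is not itf's or the forum's own code: instead of receiving an Apache redirect, this Python script scans access-log lines for the same probe signatures the thread's rules use (cmd.exe, root.exe, default.ida), skips an exempt list, emits hosts.deny and iptables deny lines, and reports which blocks are old enough to lift. The log lines, the exempt addresses and the two-day block window are constructed/assumed values.

```python
import re
from datetime import datetime, timedelta

# Constructed sample Apache access-log lines (common log format), not from the thread.
SAMPLE_LOG = """\
198.51.100.7 - - [18/Nov/2002:10:01:02 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276
198.51.100.7 - - [18/Nov/2002:10:01:03 +0000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276
203.0.113.9 - - [18/Nov/2002:10:02:10 +0000] "GET /default.ida?XXXX HTTP/1.0" 404 276
192.0.2.10 - - [18/Nov/2002:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 1024
10.0.0.5 - - [18/Nov/2002:10:04:00 +0000] "GET /scripts/cmd.exe?/c+dir HTTP/1.0" 404 276
"""

# The same worm-probe signatures the thread's httpd.conf and iptables rules look for.
PROBE_RE = re.compile(r"cmd\.exe|root\.exe|default\.ida", re.IGNORECASE)
# client IP, timestamp and request path from a common-log-format line
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST|HEAD) (\S+)')

# Assumed: the server's own IP and the admin's remote IP, which must never be blocked.
EXEMPT = {"10.0.0.5", "127.0.0.1"}


def find_probe_sources(log_text, exempt=EXEMPT):
    """Return {ip: (first_seen, hit_count)} for clients that sent worm probe URLs."""
    seen = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, path = m.groups()
        if ip in exempt or not PROBE_RE.search(path):
            continue
        when = datetime.strptime(ts.split()[0], "%d/%b/%Y:%H:%M:%S")  # drop the tz offset
        first, count = seen.get(ip, (when, 0))
        seen[ip] = (min(first, when), count + 1)
    return seen


def block_rules(sources):
    """hosts.deny and iptables lines for each offending IP (returned, not applied)."""
    ips = sorted(sources)
    return (["ALL: %s" % ip for ip in ips],
            ["iptables -I INPUT -s %s -j DROP" % ip for ip in ips])


def expired(sources, now, days=2):
    """IPs whose block should be lifted: first seen more than `days` ago."""
    return sorted(ip for ip, (first, _) in sources.items()
                  if now - first > timedelta(days=days))
```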
 

anand

[quote][i]Originally posted by itf[/i]

I wrote about these attacks in another thread, click here to go to that thread:

http://forums.cpanel.net/read.php?TID=5583&page=2#24310

P.S. Unfortunately it's beyond the size and time of a post to write every nook and cranny about string matching and compiling in the kernel. I wrote a document on another site but will publish a how-to soon.
[/quote]

I already know the kernel compile way out for the string option inside iptables. I actually mentioned inside my post that I can't pull down my server for anything right now. I wanted to know if I could get some other way to do it??? Anyway, even if I need to get a kernel recompile I would ask my NOC people, as I am not very sure if I can do it myself. Mine is a grsecurity-patched kernel.

Btw, where did you write the document, I mean which site? I would still refer to that website.

regards,

Anand
 

itf

[quote][i]Originally posted by anand[/i]

I already know the kernel compile way out for the string option inside iptables. I actually mentioned inside my post that I can't pull down my server for anything right now. I wanted to know if I could get some other way to do it??? Anyway, even if I need to get a kernel recompile I would ask my NOC people, as I am not very sure if I can do it myself. Mine is a grsecurity-patched kernel.

Btw, where did you write the document, I mean which site? I would still refer to that website.

regards,

Anand[/quote]
Did you read my last post completely? I wrote another method too; please see the above post.
 

itf

[quote][i]Originally posted by anand[/i]

I already know the kernel compile way out for the string option inside iptables. I actually mentioned inside my post that I can't pull down my server for anything right now. I wanted to know if I could get some other way to do it??? Anyway, even if I need to get a kernel recompile I would ask my NOC people, as I am not very sure if I can do it myself. Mine is a grsecurity-patched kernel.
[/quote]
[b]There is another method for preventing kiddie attacks from becoming a DDoS[/b] instead of iptables string matching (experimental patch).
As I wrote before in two threads:

Using the Redirect feature of Apache: but not redirecting to where they are coming from; it is recommended to redirect them to a local script which grabs the IP address of the attacker, and another script which processes the results and blocks the sender by putting IPs in /etc/hosts.deny or setting up an ipchains/iptables deny rule.
However, it is recommended to unblock those IPs after a couple of days; I'm sure you need visitors.

[b]Attention:[/b] Never forget to exempt your server IPs and your local IPs (used for remote access) from the above rules, otherwise a hacker can block your access to your server (by using the above rules).


[quote][i]Originally posted by anand[/i]

Btw, where did you write the document, I mean which site? I would still refer to that website.

regards,

Anand[/quote]
It is a commercial website (I don't like to advertise); if you need the link, contact me by PM.
 

anand

[quote][i]Originally posted by itf[/i]

It is a commercial website (I don't like to advertise); if you need the link, contact me by PM.[/quote]

I sent a PM also, but no replies???

regards,

Anand
 

itf

[quote][i]Originally posted by anand[/i]

[quote][i]Originally posted by itf[/i]

It is a commercial website (I don't like to advertise); if you need the link, contact me by PM.[/quote]

I sent a PM also, but no replies???

regards,

Anand[/quote]
I receive a lot of PMs in this forum, but replying to all of them is impossible due to a restriction on this forum,
i.e. I got this error message:

"An error occurred while sending the message
You have reached your maximum message limit for today, please wait until November 18 2002, 22:56."

Please click on my profile button at the bottom of this post and contact me by using other methods.