Eliminar el virus nimbda del servidor apache

Por Paco Aldarias Raya

Impreso: Jun 13, 2004

Contents

1  Introducción

2  Como se propaga

217-127-85-207.uc.nombres.ttd.es - - [02/Jun/2002:06:28:15 +0200] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 6 

217-127-85-207.uc.nombres.ttd.es - - [02/Jun/2002:06:28:19 +0200] \
"GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 6 

217-127-250-172.uc.nombres.ttd.es - - [02/Jun/2002:17:51:59 +0200] \
"GET /scripts/root.exe?/c+dir HTTP/1.0" 404 6 

217-127-250-172.uc.nombres.ttd.es - - [02/Jun/2002:17:52:09 +0200] \
"GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 6 

217-127-250-172.uc.nombres.ttd.es - - [02/Jun/2002:17:52:19 +0200] \
"GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 6 

217-127-250-172.uc.nombres.ttd.es - - [02/Jun/2002:17:52:29 +0200] \
"GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 6 

217-127-250-172.uc.nombres.ttd.es - - [02/Jun/2002:17:52:37 +0200] \
"GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 6 

217-127-250-172.uc.nombres.ttd.es - - [02/Jun/2002:17:52:45 +0200] \
"GET  /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 6 

217-127-250-172.uc.nombres.ttd.es - - [02/Jun/2002:17:52:54 +0200] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 6 

217-127-250-172.uc.nombres.ttd.es - - [02/Jun/2002:17:53:02 +0200] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir\
 HTTP/1.0" 404 6 
 
217-127-250-172.uc.nombres.ttd.es - - [02/Jun/2002:17:53:11 +0200] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 6 

3  Como solucionarlo

4  Como se filtran las ips

++++++Inicio script +++++++++++++++++++++++++++++++++ 
echo [*] Elimnado Nimbda 
echo [+] Por Paco Aldarias 
echo [+] Realizado el 8.6.02 
echo [+] /etc/nat/nimba.txt 
 
fl=/var/log/httpd/access_log 
fi=/etc/nat/intrusos.txt 
 
for i in `grep msadc $fl | cut -f1 -d' ' | sort | uniq | xargs echo`; do 
        echo $i >> $fi 
        echo [+] Pasado $i a $fi 
done 
 
for i in `grep default.ida $fl | cut -f1 -d' ' | sort | uniq | xargs echo`; do 
        echo $i >> etc/nat/intrusos.txt 
        echo [+] Pasado $i a $fi 
done 
 
ft=/etc/nat/temp.txt 
echo [*] Quitando repetidos de $fl 
for i in `cat $fi | sort | uniq | cut -f12 -d ',' |  xargs echo`; do 
        echo $i >> $ft 
        echo [+] Pasando $i a $ft 
done 
cp $ft $fi 
cat $fi 
rm $ft 
++++++++++++++++++++ fin script +++++++++++++++++++ 

5  Como hacer q el cortafuegos cierre el paso a esas maquinas

++++++++++++++++++++++ inicio parte del script /etc/rc.d/nit.d/nat ***************** 
fich=/etc/nat/intrusos.txt 
cf=/sbin/iptables 
idsl=eth0 
echo [*] Bloqueando maquina no confiables fichero $fich 
 
for linea in $(cat $fich); do 
        echo [-] $cf -A INPUT -i $iadsl -s $linea -j DROP; 
        $cf -A INPUT -i $iadsl -s $linea -j DROP; 
done 
++++++++++++++++++++++++ fin script ++++++++++++++++++++++++++++++++++++++++++ 

6  Text del virus nimba

Index (showing section)