Koozali.org: home of the SME Server

Are your servers getting hits from NIMDA?

Patrick Basile

Are your servers getting hits from NIMDA?
« on: November 02, 2001, 10:54:59 PM »
Hello everyone,

First, I know that my SME V5 server is secure from Nimda, since it's running Apache - so please don't just respond saying "Don't worry, that's an IIS thing." (Even though, yes it is an IIS problem and yes I'm happy that I don't have to worry about it.)

Okay, so now my question:  Are your e-smith/SME servers being hit with as much Nimda as one of mine - 5,863 hits this week!  Here's my link to show you if you're interested:  http://64.3.180.188/apache-hits.php

(Thanks to Darrell for creating this, and thanks to Dan for showing me how this could be done.  It looks like Dan's seeing Nimda hits on his server as well - 1,176.)

Based on what I know about Nimda, the compromised IIS machines will attempt to hit a randomly generated IP address.  If this is true, wouldn't most systems see roughly the same amount of Nimda hits?  With that number increasing/decreasing at roughly the same amount across the board as more IIS machines became compromised or were patched?

I'm more curious about others' experiences, and your thoughts on the whole thing.  Has anyone attempted to contact their ISP for help - or (my heavens) tried to locate/contact the individual or business with compromised machines?

Bottom line - I'm shocked by the sheer number of hits my server has seen just this week.  Last week it was around 6000 total.  Based on the amount of hits so far this week, it will be even higher.  So Nimda is alive and well, and appears to be spreading again!

Regards,
Patrick

sage

Re: Are your servers getting hits from NIMDA?
« Reply #1 on: November 03, 2001, 12:02:30 AM »
So how do I install this, and I will let you know about my hits.

Patrick Basile

Re: Are your servers getting hits from NIMDA?
« Reply #2 on: November 03, 2001, 01:08:16 AM »
Sage,

Get the file apache-hits.zip at: http://www.myezserver.com/downloads/mitel

Unzip the contents.

Place the apache-hits.php file in: /home/e-smith/files/primary/html

That's all you need to do.

Then browse to http://yourdomain/apache-hits.php and you will see the hits.

Let me know how that works for you.  Thanks.

Regards,
Patrick

SteveB

Re: Are your servers getting hits from NIMDA?
« Reply #3 on: November 03, 2001, 01:32:37 AM »
So far this week my server has received 1045 Nimda hits, zero Code Red hits and zero Code Red II hits. By the way, I am on a dialup with a continuous connection only during 8:00 AM to 6:00 PM. Each day I have a different IP address. Last week I had over 900 Nimda hits.

sage

Re: Are your servers getting hits from NIMDA?
« Reply #4 on: November 03, 2001, 02:08:32 AM »
I have 686 hits.  I think that the worm only looks for servers to infect on the same subnet, not the whole internet.  Not sure though, it could be one of the other worms.

Sage

Rob Wilkins

Re: Are your servers getting hits from NIMDA?
« Reply #5 on: November 06, 2001, 02:20:08 AM »
/etc/e-smith/templates-custom/etc/rc.d/init.d/masq/43DenyCustom

    /sbin/ipchains --append input -p all -s 207.34.111.0/24 -d $OUTERNET -j ACCEPT
    /sbin/ipchains --append input -p all -s 207.0.0.0/8 -d $OUTERNET -j denylog

This works for me.  I was getting a lot of denied access also. So I allowed only 207.34.111.0 and blocked the rest of 207.

He...he...he, call me evil, but I figure I'll wait a while, maybe a year, then I'll try opening it again.  I figure, if you like to hack, I'll block your whole net.

Charlie

Re: Are your servers getting hits from NIMDA?
« Reply #6 on: February 20, 2002, 06:53:10 AM »
I can't get this to work in version 5.12. I just get a blank page. Any ideas?

Patrick Basile wrote:
>
> Sage,
>
> Get the file apache-hits.zip at:
> http://www.myezserver.com/downloads/mitel
>
> Unzip the contents.
>
> Place the apache-hits.php file in:
> /home/e-smith/files/primary/html
>
> That's all you need to do.
>
> Then browse to http://yourdomain/apache-hits.php and you will
> see the hits.
>
> Let me know how that works for you.  Thanks.
>
> Regards,
> Patrick

Dubois

Re: Are your servers getting hits from NIMDA?
« Reply #7 on: February 25, 2002, 08:00:04 AM »
/etc/e-smith/templates-custom/etc/rc.d/init.d/masq/43DenyCustom

    /sbin/ipchains --append input -p all -s 207.34.111.0/24 -d $OUTERNET -j ACCEPT
    /sbin/ipchains --append input -p all -s 207.0.0.0/8 -d $OUTERNET -j denylog

Did you have to define $OUTERNET, or is this acceptable to put into the template?

Dubois

Re: Are your servers getting hits from NIMDA?
« Reply #8 on: February 25, 2002, 08:27:11 AM »
Oops... never mind, got it.

Dubois

Re: Are your servers getting hits from NIMDA?
« Reply #9 on: February 26, 2002, 03:54:07 AM »
I have tried entering those ipchains commands, and I am still getting hit by the same server, over and over again.  (I did do a /sbin/e-smith/signal-event remoteaccess-update.)   Is there something I'm missing?

Sue Robertson

Re: Are your servers getting hits from NIMDA?
« Reply #10 on: February 27, 2002, 02:38:24 AM »
Sorry for my ignorance as a newbie.

I've downloaded & unzipped the relevant apache-hits file onto my W2K
desktop.  I can access my E-smith via putty but don't know how to get the
file from windoze into the Linux file system.

Any help greatly appreciated.

Sue Robertson

Terry Brummell

Re: Are your servers getting hits from NIMDA?
« Reply #11 on: February 27, 2002, 02:53:28 AM »
You need a secure copy program, also known as SCP. I use the trial version of PenguiNet for my SCP needs.  You can get it at download.com.

Sue Robertson wrote:
>
> Sorry for my ignorance as a newbie.
>
> I've downloaded & unzipped the relevant apache-hits file onto
> my W2K
> desktop.  I can access my E-smith via putty but don't know
> how to get the
> file from windoze into the Linux file system.
>
> Any help greatly appreciated.
>
> Sue Robertson

Sue Robertson

Re: Are your servers getting hits from NIMDA?
« Reply #12 on: February 27, 2002, 06:27:05 AM »
Thanks for that.  I've copied the file into the appropriate location with the help of PenguiNet.  All that shows when I look at it through the browser http://203.31.252.245/apache-hits.php is the following etc...


 $file = "/var/log/httpd/access_log";
 $fh = fopen ("$file","r") or die ("Cannot find access_log!");
 while (!feof ($fh))
 {
 $line = fgets ($fh, 4096);
 if (ereg ("default.ida",$line))
  {
  if (ereg ("default.ida\?XXX",$line)) $counter2++;
  if (ereg ("default.ida\?NNN",$line)) $counter1++;
  }
 if (ereg ("c\+dir",$line)) $counter3++;
 }
 fclose ($fh);

What have I done wrong?

TIA
Sue
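The raw PHP that showed up in Sue's browser is the whole of what apache-hits.php does: read /var/log/httpd/access_log and count lines matching the Code Red (default.ida?NNN...), Code Red II (default.ida?XXX...) and Nimda (?/c+dir) probe signatures. As an added example that is not the apache-hits.php script itself, here is the same counting in Python, run over constructed log lines (private and TEST-NET addresses, not real traffic); it additionally tallies hits per source address, which is what you want to look at before writing an ipchains deny rule like the ones earlier in the thread.

```python
import re
from collections import Counter

# Constructed sample access_log lines (private/test addresses, not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [02/Nov/2001:10:11:12 -0500] "GET /default.ida?NNNNNNNN%u9090%u6858 HTTP/1.0" 404 276
10.0.0.6 - - [02/Nov/2001:10:12:01 -0500] "GET /default.ida?XXXXXXXX%u9090%u6858 HTTP/1.0" 404 276
10.0.0.7 - - [02/Nov/2001:10:13:45 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 273
10.0.0.7 - - [02/Nov/2001:10:13:46 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 289
10.0.0.7 - - [02/Nov/2001:10:13:47 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 271
192.0.2.9 - - [02/Nov/2001:10:15:00 -0500] "GET /index.html HTTP/1.1" 200 1043
"""

# Signatures from the apache-hits.php snippet: Code Red (?NNN), Code Red II (?XXX), Nimda (?/c+dir).
SIGNATURES = {
    "Code Red": re.compile(r"/default\.ida\?N"),
    "Code Red II": re.compile(r"/default\.ida\?X"),
    "Nimda": re.compile(r"\?/c\+dir"),
}

# Common log format: client ip, ident, user, [timestamp], "request", status, bytes.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)"')


def classify(line):
    """Return (client_ip, worm_name) for a probe line, or None for ordinary traffic."""
    m = LINE_RE.match(line)
    if not m:
        return None
    for name, pattern in SIGNATURES.items():
        if pattern.search(m.group("request")):
            return m.group("ip"), name
    return None


def count_hits(log_text):
    """Tally probes per worm (as the PHP counters do) and per source address."""
    per_worm, per_source = Counter(), Counter()
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            per_source[hit[0]] += 1
            per_worm[hit[1]] += 1
    return per_worm, per_source


if __name__ == "__main__":
    worms, sources = count_hits(SAMPLE_LOG)
    print(dict(worms), sources.most_common(3))
```

To run it against a real server, replace SAMPLE_LOG with the contents of /var/log/httpd/access_log; the per-source counter tells you which individual addresses are probing rather than the whole /8 they sit in.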

Terry Brummell

Re: Are your servers getting hits from NIMDA?
« Reply #13 on: February 27, 2002, 06:35:49 AM »
This is where it gets complicated.  I haven't changed anything in my default installation (as far as I know) and PHP works fine (i.e. phpsysinfo works for me in my primary ibay) without enabling anything.  I have seen where people have not been able to make PHP work by default in the primary ibay. I don't know what I have done differently, but PHP does work in my primary site without changes....

Sue Robertson wrote:
>
> Thanks for that.  I've copied the file into the appropriate
> location with the help of PenguiNet.  All that shows when I
> look at it through the browser
> http://203.31.252.245/apache-hits.php is the following etc...
>
> >
>  $file = "/var/log/httpd/access_log";
>  $fh = fopen ("$file","r") or die ("Cannot find access_log!");
>  while (!feof ($fh))
>  {
>  $line = fgets ($fh, 4096);
>  if (ereg ("default.ida",$line))
>   {
>   if (ereg ("default.ida\?XXX",$line)) $counter2++;
>   if (ereg ("default.ida\?NNN",$line)) $counter1++;
>   }
>  if (ereg ("c\+dir",$line)) $counter3++;
>  }
>  fclose ($fh);
>
> What have I done wrong?
>
> TIA
> Sue

Tom Veitch

Re: Are your servers getting hits from NIMDA?
« Reply #14 on: February 27, 2002, 06:42:24 AM »
I copied the code you had and it worked.

http://144.137.156.151

Sue Robertson

Re: Are your servers getting hits from NIMDA?
« Reply #15 on: February 27, 2002, 07:34:59 AM »
Thanks for all your help.  I'll give up for now, but at least I've learned something.