On Tue, Nov 06, 2001 at 07:43:56PM -0700, Brett Glass wrote:

> Just thought the denizens of the Bugtraq list might be interested in a
> quick fix for Apache which instantly blocks Nimda (all variants), Code
> Red, sadmind/IIS, and kin.
>
> To quickly blackhole the worms, just add the following to your logging
> configuration in Apache's httpd.conf file.
>
> SetEnvIf Request_URI "/winnt/system32/cmd\.exe" nimda
> CustomLog "|exec sh" "route -nq add -host %400,404a 127.0.0.1 -blackhole" env=nimda

This is very cool stuff. So if I can get someone to view an HTML page|email
with code like

  <img alt="" height="0" width="0" hspace="0" vspace="0"
   src="http://brettglass.example.com/winnt/system32/cmd.exe">,

I can easily prevent them, or anyone else coming from the same space, from
reaching your Web server. Get some AOL users to read the messages and
bye-bye to all the AOL proxy server traffic. Get lots of usenet "victims",
and even if they don't care about your Web site, man, your routing table
suddenly looks bad.

Very (un)cool.

-Peter

P.S. If that exec sh route thing actually works, does that mean your httpd
is running as root? Or is "route" a SUID wrapper, so the httpd user only
has the ability to wreck your routing table? Just curious.
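The collateral-damage problem Peter describes can be made concrete by replaying the quoted rule over a log. The following Python is an added illustration, not code from either poster: it applies the same SetEnvIf pattern and the 400/404 restriction that `%400,404a` puts on the client address, computes which client addresses the quoted config would null-route, and shows what a request-level refusal (deny only the matching request, leave the routing table alone) would do instead. The log lines, the 198.51.100.0/24 "shared proxy" range and the address values are all constructed for the example.

```python
import re
from ipaddress import ip_address, ip_network

# The SetEnvIf pattern from the quoted httpd.conf line.
WORM_URI = re.compile(r"/winnt/system32/cmd\.exe")

# The quoted CustomLog format only yields a client address for responses
# with status 400 or 404, so the piped "route" command only fires then.
TRIGGER_STATUSES = {400, 404}

# Minimal Common Log Format parser (constructed for this example; fields
# other than client address, request URI and status are ignored).
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+$'
)

# Constructed sample log. 203.0.113.7 plays a worm scanner; 198.51.100.20
# plays a hypothetical shared proxy whose users were tricked into loading the
# <img> tag from the reply above and then tried to read the site normally.
SAMPLE_LOG = [
    '203.0.113.7 - - [06/Nov/2001:19:50:01 -0700] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291',
    '198.51.100.20 - - [06/Nov/2001:19:50:02 -0700] "GET /winnt/system32/cmd.exe HTTP/1.1" 404 291',
    '198.51.100.20 - - [06/Nov/2001:19:50:05 -0700] "GET /index.html HTTP/1.1" 200 1532',
    '192.0.2.44 - - [06/Nov/2001:19:50:06 -0700] "GET /index.html HTTP/1.1" 200 1532',
]

# Hypothetical egress range shared by many users (a proxy farm, for instance).
SHARED_EGRESS = [ip_network("198.51.100.0/24")]


def parse(line):
    """Return (client_ip, uri, status) for a CLF line, or None if unparsable."""
    m = CLF.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("uri"), int(m.group("status"))


def quoted_rule_fires(entry):
    """True when the quoted SetEnvIf/CustomLog pair would run `route ... -blackhole`."""
    ip, uri, status = entry
    return bool(WORM_URI.search(uri)) and status in TRIGGER_STATUSES


def blackholed_hosts(lines):
    """Client addresses the quoted config would null-route for the whole host."""
    return {e[0] for e in map(parse, lines) if e and quoted_rule_fires(e)}


def collateral_damage(lines, shared_egress=SHARED_EGRESS):
    """Blackholed addresses that fall inside a shared egress range, plus the
    legitimate requests from those addresses that the null route would kill."""
    blocked = blackholed_hosts(lines)
    shared = {ip for ip in blocked
              if any(ip_address(ip) in net for net in shared_egress)}
    lost = [e for e in map(parse, lines)
            if e and e[0] in shared and not quoted_rule_fires(e)]
    return shared, lost


def per_request_decisions(lines):
    """Request-level alternative: refuse only the matching request and leave
    routing untouched, so other traffic from the same address still works."""
    decisions = []
    for e in map(parse, lines):
        if e is None:
            continue
        ip, uri, _status = e
        decisions.append((ip, uri, "refuse" if WORM_URI.search(uri) else "serve"))
    return decisions


if __name__ == "__main__":
    print("null-routed by quoted config:", sorted(blackholed_hosts(SAMPLE_LOG)))
    shared, lost = collateral_damage(SAMPLE_LOG)
    print("shared egress addresses hit:", sorted(shared))
    print("legitimate requests lost:   ", lost)
    for ip, uri, verdict in per_request_decisions(SAMPLE_LOG):
        print(f"{verdict:7s} {ip:15s} {uri}")
```

The run shows the two failure modes the thread raises: the shared proxy address 198.51.100.20 is null-routed on the strength of a single attacker-induced request, and its later legitimate `/index.html` request is lost, whereas the request-level policy refuses just the two worm-pattern requests and serves the rest. In Apache the request-level form is the same `SetEnvIf` line paired with an access control such as `Deny from env=nimda` rather than a piped `CustomLog`, which also sidesteps the privilege question in the P.S.: piped log programs are spawned by the parent httpd process and inherit its user id, so when the server is started as root they usually run as root.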