Apache CodeRed Countermeasures with PHP: codeRedKiller!
Aug 19th, 05:12 UTC
CodeRed is a problem for all system administrators and webmasters, not
just those using IIS. It takes time and energy to respond even if it's
just a 404. codeRedKiller is a PHP and bash script combo that automatically
processes and drops requests from offending CodeRed servers.
codeRedKiller is a simple concept that truly can help conserve resources.
It saves time and energy (bandwidth, CPU power, etc.) by automatically identifying and dropping requests from
CodeRed-infected hosts. Its goals are to stop CodeRed requests to
Apache web servers and to do it without requiring more effort than a typical 404 error.
codeRedKiller achieves these goals with a straightforward PHP script (included) that
masquerades as the "default.ida" file that CodeRed itself searches out.
If a request is made to this file (a PHP script in this case), it simply
records the IP address of the offending host (the requestor) to a file.
That file is then parsed by a shell script (bash in this case, also included)
that reads the offending IP addresses and adds a rule to a firewall
mechanism to DENY any further requests from the offending hosts (ipchains in this case, but
very easily adapted).
The shell script is then set in cron and at a predetermined interval automatically
grabs the file of offending hosts, drops them and cleans out the file. Once it is
set up it runs on its own and continues to drop offending hosts.
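The cron-side half of that design, as an added example that is not the codeRedKiller script itself: it assumes the PHP decoy wrote one IP address per line to a file at an assumed placeholder path, validates each line as a dotted-quad before it is handed to the firewall (the file is written on behalf of untrusted remote hosts), dedupes, emits one ipchains DENY rule on the input chain per host, and then empties the file. FIREWALL_CMD can be overridden for a dry run.

```shell
#!/bin/sh
# Added example (not the codeRedKiller script itself). Assumed path and rule form:
# one IP per line in CODERED_FILE, blocked with "ipchains -A input -s <ip> -j DENY".
CODERED_FILE="${CODERED_FILE:-/tmp/codered_hosts.txt}"   # placeholder path
FIREWALL_CMD="${FIREWALL_CMD:-ipchains}"                 # set to ":" for a dry run

# is_ipv4 ADDR : succeed only for a plain dotted-quad whose four octets are 0-255.
# Anything else (hostnames, shell metacharacters, IPv6, empty lines) is rejected,
# so a malformed line in the decoy's file can never reach the firewall command line.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# block_hosts FILE : add one DENY rule per unique valid IP in FILE, print the
# IPs that were blocked (one per line), then truncate FILE for the next cron run.
block_hosts() {
    file="$1"
    [ -f "$file" ] || return 0
    # sort -u dedupes so a host that probed many times gets a single rule
    sort -u "$file" | while read -r ip; do
        is_ipv4 "$ip" || continue          # skip garbage lines silently
        "$FIREWALL_CMD" -A input -s "$ip" -j DENY
        echo "$ip"
    done
    # clean out the file so already-blocked hosts are not re-added every interval
    : > "$file"
}

# Typical cron usage: block_hosts "$CODERED_FILE"
```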
codeRedKiller is available from screaming-penguin.com
and uses common open source technologies (PHP, bash, ipchains, cron). It's free to use and edit as
you see fit (and no warranty of any kind is expressed or implied).
For more info and an example of the source check the original TotSP story: Apache CodeRed Countermeasures with PHP: codeRedKiller!
(Submitted by Charlie Collins of Screaming-Penguin.com)