Assuming you are running Apache and you are tired of the constant onslaught of the various worms on the loose now, I have a couple of suggestions.
My main problem? By default, Apache uses a 284-byte file for the 400 error message, and uses a 300-byte file for the 404 error message. Assuming you're not doing anything else to stop these attempts at the gateways, your server(s) are likely wasting bandwidth & cycles serving these error messages back to the worms. So...
AliasMatch (.*)/system32(.*) "/www/worm.html"
AliasMatch (.*)/Admin.dll "/www/worm.html"
AliasMatch (.*)/root.exe "/www/worm.html"
AliasMatch (.*)/cmd.exe "/www/worm.html"
AliasMatch (.*)/default.ida "/www/worm.html"
AliasMatch (.*)/httpodbc.dll "/www/worm.html"
(These go in httpd.conf or the equivalent config file.)
You may need to add "Options MultiViews" to each of your directories, unless you want to enter the AliasMatch series for each vhost on your system.
Then "touch /www/worm.html" to create a zero-byte response file (as opposed to the 280-300 byte default error messages). I'm using an eight-byte worm.html: http://jedinite.com/worm.html - I like the idea of presenting a message, even if the worms aren't paying attention... :) This also keeps your error_log(s) from filling up with 404 messages, and instead just throws a 200 OK response in your access logs.
I got tired of running my "Nimda/Code Red strike-back script", because so many of the machines that were attacking me were so full of worm processes that they wouldn't accept new connections (including my inbound "strike back" connection) and the TCP timeouts were slowing down my server. But if you wanted to, this is also a good way to point Apache to that script.
As an alternative, if you don't mind eating your own bandwidth/processing power, you can send the requests elsewhere, with something as easy as:
RedirectMatch (.*)/system32(.*) http://support.microsoft.com
RedirectMatch (.*)/Admin.dll http://support.microsoft.com
RedirectMatch (.*)/root.exe http://support.microsoft.com
RedirectMatch (.*)/cmd.exe http://support.microsoft.com
RedirectMatch (.*)/default.ida http://support.microsoft.com
RedirectMatch (.*)/httpodbc.dll http://support.microsoft.com
If you have no need to service .exe, .dll, or .ida calls, you can handle them all with one redirect:
RedirectMatch ^.*\.(exe|dll|ida).* http://support.microsoft.com
Thanks to Dvicci (dvicci_at_reckoning_dot_org), here is a more elegant implementation in Perl:
# in your httpd.conf file, inside a <Perl> ... </Perl> section (mod_perl 1.x)
<Perl>
{
    package Apache::MSTD;
    use strict;
    # OK must be imported as well as REDIRECT, otherwise "return OK" is just a bareword
    use Apache::Constants qw(OK REDIRECT);

    # Runs once per request, before URI translation, so it covers every vhost
    sub handler {
        my $r = shift;
        # Same worm probe signatures as the AliasMatch list above
        if ($r->uri() =~ /root\.exe|cmd\.exe|default\.ida|system32|Admin\.dll|httpodbc\.dll/i) {
            $r->header_out(Location => 'http://support.microsoft.com/');
            return REDIRECT;
        }
        return OK;
    }
}
</Perl>
PerlPostReadRequestHandler Apache::MSTD
Just for kicks, I config'd analog to include the various worm attacks in its reports. Check out my default vhost here:
http://jedinite.com/analog/
jedinite_at_jedinite_dot_com
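To see what the AliasMatch trick is buying you, here is a small Python log scanner, added here and not from the original post, that picks worm probes out of an Apache access log using the same URI signatures and totals the bytes they were served; the log lines are constructed samples, and the log format assumed is the common/combined format.

```python
import re
from collections import Counter

# Constructed sample access-log lines: three probes still served the default 400/404
# error bodies, one already served the 8-byte worm.html, plus one legitimate request.
SAMPLE_LOG = """\
10.0.0.1 - - [19/Sep/2001:10:01:02 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 300
10.0.0.2 - - [19/Sep/2001:10:01:03 -0500] "GET /default.ida?XXXXXXXX HTTP/1.0" 400 284
10.0.0.3 - - [19/Sep/2001:10:01:04 -0500] "GET /index.html HTTP/1.0" 200 1532
10.0.0.1 - - [19/Sep/2001:10:01:05 -0500] "GET /_vti_bin/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 8
10.0.0.4 - - [19/Sep/2001:10:01:06 -0500] "GET /scripts/httpodbc.dll HTTP/1.0" 404 300
"""

# The same URI signatures the post's AliasMatch list and Perl handler key on.
WORM_RE = re.compile(r"root\.exe|cmd\.exe|default\.ida|system32|Admin\.dll|httpodbc\.dll", re.I)
# Enough of the common log format to pull out client IP, request URI, status and bytes sent.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<uri>\S+)[^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)')

def classify(line):
    """Return (signature, client_ip, status, bytes_sent) for a worm probe line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    sig = WORM_RE.search(m.group("uri"))
    if not sig:
        return None
    size = 0 if m.group("bytes") == "-" else int(m.group("bytes"))
    return sig.group(0).lower(), m.group("ip"), int(m.group("status")), size

def summarize(log_text):
    """Count probes by signature, client and status code, and total the bytes served to them."""
    by_sig, by_ip, by_status = Counter(), Counter(), Counter()
    bytes_served = 0
    for line in log_text.splitlines():
        hit = classify(line)
        if hit is None:
            continue
        sig, ip, status, size = hit
        by_sig[sig] += 1
        by_ip[ip] += 1
        by_status[status] += 1
        bytes_served += size
    return {"probes": sum(by_sig.values()), "bytes": bytes_served, "by_signature": dict(by_sig),
            "by_ip": dict(by_ip), "by_status": dict(by_status)}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Run it against a real access_log before and after adding the AliasMatch lines: the probe count stays the same, but "bytes" drops to roughly zero and "by_status" shifts from 400/404 to 200.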