It's a new worm. Below are my countermeasures, put in a virtual server which is accessible by IP only.
- a script called scripts, with a .htaccess file like this:
<Files scripts>
ForceType application/x-httpd-php
</Files>
<Files msadc>
ForceType application/x-httpd-php
</Files>
<Files _vti_bin>
ForceType application/x-httpd-php
</Files>
_vti_bin and msadc are symlinks to scripts.
This is the body of scripts:
<?php
/**
This script will block any IP address which tries to exploit
known IIS bugs. The IP will be blocked for this web site by
IP only (so ets.dhs.org will still work) and it will add the
IP to the hosts.deny file
*/
set_time_limit(0);
// Take the client address and request from $_SERVER rather than from the
// register_globals variables $REMOTE_ADDR / $REQUEST_URI, which are off by default.
$ip  = $_SERVER['REMOTE_ADDR'];
$uri = $_SERVER['REQUEST_URI'];
// Block the ip from http (error_log type 3 appends the message to the named file)
error_log("Deny from $ip\n", 3, '/var/www/iponly/.htaccess');
// Add to user readable log
error_log(date("M d Y H:i.s") . " - $ip blocked because of $uri\n", 3, "/var/www/iponly/blocklog");
// Block the ip from server
error_log("All: $ip\n", 3, '/etc/hosts.deny');
// Run smbclient against the client's C$ share with the notify commands as stdin
// and keep its output; the address is shell-quoted before it reaches the command line
$out = shell_exec('smbclient //' . escapeshellarg($ip) . '/C$ -N -I ' . escapeshellarg($ip) . ' < /var/www/iponly/notify');
error_log($out . "\n\n", 3, '/var/www/iponly/smblog');
?>
This is the text of notify:
PUT You_Are_Infected.txt
This is the text of You_Are_Infected.txt:
"
This computer tried to infect my computer. My computer put this text file here
automatically to let you know you are infected.
You can get more information here:
http://www.newsbytes.com/news/01/170225.html
http://www.sarc.com/avcenter/venc/data/w32.nimda.a@mm.html
http://www.trusecure.com/html/tspub/hypeorhot/rxalerts/tsa01024_cid177.shtml
"
It's working really well for me. My stats show 90% of the machines hitting me are Win NT and 10% are Win 2000.
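A log-side variant of the same idea, added here as an example and not part of the original post: it scans Apache access-log lines for requests that enter the scripts, msadc or _vti_bin paths the .htaccess above traps, keeps only sources that are syntactically valid IPv4 addresses (so a garbled field can never inject a stray token into the deny list), and renders de-duplicated, sorted `Deny from` rules. The log format, the `Order allow,deny` preamble and the sample lines are assumptions.

```python
import re
import ipaddress

# Default Apache common/combined log prefix (constructed regex, assumed format).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3})')

# The three path names the .htaccess above traps, matched as whole path segments
# (case-insensitive, since IIS paths are) so that /myscripts/ does not match.
PROBE_SEGMENTS = ("scripts", "msadc", "_vti_bin")
PROBE_RE = re.compile(r"/(?:%s)(?:/|$)" % "|".join(map(re.escape, PROBE_SEGMENTS)), re.I)

def is_probe(uri):
    """True if the request path (query string dropped) enters a trapped segment."""
    return PROBE_RE.search(uri.split("?", 1)[0]) is not None

def offending_ips(log_lines):
    """Set of valid IPv4 sources that requested a trapped path; other lines are skipped."""
    hits = set()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or not is_probe(m.group("uri")):
            continue
        try:
            # Only a plain IPv4 address may reach the deny list; a garbled or
            # forged field must not inject an arbitrary token into .htaccess.
            hits.add(str(ipaddress.IPv4Address(m.group("ip"))))
        except ValueError:
            continue
    return hits

def deny_rules(ips):
    """Apache 2.2-style access rules, sorted so the generated file is stable."""
    lines = ["Order allow,deny", "Allow from all"]
    lines += ["Deny from %s" % ip for ip in sorted(ips, key=ipaddress.IPv4Address)]
    return "\n".join(lines) + "\n"

# Constructed sample log lines; the addresses are documentation ranges, not real hosts.
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Sep/2001:10:00:01 +0000] "GET /scripts/a.exe HTTP/1.0" 404 -',
    '192.0.2.10 - - [18/Sep/2001:10:00:02 +0000] "GET /msadc/b.dll HTTP/1.0" 404 -',
    '192.0.2.20 - - [18/Sep/2001:10:00:03 +0000] "GET /_VTI_BIN/c.exe HTTP/1.0" 404 -',
    '198.51.100.5 - - [18/Sep/2001:10:00:04 +0000] "GET /index.html HTTP/1.0" 200 1234',
    '198.51.100.6 - - [18/Sep/2001:10:00:05 +0000] "GET /myscripts/page.php HTTP/1.0" 200 99',
    'not-an-ip - - [18/Sep/2001:10:00:06 +0000] "GET /scripts/x HTTP/1.0" 404 -',
]

if __name__ == "__main__":
    print(deny_rules(offending_ips(SAMPLE_LOG)), end="")
```

Unlike the per-request script above, this runs offline over a log, so it can be re-run to regenerate the whole deny list rather than appending one line per hit.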