Mailing List Archive

   tlug.jp -> Mailing List -> tlug archive -> tlug Mailing List Archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [tlug] Script Kiddy Defence Script


> Yes, sounds interesting (even though I don't like perl at all ;-).

Oh... you're in luck. While the original test version of the script was
in perl it seems I re-wrote the 'production' version in C. I'm ataching
it below. To use it you would create a SHITLIST chain using iptables and
route your incoming packets through that chain (using a seperate chain
makes it really easy to clear the auto-banned IP addresses later). Then
pipe the log output of Apache to this script (you can do that from the
config file). The scanner acts like a null filter so you can re-pipe the
output to your real log file or to some other log processing filter.

The list of probe strings is probably out-of-date. You should eyeball a
fairly recent Apache log file to see if there have been any new exploits
added to the typical noise.

With just a bit of parsing... maybe with the perl-like RE library... one
could concoct a whole slew of real-time monitors to lock out the kiddies.

BTW, in looks like there may be another buffer overflow vulnerability in
the 'examine( )' routine. You might want to add some sanity checks to make
sure 'referer[ fieldSep - buffer ]' falls within the range of the string.

====

#include <stdio.h>
#include <malloc.h>
#include <string.h>

char* badguys[ ] =
{
    "/default.ida",
    "/scripts",
    "/c/winnt",
    "/d/winnt",
    "/_mem_bin",
    "/msadc",
    "/MSADC",
    "/_vti_bin",
    0
};

static int   bufsiz;
static char* buffer;

void shitcan( char* referer )
{
    char tmp[ 1024 ]; strcpy( tmp, referer ); strcat( tmp, "/32" );

    execl( "/sbin/ipchains", "ipchains", "-A", "shitlist", "-s", tmp, "-j", "REJECT", 0 );

    exit( 0 );
}

void examine( char* buffer )
{
    char  referer[ 1024 ];

    char* fieldSep = index( buffer, ' ' );
    char* rqString = strstr( buffer, "GET " );

    if ( fieldSep )
    {
        strncpy( referer, buffer, ( fieldSep - buffer ) );

        referer[ fieldSep - buffer ] = 0x00;

        if ( rqString )
        {
            char** ptr = badguys;

            while ( *ptr )
            {
                if ( strncmp( ( rqString + 4 ), *ptr, strlen( *ptr ) ) == 0 )
                {
                    int pid = fork( );

                    if ( pid )
                    {
                        wait( 0 );
                    }
                    else
                    {
                        shitcan( referer );
                    }
                }
                ++ptr;
            }
        }
    }
}

int main( int argc, char* argv[ ] )
{
    /*
     *  Initial buffer should be plenty for now
     */
    buffer = malloc( bufsiz = 2 );

    /*
     *  Main loop is simple -- read lines forever and process them
     */
    while ( fgets( buffer, bufsiz, stdin ) )
    {
        /*
         *  Buffer overflow protection (should have an upper bound)
         */
        while ( *( buffer + ( strlen( buffer ) - 1 ) ) != '\n' )
        {
            buffer = realloc( buffer, bufsiz *= 2 );

            fgets( ( buffer + strlen( buffer ) ), ( bufsiz / 2 ), stdin );
        }
        examine( buffer ); fputs( buffer, stdout ); fflush( stdout );
    }
    return( 0 );
}


--
Joe Larabell -- Synopsys VCS Support      US: larabell@example.com
http://wwwin.synopsys.com/~larabell/   Japan: larabell@?jp
Home | Main Index | Thread Index

Home Page Mailing List Linux and Japan TLUG Members Links