mollat.de/security - projekte - apache-worm

#/bin/sh
#
# Script to "shoot off" the bothering apache-worm Scalper
#
# The script is tested with OpenBSD 2.9 and 3.0 but should run on many more systems.
# Before using the script be sure to have installed /usr/ports/net/nemesis and its
# dependency, /usr/ports/net/libnet. If you don't know how to do this, please don't
# ask me - ask your system administrator. (Thanks ;-)
#
# Be also sure to have the payload file ("data") in the same dir as this script.
#
# Unfortunally, there was in every (for me) available version of nemesis a little but
# painfull bug. You have to remove the lines 24+25 in the file "nemesis-proto_tcp.c".
# They should after your modification look like:
#
# //   else
# //      payload_s = strlen(payload);
#
# Recompile it with "make && make install" and make sure the new version appears in
# /usr/local/sbin or whereever your port puts it as default.
#
# One more thing: You can't shoot worms behind a firewall but in my case - their
# amount was below 1 percent, _I_ can live with that...
#
# Use freely as you like. Of course I can't take any warranties for what this software
# does - if it robs your bank account - don't blame me for that. If you like - send me
# an email if it works for you or not...
#
# Have fun, Andreas Mollat, Hannover, Germany
#
# (C) 08.07.2002 Andreas Mollat (wk @ mollat.de)

MYIP=1.2.3.4
MYDEV=rl0
PACKET_NUM=1

while true
do
        for IP in `tcpdump -c $PACKET_NUM -lni $MYDEV udp port 2001 \
		   | sed -e 's/^[^ ]* //1' -e 's/\.2001.*$//1p'`
        do
                # -v = verbose
                # -S = Source IP
                # -D = Destination IP
                # -x = Source Port
                # -y = Destination Port
                # -P = Payload

                nemesis-udp -S $MYIP -D $IP -x 2001 -y 2001 -P data
                echo Shot host: $IP
                echo $IP >> shot
        done
done