Forum OpenACS Q&A: Response to How to bypass rp_filter: Nimba Worm

Posted by Tom Jackson on

Thanks Jerry, you answered my question. I didn't realize the worm was looking in other directories. To my above script, the following amendments will catch all the worm attempts, eliminating db hits.

# Proc to log all requests to server.log for easier analysis
# probably not for use on heavy traffic sites.

proc all_and_everything {conn ignore} {

  ns_log notice "[ns_conn peeraddr] [ns_conn request]"
  return filter_ok
}

# New ns_register_filters:

ns_register_filter preauth GET /* all_and_everything

ns_register_filter preauth GET /*.exe nimda

ns_register_filter trace  GET /*.exe nimda_breaktrace

# Note order of registration above is important!
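
Added example (not part of the post above and not OpenACS code): one way to do the analysis that the all_and_everything filter is meant to enable, counting GET requests whose path ends in .exe per peer address. The server.log line layout, the function name exe_requests_by_peer and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumed layout of a line written by the ns_log call in the post:
#   [timestamp][pid.tid][thread] Notice: <peeraddr> <request line>
LINE_RE = re.compile(r"Notice: (?P<peer>\S+) (?P<method>[A-Z]+) (?P<target>\S+)")

# Constructed sample lines (documentation addresses, made-up paths).
SAMPLE_LOG = """\
[20/Sep/2001:10:15:01][1201.2051][-conn0-] Notice: 192.0.2.10 GET /scripts/example.exe?/c+dir HTTP/1.0
[20/Sep/2001:10:15:02][1201.2052][-conn1-] Notice: 192.0.2.10 GET /dir/sub/EXAMPLE.EXE HTTP/1.0
[20/Sep/2001:10:15:03][1201.2053][-conn2-] Notice: 198.51.100.7 GET /index.html HTTP/1.1
[20/Sep/2001:10:15:04][1201.2054][-conn3-] Notice: 198.51.100.7 GET /download?file=setup.exe HTTP/1.1
[20/Sep/2001:10:15:05][1201.2055][-conn4-] Notice: 203.0.113.5 GET /a/example.exe HTTP/1.0
[20/Sep/2001:10:15:06][1201.2056][-sched-] Notice: running scheduled proc
"""


def exe_requests_by_peer(log_text):
    """Return a Counter mapping peer address -> number of GET requests for *.exe paths."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("method") != "GET":
            continue  # not a request line logged by the filter
        # Test the path only, so a query string such as ?file=setup.exe
        # is not counted as a request for an .exe file.
        path = urlsplit(m.group("target")).path
        # Case-folded so upper-case variants are counted too (an assumption;
        # the server's own filter matching may differ).
        if path.lower().endswith(".exe"):
            hits[m.group("peer")] += 1
    return hits


if __name__ == "__main__":
    # Most active sources first.
    for peer, count in exe_requests_by_peer(SAMPLE_LOG).most_common():
        print(f"{peer}\t{count}")
```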