• After seeing the Apache access and error logs grow forever the last couple of months.
• After getting tired of shell scripting to process the log files and create some reporting to be emailed manually to abuse @ and postmaster @ a compromised domain.
• After receiving the next connection bill for the T1 and realizing that the increase in traffic the last couple of months has been such that the monthly fee went up.

I got so upset with web masters and Internet users that just do not seem to know or care that their systems are compromised that I decided to develop my own solution to deal with this trouble.

The solution is rather simple.

• A couple of modifications in the Apache configuration file.
• A program 'FireBird' (CGI) written in C/C++ to process all the intrusion attempts and report those to the responsible parties.

How it works:

• Through the modifications in the Apache configuration file Apache activates FireBird when a known request to one of the IIS vulnerabilities comes in.
• FireBird loads a configuration file.
• Checks if the URI really as a worm signature.
• Checks where the request URI comes from (remote)
• Checks when the last intrusion attempt from this remote was made.
• If that was shorter than 24 hours ago FireBird exits.
• If that was longer than 24 hours ago FireBird logs the remote IP address and the time of the intrusion.
• Digs around in DNS for the domain name associated with the remote IP address.
• Looks up the net block owner email address.
• Generates an email message to abuse@ and postmaster@ of the offending domain and to the net block owner.
• Injects the generated email into the qmail queue.

Related information

• Symantec Security Response - W32.Nimda.A@mm
• Cisco - "Nimda" Virus Technical Tips
• CERT® Advisory CA-2001-26 Nimda Worm
• Microsoft Security

Epilogue:
Right now FireBird is being run (beta testing is over!) on 23 domains. The last serious change was to enable FireBird to search for the net block owner and sending the email to the net block owner. However, the tedious job of writing a daily email and informing the responsible parties about their compromised system is history.

Click here to read some of the responses on the FireBird messages.

Click here to see from where the latest intrusions came.

If you would like to stay informed about the notices, updates, fixes on FireBird, please subscribe to FireBird Announce (firebird-announce@digitaldaemon.com).

This page is being referred to by the email being sent by FireBird.
When interested in using FireBird on FreeBSD, OpenBSD, NetBSD, Unix or Linux, download the sources here and follow the instructions on how to activate it on your system. If you have any difficulty, please let me know.
When interested in using FireBird with Apache on Win32 (Windows XP, Windows 2000, Windows NT) check FireBird 1.0.4 for instructions on how to setup.

• FireBird sources firebird-1.0.7.tar.gz (May 30, 2003 13:27 EDT) (NEW!)
  As followup on an email from lacnic.net updated NetBlockOwner.cpp with the information available at: http://www.iana.org/assignments/ipv4-address-space. Also removed some redundant code between the Unix (FreeBSD) and the Win32 versions.
  
  
• FireBird sources firebird-1.0.6.tar.gz (April 23, 2003 21:29 EDT)
  Added HTTP_X_FORWARDED_FOR and HTTP_CLIENT_IP to Report.cpp in case they exist in the environment. Also added GMT time.
  
  
• FireBird sources firebird-1.0.5.tar.gz (November 27, 2002 10:45 EST)
  Added a little bit of code to FireBird for Win32. Since ignorant Windows users seems to be bothered by popup messages boxes the last couple of weeks I figured that since they are mostlikeky the onces that also keep Nimda going it would be a good idea to add a NetMessageBufferSend call to FireBird for Win32. This way, when they hit Apache on my notebook which is running comcast cable they will get a popup message box right on their screen telling them they have a problem! If you have a Win32 box and are on a public IP address try this test link and see what happens!
  http://comcast.digitaldaemon.com/cgi-bin/firebird.exe/FireBird
  
  
• FireBird sources firebird-1.0.4.tar.gz (October 29, 2002 15:55 EDT)
  More or less finished the port of FireBird to Win32. It's currently running on Windows 2000 Professional with Apache. Click here to see how the Win32 version works with the test signature: http://comcast.digitaldaemon.com/cgi-bin/firebird.exe/FireBird
  
  
• Have Cable, DSL, or an other connection? Running Apache on a Win32 platform or are willing to install Apache and want to join the fight against Nimda? Here is how:
  • If you already have Apache installed skip this step. Otherwise, download and install Apache. Instructions on how to download and install apache on Microsoft Windows are here: http://httpd.apache.org/docs/windows.html. To just download the Installer click here: http://nagoya.apache.org/dist/httpd/binaries/win32/apache_1.3.27-win32-x86-no_src.exe Install Apache into "C:/Program Files/Apache Group/Apache". This is the default location!
  • Download FireBird for Win32 (firebird.EXE) and save it to Apache's cgi-bin directory "C:/Program Files/Apache Group/Apache/cgi-bin". When using a different location for Apache httpd.conf will have to be changed to reflect the proper location for firebird.EXE.
  • Download firebird.conf (this is the FireBird configuration file) and save it to "C:/Program Files/Apache Group/Apache/cgi-bin". Make the necessary changes to firebird.conf with Notepad. An example of firebird.conf could be:

    Log="C:/Program Files/Apache Group/Apache/logs/firebird.log"
    Data="C:/Program Files/Apache Group/Apache/logs/firebird.data"
    From="comcast@digitaldaemon.com"
    Reply-To="comcast@digitaldaemon.com"
    Return-Path="trashcan@digitaldaemon.com"
    CC="firebird@digitaldaemon.com"
    SMTPServer="smtp.digitaldaemon.com"
    POP3Server="pop3.digitaldaemon.com"
    Userid="comcast"
    Passwd="******"
    POP-Before-SMTP="Yes"

  • Download httpd.conf and save it to "C:/Program Files/Apache Group/Apache/conf". httpd.conf should already exist. If Apache is installed to just report virus intrusions the existing file can be overwritten. Otherwise make sure to copy all the changes with are marked with #<FireBird> and #</FireBird> to the existing httpd.conf.
  • Start (or Restart) Apache. Start -> Apache HTTP Server -> Control Apache Server -> Restart.
  • If you want to limit reporting each virus intrusion from a unique IP address to 1 report per 24 hours create an empty Data file in the location defined in firebird.conf.
  A couple of notes when installing Apache on Win32:
  • The file "C:/Program Files/Apache Group/Apache/data/index.html" is the entry page for a website running on the computer running Apache. When Apache is active on the computer the website can be viewed with http://127.0.0.1/. 127.0.0.1 can be replaced with the computers public IP address. When index.html is being changed Apache will reflect those changes. This way a website can be created on the computer (just a suggestion), there is more to it than just this.
  • If Internet access has been slow and the activity lights on the Cable Modem, DSL box, Router or Modem are flashing at times there should be no activity chances are that either the computer has been infected with a virus such as Nimda or other computers on the Internet are trying spread the virus.
    
    
• FireBird sources firebird-1.0.3.tar.gz (October 21, 2002 19:02 EDT)
  Made a couple of changes. Added the remote IP address to the subject as some providers seems to prefer. Ported the code to Win32. Currently there is a test running with Apache on Windows 2000 Professional. As soon as the results of the test indicate that FireBird for Win32 is reliable the sources and binaries will be released.
  
  
• FireBird sources firebird-1.0.2.tar.gz (October 07, 2002 18:00 EDT)
  Added a test virus signature to FireBird to help users to install and test FireBird as well as to show how firebird works on digitaldaemon.com. See below how to active FireBird with the test signature.
  
  
• FireBird sources firebird-1.0.1.tar.gz (September 27, 2002 17:56 EDT)
  Added firewall (IPFW) blocking to firebird. To use this the firewall IPFW / IPFIREWALL must be enabled in the FreeBSD kernel. It works like the -punch_fw option for natd. When a virus intrusion comes in from (source) ip address a.b.c.d this ip address is going to be blocked in the firewall as: ipfw add 'number' deny tcp from 'a.b.c.d' to any 80,443 in recv 'iface'. All the firewall rules are added under the same number. I do not know if this is supported, but it makes it easy to delete them all at the same time with ipfw del 'number'. To use this new feature firebird.cgi will need to be owned by 'root' (UID: 0) and have the u+s bit set. This is being checked by firebird and a message will appear in /var/log/messages if firebird it not able to setuid ( 0 ), or change the effective userid to 80 (httpd). As running setuid ( 0 ), is not something I favor firebird switches to 80 'seteuid ( 80 )' right away and changes back to 0 only to add the rule to IPFW. These value's can be changed in Config.h if you have to (UID_ROOT, UID_HTTPD).
  
  
• FireBird sources firebird-1.0.0.tar.gz (August 19, 2002 22:48 EDT)
  Released the sources of firebird after about a year of testing to the public.
  
  
• FireBird FreeBSD 4.x binary executable.
  
  
• FireBird configuration file (firebird.conf, to be placed in the same directory as firebird.cgi)
  FireBird recognizes the following in the configuration file:
  • Log="~/firebird.log"
    The log file were FireBird logs. FireBird also logs in the system log.
  • Data="~firebird.data"
    The data file where FireBird keeps track of remote ip address and the time of the last attempted intrusion reported.
    • If this file exists FireBird will only send one report per 24 hours for a virus intrusion from a unique IP address.
    • If this file does not exist FireBird will report each and every virus intrusion. This might cause some ISP's to get very annoyed. However, FireBird will certainly get their attention.
  • From="firebird@digitaldaemon.com"
    What appears in the "From:" header of the email message being send.
  • Reply-To="firebird@digitaldaemon.com"
    What appears in the "Reply-To:" header of the email message being send.
  • Return-Path="trashcan@digitaldaemon.com"
    What appears in the "Return-Path:" header of the email message being send. This is important as FireBird will send messages to abuse@ and postmaster@ domains that might not actually have those addresses. These messages will bounce!!!
  • CC=
  • BCC=
  • MailInject="/usr/local/qmail/bin/qmail-inject"
    Added recently as not everyone uses Qmail! What a shame!
  • IPFWRule="IPFW rule number" (1.0.1)
    Make sure the 'IPFW rule number' comes before the rule that allows remote ip addresses to access the local ip addresses with port 80 and 443!
  • IPFWIface="IPFW interface" (1.0.1)
    The interface through which the TCP packets enter the server.
  • SMTPServer="smtp.digitaldaemon.com" (1.0.4)
    The SMTPServer is required for Win32 setups to allow FireBird to relay a message. This is the same SMTP server as setup in the email client program.
  • POP3Server="pop3.digitaldaemon.com" (1.0.4)
    Optional, see POP-Before-SMTP.
  • Userid="comcast" (1.0.4)
    Optional, see Pop-Before-SMTP.
  • Passwd="******" (1.0.4)
    Optional, see Pop-Before-SMTP.
  • POP-Before-SMTP="Yes" (1.0.4)
    Many ISP's require that messages are being received (popped) first before they allow sending (relaying). Usually to prevent unauthorized used of their SMTP servers and prevent SPAM. So, to allow FireBird to send a message it need to identify it self with the ISP first before it can send reports to intruders. To allow FireBird to identify itself POP3Server, Userid, Passwd and POP-Before-SMTP are required.
    POP3Server should be the same as the POP3 server setup in email client program.
    Userid should be the userid used to identify to the POP3 server as setup in the email client program.
    Passwd should be the password used to identify to the POP3 server as setup in the email client program.
    POP-Before-SMTP should be set to "Yes" to tell FireBird the ISP requires this.
    
    
• FireBird changes to Apache configuration file
  • mod_alias.c section
  • mod_mime.c section
  • Make sure in section mod_mime.c the following lines are included:
    AddHandler cgi-script .cgi
    AddHandler cgi-script .ida
  • Make sure in section mod_alias.c the following has been set for <Directory "~/cgi-bin">
    Options ExecCGI
    
    
• Other notes:
  • The config file firebird.conf has to reside in the same directory as firebird.cgi.
  • firebird.conf has to be readable by the effective user the Apache daemon (httpd) runs.
  • The 'Log' and 'Data' file have to be readable and writable by the effective user that the Apache daemon (httpd) runs.
  • Do not toy around with the config file. Don't add extra spaces, keep the format as simple as the example!
  • MailInject has been added and tested with Qmail. It has not been tested with sendmail or postfix. Let me know if it works with either one!
  • FireBird will not create the Data file (firebird.data)! If is does not exist every attempted instrusion will be reported. This will create some aggrevation, but might actually get the attention of the maintainers of the infected system.
  • Once installed FireBird can be tested with http://www.yourdomain.com/default.ida/FireBird
    You can simulate a virus intrusion on digitaldaemon.com by using the following link below in your browser: http://www.digitaldaemon.com/default.ida/FireBird. This will give the message FireBird would send in return. However be aware of the fact that this is the real FireBird that will activate. If you change the link in anyway, the test is treated as a real intrusion and FireBird will try to send you, your ISP, your netblock owner a message about an Unknown virus intrusion attempt. With FireBird version 1.0.1 and later using this link with an other suffix than FireBird will immediately block HTTP and secure HTTP (HTTPS) access to the server.

Thanks!
Jan Knepper
jan@digitaldaemon.com

• EaryBird by Jay D. Dyson http://www.treachery.net/~jdyson/earlybird/