- After seeing the Apache access and error logs grow forever the last couple of months.
- After getting tired of shell scripting to process the log files and create some reporting
to be emailed manually to abuse @ and postmaster @ a compromised domain.
- After receiving the next connection bill for the T1 and realizing that the increase in traffic
the last couple of months has been such that the monthly fee went up.
I got so upset with web masters and Internet users that just do not seem to know or care
that their systems are compromised that I decided to develop my own solution to deal with this trouble.
The solution is rather simple.
- A couple of modifications in the Apache configuration file.
- A program 'FireBird' (CGI) written in C/C++ to process all the intrusion attempts and report
those to the responsible parties.
How it works:
- Through the modifications in the Apache configuration file Apache activates FireBird when
a known request to one of the IIS vulnerabilities comes in.
- FireBird loads a configuration file.
- Checks if the URI really as a worm signature.
- Checks where the request URI comes from (remote)
- Checks when the last intrusion attempt from this remote was made.
- If that was shorter than 24 hours ago FireBird exits.
- If that was longer than 24 hours ago FireBird logs the remote IP address and the time of
- Digs around in DNS for the domain name associated with the remote IP address.
- Looks up the net block owner email address.
- Generates an email message to abuse@ and postmaster@ of the offending domain and to the
net block owner.
- Injects the generated email into the qmail queue.
Right now FireBird is being run (beta testing is over!) on 23 domains. The last serious change was to enable FireBird
to search for the net block owner and sending the email to the net block owner. However, the tedious job of writing
a daily email and informing the responsible parties about their compromised system is history.
Click here to read some of the responses on the FireBird messages.
Click here to see from where the latest intrusions came.
If you would like to stay informed about the notices, updates, fixes on FireBird, please subscribe to FireBird Announce (email@example.com).
This page is being referred to by the email being sent by FireBird.
When interested in using FireBird on FreeBSD, OpenBSD, NetBSD, Unix or Linux, download the sources here and follow
the instructions on how to activate it on your system. If you have any difficulty, please let me know.
When interested in using FireBird with Apache on Win32 (Windows XP, Windows 2000, Windows NT) check FireBird 1.0.4
for instructions on how to setup.
sources firebird-1.0.7.tar.gz (May 30, 2003 13:27 EDT) (NEW!)
As followup on an email from lacnic.net updated NetBlockOwner.cpp with the
information available at: http://www.iana.org/assignments/ipv4-address-space.
Also removed some redundant code between the Unix (FreeBSD) and the Win32
sources firebird-1.0.6.tar.gz (April 23, 2003 21:29 EDT)
Added HTTP_X_FORWARDED_FOR and HTTP_CLIENT_IP to Report.cpp in case they exist
in the environment. Also added GMT time.
sources firebird-1.0.5.tar.gz (November 27, 2002 10:45 EST)
Added a little bit of code to FireBird for Win32. Since ignorant Windows users seems to be bothered by popup messages
boxes the last couple of weeks I figured that since they are mostlikeky the
onces that also keep Nimda going it would be a good idea to add a NetMessageBufferSend
call to FireBird for Win32. This way, when they hit Apache on my notebook
which is running comcast cable they will get a popup message box right on
their screen telling them they have a problem! If you have a Win32 box and
are on a public IP address try this test link and see what happens!
sources firebird-1.0.4.tar.gz (October 29, 2002 15:55 EDT)
More or less finished the port of FireBird to Win32. It's currently running
on Windows 2000 Professional with Apache.
Click here to see how the Win32 version works with the test signature: http://comcast.digitaldaemon.com/cgi-bin/firebird.exe/FireBird
- Have Cable, DSL, or an other connection? Running Apache
on a Win32 platform or are willing to install Apache and want to join the
fight against Nimda? Here is how:
A couple of notes when installing Apache on Win32:
- If you already have Apache installed skip this step. Otherwise, download and install
Apache. Instructions on how to download and install apache on Microsoft
Windows are here: http://httpd.apache.org/docs/windows.html.
To just download the Installer click here: http://nagoya.apache.org/dist/httpd/binaries/win32/apache_1.3.27-win32-x86-no_src.exe Install Apache into "C:/Program
Files/Apache Group/Apache". This is the default location!
- Download FireBird
for Win32 (firebird.EXE) and save it to
Apache's cgi-bin directory "C:/Program Files/Apache Group/Apache/cgi-bin".
When using a different location for Apache httpd.conf will have to be
changed to reflect the proper location for firebird.EXE.
- Download firebird.conf (this is the FireBird
configuration file) and save it to "C:/Program
Files/Apache Group/Apache/cgi-bin". Make the necessary changes to firebird.conf with Notepad.
An example of firebird.conf could be:
- Download httpd.conf and save it to "C:/Program
Files/Apache Group/Apache/conf". httpd.conf should already exist. If Apache is installed
to just report virus intrusions the existing file can be overwritten.
Otherwise make sure to copy all the changes with are marked with #<FireBird>
and #</FireBird> to the existing httpd.conf.
- Start (or Restart) Apache. Start
-> Apache HTTP Server -> Control Apache Server -> Restart.
- If you want to limit reporting each virus intrusion
from a unique IP address to 1 report per 24 hours create an empty Data
file in the location defined in firebird.conf.
- The file "C:/Program
Files/Apache Group/Apache/data/index.html" is the entry page for a website running on the computer
running Apache. When Apache is active on the computer the website can
be viewed with http://127.0.0.1/. 127.0.0.1 can be replaced with the computers public IP
address. When index.html is being changed Apache will reflect those changes.
This way a website can be created on the computer (just a suggestion),
there is more to it than just this.
- If Internet access has been slow and the activity
lights on the Cable Modem, DSL box, Router or Modem are flashing at times
there should be no activity chances are that either the computer has been
infected with a virus such as Nimda or other computers on the Internet
are trying spread the virus.
sources firebird-1.0.3.tar.gz (October 21, 2002 19:02 EDT)
Made a couple of changes. Added the remote IP address to the subject as some
providers seems to prefer. Ported the code to Win32. Currently there is a
test running with Apache on Windows 2000 Professional.
As soon as the results of the test indicate that FireBird for Win32 is reliable
the sources and binaries will be released.
sources firebird-1.0.2.tar.gz (October 07, 2002 18:00 EDT)
Added a test virus signature to FireBird to help users to install and test
FireBird as well as to show how firebird works on digitaldaemon.com. See
below how to active FireBird with the test signature.
sources firebird-1.0.1.tar.gz (September 27, 2002 17:56 EDT)
Added firewall (IPFW) blocking to firebird. To use this the firewall IPFW
/ IPFIREWALL must be enabled in the FreeBSD kernel. It works like the -punch_fw
option for natd. When a virus intrusion comes in from (source) ip address
a.b.c.d this ip address is going to be blocked in the firewall as: ipfw
add 'number' deny tcp from 'a.b.c.d' to any 80,443 in recv 'iface'.
All the firewall rules are added under the same number. I do not know if this
is supported, but it makes it easy to delete them all at the same time with
ipfw del 'number'. To use this new feature firebird.cgi will need to be owned
by 'root' (UID: 0) and have the u+s bit set. This is being checked by firebird
and a message will appear in /var/log/messages if firebird it not able to
setuid ( 0 ), or change the effective userid to 80 (httpd). As running setuid
( 0 ), is not something I favor firebird switches to 80 'seteuid ( 80 )' right
away and changes back to 0 only to add the rule to IPFW. These value's can
be changed in Config.h if you have to (UID_ROOT, UID_HTTPD).
sources firebird-1.0.0.tar.gz (August 19, 2002 22:48 EDT)
Released the sources of firebird after about a year of testing to the public.
FreeBSD 4.x binary executable.
- FireBird configuration file (firebird.conf,
to be placed in the same directory as firebird.cgi)
FireBird recognizes the following in the configuration file:
The log file were FireBird logs. FireBird also logs in the system log.
The data file where FireBird keeps track of remote ip address and the
time of the last attempted intrusion reported.
- If this file exists FireBird will only send one
report per 24 hours for a virus intrusion from a unique IP address.
- If this file does not exist FireBird will report
each and every virus intrusion. This might cause some ISP's to get
very annoyed. However, FireBird will certainly get their attention.
What appears in the "From:" header of the email message being
What appears in the "Reply-To:" header of the email message
What appears in the "Return-Path:" header of the email message
being send. This is important as FireBird will send messages to abuse@
and postmaster@ domains that might not actually have those addresses.
These messages will bounce!!!
Added recently as not everyone uses Qmail! What a shame!
rule number" (1.0.1)
Make sure the 'IPFW rule number' comes before the rule that allows remote
ip addresses to access the local ip addresses with port 80 and 443!
The interface through which the TCP packets enter the server.
The SMTPServer is required for Win32 setups to allow FireBird to relay
a message. This is the same SMTP server as setup in the email client program.
Optional, see POP-Before-SMTP.
Optional, see Pop-Before-SMTP.
Optional, see Pop-Before-SMTP.
Many ISP's require that messages are being received (popped) first before
they allow sending (relaying). Usually to prevent unauthorized used of
their SMTP servers and prevent SPAM. So, to allow FireBird to send a message
it need to identify it self with the ISP first before it can send reports
to intruders. To allow FireBird to identify itself POP3Server, Userid,
Passwd and POP-Before-SMTP are required.
POP3Server should be the same as the POP3 server setup in email client
Userid should be the userid used to identify to the POP3 server as setup
in the email client program.
Passwd should be the password used to identify to the POP3 server as setup
in the email client program.
POP-Before-SMTP should be set to "Yes" to tell FireBird the
ISP requires this.
- FireBird changes to Apache configuration file
- mod_alias.c section
- mod_mime.c section
- Make sure in section mod_mime.c the following lines
AddHandler cgi-script .cgi
AddHandler cgi-script .ida
- Make sure in section mod_alias.c the following has
been set for <Directory "~/cgi-bin">
- Other notes:
- The config file firebird.conf has to reside in the
same directory as firebird.cgi.
- firebird.conf has to be readable by the effective
user the Apache daemon (httpd) runs.
- The 'Log' and 'Data' file have to be readable and
writable by the effective user that the Apache daemon (httpd) runs.
- Do not toy around with the config file. Don't add
extra spaces, keep the format as simple as the example!
- MailInject has been added and tested with Qmail. It has not been tested
with sendmail or postfix. Let me know if it works with either one!
- FireBird will not create the Data
file (firebird.data)! If is does not exist every attempted instrusion
will be reported. This will create some aggrevation, but might actually
get the attention of the maintainers of the infected system.
- Once installed FireBird
can be tested with http://www.yourdomain.com/default.ida/FireBird
You can simulate a virus intrusion on digitaldaemon.com by using the following
link below in your browser: http://www.digitaldaemon.com/default.ida/FireBird. This will give the message FireBird would send in return.
However be aware of the fact that this is the real
FireBird that will activate. If you change the link in anyway, the test
is treated as a real intrusion and FireBird will try to send you, your
ISP, your netblock owner a message about an Unknown virus intrusion attempt. With FireBird version 1.0.1 and
later using this link with an other suffix than FireBird will immediately
block HTTP and secure HTTP (HTTPS) access to the server.
Other solutions that do more or less the same thing: