Mailinglist Archive: opensuse-security (487 mails)
Re: [suse-security] does anybody know such a log
- From: "Paul Kozlenko" <pkozlenko@xxxxxxxxxx>
- Date: Sat, 12 Oct 2002 22:25:24 -0400
- Message-id: <01a801c2725f$c9c648f0$2c01a8c0@moon>
Philipp
Try looking at this web site: http://online.securityfocus.com/infocus/1531
It may fill in some blanks.
- Paul
----- Original Message -----
From: <mailinglists@xxxxxxxxx>
To: <suse-security@xxxxxxxx>
Sent: Saturday, October 12, 2002 3:06 PM
Subject: RE: [suse-security] does anybody know such a log
>
>
> > If there is a firewall (SuSE hopefully) between you and the
> > net.
>
> No, not SuSE firewall. It's a Microsoft ISA server -- just kidding. It's
> iptables.
>
> > You could
> > perhaps set up a rule that would look for Nimda's tell-tale striNNNNNg
> > or Code Red's .../winnt/system32..... and drop it.
>
> Yeah, right. Unfortunately mine don't work. I've got
>
> prefix="iptables -t nat -A PREROUTING -p 6 -s 0/0 -d $ip_waneth \
> --dport 80 -m string --string"
>
> $prefix "/default.ida?" -j LOG --log-prefix CODE-RED
> $prefix "/default.ida?" -j DROP
> $prefix ".exe?/c+dir" -j LOG --log-prefix NIMDA
> $prefix ".exe?/c+dir" -j DROP
> $prefix ".exe?/c+tftp" -j LOG --log-prefix NIMDA
> $prefix ".exe?/c+tftp" -j DROP
> $prefix "/cmd.exe?" -j LOG --log-prefix CODE-RED
> $prefix "/cmd.exe?" -j DROP
> $prefix "/root.exe?" -j LOG --log-prefix CODE-RED
> $prefix "/root.exe?" -j DROP
>
> Have you got some that work?
>
> Philipp
>
> > ----- Original Message -----
> > From: "Thomas Schweikle" <tschweikle@xxxxxxxxxx>
> > To: <suse-security@xxxxxxxx>
> > Sent: Saturday, October 12, 2002 3:23 PM
> > Subject: RE: [suse-security] does anybody know such a log
> >
> >
> > > > Yes I do. This is why it doesn't really bother me. I just
> > > > can't believe that there's still Nimda/Code Red infected
> > > > boxes out there. After more than one year.
> > >
> > > Unfortunately there are. And often newly installed boxes
> > > out there do not incorporate the necessary fixes to harden them against
> > > Nimda/Code Red.
> > > Some admins don't apply these patches regularly...
> > >
> > > --
> > > Thomas
> > >
> > > --
> > > Check the headers for your unsubscription address
> > > For additional commands, e-mail: suse-security-help@xxxxxxxx
> > > Security-related bug reports go to security@xxxxxxx, not here
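Added example, not from the thread: Philipp's ordered signature table run over constructed web-server access-log lines instead of packet payloads, counting hits per client and label. The nat table's PREROUTING chain is consulted only for the first packet of a new connection (the TCP SYN, which carries no HTTP payload), so a payload string match placed there does not see the request at all; checking the request path in the server's own log sidesteps that. The log lines, TEST-NET addresses and function names here are constructed for this example.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Ordered signature table copied from the iptables rules in the thread;
# first match wins, as it would in a firewall chain. Labels are the poster's.
SIGNATURES = [
    ("/default.ida?", "CODE-RED"),
    (".exe?/c+dir", "NIMDA"),
    (".exe?/c+tftp", "NIMDA"),
    ("/cmd.exe?", "CODE-RED"),
    ("/root.exe?", "CODE-RED"),
]

# Common Log Format: client ident user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')

# Constructed sample lines (TEST-NET addresses), not real log data.
SAMPLE_LOG = """\
192.0.2.10 - - [12/Oct/2002:14:01:03 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNN%u9090 HTTP/1.0" 404 287
192.0.2.10 - - [12/Oct/2002:14:01:05 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
192.0.2.11 - - [12/Oct/2002:14:02:17 -0400] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210
192.0.2.11 - - [12/Oct/2002:14:02:19 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+tftp HTTP/1.0" 404 210
198.51.100.7 - - [12/Oct/2002:14:03:40 -0400] "GET /index.html HTTP/1.1" 200 1532
"""

def classify(path):
    """Label of the first matching signature, or None. The path is
    percent-decoded once so an encoded spelling of a signature still
    matches (iptables -m string compares raw packet bytes and would not)."""
    decoded = unquote(path)
    for needle, label in SIGNATURES:
        if needle in decoded:
            return label
    return None

def scan(lines):
    """Yield (client_ip, label, status) for each request line that matches."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, path, status = m.groups()
        label = classify(path)
        if label is not None:
            yield client, label, int(status)

def summarize(text):
    """Count matching requests per (client_ip, label)."""
    return Counter((client, label) for client, label, _ in scan(text.splitlines()))
```

Running `summarize(SAMPLE_LOG)` on the constructed log gives one CODE-RED and one NIMDA hit from 192.0.2.10 and two NIMDA hits from 192.0.2.11; the 200 response to /index.html matches nothing.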