If there is a firewall (SuSE hopefully) between you and the net.
No, not Suse firewall. It's a Microsoft ISA server -- just kidding. It's iptables.
You could perhaps set up a rule that would look for Nimda's tell-tale striNNNNNg or Code Red's .../winnt/system32..... and drop it.
Yeah, right. Unfortunately mine don't work. I've got

prefix="iptables -t nat -A PREROUTING -p 6 -s 0/0 -d $ip_waneth \
        --dport 80 -m string --string"

$prefix "/default.ida?" -j LOG --log-prefix CODE-RED
$prefix "/default.ida?" -j DROP
$prefix ".exe?/c+dir"   -j LOG --log-prefix NIMDA
$prefix ".exe?/c+dir"   -j DROP
$prefix ".exe?/c+tftp"  -j LOG --log-prefix NIMDA
$prefix ".exe?/c+tftp"  -j DROP
$prefix "/cmd.exe?"     -j LOG --log-prefix CODE-RED
$prefix "/cmd.exe?"     -j DROP
$prefix "/root.exe?"    -j LOG --log-prefix CODE-RED
$prefix "/root.exe?"    -j DROP

Have you got some that work?

Philipp
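An added example, not code from the thread: the rules above are appended to the nat table, and nat/PREROUTING is only consulted for the first packet of each connection (the TCP SYN), which carries no HTTP payload, so a string match there can never fire. This script emits an equivalent rule set for the filter table instead, matching only on ESTABLISHED flows to port 80 and with the string match syntax of current iptables (`--algo`). It prints the commands rather than running them, so they can be reviewed and then piped to `sh` as root. `WAN_IF`, `WAN_IP` (a documentation address), the chain name `WORM_HTTP` and the log rate limit are assumptions.

```shell
#!/bin/sh
# Added example (not from the mailing-list post). Generates iptables rules that
# log and drop HTTP requests carrying the Nimda / Code Red strings quoted in the
# thread. Assumptions: WAN_IF, WAN_IP (placeholder), iptables with the string
# match supporting --algo (kernel 2.6.14 or later).

WAN_IF="${WAN_IF:-eth0}"       # assumed external interface
WAN_IP="${WAN_IP:-192.0.2.1}"  # placeholder: RFC 5737 documentation address

# Constructed signature table, one "<log prefix>|<request string>" per line,
# taken from the rules in the message above.
SIGS='CODE-RED|/default.ida?
NIMDA|.exe?/c+dir
NIMDA|.exe?/c+tftp
CODE-RED|/cmd.exe?
CODE-RED|/root.exe?'

# Print the rule set for the given chain (INPUT for a host firewall, FORWARD
# for a router). Nothing is executed here; review the output, then run it.
gen_rules() {
    chain="$1"
    # Dedicated chain so the signatures can be flushed and reloaded as a unit.
    echo "iptables -N WORM_HTTP 2>/dev/null"
    echo "iptables -F WORM_HTTP"
    printf '%s\n' "$SIGS" | while IFS='|' read -r tag pat; do
        # LOG is non-terminating, so log (rate-limited) and drop are two rules.
        echo "iptables -A WORM_HTTP -m string --algo bm --string '$pat' -m limit --limit 5/min -j LOG --log-prefix '$tag '"
        echo "iptables -A WORM_HTTP -m string --algo bm --string '$pat' -j DROP"
    done
    # Only packets of an established TCP flow carry the HTTP request payload;
    # the filter table sees every packet, unlike nat/PREROUTING.
    echo "iptables -A $chain -i $WAN_IF -p tcp --dport 80 -d $WAN_IP -m state --state ESTABLISHED -j WORM_HTTP"
}

gen_rules "${1:-FORWARD}"
```

Usage: `sh worm-rules.sh FORWARD | sudo sh` on a router, or with `INPUT` on the web host itself. Dropping a request packet mid-connection leaves the client's TCP session hanging until it times out; that is harmless for a scanning worm, but `-j REJECT --reject-with tcp-reset` in place of `DROP` is friendlier if the string ever matches legitimate traffic.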
----- Original Message -----
From: "Thomas Schweikle"
To:
Sent: Saturday, October 12, 2002 3:23 PM
Subject: RE: [suse-security] does anybody know such a log

Yes I do. This is why it doesn't really bother me. I just can't believe that there's still Nimda/Code Red infected boxes out there. After more than one year.
Unfortunately there are. And often newly installed boxes out there do not incorporate the necessary fixes to harden them against Nimda/Code Red. Some admins don't apply these patches regularly...
-- Thomas
-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here