On Wed, 27 Nov 2002, Mario Ohnewald wrote:
Hello! What can I do against these worms?
[Mon Nov 25 18:18:50 2002] [error] [client 80.145.88.201] File does not exist: /usr/local/httpd/htdocs/scripts/..Á^\../winnt/system32/cmd.exe
[...]
[Wed Nov 27 09:36:25 2002] [error] [client 80.145.87.190] File does not exist: /usr/local/httpd/htdocs/scripts/root.exe
How can I reverse the IP to an address like whois does? What do you do against it? I am just bothered because of my mini bandwidth.
ip_waneth="your ip of the web server"

iptables -t nat -A PREROUTING -p tcp -s 0/0 -d $ip_waneth \
  --dport 80 -m string --string "/cmd.exe?" -j LOG --log-prefix CODE-RED
iptables -t nat -A PREROUTING -p tcp -s 0/0 -d $ip_waneth \
  --dport 80 -m string --string "/cmd.exe?" -j DROP
iptables -t nat -A PREROUTING -p tcp -s 0/0 -d $ip_waneth \
  --dport 80 -m string --string "/root.exe?" -j LOG --log-prefix CODE-RED
iptables -t nat -A PREROUTING -p tcp -s 0/0 -d $ip_waneth \
  --dport 80 -m string --string "/root.exe?" -j DROP
iptables -t nat -A PREROUTING -p tcp -s 0/0 -d $ip_waneth \
  --dport 80 -m string --string "/default.ida?" -j DROP
# my firewall does not log it, I'm not interested in such trash :-))

# to reverse the IP, use nslookup, but keep in mind that this might not
# be useful, for a lot of reasons ...

Achim
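
Added example, not part of the original messages: a way to see how many of these probes each client sends, by tallying the three request names from the rules above in Apache error_log lines. The function names and the sample log (with documentation-range client addresses) are constructed for illustration.

```shell
#!/bin/sh
# Added example: tally worm probes per client from Apache error_log lines.
# The error log records the filesystem path without the query string, so
# the signatures here omit the trailing "?" used in the iptables rules.

# Constructed sample in the format of the log lines quoted in the thread;
# client addresses are documentation-range placeholders, not real hosts.
sample_log() {
cat <<'EOF'
[Mon Nov 25 18:18:50 2002] [error] [client 192.0.2.10] File does not exist: /usr/local/httpd/htdocs/scripts/..%5c../winnt/system32/cmd.exe
[Mon Nov 25 18:18:51 2002] [error] [client 192.0.2.10] File does not exist: /usr/local/httpd/htdocs/scripts/root.exe
[Mon Nov 25 18:18:52 2002] [error] [client 192.0.2.10] File does not exist: /usr/local/httpd/htdocs/msadc/cmd.exe
[Tue Nov 26 02:10:03 2002] [error] [client 198.51.100.7] File does not exist: /usr/local/httpd/htdocs/default.ida
[Tue Nov 26 07:44:19 2002] [error] [client 203.0.113.5] File does not exist: /usr/local/httpd/htdocs/favicon.ico
[Wed Nov 27 09:36:25 2002] [error] [client 198.51.100.7] File does not exist: /usr/local/httpd/htdocs/scripts/root.exe
EOF
}

# Read error_log lines on stdin; print "count client signature",
# busiest client/signature pair first.
worm_probe_summary() {
  awk '
    /File does not exist:/ {
      sig = ""
      if (index($0, "/cmd.exe")) sig = "cmd.exe"
      else if (index($0, "/root.exe")) sig = "root.exe"
      else if (index($0, "/default.ida")) sig = "default.ida"
      if (sig == "") next            # ordinary 404, not a worm probe
      ip = ""
      for (i = 1; i < NF; i++)       # address follows the "[client" token
        if ($i == "[client") { ip = $(i + 1); sub(/\]$/, "", ip); break }
      if (ip != "") count[ip " " sig]++
    }
    END { for (k in count) print count[k], k }
  ' | LC_ALL=C sort -k1,1nr -k2,2 -k3,3
}

sample_log | worm_probe_summary
```

To run it against a real log, feed the file on stdin instead of the sample: worm_probe_summary < error_log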