I checked at google.ch. That is where I got my rules from. The site you point to uses exactly the same rules (they must have copied from each other). But nevertheless the rules don't match reality. I extended my iptables with these rules. I'm not sure whether they will pick up Code Red. I will have to wait until some Code Red source knocks at my door again.

    iptables -t nat -A PREROUTING -p 6 -s 0/0 -d $ip_waneth \
        --dport 80 -m string --string "/cmd.exe?" -j LOG --log-prefix CODE-RED
    iptables -t nat -A PREROUTING -p 6 -s 0/0 -d $ip_waneth \
        --dport 80 -m string --string "/cmd.exe?" -j DROP
    iptables -t nat -A PREROUTING -p 6 -s 0/0 -d $ip_waneth \
        --dport 80 -m string --string "/root.exe?" -j LOG --log-prefix CODE-RED
    iptables -t nat -A PREROUTING -p 6 -s 0/0 -d $ip_waneth \
        --dport 80 -m string --string "/root.exe?" -j DROP

because the squid log looks like this:

    217.219.177.228 TCP_MISS/503 1116 GET http://www/scripts/root.exe? - NONE/- -
    217.219.177.228 TCP_MISS/503 1112 GET http://www/MSADC/root.exe? - NONE/- -
    217.219.177.228 TCP_MISS/503 1132 GET http://www/c/winnt/system32/cmd.exe? - NONE/- -
    217.219.177.228 TCP_MISS/503 1132 GET http://www/d/winnt/system32/cmd.exe? - NONE/- -

This time an IP from Iran.

Philipp
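Added example, not code from Philipp or the list: a small parser for squid access-log lines in the format quoted above that flags the root.exe/cmd.exe probe URLs and counts hits per source IP, so the proxy log itself can be scanned for this traffic. The signature names and the one benign sample line are constructed; the four probe lines are the ones from the mail.

```python
import re
from collections import Counter, defaultdict

# Squid native access.log fields: time elapsed client code/status bytes method URL ...
# The lines quoted in the mail start at the client IP, so the regex anchors there.
SQUID_RE = re.compile(
    r"(?P<client>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)

# Probe URLs quoted in the mail: root.exe (the copy of cmd.exe that Code Red II
# leaves in /scripts and /MSADC) and cmd.exe reached through the /c and /d
# directory tricks. Case-insensitive because IIS paths are.
WORM_SIGNATURES = {
    "root.exe backdoor": re.compile(r"/root\.exe\?", re.I),
    "cmd.exe traversal": re.compile(r"/winnt/system32/cmd\.exe\?", re.I),
}

# Constructed sample: the four lines from the mail plus one ordinary request.
SAMPLE_LOG = """\
217.219.177.228 TCP_MISS/503 1116 GET http://www/scripts/root.exe? - NONE/- -
217.219.177.228 TCP_MISS/503 1112 GET http://www/MSADC/root.exe? - NONE/- -
217.219.177.228 TCP_MISS/503 1132 GET http://www/c/winnt/system32/cmd.exe? - NONE/- -
217.219.177.228 TCP_MISS/503 1132 GET http://www/d/winnt/system32/cmd.exe? - NONE/- -
192.0.2.10 TCP_HIT/200 4211 GET http://www/index.html - NONE/- text/html
"""

def parse_squid_line(line):
    """Return the parsed fields of one access.log line, or None if it does not parse."""
    m = SQUID_RE.search(line)
    return m.groupdict() if m else None

def classify(url):
    """Name the worm signature a request URL matches, or None for ordinary traffic."""
    return next((name for name, pat in WORM_SIGNATURES.items() if pat.search(url)), None)

def scan_log(text):
    """Map each probing client IP to a Counter of signature hits."""
    hits = defaultdict(Counter)
    for line in text.splitlines():
        rec = parse_squid_line(line)
        if rec and (sig := classify(rec["url"])):
            hits[rec["client"]][sig] += 1
    return dict(hits)

if __name__ == "__main__":
    for ip, sigs in scan_log(SAMPLE_LOG).items():
        print(ip, dict(sigs))
```

One caveat on the rules above: the nat table only evaluates the first packet of a connection, and a TCP SYN carries no payload, so `-m string` rules in nat PREROUTING never see the HTTP request line; string matches belong in the filter table (INPUT or FORWARD), and on current kernels also need `--algo bm` or `--algo kmp`.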
-----Original Message-----
From: Wolfgang Kueter [mailto:wolfgang@shconnect.de]
Sent: Saturday, October 12, 2002 12:03 AM
To: suse-security@suse.com
Subject: RE: [suse-security] RE: does anybody know such a log
On Fri, 11 Oct 2002 mailinglists@belfin.ch wrote:
snort 1.9.0 identified it as
[**] WEB-IIS CodeRed v2 root.exe access [**]
10/11-22:26:06.822248 217.219.177.228:1803 -> my.ip.address:80
TCP TTL:112 TOS:0x0 ID:61416 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0x1963F358 Ack: 0xE45FF7F5 Win: 0x4238 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
iptables didn't pick that one up. Code Red came in using cmd.exe. I had no rule for that.
You probably used the article at:
http://articles.linuxguru.net/view/125
as a guideline. Unfortunately the article gives an example of 3 rules but no further information about the pattern-matching syntax. Has anyone got a link to the precise syntax of that pattern-matching stuff for iptables? Anyway, I'll see what google will find ...
Wolfgang
--
shconnect Internet Service
web: http://www.shconnect.de  EMail: info@shconnect.de
Bundesstrasse 2, 24392 Dollrottfeld, Fed. Rep. Germany
phone: +49 4641 644