RE: [suse-security] does anybody know such a log
If there is a firewall (SuSE hopefully) between you and the net.
No, not Suse firewall. It's a Microsoft ISA server -- just kidding. It's iptables.
You could perhaps set up a rule that would look for Nimda's tell-tale striNNNNNg. or Code Red's .../winnt/system32..... and drop it.
Yeah, right. Unfortunately mine don't work. I've got

prefix="iptables -t nat -A PREROUTING -p 6 -s 0/0 -d $ip_waneth \
  --dport 80 -m string --string"

$prefix "/default.ida?" -j LOG --log-prefix CODE-RED
$prefix "/default.ida?" -j DROP
$prefix ".exe?/c+dir" -j LOG --log-prefix NIMDA
$prefix ".exe?/c+dir" -j DROP
$prefix ".exe?/c+tftp" -j LOG --log-prefix NIMDA
$prefix ".exe?/c+tftp" -j DROP
$prefix "/cmd.exe?" -j LOG --log-prefix CODE-RED
$prefix "/cmd.exe?" -j DROP
$prefix "/root.exe?" -j LOG --log-prefix CODE-RED
$prefix "/root.exe?" -j DROP

Have you got some that work?

Philipp
----- Original Message ----- From: "Thomas Schweikle" <tschweikle@fiducia.de> To: <suse-security@suse.com> Sent: Saturday, October 12, 2002 3:23 PM Subject: RE: [suse-security] does anybody know such a log
Yes I do. This is why it doesn't really bother me. I just can't believe that there are still Nimda/Code Red infected boxes out there. After more than one year.
Unfortunately there are. And often newly installed boxes out there do not incorporate the necessary fixes to harden them against Nimda/Code Red. Some admins don't apply these patches regularly...
-- Thomas
-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here
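A reworked version of those rules, added here as an example and not code from the thread: it builds the same LOG/DROP pairs but puts them in the filter table's FORWARD chain, since the nat table is consulted only for the first packet of a connection (the TCP SYN), which carries no HTTP request for the string match to see. It assumes the ipt_string match is available (patch-o-matic on 2.4 kernels; 2.6 and later need "--algo bm", settable via STRING_ALGO) and defaults to a dry run that prints the commands instead of applying them.

```shell
# Added example, not from the thread: generate (dry run) or apply iptables rules that
# LOG and DROP HTTP requests carrying the Code Red / Nimda request strings above.
# Unlike the posted rules, these go in the filter table's FORWARD chain: the nat table
# is consulted only for the first packet of a connection (the TCP SYN), which carries
# no HTTP payload, so a string match in nat/PREROUTING never fires.
# Assumes the ipt_string match is available (patch-o-matic on 2.4 kernels; 2.6+ kernels
# require an algorithm, e.g. STRING_ALGO="--algo bm").
IPTABLES="${IPTABLES:-echo iptables}"   # default is a dry run that prints the commands
STRING_ALGO="${STRING_ALGO:-}"

# worm_rules WAN_IP [CHAIN]  ->  one LOG rule and one DROP rule per signature
worm_rules() {
    wan_ip=$1
    chain=${2:-FORWARD}
    # signature|log-prefix pairs, taken from the rules posted in the thread
    sigs='/default.ida?|CODE-RED
/cmd.exe?|CODE-RED
/root.exe?|CODE-RED
.exe?/c+dir|NIMDA
.exe?/c+tftp|NIMDA'
    printf '%s\n' "$sigs" | while IFS='|' read -r sig tag; do
        for target in LOG DROP; do
            # Build the argument list: -p tcp is what --dport needs,
            # -d limits the match to traffic for the WAN address
            set -- -t filter -A "$chain" -p tcp -d "$wan_ip" --dport 80 \
                   -m string $STRING_ALGO --string "$sig" -j "$target"
            if [ "$target" = LOG ]; then
                set -- "$@" --log-prefix "$tag"
            fi
            $IPTABLES "$@"
        done
    done
}

# Stand-alone use: sh this_script.sh WAN_IP [CHAIN]
if [ $# -gt 0 ]; then
    worm_rules "$@"
fi
```

Run it once with IPTABLES unset to review the generated commands, then with IPTABLES=iptables as root to apply them.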
Philipp

Try looking at this web site: http://online.securityfocus.com/infocus/1531 It may fill in some blanks.

- Paul

----- Original Message ----- From: <mailinglists@belfin.ch> To: <suse-security@suse.com> Sent: Saturday, October 12, 2002 3:06 PM Subject: RE: [suse-security] does anybody know such a log
On Sat, 12 Oct 2002, Paul Kozlenko wrote:
Philipp Try looking at this web site: http://online.securityfocus.com/infocus/1531 It may fill in some blanks.
Do the SuSE kernels (preferably 2.4.18-231) support this??

Greetings,
--
Jörg Henner
ETES - EDV-Systemhaus GbR, Libanonstrasse 58 A, D-70184 Stuttgart
Fon: +49 (7 11) 48 90 83 - 0   Fax: +49 (7 11) 48 90 83 - 50
Web: http://www.etes.de