RE: [suse-security] RE: does anybody know such a log
I checked at google.ch. There I got my rules from. The site you point to uses exactly the same rules (they must have copied from each other). But nevertheless the rules don't match the reality. I extended my iptables with these rules. I'm not sure whether they will pick up Code Red. I will have to wait until some Code Red source knocks at my door again.

    iptables -t nat -A PREROUTING -p 6 -s 0/0 -d $ip_waneth \
        --dport 80 -m string --string "/cmd.exe?" -j LOG --log-prefix CODE-RED
    iptables -t nat -A PREROUTING -p 6 -s 0/0 -d $ip_waneth \
        --dport 80 -m string --string "/cmd.exe?" -j DROP
    iptables -t nat -A PREROUTING -p 6 -s 0/0 -d $ip_waneth \
        --dport 80 -m string --string "/root.exe?" -j LOG --log-prefix CODE-RED
    iptables -t nat -A PREROUTING -p 6 -s 0/0 -d $ip_waneth \
        --dport 80 -m string --string "/root.exe?" -j DROP

Because the squid log looks like this:

    217.219.177.228 TCP_MISS/503 1116 GET http://www/scripts/root.exe? - NONE/- -
    217.219.177.228 TCP_MISS/503 1112 GET http://www/MSADC/root.exe? - NONE/- -
    217.219.177.228 TCP_MISS/503 1132 GET http://www/c/winnt/system32/cmd.exe? - NONE/- -
    217.219.177.228 TCP_MISS/503 1132 GET http://www/d/winnt/system32/cmd.exe? - NONE/- -

This time an IP from Iran.

Philipp
-----Original Message-----
From: Wolfgang Kueter [mailto:wolfgang@shconnect.de]
Sent: Saturday, October 12, 2002 12:03 AM
To: suse-security@suse.com
Subject: RE: [suse-security] RE: does anybody know such a log
On Fri, 11 Oct 2002 mailinglists@belfin.ch wrote:
> snort 1.9.0 identified it as
>
>     [**] WEB-IIS CodeRed v2 root.exe access [**]
>     10/11-22:26:06.822248 217.219.177.228:1803 -> my.ip.address:80
>     TCP TTL:112 TOS:0x0 ID:61416 IpLen:20 DgmLen:112 DF
>     ***AP*** Seq: 0x1963F358  Ack: 0xE45FF7F5  Win: 0x4238  TcpLen: 20
>     =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> iptables didn't pick that one up. Code Red came in using cmd.exe. I had no rule for that.
You probably used the article at:

http://articles.linuxguru.net/view/125

as a guideline. Unfortunately the article gives an example of 3 rules but no further information about the pattern matching syntax. Has anyone got a link to the precise syntax of that pattern matching stuff for iptables? Anyway, I'll see what google will find ...
Wolfgang
-- 
shconnect Internet Service
web: http://www.shconnect.de   EMail: info@shconnect.de
Bundesstrasse 2, 24392 Dollrottfeld, Fed. Rep. Germany
phone: +49 4641 644
-- 
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

I receive Code Red scans almost every day (T-DSL), this is my (quick 'n' dirty) answer to Code Red:

logsurfer checking the apache logfile and calling a self-written script that blocks the IP via calling iptables for one hour.

This works quite fine for me, but there are surely better ways.

If somebody wants to see my script, please ask. I didn't want to show my low programming skills in public ;-)

Philipp.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE9p+h6lBdrLPB9Ax4RAo/SAJ9fcn/mirM3S+4qi5iYtyI11Tk7zgCgmW+c
543QucRUPL0R9KRJlDXKTlg=
=MjgO
-----END PGP SIGNATURE-----
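Added example for this thread, not Philipp's logsurfer script and not code posted by anyone in it: a small Python log watcher that does what the message above describes (scan the web server log for the probe requests and block the source address for an hour) and that also reads Squid lines of the form quoted in the first message. It matches on the percent-decoded request path, so `%2E` or double-encoded `%255c` spellings of the same probe are still caught. That is one advantage a log-based check has over the `-m string` rules in the first message, which compare raw bytes of a single packet: an encoded or packet-split request slips past them, and the nat table those rules sit in is consulted only for the first packet of a connection (the SYN), so a string match placed there never sees the HTTP request at all; the filter table's INPUT chain is where such a rule would have to live. The trade-off is that the log check fires only after the request has already reached the server. The sample log is constructed (the two Squid lines are copied from the thread, the Apache lines including the encoded probes are made up), and `block()`/`expire()` return iptables argv lists instead of executing anything.

```python
"""Log-driven blocking of Code Red / Nimda probes (added example, not the
thread's own script). Parses Apache common/combined or Squid native log
lines, matches the probe paths on the decoded URL and keeps a blocklist
with a one hour TTL. Nothing is executed: block()/expire() return the
iptables argv lists so the logic can be checked offline."""
import re
import time
from urllib.parse import unquote

# Probe paths from the thread's squid log (root.exe, cmd.exe) plus the
# /default.ida request Code Red itself sends. Query strings are ignored.
PROBE_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"/root\.exe",                  # Code Red II backdoor, reused by Nimda
    r"/winnt/system32/cmd\.exe",    # shell reached via directory traversal
    r"/default\.ida",               # Code Red .ida overflow request
)]

# Apache common/combined: client IP, ident, user, [time], "METHOD URL ...".
APACHE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\w+) (?P<url>\S+)')
# Squid native access.log as pasted in the thread (a timestamp and elapsed
# field may precede the IP): IP code/status bytes METHOD URL ...
SQUID_RE = re.compile(r'(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \w+/\d{3} \d+ (?P<method>\w+) (?P<url>\S+)')


def parse_line(line):
    """Return (client_ip, url) for a recognised log line, else None."""
    m = APACHE_RE.match(line) or SQUID_RE.search(line)
    return (m.group("ip"), m.group("url")) if m else None


def decode_path(url):
    """Reduce an absolute or relative URL to its percent-decoded path.
    Decoding is repeated (bounded) so a double-encoded %255c is seen as
    the backslash it stands for."""
    path = url
    if "://" in path:                       # proxy logs carry absolute URLs
        rest = path.split("://", 1)[1]
        path = rest[rest.find("/"):] if "/" in rest else "/"
    path = path.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_probe(url):
    """True if the decoded request path matches one of the probe patterns."""
    path = decode_path(url)
    return any(p.search(path) for p in PROBE_PATTERNS)


class Blocklist:
    """Blocked IPs with expiry, the 'block for one hour' idea from the thread."""

    def __init__(self, ttl=3600, chain="INPUT"):
        self.ttl = ttl
        self.chain = chain
        self.expires = {}               # ip -> unix time the rule is removed

    def _rule(self, action, ip):
        return ["iptables", action, self.chain, "-s", ip, "-j", "DROP"]

    def block(self, ip, now):
        """Return the insert command for a new IP, None if already blocked."""
        if ip in self.expires:
            return None
        self.expires[ip] = now + self.ttl
        return self._rule("-I", ip)

    def expire(self, now):
        """Forget entries whose TTL has passed; return their delete commands."""
        due = [ip for ip, t in self.expires.items() if t <= now]
        for ip in due:
            del self.expires[ip]
        return [self._rule("-D", ip) for ip in due]


def process(lines, blocklist, now):
    """Run detection over log lines. Returns (commands, hits), where hits
    maps each probing IP to the URLs it requested."""
    commands, hits = [], {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, url = parsed
        if is_probe(url):
            hits.setdefault(ip, []).append(url)
            cmd = blocklist.block(ip, now)
            if cmd:
                commands.append(cmd)
    return commands, hits


# Constructed sample: the two squid lines are from the thread, the Apache
# lines (including the %255c and %2E encoded probes) are made up.
SAMPLE_LOG = [
    "217.219.177.228 TCP_MISS/503 1116 GET http://www/scripts/root.exe? - NONE/- -",
    "217.219.177.228 TCP_MISS/503 1132 GET http://www/c/winnt/system32/cmd.exe? - NONE/- -",
    '192.0.2.10 - - [12/Oct/2002:09:15:01 +0200] "GET /index.html HTTP/1.0" 200 1043',
    '198.51.100.7 - - [12/Oct/2002:09:16:44 +0200] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276',
    '203.0.113.5 - - [12/Oct/2002:09:17:02 +0200] "GET /default.ida?NNNNNNNNNNNN HTTP/1.0" 404 276',
    '203.0.113.9 - - [12/Oct/2002:09:17:40 +0200] "GET /MSADC/root%2Eexe?/c+dir HTTP/1.0" 404 276',
    '192.0.2.10 - - [12/Oct/2002:09:18:13 +0200] "GET /docs/cmdline.html HTTP/1.0" 200 5120',
]

if __name__ == "__main__":
    bl = Blocklist()
    cmds, hits = process(SAMPLE_LOG, bl, now=int(time.time()))
    for ip, urls in hits.items():
        print(f"{ip}: {len(urls)} probe(s), e.g. {urls[0]}")
    for cmd in cmds:
        print(" ".join(cmd))
```

To use it for real, tail the log and hand each new line to `process()`, pass the returned argv lists to `subprocess.run()`, and call `expire()` from a periodic timer so the DROP rules are removed again; the first hit from an address adds the rule, later hits from the same address (if any still reach the log) add nothing, and an address that returns after its hour is up is blocked afresh.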
Hi,

I am so interested in your script. Would you mind if I had this script from you?

Thank you so much.

Best regards,
Choth

Philipp Schmiedeknecht wrote:
> Hi,
>
> I receive Code Red scans almost every day (T-DSL), this is my (quick 'n' dirty) answer to Code Red:
>
> logsurfer checking the apache logfile and calling a self-written script that blocks the IP via calling iptables for one hour.
>
> This works quite fine for me, but there are surely better ways.
>
> If somebody wants to see my script, please ask. I didn't want to show my low programming skills in public ;-)
>
> Philipp.
participants (3): mailinglists@belfin.ch, Philipp Schmiedeknecht, PUTH CHAN CHOTH