RE: [suse-security] does anybody know such a log
Paul, thanks for the tip. It works now. Somebody asked for CPU load. One open connection (I know, this is huge load) resulted in

10:53am up 15 days, 13:13, 3 users, load average: 0.00, 0.00, 0.00

Filtering the string "default.ida" I used telnet ip.address 80 and typed in a string "dasisteinTest balbladefault.ida.battest". iptables:

Oct 13 10:25:20 rproxy2 kernel: CODE-REDIN=eth1 OUT= MAC=00:a0:24:6a:d0:56:00:00:e8:e5:d9:9f:08:00 SRC=172.10.15.5 DST=172.10.15.6 LEN=88 TOS=0x10 PREC=0x00 TTL=64 ID=5569 DF PROTO=TCP SPT=2812 DPT=80 WINDOW=5840 RES=0x00 ACK PSH URGP=0

The rule now looks like:

iptables -A INPUT -p 6 -s 0/0 -d $ip_waneth --dport 80 -m string --string "default.ida" -j LOG --log-prefix CODE-RED
iptables -A INPUT -p 6 -s 0/0 -d $ip_waneth --dport 80 -m string --string "default.ida" -j DROP

Philipp
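Reading the LOG output above back out of syslog, as an added example that is not part of the original post: a small Python parser for iptables kernel log lines that tallies hits per log prefix and source address. It also copes with a --log-prefix written without a trailing space, which is why the line above reads CODE-REDIN=eth1 rather than CODE-RED IN=eth1. The sample lines are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample lines in the format shown in the post. The first and
# third lines show a --log-prefix with no trailing space, so the prefix
# runs straight into "IN="; the second uses a prefix with a space.
SAMPLE_LOG = """\
Oct 13 10:25:20 rproxy2 kernel: CODE-REDIN=eth1 OUT= MAC=00:a0:24:6a:d0:56:00:00:e8:e5:d9:9f:08:00 SRC=172.10.15.5 DST=172.10.15.6 LEN=88 TOS=0x10 PREC=0x00 TTL=64 ID=5569 DF PROTO=TCP SPT=2812 DPT=80 WINDOW=5840 RES=0x00 ACK PSH URGP=0
Oct 13 10:26:02 rproxy2 kernel: NIMDA IN=eth1 OUT= MAC=00:a0:24:6a:d0:56:00:00:e8:e5:d9:9f:08:00 SRC=172.10.15.7 DST=172.10.15.6 LEN=88 TOS=0x10 PREC=0x00 TTL=64 ID=5570 DF PROTO=TCP SPT=2813 DPT=80 WINDOW=5840 RES=0x00 ACK PSH URGP=0
Oct 13 10:27:41 rproxy2 kernel: CODE-REDIN=eth1 OUT= MAC=00:a0:24:6a:d0:56:00:00:e8:e5:d9:9f:08:00 SRC=172.10.15.5 DST=172.10.15.6 LEN=88 TOS=0x10 PREC=0x00 TTL=64 ID=5571 DF PROTO=TCP SPT=2814 DPT=80 WINDOW=5840 RES=0x00 ACK PSH URGP=0
Oct 13 10:28:00 rproxy2 sshd[123]: Accepted publickey for admin from 172.10.15.9
"""

# Everything after "kernel: " up to the first "IN=" is the --log-prefix,
# with or without a separating space; the rest is KEY=VALUE pairs.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?P<prefix>.*?)\s*IN=(?P<rest>.*)$"
)

def parse_line(line):
    """Return a dict for an iptables LOG line, or None for other syslog lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"),
           "prefix": m.group("prefix")}
    # Re-attach the IN= token the regex consumed, then split KEY=VALUE fields.
    for tok in ("IN=" + m.group("rest")).split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            rec[key] = val
        else:
            rec.setdefault("flags", []).append(tok)  # DF, ACK, PSH, ...
    return rec

def tally(log_text):
    """Count hits per (log prefix, source address) across a syslog excerpt."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            counts[(rec["prefix"], rec["SRC"])] += 1
    return counts

if __name__ == "__main__":
    for (prefix, src), n in tally(SAMPLE_LOG).most_common():
        print(f"{prefix:10s} {src:16s} {n}")
```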
-----Original Message-----
From: Paul Kozlenko [mailto:pkozlenko@rogers.com]
Sent: Sunday, October 13, 2002 4:25 AM
To: suse-security@suse.com
Subject: Re: [suse-security] does anybody know such a log
Philipp

Try looking at this web site: http://online.securityfocus.com/infocus/1531

It may fill in some blanks.

- Paul

----- Original Message -----
From: <mailinglists@belfin.ch>
To: <suse-security@suse.com>
Sent: Saturday, October 12, 2002 3:06 PM
Subject: RE: [suse-security] does anybody know such a log
> If there is a firewall (SuSE hopefully) between you and the net.
No, not SuSE firewall. It's a Microsoft ISA server -- just kidding. It's iptables.
> You could perhaps set up a rule that would look for Nimda's telltale striNNNNNg, or Code Red's .../winnt/system32..... and drop it.
Yeah, right. Unfortunately mine don't work. I've got

prefix = "iptables -t nat -A PREROUTING -p 6 -s 0/0 -d $ip_waneth / --dport 80 -m string --string"

$prefix "/default.ida?" -j LOG --log-prefix CODE-RED
$prefix "/default.ida?" -j DROP
$prefix ".exe?/c+dir" -j LOG --log-prefix NIMDA
$prefix ".exe?/c+dir" -j DROP
$prefix ".exe?/c+tftp" -j LOG --log-prefix NIMDA
$prefix ".exe?/c+tftp" -j DROP
$prefix "/cmd.exe?" -j LOG --log-prefix CODE-RED
$prefix "/cmd.exe?" -j DROP
$prefix "/root.exe?" -j LOG --log-prefix CODE-RED
$prefix "/root.exe?" -j DROP
Have you got some that work?
Philipp
----- Original Message -----
From: "Thomas Schweikle" <tschweikle@fiducia.de>
To: <suse-security@suse.com>
Sent: Saturday, October 12, 2002 3:23 PM
Subject: RE: [suse-security] does anybody know such a log
> Yes I do. This is why it doesn't really bother me. I just can't believe that there are still Nimda/Code Red infected boxes out there. After more than one year.
Unfortunately there are. And often newly installed boxes out there do not incorporate the necessary fixes to harden them against Nimda/Code Red. Some admins don't apply these patches regularly...
-- Thomas
-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here