Re: cmd.exe root.exe


Subject: Re: cmd.exe root.exe
From: Jim Courtney (courtney@ieee.org)
Date: Tue Apr 09 2002 - 17:10:30 AKDT


I've been using the 3rd-party 'string match' module for iptables.
Now all the Nimda garbage is in my firewall log instead of my web server log...

#Define NIMDA rule
$IPTABLES -F NIMDA
$IPTABLES -N NIMDA
$IPTABLES -A NIMDA -j LOG --log-level info --log-prefix 'nimda:'
$IPTABLES -A NIMDA -j DROP

#Drop and Log NIMDA requests
#Any request to port 80 for a .exe file gets dropped
$IPTABLES -A INPUT -m tcp -p tcp --dport 80 -j NIMDA -m string --string ".exe?"

On Tuesday 09 April 2002 04:44 pm, James Zuelow wrote:
> ----- Original Message -----
> From: "Chris Hamilton" <chris@digitalalaska.com>
> To: <aklug@aklug.org>
> Sent: Tuesday, April 09, 2002 3:45 PM
> Subject: cmd.exe root.exe
>
> > Does anyone have anything that could help me block or redirect cmd.exe
> > and root.exe requests?
> >
> > I'm using apache 1.3.2
> >
> > Thanks.
> >
> > Chris.
>
> Here's a link for a firewall script (it assumes you're running Apache on a
> host with ipchains, I don't see why it could not be modified for
> iptables/ipfilter/pf/whathaveyou).
>
> http://www.linuxgazette.com/issue72/misc/tips/block-nimda.sh.txt
>
> a short description is at:
>
> http://www.linuxgazette.com/issue72/lg_tips72.html#tips/17
>
> Cheers,
>
> James
>
>
> ---------
> To unsubscribe, send email to <aklug-request@aklug.org>
> with 'unsubscribe' in the message body.
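
The 'nimda:' LOG rule in the reply above moves these requests into the firewall log; a per-source tally of that log, as an added example that is not part of the original post. It assumes the usual netfilter LOG layout (prefix followed by KEY=value fields); the function names, host name "fw", the extra "ssh:" prefix and all sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: per-source tally of packets logged by the 'nimda:' LOG rule.
# Assumption: netfilter LOG layout, i.e. the prefix followed by KEY=value fields.

# Constructed, abridged sample lines (documentation addresses, host "fw").
sample_log() {
cat <<'EOF'
Apr  9 17:01:02 fw kernel: nimda:IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=112 PROTO=TCP SPT=3201 DPT=80
Apr  9 17:01:03 fw kernel: nimda:IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=136 PROTO=TCP SPT=3202 DPT=80
Apr  9 17:01:09 fw kernel: nimda:IN=eth0 OUT= SRC=203.0.113.77 DST=198.51.100.5 LEN=120 PROTO=TCP SPT=1499 DPT=80
Apr  9 17:02:11 fw kernel: ssh:IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=3300 DPT=22
Apr  9 17:02:40 fw sshd[412]: Connection closed by 192.0.2.10
Apr  9 17:03:15 fw kernel: nimda:IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=112 PROTO=TCP SPT=3210 DPT=80
EOF
}

# nimda_sources (hypothetical name): syslog on stdin, "count source" on stdout,
# busiest source first. Only kernel lines carrying the 'nimda:' prefix count.
nimda_sources() {
    awk '
        / kernel: nimda:/ {
            src = ""
            for (i = 1; i <= NF; i++)
                if ($i ~ /^SRC=/) src = substr($i, 5)
            if (src != "") hits[src]++
        }
        END { for (s in hits) print hits[s], s }
    ' | sort -k1,1nr -k2,2
}

# nimda_repeat_sources (hypothetical name): sources with at least $1 logged drops,
# e.g. candidates for an abuse report or a longer-lived block.
nimda_repeat_sources() {
    nimda_sources | awk -v min="$1" '$1 + 0 >= min + 0 { print $2 }'
}

sample_log | nimda_sources
```

On a live host, pipe the file that receives kernel messages into `nimda_sources` in place of `sample_log`.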




This archive was generated by hypermail 2a23 : Tue Apr 09 2002 - 16:57:39 AKDT