RE: cmd.exe root.exe


Subject: RE: cmd.exe root.exe
From: Robert Swift (bswift@customcpu.com)
Date: Tue Apr 09 2002 - 19:18:19 AKDT


Aside from the annoyance and the waste of bandwidth, are those of you who
have servers that are being deluged with the Nimda or other attempted
exploits having any success reporting these incidents to your respective
ISPs? I have been running a web server for a while and repeatedly forward my
logs to my ISP security people. I'm just wondering how many of us do more
than just raise shields (so to speak)?

Bob Swift

-----Original Message-----
From: aklug-bounce@aklug.org [mailto:aklug-bounce@aklug.org] On Behalf Of
Jim Courtney
Sent: Tuesday, April 09, 2002 5:11 PM
To: Chris Hamilton; aklug@aklug.org
Subject: Re: cmd.exe root.exe

I've been using the 3rd-party 'string match' module for iptables.
Now all the Nimda garbage is in my firewall log instead of my web server
log...

#Define NIMDA rule ($IPTABLES is assumed to be set earlier, e.g. IPTABLES=/sbin/iptables)
$IPTABLES -N NIMDA 2>/dev/null   # create the chain; ignore the error if it already exists
$IPTABLES -F NIMDA               # start from an empty chain on every run
$IPTABLES -A NIMDA -j LOG --log-level info --log-prefix 'nimda:'
$IPTABLES -A NIMDA -j DROP

#Drop and Log NIMDA requests
#Any request to port 80 whose payload contains ".exe?" is sent to the NIMDA chain
#(newer kernels' string match also needs --algo bm after --string)
$IPTABLES -A INPUT -p tcp -m tcp --dport 80 -m string --string ".exe?" -j NIMDA

On Tuesday 09 April 2002 04:44 pm, James Zuelow wrote:
> ----- Original Message -----
> From: "Chris Hamilton" <chris@digitalalaska.com>
> To: <aklug@aklug.org>
> Sent: Tuesday, April 09, 2002 3:45 PM
> Subject: cmd.exe root.exe
>
> > Does anyone have anything that could help me block or redirect cmd.exe
> > and root.exe requests?
> >
> > I'm using apache 1.3.2
> >
> > Thanks.
> >
> > Chris.
>
> Here's a link for a firewall script (it assumes you're running Apache on a
> host with ipchains, I don't see why it could not be modified for
> iptables/ipfilter/pf/whathaveyou).
>
> http://www.linuxgazette.com/issue72/misc/tips/block-nimda.sh.txt
>
> a short description is at:
>
> http://www.linuxgazette.com/issue72/lg_tips72.html#tips/17
>
> Cheers,
>
> James
>
>
> ---------
> To unsubscribe, send email to <aklug-request@aklug.org>
> with 'unsubscribe' in the message body.


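Added example, not from any message in this thread: a small shell/awk summary that turns the 'nimda:' kernel log lines produced by the LOG rule above into a per-source tally (address, hit count, first and last seen), which is the kind of digest an ISP abuse desk can act on. The log lines are constructed samples using documentation address ranges; the function name and output layout are assumptions.

```shell
#!/bin/sh
# Constructed sample kernel log lines, in the shape the LOG rule with
# --log-prefix 'nimda:' writes via syslog. Addresses are RFC 5737 test ranges.
# One unrelated firewall line is included to show that it is filtered out.
SAMPLE_LOG='Apr  9 17:02:11 gw kernel: nimda:IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TTL=113 PROTO=TCP SPT=3284 DPT=80 SYN
Apr  9 17:02:12 gw kernel: nimda:IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TTL=113 PROTO=TCP SPT=3285 DPT=80 SYN
Apr  9 17:05:40 gw kernel: nimda:IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.2 LEN=60 TTL=118 PROTO=TCP SPT=1026 DPT=80 SYN
Apr  9 17:09:03 gw kernel: other:IN=eth0 OUT= SRC=192.0.2.99 DST=198.51.100.2 LEN=60 TTL=52 PROTO=TCP SPT=4000 DPT=22 SYN
Apr  9 17:11:58 gw kernel: nimda:IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TTL=113 PROTO=TCP SPT=3301 DPT=80 SYN'

# nimda_report (hypothetical helper): read syslog lines on stdin, keep only
# those carrying the nimda: prefix, and print one line per source address:
#   SRC  count  first-seen  last-seen
# sorted by count (busiest source first), then by address.
nimda_report() {
    awk '
        /kernel: nimda:/ {
            ts = $1 " " $2 " " $3          # syslog timestamp: month day time
            for (i = 1; i <= NF; i++)
                if ($i ~ /^SRC=/) src = substr($i, 5)
            n[src]++
            if (!(src in first)) first[src] = ts
            last[src] = ts
        }
        END {
            for (s in n)
                printf "%s %d %s %s\n", s, n[s], first[s], last[s]
        }' | sort -k2,2nr -k1,1
}

# Stand-alone usage: feed the constructed sample; in practice pipe in
# /var/log/messages (or wherever klogd/syslogd writes kernel messages).
printf '%s\n' "$SAMPLE_LOG" | nimda_report
```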


This archive was generated by hypermail 2a23 : Tue Apr 09 2002 - 19:17:52 AKDT