Nimda and Code Red II infect IIS web servers; I believe that a firewall
doesn't stop this.
The "Code Red II" worm can be identified on victim machines by the
presence of the following string in IIS log files:
GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%
u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b0
0%u531b%u53ff%u0078%u0000%u00=a
The presence of this string in a log file does not necessarily indicate
compromise; it only implies that a "Code Red II" worm attempted to
infect the machine.
The scanning activity of the Nimda worm produces the following log
entries for any web server listening on port 80/tcp:
GET /scripts/root.exe?/c+dir
GET /MSADC/root.exe?/c+dir
GET /c/winnt/system32/cmd.exe?/c+dir
GET /d/winnt/system32/cmd.exe?/c+dir
GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir
GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
GET /msadc/..%5c../..%5c../..%5c/..\xc1\x1c../..\xc1\x1c../..\xc1\x1c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..\xc1\x1c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..\xc0/../winnt/system32/cmd.exe?/c+dir
GET /scripts/..\xc0\xaf../winnt/system32/cmd.exe?/c+dir
GET /scripts/..\xc1\x9c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..%2f../winnt/system32/cmd.exe?/c+dir
Note: The first four entries in these sample logs denote attempts to
connect to the backdoor left by Code Red II, while the remaining log
entries are examples of exploit attempts for the Directory Traversal
vulnerability.
The solution is to patch Microsoft IIS 4.0 / 5.0; it's enough.
More information at: http://www.cert.org/nav/index.html
On Wed 05/02/2003 at 20:41, aglaab@gmx.de wrote:
> hi
>
> is there a possibility to block nimda and CodeRed attacks?
>
> greetz
>
> aglaab
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.shorewall.net
> http://lists.shorewall.net/mailman/listinfo/shorewall-users
--
VETSEL Patrice
French-language DEBIAN help forum at: http://kagou.tuxfamily.org/
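The reply above points at the IIS log entries as the way to recognise Code Red II probes and Nimda scanning. As an added example (not part of the mailing-list post or of the CERT advisory it quotes), here is a small Python scanner that parses IIS W3C extended log lines and classifies each request into the three groups the post describes: the /default.ida probe of Code Red II, the four root.exe / "/c/" and "/d/" requests that target the backdoor Code Red II leaves behind, and the encoded directory-traversal requests for cmd.exe. The log lines embedded in the block are constructed sample data (client addresses from 192.0.2.0/24, shortened X-run) and the status codes in them are arbitrary; the field names follow the IIS W3C "#Fields:" header convention.

```python
import re
from collections import Counter

# Constructed IIS 5.0 W3C extended log excerpt (sample data, not a real log).
# IIS writes one space-separated record per request; spaces in URIs are logged as '+'.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-02-05 20:41:12 192.0.2.10 GET /default.htm - 200
2003-02-05 20:41:15 192.0.2.44 GET /default.ida XXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200
2003-02-05 20:41:20 192.0.2.44 GET /scripts/root.exe /c+dir 404
2003-02-05 20:41:21 192.0.2.44 GET /c/winnt/system32/cmd.exe /c+dir 404
2003-02-05 20:41:22 192.0.2.44 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404
2003-02-05 20:41:23 192.0.2.44 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404
2003-02-05 20:41:24 192.0.2.44 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 404
2003-02-05 20:41:30 192.0.2.77 GET /index.html - 200
"""

# Code Red II hits the .ida ISAPI filter with a long run of X's followed by %u-encoded data.
CODERED2_STEM = re.compile(r"^/default\.ida$", re.I)

# The first four Nimda entries in the post: root.exe copies and the /c and /d virtual
# roots that Code Red II leaves as a backdoor on an infected host.
BACKDOOR_STEM = re.compile(
    r"^/(scripts|msadc)/root\.exe$|^/[cd]/winnt/system32/cmd\.exe$", re.I)

# The remaining entries: '..' plus one encoded separator (%5c, %2f, %35c, %c0%af, raw
# bytes such as \xc1\x1c) plus '../' reaching winnt/system32/cmd.exe.
TRAVERSAL_STEM = re.compile(r"\.\..{1,6}\.\./winnt/system32/cmd\.exe$", re.I)


def parse_w3c(text):
    """Yield one dict per request record, keyed by the names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if raw.startswith("#") or not raw.strip() or fields is None:
            continue
        values = raw.split()
        if len(values) != len(fields):
            continue  # malformed record; skip rather than misattribute columns
        yield dict(zip(fields, values))


def classify(stem, query):
    """Return the probe family for a request, or None for ordinary traffic."""
    if CODERED2_STEM.match(stem) and query.startswith("X") and "%u" in query:
        return "codered2-probe"
    if BACKDOOR_STEM.match(stem):
        return "nimda-backdoor-probe"
    if TRAVERSAL_STEM.search(stem):
        return "nimda-traversal"
    return None


def scan(text):
    """Return (client ip, family, uri stem) for every matching record in the log."""
    hits = []
    for rec in parse_w3c(text):
        kind = classify(rec.get("cs-uri-stem", ""), rec.get("cs-uri-query", ""))
        if kind:
            hits.append((rec["c-ip"], kind, rec["cs-uri-stem"]))
    return hits


def summarize(hits):
    """Count hits per (client ip, family); a hit is an attempt, not proof of compromise."""
    return Counter((ip, kind) for ip, kind, _ in hits)


if __name__ == "__main__":
    for (ip, kind), n in sorted(summarize(scan(SAMPLE_LOG)).items()):
        print(f"{ip:15} {kind:22} {n}")
```

As the post notes, a match only shows that a worm probed the server; pair the per-address counts with the patch level of the host rather than treating a hit as a compromise.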