Hi All,

The uni uses IDS and Snort to packet sniff.

Snort already contains rules for the common exploits that Nimda uses. The URL traversal exploit has been known and patched over a year ago. So you can set it up to break the connection when the alerts are triggered.

Some possible alert setups:

    alert tcp any any -> any 80 (content:"cmd.exe"; msg:"cmd.exe exploit";)

or to check smtp:

    alert tcp any any -> any 25 (content:"readme.exe"; msg:"nmidA mail";)

Hope that helps

Mahesh

> can this be blocked?
>
> I am getting really ****** off with it... it is just filling up the log
> files.. and going through the C class here hitting all the web servers... at
> least we are running Linux :))
>
> Johnno
>
> ----- Original Message -----
> From: "Mahesh De Silva" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Friday, 28 September 2001 10:36
> Subject: Re: Apache Log -Its Nimda
>
>
> > Hi All
> >
> > These logs are similar to what the uni's log files looked like after it
> > got attacked by the Nimda virus.
> >
> > The attacking machines are looking for the back door left by the Code Red
> > virus. It's looking for a cmd.exe or a root.exe
> >
> > It's most likely not "script kiddie" but the virus itself trying to
> > replicate itself.
> >
> > Mahesh
> >
> >
> > > Johnno writes:
> > >
> > > > I am getting a lot of this in my access log.. what is it ?? someone
> > > > trying to hack their way in or just internet noise??
> > >
> > > Looks like someone's trying to use a buffer overflow exploit of some
> > > kind. One that's designed for MS software by the look of it.
> > >
> > > I just grepped my own Apache log for "default.ida" and got 654 entries
> > > of that big line full of XXX's. It's amazing... I've been getting them
> > > every few minutes in the evenings, from all sorts of different
> > > addresses. First entry was on 2nd August, most recent was last night,
> > > from 210-55-192-210.static-dialup.xtra.co.nz and it's trying to get a
> > > directory listing (it tried about ten zillion times). I think I'll
> > > start blocking a few ports from outside tonight.
> > >
> > > All the requests are identical so it's either a script-kiddie exploit
> > > or a virus trying to propagate.
> > >
> > > Cheers,
> > >
> > >
> > > - Dave
> > >
> > > David A. Mann, B.E. (Elec)
> > > http://www.digistar.com/~dmann/
> > >
> > > "Why is it that if an adult behaves like a child they lock him up,
> > > while children are allowed to run free on the streets?" -- Garfield
> >
> > =====
> > For Linux CD's check out http://www.xsolutions.co.nz/linux
> >
> > http://travel.yahoo.com.au - Yahoo! Travel
> > - Got Itchy feet? Get inspired!
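The thread grep for "default.ida" and the Snort content matches for cmd.exe / root.exe can be turned into a small log scanner that counts worm probes per source address, which is what you want before deciding which addresses to block. This is an added example, not code from the list posters; the log lines, addresses and signature names are constructed for illustration.

```python
import re
from collections import Counter

# Apache common/combined log prefix: client identd user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) \S+'
)

# Request substrings discussed in the thread: Code Red's default.ida overflow,
# and Nimda hunting for the cmd.exe / root.exe backdoor via encoded traversal.
SIGNATURES = {
    "code-red default.ida": re.compile(r"/default\.ida\?", re.I),
    "nimda cmd.exe": re.compile(r"cmd\.exe", re.I),
    "nimda root.exe": re.compile(r"root\.exe", re.I),
    "encoded traversal": re.compile(r"(\.\./|%2e%2e|%255c|%c0%af|%c1%1c)", re.I),
}

def parse_line(line):
    # Return the fields of one access-log line, or None if it does not parse.
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(request):
    # Names of every signature whose pattern appears in the request string.
    return [name for name, rx in SIGNATURES.items() if rx.search(request)]

def scan_log(lines):
    # Count worm probes per source address and per signature over the whole log.
    by_source, by_signature, hits = Counter(), Counter(), []
    for line in lines:
        fields = parse_line(line)
        if not fields:
            continue  # skip blank or malformed lines instead of aborting mid-log
        matched = classify(fields["request"])
        if matched:
            by_source[fields["client"]] += 1
            by_signature.update(matched)
            hits.append((fields["client"], fields["request"], matched))
    return {"by_source": by_source, "by_signature": by_signature, "hits": hits}

# Constructed sample log; addresses are private/documentation ranges, not real hosts.
SAMPLE_LOG = """\
10.0.0.5 - - [28/Sep/2001:09:41:02 +1200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 288
10.0.0.5 - - [28/Sep/2001:09:41:02 +1200] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 288
10.0.0.5 - - [28/Sep/2001:09:41:03 +1200] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 288
192.0.2.9 - - [02/Aug/2001:22:15:10 +1200] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX%u9090%u6858 HTTP/1.0" 404 288
192.0.2.77 - - [28/Sep/2001:10:36:00 +1200] "GET /index.html HTTP/1.0" 200 1532
""".splitlines()

print(scan_log(SAMPLE_LOG)["by_source"].most_common())
```

Run it against the real access_log instead of SAMPLE_LOG to get the per-address probe counts; sources with many hits and only 404s are the worm, not a person.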
