From: "Mario de Oliveira Lobo Neto"
Organization: American School of Recife - Brazil
To: Brett Glass
Date: Wed, 19 Sep 2001 08:28:00 -0300
Subject: Re: NIMDA Virus
Reply-To: mlobo@ear.com.br
Cc: freebsd-security@FreeBSD.ORG
Message-ID: <3BA8570F.8114.55B69A5@localhost>
In-reply-to: <4.3.2.7.2.20010918153412.0493bc10@localhost>
X-mailer: Pegasus Mail for Win32 (v3.12c)
Sender: owner-freebsd-security@FreeBSD.ORG

On 18 Sep 2001, at 15:39, Brett Glass wrote:

> We just put a log monitor on the Apache server, and are firewalling anything
> that sends a request with "cmd.exe" in it. Quite effective.
>
> --Brett

Brett;

Forgive my ignorance, but when you say "firewalling", do you mean in Apache or in ipfw?

If you mean ipfw, how did you build the ipfw rule to reject those "GET cmd.exe"?

They are not causing any harm to our Novell enterprise server but the logs are growing fast.

Thanks,

Mario Lobo

-
*** Mario Lobo - mlobo@ear.com.br ***
American School of Recife
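
One way to implement the log-monitor approach described in the quoted message, as an added example that is not part of the original thread or anyone's actual setup: ipfw matches on packet headers rather than HTTP request text, so the script reads the Apache access log, picks out clients that requested "cmd.exe", and prints one ipfw deny rule per address for review. The function names, rule number 1000, port 80 and the sample log lines are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: print (not run) ipfw deny rules for clients whose Apache
# access-log entries request "cmd.exe". All names here are hypothetical.

# Constructed sample entries (common log format, documentation addresses).
sample_log() {
cat <<'EOF'
192.0.2.10 - - [19/Sep/2001:08:01:02 -0300] "GET /scripts/cmd.exe?/c+dir HTTP/1.0" 404 276
203.0.113.5 - - [19/Sep/2001:08:01:05 -0300] "GET /index.html HTTP/1.0" 200 1043
198.51.100.7 - - [19/Sep/2001:08:01:09 -0300] "GET /msadc/CMD.EXE?/c+dir HTTP/1.0" 404 274
192.0.2.10 - - [19/Sep/2001:08:01:11 -0300] "GET /scripts/cmd.exe?/c+dir HTTP/1.0" 404 276
host.example.net - - [19/Sep/2001:08:01:15 -0300] "GET /scripts/cmd.exe HTTP/1.0" 404 270
EOF
}

# offenders LOGFILE: unique client addresses that requested cmd.exe.
offenders() {
    awk -F'"' '
        # $2 is the quoted request line; match it case-insensitively.
        tolower($2) ~ /cmd\.exe/ {
            split($1, f, " ")
            ip = f[1]
            # Keep only dotted-quad literals so that nothing else from the
            # log (e.g. a resolved hostname) reaches the ipfw command line.
            if (ip ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && !(ip in seen)) {
                seen[ip] = 1
                print ip
            }
        }' "$1"
}

# ipfw_rules LOGFILE RULENUM: one deny rule per offender, web port only.
# RULENUM is an assumption; pick a number that precedes your allow rules.
ipfw_rules() {
    offenders "$1" | while read -r ip; do
        echo "ipfw add $2 deny tcp from $ip to any 80"
    done
}

# Demo on the constructed log; review the output before feeding it to sh.
log=$(mktemp)
sample_log > "$log"
ipfw_rules "$log" 1000
rm -f "$log"
```

Rules added this way accumulate, so expire or consolidate them periodically.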