From owner-freebsd-security  Wed Sep 19 15:47:29 2001
Delivered-To: freebsd-security@freebsd.org
Received: from deborah.paradise.net.nz (deborah.paradise.net.nz [203.96.152.32])
	by hub.freebsd.org (Postfix) with ESMTP id 325DE37B40D
	for <security@FreeBSD.ORG>; Wed, 19 Sep 2001 15:47:24 -0700 (PDT)
Received: from ss11232 (203-79-72-40.cable.paradise.net.nz [203.79.72.40])
	by deborah.paradise.net.nz (Postfix) with ESMTP
	id B30D71FA176; Thu, 20 Sep 2001 10:47:21 +1200 (NZST)
From: rshea@opendoor.co.nz
To: security@FreeBSD.ORG
Date: Thu, 20 Sep 2001 10:46:41 +1200
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: Re: NIMDA Virus
Cc: brett@lariat.org
Message-ID: <3BA9C911.18530.49BAA5C@localhost>
X-mailer: Pegasus Mail for Win32 (v3.12c)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org


> We just put a log monitor on the Apache server, and are firewalling
> anything that sends a request with "cmd.exe" in it. Quite effective. 

I'd like to do this too. I use IPFW. Can anyone point me at a 'how-to' ? I 
thought IPFW rules could only be based on IP address or service type ?

thanks

richard shea.



*****************************************************
Open Door Ltd
PO Box 119-46
Wellington, NZ

PH +64 4 384 7639
FX +64 4 384 7672
*****************************************************

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message