LeRoy Cressy on Thu, 21 Mar 2002 00:20:57 +0100



[PLUG] Nimda virus


Those who are running Apache may have seen evidence of the Nimda virus.

There is currently a way to block the virus at the firewall before it
gets to your web server.  If you are using Debian, then you need to grab
the iptables source and compile part of the patch-o-matic code
yourself, especially the string match.

Edit the Makefile to include the path to your kernel source.

As far as the install paths are concerned, leave them alone, since you
probably are not working on the firewall box but will scp the files and
a new kernel over to the firewall.

make patch-o-matic   # build the various patches used by iptables and patch the kernel source

Put the following lines in your firewall script:


# Block port scans (psd match from patch-o-matic)

iptables -A block -m psd -j LOG --log-prefix "Port Scan "
iptables -A block -m psd -j DROP

# Log, then drop, HTTP requests that carry the Code Red / Nimda probe strings.
# "block" is a user-defined chain: it must already exist (iptables -N block)
# and be reached from INPUT and/or FORWARD.
# Note: the 2002 patch-o-matic string match takes just --string; the string
# match in current kernels (xt_string) also requires --algo bm.

iptables -A block -p tcp --dport http -m state --state NEW,ESTABLISHED,RELATED \
	-m string --string "default.ida" -j LOG --log-prefix "CodeRed virus "
iptables -A block -p tcp --dport http -m state --state NEW,ESTABLISHED,RELATED \
	-m string --string "default.ida" -j DROP

iptables -A block -p tcp --dport http -m state --state NEW,ESTABLISHED,RELATED \
	-m string --string "root.exe" -j LOG --log-prefix "Nimda virus "
iptables -A block -p tcp --dport http -m state --state NEW,ESTABLISHED,RELATED \
	-m string --string "root.exe" -j DROP

iptables -A block -p tcp --dport http -m state --state NEW,ESTABLISHED,RELATED \
	-m string --string "cmd.exe" -j LOG --log-prefix "Nimda virus "
iptables -A block -p tcp --dport http -m state --state NEW,ESTABLISHED,RELATED \
	-m string --string "cmd.exe" -j DROP

iptables -A block -p tcp --dport http -m state --state NEW,ESTABLISHED,RELATED \
	-m string --string "x.ida" -j LOG --log-prefix "Nimda virus "
iptables -A block -p tcp --dport http -m state --state NEW,ESTABLISHED,RELATED \
	-m string --string "x.ida" -j DROP

If you are doing port forwarding, you also need to put this in the
PREROUTING chain of the nat table.

-- 
Rev. LeRoy D. Cressy   mailto:lcressy@telocity.com   /\_/\
                       http://www.netaxs.com/~ldc   ( o.o )
                       Phone:  215-535-4037          > ^ <

Jesus saith unto him, I am the way, the truth, and the life: 
no man cometh unto the Father, but by me. (John 14:6)

______________________________________________________________________
Philadelphia Linux Users Group       -      http://www.phillylinux.org
Announcements-http://lists.phillylinux.org/mail/listinfo/plug-announce
General Discussion  -  http://lists.phillylinux.org/mail/listinfo/plug
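As an added example (not part of LeRoy's post or the iptables project), the same four probe strings turned into a complete, loop-driven firewall script that also creates the `block` chain and hooks it from INPUT and FORWARD, plus a quick check for the same probes in an Apache access log. It assumes IPT defaults to `echo iptables`, so it only prints the rules (run it as root on the firewall with `IPT=iptables` to apply them), and it assumes a current kernel's string match (xt_string), which requires `--algo bm`; the 2002 patch-o-matic match took only `--string`. The access-log lines are constructed for the example, not real traffic.

```shell
#!/bin/sh
# Added example, not from the original post: the Code Red / Nimda signatures
# as a complete, loop-driven ruleset, plus a check for the same probes in an
# Apache access log.  Assumptions: IPT defaults to "echo iptables" so the
# script only prints the rules (run it on the firewall as root with
# IPT=iptables to apply them), and a current kernel's string match
# (xt_string), which requires --algo bm; the 2002 patch-o-matic match
# took only --string.

IPT="${IPT:-echo iptables}"

# Probe strings from the post, each paired with the log prefix to use.
# One "pattern|prefix" entry per line.
SIGNATURES='default.ida|CodeRed virus
x.ida|Nimda virus
root.exe|Nimda virus
cmd.exe|Nimda virus'

# Emit the full ruleset: create the user-defined "block" chain, reach it
# from INPUT (requests to the firewall itself) and FORWARD (requests that
# are port-forwarded/DNATed to the web server; FORWARD sees every packet
# of a connection, not just the first one), then a rate-limited LOG and a
# DROP rule per signature.  No state match is needed: the string match
# only fires on packets that actually carry the request payload.
gen_rules() {
    $IPT -N block 2>/dev/null || true   # harmless if the chain already exists
    $IPT -A INPUT   -j block
    $IPT -A FORWARD -j block

    echo "$SIGNATURES" | while IFS='|' read -r pat prefix; do
        $IPT -A block -p tcp --dport 80 -m string --algo bm --string "$pat" \
             -m limit --limit 5/min -j LOG --log-prefix "$prefix "
        $IPT -A block -p tcp --dport 80 -m string --algo bm --string "$pat" \
             -j DROP
    done
}

# Constructed sample of Apache access_log lines (not real traffic): two
# probe requests and one ordinary page fetch.
SAMPLE_LOG='10.0.0.5 - - [20/Mar/2002:23:58:01 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 287
10.0.0.5 - - [20/Mar/2002:23:58:02 -0500] "GET /default.ida?XXXX HTTP/1.0" 404 287
192.0.2.9 - - [20/Mar/2002:23:59:10 -0500] "GET /index.html HTTP/1.1" 200 1532'

# Count log lines (read from stdin) that contain any signature string.
# grep -F takes the newline-separated pattern list as fixed strings, so the
# "." in "default.ida" is not treated as a wildcard.
count_probes() {
    grep -F -c -- "$(echo "$SIGNATURES" | cut -d'|' -f1)"
}

# Usage: sh nimda_rules.sh        (prints the rules and the sample-log count)
gen_rules
printf 'probe requests in sample log: %s\n' \
    "$(printf '%s\n' "$SAMPLE_LOG" | count_probes)"
```

The loop keeps each signature in one place, so adding a pattern is a one-line change instead of a copy-pasted pair of rules, and the `-m limit` on the LOG rule keeps a worm that retries every few seconds from filling the firewall's syslog.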