First, not to get in another 'list war', you'd get better responses for this from the main TriLUG list.
That said...

[EMAIL PROTECTED] [[EMAIL PROTECTED]] wrote:

> XX.XX.XX.XXX - - [28/Feb/2002:05:44:58 -0500] "GET
> /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 224

A couple things. That's going to be Nimda or CodeRed, almost certainly. Second, given that this is likely Nimda or CodeRed, you've just posted the IP address of a system that's easily compromised to a public list. Congratulations.

> Right now I have a script that reads the log file, and automatically
> DROP's the packets from whomever looks like an MTD spreader. This is
> little better than the problem though, as it fires up my harddisk every
> few minutes. (I'll be happy to share this perl script if anyone wants
> to see it.) Also, by the time I drop them, I've already got 10+ entries in
> the log file from that IP, and I will only be blocking future packets
> from that IP. In other words... the annoyance has already happened. (Is
> that a word?)

So, you just want the log entries to go away? Check out:

http://online.securityfocus.com/archive/75/215203

By using that, your disk is never fired up and you can get rid of the log entries.

If you really want to automatically set drop rules, look at:

http://www.keyslapper.org/Nimda/

And modify it so that rather than sending an e-mail, it adds a new drop entry.

> Is it possible to have the firewall (iptables v1.2.1a on RH7.2)
> inspect the contents of each packet for signatures of MTD's?

There is a patch to netfilter that allows for string matching, but it's really not very robust. If you want to look into it, you'll need to fetch the latest netfilter from:

http://www.netfilter.org/downloads.html

and compile with string matching support.

You could also look at Hogwash (http://hogwash.sourceforge.net/) which can do blocking based on packet contents. It's based on snort, but snort does not do any blocking (and will just create more data to sift through, if you don't care).

> If not, is there a way to have apache log its output to both a file and
> a program? That way, my perl script would only cause disk activity by
> writing a new rule to the firewall.

Look at the rewrite rules from the securityfocus link, or the Nimda mod_perl module (linked above).

> My apologies if this does not fit the usual forum topic parameters.

Again, you can post here all ya want, but you'll get -better- answers on the main trilug discuss list.

Mike

-- 
"Let the power of Ponch compel you! Let the power of Ponch compel you!" -- Zorak on Space Ghost

GNUPG Key fingerprint = ACD2 2F2F C151 FB35 B3AF C821 89C4 DF9A 5DDD 95D1
GNUPG Key = http://www.enoch.org/mike/mike.pubkey.asc
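The thread discusses a script that reads the Apache access log, spots worm probes like the quoted cmd.exe request, and turns the source IP into an iptables DROP rule. Here is an added example of that detection step in Python; it is not the perl script from the thread or any project's code. The sample log lines are constructed (TEST-NET addresses), and the root.exe and default.ida signatures are added alongside the cmd.exe form from the quoted entry because they are the other well-known Nimda/Code Red request targets; the threshold and rule format are assumptions.

```python
import re
from collections import Counter

# One Apache access-log entry: client IP, identd, user, [timestamp], "request", status, bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Request targets typical of Nimda / Code Red probes. The cmd.exe form is the one
# quoted in the post; root.exe and default.ida are the other well-known worm targets.
WORM_SIGNATURES = (
    "/winnt/system32/cmd.exe",
    "/scripts/root.exe",
    "/msadc/root.exe",
    "/default.ida",
)

# Constructed sample log, not real traffic (TEST-NET addresses); last line is deliberately malformed.
SAMPLE_LOG = [
    '192.0.2.10 - - [28/Feb/2002:05:44:58 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 224',
    '192.0.2.10 - - [28/Feb/2002:05:44:59 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 224',
    '203.0.113.5 - - [28/Feb/2002:05:45:01 -0500] "GET /index.html HTTP/1.0" 200 1043',
    '192.0.2.10 - - [28/Feb/2002:05:45:02 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 224',
    '198.51.100.7 - - [28/Feb/2002:05:45:09 -0500] "GET /default.ida?XXXX HTTP/1.0" 404 224',
    'garbage line that does not parse',
]

def parse_line(line):
    """Return the parsed fields of one log line, or None if it is not a valid entry."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_worm_probe(request_line):
    """True if the request line contains one of the worm signatures (case-insensitive)."""
    target = request_line.lower()
    return any(sig in target for sig in WORM_SIGNATURES)

def scan(lines, threshold=3):
    """Count worm probes per client IP; return only IPs at or above the threshold."""
    hits = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry is not None and is_worm_probe(entry["req"]):
            hits[entry["ip"]] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}

def drop_rules(offenders):
    """Render iptables DROP rules for the offending IPs (returned as strings, not executed)."""
    return ["iptables -I INPUT -s %s -j DROP" % ip for ip in sorted(offenders)]
```

Running `drop_rules(scan(SAMPLE_LOG))` yields one rule for 192.0.2.10; the single default.ida probe from 198.51.100.7 stays below the threshold, which is the trade-off the original poster describes between blocking early and blocking on solid evidence.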
