Re: Virus Attack and how to tackle it? [7:44936]

2002-05-24 Thread [EMAIL PROTECTED]

Hi,

This is a trace of the Nimda and Code Red worms. The first thing you can do
is run a Nimda/Code Red scanner in your network and then apply the IIS patch
to all the affected Microsoft servers. Also, you can secure your network
perimeter by configuring NBAR on Cisco routers, or if you have a content
switch you can try filtering Nimda on that... or if you have an IDS, you can
configure shunning the source.

Kind Regards /Thangavel

186K
Reading, Berkshire
Direct No   -0118 9064259
Mobile No  -07796292416
Post code: RG16LH
www.186k.co.uk

--
The greatest glory in living lies not in never falling,
 but in rising every time we fall .
 -- Nelson Mandela




   
   
a. ahmad
Sent by: nobody@groupstudy.com
24/05/2002 08:16
Please respond to a. ahmad
Subject: Virus Attack and how to tackle it? [7:44936]
   
   
   
   




Dear Members,

1- We are getting virus attack messages on our proxy (Squid) machine, not
only from our own IP pool but also from outside. Please guide how to tackle
it, as it is constantly choking our bandwidth. I.e. one of the virus attack
messages we are getting on our proxy (Squid) machine is as under:-

106226.976 5 202.192.204.130 TCP_Miss/503 1210 Get
http://www/_mem_bin/..%255c../..%255../..%255../winnt/system32/cmd.exe? -
DIRECT/www -

106228.156 6 202.192.204.130 TCP_Miss/503 1266 Get
http://www/msadc/..%255c../..%255c../..%255c../..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?
 - DIRECT/www -

106229.324 3 202.192.204.130 TCP_Miss/503 1170 Get
http://www/Scripts/..%c1%1c../winnt/system32/cmd.exe? - DIRECT/www -

106230.625 23 202.192.204.130 TCP_Miss/503 1170 Get
http://www/Scripts/..%c0%2f../winnt/system32/cmd.exe? - DIRECT/www -

106231.841 8 202.192.204.130 TCP_Miss/503 1170 Get
http://www/Scripts/..%c0%af../winnt/system32/cmd.exe? - DIRECT/www -

...etc

etc

2- We want to trace which IPs are utilizing our maximum bandwidth so
that we can limit that traffic accordingly in order to get maximum
efficiency.

Thank you in advance!
Ahmad




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=44938t=44936
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
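
One way to answer both of the questions above from the proxy log itself, as an added example that is not part of the original thread: it totals bytes per client IP and counts requests carrying the encoded-traversal strings seen in the quoted log lines. The sample log, the documentation-range IPs and the probe threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Encoded-traversal markers taken from the log lines quoted in the post.
PROBE = re.compile(r"%255c|%c0%af|%c0%2f|%c1%1c|/winnt/system32/cmd\.exe", re.I)

# Constructed sample in Squid native access.log layout (documentation IPs):
# time elapsed client result/status bytes method URL ident hierarchy type
SAMPLE_LOG = """\
1022224576.976 5 192.0.2.10 TCP_MISS/503 1210 GET http://www/_mem_bin/..%255c../winnt/system32/cmd.exe? - DIRECT/www -
1022224578.156 6 192.0.2.10 TCP_MISS/503 1266 GET http://www/msadc/..%c1%1c../winnt/system32/cmd.exe? - DIRECT/www -
1022224579.324 3 198.51.100.7 TCP_MISS/503 1170 GET http://www/Scripts/..%c0%af../winnt/system32/cmd.exe? - DIRECT/www -
1022224580.100 420 192.0.2.25 TCP_MISS/200 48211 GET http://example.com/index.html - DIRECT/example.com text/html
1022224581.500 95 192.0.2.25 TCP_HIT/200 912004 GET http://example.com/big.iso - NONE/- application/octet-stream
truncated line
"""

def analyse(log_text):
    """Return (bytes per client, probe count per client) for a Squid log."""
    traffic = defaultdict(int)
    probes = defaultdict(int)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7 or not fields[4].isdigit():
            continue  # skip malformed or truncated entries
        client, size, url = fields[2], int(fields[4]), fields[6]
        traffic[client] += size
        if PROBE.search(url):
            probes[client] += 1
    return dict(traffic), dict(probes)

def top_talkers(traffic, n=3):
    """Clients ordered by bytes delivered, largest first."""
    return sorted(traffic.items(), key=lambda kv: kv[1], reverse=True)[:n]

def shun_candidates(probes, threshold=2):
    """Clients with at least `threshold` probe requests (assumed cut-off)."""
    return sorted(ip for ip, count in probes.items() if count >= threshold)

if __name__ == "__main__":
    traffic, probes = analyse(SAMPLE_LOG)
    for ip, size in top_talkers(traffic):
        print(f"{ip:15} {size:>9} bytes  probes={probes.get(ip, 0)}")
    print("shun candidates:", shun_candidates(probes))
```

Clients inside your own IP pool that show up as probe sources are likely infected hosts to scan and patch; outside sources are the ones to filter or shun at the perimeter.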



Re: Virus Attack and how to tackle it? [7:44936]

2002-05-24 Thread Alfredo Pulido

Have a look at this page from Cisco.

http://www.cisco.com/warp/public/63/nbar_acl_codered.shtml


I hope this helps.

--
--
 Alfredo Pulido   [EMAIL PROTECTED]
CCDA
 Dept. Sistemas, IdecNet S.A.
 Juan XXIII 44 // E-35004 Las Palmas de Gran Canaria,
 Las Palmas // SPAIN
 Tel: +34 828 111 000   Fax: +34 828 111 112
 http://www.idecnet.com/
--
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=44939t=44936