"Nimda"?

From: Bradley, Tony (tony.bradley@eds.com)
Date: 02/27/02


From: "Bradley, Tony" <tony.bradley@eds.com>
To: "'incidents@securityfocus.com'" <incidents@securityfocus.com>
Date: Tue, 26 Feb 2002 19:51:16 -0500

Not to start a Microsoft vs. Open Source debate regarding security, but for
me personally my Microsoft systems are more secure simply because I am more
familiar with the operating system(s) and the software and I have more
security experience on that platform.

I recently built a Redhat Linux 7.0 server to use as a web server. I am
quite sure it is entirely insecure because I barely know enough to get
around in Linux, much less how to configure and secure it. I installed
Apache web server and after much trial and error at least got my sites to
work and got the CGI scripts to work.

However, I have noticed in my logs that I have about 1000 "Nimda"-like hits
a day. I have cut & pasted a portion of my log below.

[26/Feb/2002:18:37:19 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
[26/Feb/2002:18:37:19 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
[26/Feb/2002:18:37:20 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
[26/Feb/2002:18:37:20 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
[26/Feb/2002:18:37:20 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 294
[26/Feb/2002:18:37:20 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 294

First of all, since these hits are trying to access Windows directories do
they pose any threat to my Linux machine? Second of all, is there any way
for me to block these types of hits from my server?

If anyone can recommend a good book or resource for hardening my Linux
server and/or any good IDS, antivirus and other such security tools, that
would be appreciated as well.

Thanks-

Tony Bradley, MCSE, MCSA, MCP, A+
Threat & Vulnerability Monitor
EDS GM Global Information Protection Programme
Electronic Data Systems

"We find comfort among those who agree with us-growth among those who
don't." ~ Frank A. Clark ~


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
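Added example, not from the post or from the SecurityFocus list: a small Python filter that parses access-log entries in the shape quoted above (the post's lines rejoined one per line, plus one constructed benign request) and flags the IIS-style traversal probes whichever encoding variant was used, so they can be counted or alerted on rather than read by hand.

```python
import re
from urllib.parse import unquote

# Constructed sample log: the post's wrapped entries rejoined one per line,
# plus a constructed benign request so the filter has something to let through.
SAMPLE_LOG = """\
[26/Feb/2002:18:37:19 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
[26/Feb/2002:18:37:19 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
[26/Feb/2002:18:37:20 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
[26/Feb/2002:18:37:20 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 294
[26/Feb/2002:18:37:21 -0500] "GET /index.html HTTP/1.0" 200 1532
"""

# Fields present in the post's (partial) access-log lines: timestamp, request, status, size.
LINE_RE = re.compile(
    r'\[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def normalize_path(path: str) -> str:
    """Fold the encoding tricks seen in the log into one comparable form.

    Two rounds of percent-decoding collapse the double-encoded '%%35c'
    (-> '%5c' -> '\\'). Overlong UTF-8 such as %c0%af is invalid and decodes
    to U+FFFD, which is itself a tell. Backslashes become '/', then lower-case.
    """
    decoded = unquote(unquote(path, errors="replace"), errors="replace")
    return decoded.replace("\\", "/").lower()


def is_nimda_probe(path: str) -> bool:
    """True when the request looks like the cmd.exe traversal probes in the post."""
    p = normalize_path(path)
    traversal = "/../" in p or "\ufffd" in p        # decoded '..' hop or invalid UTF-8
    windows_target = "cmd.exe" in p or "/winnt/" in p
    return windows_target and traversal


def classify_log(log_text: str) -> dict:
    """Bucket each line as probe / other; lines the regex cannot parse are counted."""
    result = {"probes": [], "other": [], "unparsed": 0}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            result["unparsed"] += 1
            continue
        bucket = "probes" if is_nimda_probe(m["path"]) else "other"
        result[bucket].append((m["ts"], m["path"], int(m["status"])))
    return result


if __name__ == "__main__":
    r = classify_log(SAMPLE_LOG)
    print(f"{len(r['probes'])} probe(s), {len(r['other'])} other request(s)")
```

Matching on the decoded form rather than on one literal string is what keeps the six variants in the post from needing six separate rules.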


