Re: "Nimda"?

From: Eric Brandwine (ericb@UU.NET)
Date: 02/27/02


To: "Bradley, Tony" <tony.bradley@eds.com>
From: Eric Brandwine <ericb@UU.NET>
Date: 27 Feb 2002 03:56:38 +0000


>>>>> "bt" == Bradley, Tony <tony.bradley@eds.com> writes:

bt> However, I have noticed in my logs that I have about 1000 "Nimda"-like hits
bt> a day. I have cut & paste a portion of my log below.

bt> [26/Feb/2002:18:37:19 -0500] "GET
bt> /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
bt> [26/Feb/2002:18:37:19 -0500] "GET
bt> /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
bt> [26/Feb/2002:18:37:20 -0500] "GET
bt> /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
bt> [26/Feb/2002:18:37:20 -0500] "GET
bt> /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
bt> [26/Feb/2002:18:37:20 -0500] "GET
bt> /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 294
bt> [26/Feb/2002:18:37:20 -0500] "GET
bt> /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 294

bt> First of all, since these hits are trying to access Windows directories do
bt> they pose any threat to my Linux machine? Second of all, is there any way
bt> for me to block these types of hits from my server?

No threat at all. Read 'em and laugh. There's no way to stop the
requests coming in, as you have no idea where to expect them from.
You can blackhole or deny hosts as you find their IPs, but I get hit
from all over the net, all day, every day. It's not worth keeping the
list up-to-date, as it's harmless.

Right now, they're going 404 Not Found, which is fine. If you want
to, there are various things you can do to slow down the scanners,
make them have a harder time walking past your box, but I just ignore
them. If you feel really helpful, track down the owners of the
offending netblocks and contact them. This gets old quickly.

bt> If anyone can recommend a good book or resource for hardening my Linux
bt> server and / or any good IDS, antivirus and other such security tools that
bt> would be appreciated as well.

IDS: Snort, hands down. http://www.snort.org

Antivirus: There's not much in the way of Linux/UNIX viruses yet.
There are a couple of reference implementations, and white papers on
how to infect ELF binaries, but they've not really made it into the
wild yet. Host based integrity checking: http://www.tripwire.org/

As for how to learn and lock it down, a google search on 'securing
linux' will get you some excellent links.

ericb

-- 
Eric Brandwine     |  Loyalty to the Country always; loyalty to the government
UUNetwork Security |  when it deserves it.
ericb@uu.net       |
+1 703 886 6038    |      - Mark Twain
Key fingerprint = 3A39 2C2F D5A0 FC7C  5F60 4118 A84A BD5D  59D7 4E3E
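The six variants Tony quotes are the same directory-climb request in different encodings: overlong two-byte UTF-8 for '/' and '\', and a percent sign that is itself percent-encoded so a second decode pass yields %5c. The scanner below, an added example that is not Eric's or Tony's code, normalizes those encodings so a single rule can flag all of them and tally probes per day; the lenient two-byte decoder is my model of the decoder weakness these requests aimed at (an assumption, not a port of any server), the log layout regex and the sample lines are constructed from the quoted log.

```python
import re
from collections import Counter
from urllib.parse import unquote_to_bytes

# Constructed sample: the six probes quoted in Tony's log plus one ordinary request.
SAMPLE_LOG = """\
[26/Feb/2002:18:37:19 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
[26/Feb/2002:18:37:19 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
[26/Feb/2002:18:37:20 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
[26/Feb/2002:18:37:20 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
[26/Feb/2002:18:37:20 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 294
[26/Feb/2002:18:37:20 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 294
[26/Feb/2002:18:40:01 -0500] "GET /index.html HTTP/1.0" 200 1043
"""

# Assumed layout: [day/Mon/year:time zone] "METHOD path HTTP/x" status bytes
LOG_RE = re.compile(r'\[(?P<day>[^:]+):[^\]]+\] "(?P<method>\S+) (?P<path>\S+)')

def lenient_decode(raw: bytes) -> str:
    """Sloppy two-byte UTF-8 decode (assumption): a 0xC0-0xDF lead swallows the
    next byte unchecked, so %c0%af -> '/' and %c1%9c or %c1%1c -> '\\'."""
    out, i = [], 0
    while i < len(raw):
        if 0xC0 <= raw[i] <= 0xDF and i + 1 < len(raw):
            out.append(chr(((raw[i] & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(raw[i]))
            i += 1
    return "".join(out)

def normalize(path: str) -> str:
    """Percent-decode twice (%%35c -> %5c -> '\\'), run the lenient decoder,
    then unify separators so every variant above reads the same."""
    raw = unquote_to_bytes(unquote_to_bytes(path))
    return lenient_decode(raw).replace("\\", "/")

def is_nimda_probe(path: str) -> bool:
    """True when the normalized path climbs out of its directory toward cmd.exe."""
    p = normalize(path).lower()
    return "/../" in p and "cmd.exe" in p

def scan(log_text: str):
    """Return (flagged (day, path) pairs, per-day Counter) for a log text."""
    flagged, per_day = [], Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and is_nimda_probe(m.group("path")):
            flagged.append((m.group("day"), m.group("path")))
            per_day[m.group("day")] += 1
    return flagged, per_day
```

Run `scan(SAMPLE_LOG)` to see all six probes collapse to `/scripts/../../winnt/system32/cmd.exe` and the ordinary request pass; on a Linux box these stay harmless 404s, so the value is in the daily count, not in acting on each hit.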

---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com


