RE: "Nimda"?
From: Doug Harold (r0o5t4R@netscape.net)
Date: 02/27/02
- Previous message: Peter Mueller: "RE: [Whitehat] "Nimda"?"
- Maybe in reply to: Bradley, Tony: ""Nimda"?"
- Next in thread: Joshua_Hiller@aeanet.org: "Re: "Nimda"?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 27 Feb 2002 11:26:21 -0500
From: r0o5t4R@netscape.net (Doug Harold)
To: tony.bradley@eds.com ("Bradley, Tony"), incidents@securityfocus.com ("'incidents@securityfocus.com'")
Some links that might help...
http://www.enteract.com/~lspitz/linux.html
http://www.psionic.com/products/portsentry.html
http://www.oit.ucsb.edu/~eta/swatch/
And a must have...
http://www.sansstore.org/Merchant/linux.htm
(Always have to plug SANS...)
:-)
Hope these help,
/signed/
Doug Harold, GCIA
Captain
Canadian NORAD Region
Information Protection
"Bradley, Tony" <tony.bradley@eds.com> wrote:
>Not to start a Microsoft vs. Open Source debate regarding security, but for
>me personally my Microsoft systems are more secure simply because I am more
>familiar with the operating system(s) and the software and I have more
>security experience on that platform.
>
>I recently built a Redhat Linux 7.0 server to use as a web server. I am
>quite sure it is entirely insecure because I barely know enough to get
>around in Linux, much less how to configure and secure it. I installed
>Apache web server and after much trial and error at least got my sites to
>work and got the CGI scripts to work.
>
>However, I have noticed in my logs that I have about 1000 "Nimda"-like hits
>a day. I have cut & pasted a portion of my log below.
>
>[26/Feb/2002:18:37:19 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
>[26/Feb/2002:18:37:19 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
>[26/Feb/2002:18:37:20 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
>[26/Feb/2002:18:37:20 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
>[26/Feb/2002:18:37:20 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 294
>[26/Feb/2002:18:37:20 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 294
>
>First of all, since these hits are trying to access Windows directories do
>they pose any threat to my Linux machine? Second of all, is there any way
>for me to block these types of hits from my server?
>
>If anyone can recommend a good book or resource for hardening my Linux
>server and / or any good IDS, antivirus and other such security tools that
>would be appreciated as well.
>
>Thanks-
>
>Tony Bradley, MCSE, MCSA, MCP, A+
>Threat & Vulnerability Monitor
>EDS GM Global Information Protection Programme
>Electronic Data Systems
>
>"We find comfort among those who agree with us-growth among those who
>don't." ~ Frank A. Clark ~
>
>
>
>----------------------------------------------------------------------------
>This list is provided by the SecurityFocus ARIS analyzer service.
>For more information on this free incident handling, management
>and tracking system please see: http://aris.securityfocus.com
>
>
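The six requests quoted above are Nimda/Code Red II style probes for the IIS Unicode and double-decode traversal bugs, and the point of the question is whether they matter on an Apache/Linux host and how to spot them. The checker below is an added example (not from this thread and not part of any of the tools linked above): it parses Apache common-log-format lines, reproduces the lenient decoding the probes rely on (an overlong lead byte 0xC0/0xC1 folded to the ASCII byte it encodes, then a second percent-decode pass for the `%%35c` forms), and reports per-source hit counts together with the HTTP status Apache answered with. The sample log is constructed: the request strings are the ones in the quoted post, while the client addresses (RFC 5737 test ranges), the leading `- -` fields and the final benign line are assumptions added so the lines parse.

```python
"""Classify IIS Unicode/double-decode traversal probes in an Apache access log.

Added example for this thread, not code from the thread or from any listed
tool. The sample log below is constructed: request strings are the ones in
the quoted post; client IPs and the benign last line are invented.
"""
import re
from collections import Counter
from urllib.parse import unquote_to_bytes

# Constructed sample in Apache common log format (IPs are made up).
SAMPLE_LOG = """\
192.0.2.10 - - [26/Feb/2002:18:37:19 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
192.0.2.10 - - [26/Feb/2002:18:37:19 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
192.0.2.10 - - [26/Feb/2002:18:37:20 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
192.0.2.10 - - [26/Feb/2002:18:37:20 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
192.0.2.10 - - [26/Feb/2002:18:37:20 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 294
192.0.2.10 - - [26/Feb/2002:18:37:20 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 294
198.51.100.7 - - [26/Feb/2002:18:40:01 -0500] "GET /index.html HTTP/1.0" 200 1532
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<size>\S+)$'
)
TRAVERSAL = re.compile(r'(^|/)\.\.(/|$)')
TARGETS = ("cmd.exe",)  # the program the quoted probes aim for


def lenient_utf8_fold(raw: bytes) -> bytes:
    """Fold a 2-byte sequence with an overlong lead byte (0xC0/0xC1) to the
    ASCII byte it encodes, ((lead & 0x1f) << 6) | (next & 0x3f), without
    checking that the second byte is a valid continuation byte. This is the
    decoder behaviour the probes exploit: %c0%af and %c0%2f become '/',
    %c1%9c and %c1%1c become '\\'."""
    out = bytearray()
    i = 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw):
            out.append(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F))
            i += 2
        else:
            out.append(b)
            i += 1
    return bytes(out)


def canonical_path(path: str) -> str:
    """Percent-decode, fold overlong UTF-8, then decode once more so the
    double-encoded '%%35c' / '%%35%63' forms (-> '%5c' -> '\\') collapse too;
    finally normalise backslashes to '/' and lower-case."""
    once = lenient_utf8_fold(unquote_to_bytes(path.encode("latin-1")))
    twice = lenient_utf8_fold(unquote_to_bytes(once))
    return twice.decode("latin-1").replace("\\", "/").lower()


def classify(path: str) -> dict:
    """Return the canonical path plus whether it is an IIS traversal probe."""
    canon = canonical_path(path)
    resource = canon.split("?", 1)[0]
    traversal = TRAVERSAL.search(resource) is not None
    target = next((t for t in TARGETS if resource.endswith(t)), None)
    return {"canonical": canon, "traversal": traversal, "target": target,
            "iis_probe": traversal and target is not None}


def parse_log(text: str):
    """Yield one dict per line that matches common log format; skip the rest."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def summarize(text: str) -> dict:
    """Count probes per source IP and per status Apache returned. A 2xx on
    one of these paths is what would need investigating; 400/404 means the
    server handed back nothing."""
    per_ip, statuses, served = Counter(), Counter(), []
    for rec in parse_log(text):
        if classify(rec["path"])["iis_probe"]:
            per_ip[rec["ip"]] += 1
            statuses[rec["status"]] += 1
            if rec["status"].startswith("2"):
                served.append(rec)
    return {"per_ip": dict(per_ip), "statuses": dict(statuses), "served": served}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for ip, n in report["per_ip"].items():
        print(f"{ip}: {n} IIS traversal probes")
    print("status codes returned:", report["statuses"])
    print("probes that got a 2xx:", len(report["served"]))
```

Run against the sample, every probe resolves to `/scripts/../../winnt/system32/cmd.exe`, all six come from one source, and the statuses are four 404s and two 400s, i.e. nothing was served. On an Apache box the interesting output is the `served` list: it should stay empty. To keep the noise out of the log without an IDS, one Apache-side option (my suggestion, not from the thread) is a `SetEnvIf Request_URI "cmd\.exe" nimda` plus `Deny from env=nimda` pair, which turns the 404s into 403s at the access-control stage.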