Re: "Nimda"?

Date: 02/27/02

To: "Bradley, Tony" <>
Date: Tue, 26 Feb 2002 19:05:26 -0800

First, the OS hardening issue ...

I'm pretty much an IIS guy myself, but not so much that I allow
that to jeopardize my chances to thump away at a Redhat box on occasion...

I have used Apache a little, on Redhat just because that's the linux flavor
I'm most comfortable with.
(Slackware has groovy games. Caldera is the world's easiest install. But I
still like Redhat)

Last hacking / security course I went thru had us bastionizing a forward
deployed Redhat mailserver.
The application we used to do most of it was called, "Bastille". I'm
mentioning it,
hoping someone might respond with a link, I alas... do not have one.

Bastille did an excellent job of performing around 90% of the "big ones"
that have
to be done on a linux box, and pointed out lots of things, that I, as an
IIS guy,
completely forget about. Check it out if ya can find it.

There are also a couple of really good books out, by the same crew that did
(I think - the covers are the same at least.), I saw one today that was
If I was to buy one, that would be it. (I also use the standard, "RedHat 7
Unleashed" and
"The Complete Ref."), but they don't spend more than a brief moment on true

As to the Nimda idiocy...

In my opinion, the biggest impact this has on your linux box is the traffic
1000 hits a day isn't that bad in the grand scheme of things,
(Depending on your connection of course), so I treat this as something that
I manage.
I'm sure there are other possible issues...?

Even with a properly secured IIS install, I find myself perusing logs, or
in my case,
tracking applications I've written so that I can sorta of keep an eye on
the # of
requests, and the originating IP's. 1000 hits a day is a relatively busy
one when it
comes to Nimda strikes for my site, but I've easily tripled that every now
and again...
biggest thing it did was generate traffic and logs.

For my site, repeat offenders wind up in "Web Jail", where they are told
how to get
cleaned up, and how to get off of the ban list. Anything they request from
the web server
takes them there. (The idea being, there's the *slighest* chance this
person may
actually *use* my site and figure out there's a problem... Yeah I know, I'm
a dreamer...)

If Web Jail says that they're still doing it constantly, I ban them at the
firewall / router.
It's arguable as to where the traffic degradation hit is most felt, and I'm
not going to allow
the firewall rules list to get *too* lengthy, but this does resolve the
enormous management issue these repeat offenders tend to be. I've also
noticed that about
once a month I can remove the oldest few from the list, and very rarely are
they returning. (Still
is a management issue for tho.) So maybe they *are* slowly figuring it

I'd love to notify all of these dork's ISPs, etc., and have them properly
Unfortunately, I like the rest of us, am busy enough just watching my side
of the playground.

My um... sumpthing02

Joshua Hiller

                      "Bradley, Tony"
                      <tony.bradley@eds To: "''" <>
                      .com> cc:
                                               Subject: "Nimda"?
                      02/26/02 04:51 PM

Not to start a Microsoft vs. Open Source debate regarding security, but for
me personally my Microsoft systems are more secure simply because I am more
familiar with the operating system(s) and the software and I have more
security experience on that platform.

I recently built a Redhat Linux 7.0 server to use as a web server. I am
quite sure it is entirely insecure because I barely know enough to get
around in Linux, much less how to configure and secure it. I installed
Apache web server and after much trial and error at least got my sites to
work and got the CGI scripts to work.

However, I have noticed in my logs that I have about 1000 "Nimda"-like hits
a day. I have cut & paste a portion of my log below.

[26/Feb/2002:18:37:19 -0500] "GET
/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
[26/Feb/2002:18:37:19 -0500] "GET
/scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
[26/Feb/2002:18:37:20 -0500] "GET
/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
[26/Feb/2002:18:37:20 -0500] "GET
/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
[26/Feb/2002:18:37:20 -0500] "GET
/scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 294
[26/Feb/2002:18:37:20 -0500] "GET
/scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 294

First of all, since these hits are trying to access Windows directories do
they pose any threat to my Linux machine? Second of all, is there any way
for me to block these types of hits from my server?

If anyone can recommend a good book or resource for hardening my Linux
server and / or any good IDS, antivirus and other such security tools that
would be appreciated as well.


Tony Bradley, MCSE, MCSA, MCP, A+
Threat & Vulnerability Monitor
EDS GM Global Information Protection Programme
Electronic Data Systems

"We find comfort among those who agree with us-growth among those who
don't." ~ Frank A. Clark ~


This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see:

This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: