Search

	display results
words begin exact words any words part

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [FW1] New worm on the road?

To: "'[email protected]'" <[email protected]>
Subject: RE: [FW1] New worm on the road?
From: "METE EMINAGAOGLU (IT)" <[email protected]>
Date: Thu, 20 Sep 2001 20:23:58 +0300
Cc: "'[email protected]'" <[email protected]>
Sender: [email protected]

Title: RE: [FW1] New worm on the road?

Yes, I think everyone related with networking & security should have been aware till now somehow. (Since, W32/Nimda is so massive, aggressive, and posing many multi-functional different threats... Thanks to all the security vulnerabilities of Microsoft products!!!)

Yes, you can create an http-security URI object. (Similar to the one used for CodeRed warm...)

However, I should warn you that some people continously argue that this solution slows down http service in the FW, or crashes the FW completely... ?? (Although I have never faced such problems...)

I'm still using different http and smtp-security server based rules in my FW. Even the one I' ve denoted below, no performance bottleneck so far...

The solution: (A generic one for W32/Nimda, CodeRed, Sadmind/IIS)

1. Create A new URI Resource (say, Block_http),

Tick both Connection Methods: "Transparent" & "Proxy"
In the URI Match Spec. Type, choose "Wild Cards"

Schemes: HTTP
Method: GET, (you can also tick the other methods, if u'd like...)
Host: *
Path: {*default.ida?*,*cmd.exe?*,*root.exe?*,*dmin.dll,*/x,*readme.exe*}
Query:*

2. Create a new rule on top of all the other http-based rules as;

src: any
dst: any
svc: http --> Block_http
act: DROP

3. Install the policy.

BEST LUCK...

PS:

What' s more, you can also filter incoming or outgoing (or both) mails infected with this virus, by stripping MIME attachments with readme.exe or *.exe types. using FW' s smtp security server...

-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Wednesday, September 19, 2001 6:32 AM
To: Patrick Coomans
Cc: [email protected]
Subject: Re: [FW1] New worm on the road?

It's all over the news. The W32/Nimda worm (admin backwards). Feel free to read
all about it. It's caused massive headaches all day today.

http://www.cert.org/advisories/CA-2001-26.html

"Patrick Coomans" <[email protected]> on 09/18/2001 05:35:36 PM

To: [email protected]
cc: (bcc: Harley S. Sanders/BAIS/BAReston)

Subject: [FW1] New worm on the road?

Since this evening I am experiencing massive attacks on HTTP (IIS oriented I
presume) from many different IP addresses.

They all look like:

GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
HTTP/1.0
GET /scripts/root.exe?/c+dir HTTP/1.0
GET /MSADC/root.exe?/c+dir HTTP/1.0
GET /MSADC/root.exe?/c+dir HTTP/1.0
GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
HTTP/1.0
GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
HTTP/1.0
GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
HTTP/1.0
GET
/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir

HTTP/1.0
GET
/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir

HTTP/1.0
GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0

Is anyone aware that this is some new kind of worm?
Now my FW1 question: can I create a HTTP resource (secure server) that blocks
all requests that e.g. have a .EXE in it ? Or would that slow my FW1's down to
much?

Any other suggestions for good products that can do HTTP content inspection and
that cooperate or can co-exist with fw1 ?

Thanks,
Patrick

Follow-Ups:
- Re: [FW1] New worm on the road?
  - From: Paul Cardon <[email protected]>
- Re: [FW1] New worm on the road?
  - From: "Yves Belle-Isle" <[email protected]>

Prev by Date: Re: [FW1] New worm on the road?
Next by Date: [FW1] fw-1 alert message
Previous by thread: Re: [FW1] New worm on the road?
Next by thread: Re: [FW1] New worm on the road?
Index(es):
- Date
- Thread