Security Incidents mailing list archives
RE: nimda tries to send mail after reboot
From: "Andrew Mulholland" <Andrew.Mulholland () biznet-solutions com>
Date: Wed, 19 Sep 2001 18:24:39 +0100
People might want to try the following configuration for their Cisco routers. AFAIK it requires IOS 12.1(5)T or later, but it should block most of it router-side - though this is unlikely to stop your bandwidth getting hammered - unless you can get your upstream to do it...

--->
!
ip cef
!
! classify HTTP requests whose URL matches either pattern
class-map match-any code_red
 match protocol http url "*.ida*"
 match protocol http url "*.exe*"
!
! mark the classified traffic with DSCP 1
policy-map tag_code_red
 class code_red
  set ip dscp 1
!
!
interface <int facing isp>
 service-policy input tag_code_red
!
interface <int facing your network>
 ip access-group 105 out
!
! drop anything marked DSCP 1, pass everything else
access-list 105 deny ip any any dscp 1
access-list 105 permit ip any any
<----

thanks

Andrew
-----Original Message-----
From: Brett Glass [mailto:brett () lariat org]
Sent: 19 September 2001 18:14
To: jforster () rapidnet com
Cc: incidents () securityfocus com
Subject: Re: nimda tries to send mail after reboot

Messages bearing the worm are starting to trickle in, slowly. It may be that the worm is designed to start e-mailing only after the infection is a certain number of hours old.

Sadly, the copies of the worm we're receiving are coming from companies whose employees we'd expect to know better than to leave machines unprotected -- such as V-One and SCO.

I agree that it will be a very long week. None of our machines is susceptible to the worm, but our backbone feed is getting hammered. I wish we had a firewall under our control at our upstream provider.

--Brett Glass

At 11:08 AM 9/19/2001, jforster () rapidnet com wrote:

> I got a few copies of this worm (via e-mail) this afternoon. Sadly, someone else in the office did as well (or hit an infected site).
>
> It's going to be a long week....

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
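The mark-then-drop logic of the router configuration above, modelled as an added example that is not part of the original message. It shows which requests the two URL patterns stop and which they do not. The sample requests are constructed, and the use of Python glob matching (`fnmatchcase`) to stand in for the router's URL matching on a two-interface router is an assumption.

```python
from fnmatch import fnmatchcase

# URL globs from class-map code_red in the message above.
URL_GLOBS = ("*.ida*", "*.exe*")
MARK = 1  # "set ip dscp 1" in policy-map tag_code_red

# Constructed sample requests: (arrives_on, url, is_worm_probe).
# "isp" = enters on the ISP-facing interface, "lan" = enters from the inside.
SAMPLES = [
    ("isp", "/default.ida?NNNNNNNNNNNN", True),
    ("isp", "/scripts/root.exe?/c+dir", True),
    ("isp", "/scripts/..%255c../winnt/system32/cmd.exe?/c+dir", True),
    ("isp", "/index.html", False),
    ("isp", "/downloads/setup.exe", False),
    ("lan", "/scripts/root.exe?/c+dir", True),
]


def mark(arrives_on, url, dscp=0):
    """service-policy input tag_code_red: only on the ISP-facing interface."""
    if arrives_on == "isp" and any(fnmatchcase(url, g) for g in URL_GLOBS):
        return MARK
    return dscp


def acl_105(arrives_on, dscp):
    """access-list 105, applied outbound on the inside interface only."""
    if arrives_on == "isp" and dscp == MARK:
        return "deny"
    return "permit"


def evaluate(samples):
    """Return (blocked probes, blocked benign, probes passed)."""
    blocked, collateral, missed = [], [], []
    for arrives_on, url, is_probe in samples:
        action = acl_105(arrives_on, mark(arrives_on, url))
        if action == "deny":
            (blocked if is_probe else collateral).append(url)
        elif is_probe:
            missed.append((arrives_on, url))
    return blocked, collateral, missed


if __name__ == "__main__":
    blocked, collateral, missed = evaluate(SAMPLES)
    print("blocked probes :", blocked)
    print("blocked benign :", collateral)
    print("probes passed  :", missed)
```

In this model the inbound request for `/downloads/setup.exe` is dropped along with the probes, and the probe that enters from the inside interface is never marked, so the policy does nothing about scanning that originates from an infected internal host.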