Security Incidents mailing list archives
Using NBAR to stop your users from getting Nimda from a web page
From: "Antonio Vasconcelos" <vasco () convex pt>
Date: Sat, 22 Sep 2001 04:59:07 +0100
If you have implemented NBAR in your cisco routers to stop CodeRed, you can add a line that stops your users getting infected with Nimda when browsing an infected server using IE. (You can learn about setting up NBAR in http://iponeverything.net/CodeRed.html )
Inside the class-map match-any {your_map_name} just add the line

    match protocol http url "*.eml*"

I don't know if there is any legit use for receiving .EML files over HTTP; if there is, use "*readme.eml*" instead.
I'm not 100% sure if this works; my anti-virus (F-Secure) fires up anyway, but it may be because it is scanning the page and finding the JavaScript fragment. I don't really know. However, with that line in place I can't use wget (from a Linux machine) to get the readme.eml file from an infected server: it just times out. Without the line, I got the file all right.
(By the way, getting readme.eml with wget gives you the exact time when the server was infected.)
[with]
--------------------------------------------------------------------------------
lula:~ # wget -T 30 -t 1 -d AA.BB.CC.DD/readme.eml
DEBUG output created by Wget 1.6 on linux-gnu.

parseurl ("AA.BB.CC.DD/readme.eml") -> host AA.BB.CC.DD -> opath readme.eml -> dir  -> file readme.eml -> ndir
newpath: /readme.eml
--04:37:24--  http://AA.BB.CC.DD/readme.eml
           => `readme.eml'
Connecting to AA.BB.CC.DD:80... Created fd 3.
connected!
---request begin---
GET /readme.eml HTTP/1.0
User-Agent: Wget/1.6
Host: AA.BB.CC.DD
Accept: */*

---request end---
HTTP request sent, awaiting response... Read error (Connection timed out) in headers.
Closing fd 3
Giving up.
--------------------------------------------------------------------------------

[without]
--------------------------------------------------------------------------------
lula:~ # wget -T 30 -t 1 -d AA.BB.CC.DD/readme.eml
DEBUG output created by Wget 1.6 on linux-gnu.

parseurl ("AA.BB.CC.DD/readme.eml") -> host AA.BB.CC.DD -> opath readme.eml -> dir  -> file readme.eml -> ndir
newpath: /readme.eml
--04:42:42--  http://AA.BB.CC.DD/readme.eml
           => `readme.eml'
Connecting to AA.BB.CC.DD:80... Created fd 3.
connected!
---request begin---
GET /readme.eml HTTP/1.0
User-Agent: Wget/1.6
Host: AA.BB.CC.DD
Accept: */*

---request end---
HTTP request sent, awaiting response... HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Sat, 22 Sep 2001 03:35:56 GMT
Content-Type: message/rfc822
Accept-Ranges: bytes
Last-Modified: Tue, 18 Sep 2001 13:52:51 GMT
ETag: "da9d10354940c11:89a"
Content-Length: 79225


Length: 79,225 [message/rfc822]

    0K -> .......... .......... .......... .......... .......... [ 64%]
   50K -> .......... .......... .......                          [100%]

Closing fd 3
04:42:48 (14.22 KB/s) - `readme.eml' saved [79225/79225]
--------------------------------------------------------------------------------

Hope this helps... Good luck.

----------
António Vasconcelos - ICQ #109994473 - Senior Network Management Support
CONVEX Portugal, Lda - T: +351-21-422-9200 F: +351-21-421-3787

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
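For readers who do not already have the CodeRed class-map in place, here is the surrounding NBAR configuration the suggested line would sit in. This is an added example, not the post's own or the linked page's configuration; it follows the mark-then-drop pattern Cisco published for CodeRed (older IOS releases cannot drop directly from a policy-map), and the class-map, policy-map and ACL names, the interface names and the DSCP value are all assumptions.

```cisco
! Classify HTTP requests whose URL matches a worm signature (NBAR stateful
! URL matching). The three CodeRed entries are the ones the post assumes are
! already present; the .eml line is the Nimda addition. Use "*readme.eml*"
! instead of "*.eml*" if .EML downloads over HTTP have a legitimate use here.
class-map match-any http-worms
  match protocol http url "*default.ida*"
  match protocol http url "*cmd.exe*"
  match protocol http url "*root.exe*"
  match protocol http url "*.eml*"
!
! Mark matching traffic with an otherwise unused DSCP value (1 is assumed)
! instead of dropping it inline, so the same ACL can drop it on any interface.
policy-map mark-http-worms
  class http-worms
    set ip dscp 1
!
! Apply the policy where the user's HTTP request enters the router
! (interface name assumed). For Nimda picked up while browsing, that is the
! LAN side; for CodeRed it was the WAN side, so both interfaces may carry it.
interface FastEthernet0/0
  description LAN facing users
  service-policy input mark-http-worms
!
! Drop the marked packets before they leave toward the Internet and let
! everything else through (ACL number assumed).
access-list 105 deny   ip any any dscp 1
access-list 105 permit ip any any
!
interface Serial0/0
  description WAN link
  ip access-group 105 out
```

Check what the class actually caught with "show policy-map interface FastEthernet0/0" before trusting the match; as the post notes, a wildcard as broad as "*.eml*" may also catch traffic you want.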
Current thread:
- Using NBAR to stop your users from getting Nimda from a web page Antonio Vasconcelos (Sep 22)
- Re: Using NBAR to stop your users from getting Nimda from a web page Trevor (Sep 23)
- Re: Using NBAR to stop your users from getting Nimda from a web page Jeff Kell (Sep 24)
- Message not available
- Re: Using NBAR to stop your users from getting Nimda from a web page Antonio Vasconcelos (Sep 24)
- Re: Using NBAR to stop your users from getting Nimda from a web page Trevor (Sep 23)