Security Incidents mailing list archives

Re: "Nimda"?


From: Eric Brandwine <ericb () UU NET>
Date: 27 Feb 2002 03:56:38 +0000

"bt" == Bradley, Tony <tony.bradley () eds com> writes:

bt> However, I have noticed in my logs that I have about 1000 "Nimda"-like hits
bt> a day. I have cut & pasted a portion of my log below.

bt> [26/Feb/2002:18:37:19 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
bt> [26/Feb/2002:18:37:19 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
bt> [26/Feb/2002:18:37:20 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
bt> [26/Feb/2002:18:37:20 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
bt> [26/Feb/2002:18:37:20 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 294
bt> [26/Feb/2002:18:37:20 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 294

bt> First of all, since these hits are trying to access Windows directories do
bt> they pose any threat to my Linux machine? Second of all, is there any way
bt> for me to block these types of hits from my server?

No threat at all.  Read 'em and laugh.  There's no way to stop the
requests coming in, as you have no idea where to expect them from.
You can blackhole or deny hosts as you find their IPs, but I get hit
from all over the net, all day, every day.  It's not worth keeping the
list up-to-date, as it's harmless.

Right now, they're going 404 Not Found, which is fine.  If you want
to, there are various things you can do to slow down the scanners,
make them have a harder time walking past your box, but I just ignore
them.  If you feel really helpful, track down the owners of the
offending netblocks and contact them.  This gets old quickly.

bt> If anyone can recommend a good book or resource for hardening my Linux
bt> server and / or any good IDS, antivirus and other such security tools that
bt> would be appreciated as well.

IDS: Snort, hands down.  http://www.snort.org

Antivirus: There's not much in the way of Linux/UNIX viruses yet.
There are a couple of reference implementations, and white papers on
how to infect ELF binaries, but they've not really made it into the
wild yet.  Host based integrity checking: http://www.tripwire.org/

As for how to learn and lock it down, a google search on 'securing
linux' will get you some excellent links.

ericb
-- 
Eric Brandwine     |  Loyalty to the Country always; loyalty to the government
UUNetwork Security |  when it deserves it.
ericb () uu net       |
+1 703 886 6038    |      - Mark Twain
Key fingerprint = 3A39 2C2F D5A0 FC7C  5F60 4118 A84A BD5D  59D7 4E3E

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
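Added example (not part of the thread, not Eric's or Tony's code): a small
triage script for the probe lines quoted above. It parses Apache common log
format, collapses the encoding tricks in the request path (overlong UTF-8
such as %c0%af and %c1%9c, and the double-encoded %%35c form) the way a
lenient server would, flags the requests that resolve to a traversal into
winnt/system32/cmd.exe, counts probes per source IP so you can feed a deny
rule if you want one, and, the check that actually matters on a Linux box,
reports any probe that was answered with a 2xx instead of the 404/400 Eric
says is fine. The sample log lines and the 192.0.2.0/24 client addresses
are constructed for this example; the request strings are the ones from the
quoted log.

```python
"""Triage Nimda-style probe lines from an Apache access log.

Example code written for this thread, not taken from the original post.
The sample log below is constructed: Apache common log format, client IPs
from the 192.0.2.0/24 documentation range, request strings as quoted above.
"""
import re
from collections import Counter
from urllib.parse import unquote_to_bytes

# Constructed sample input (five probes from one source, one clean request
# and one unencoded probe from a second source).
SAMPLE_LOG = """\
192.0.2.10 - - [26/Feb/2002:18:37:19 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
192.0.2.10 - - [26/Feb/2002:18:37:19 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
192.0.2.10 - - [26/Feb/2002:18:37:20 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
192.0.2.10 - - [26/Feb/2002:18:37:20 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 294
192.0.2.10 - - [26/Feb/2002:18:37:20 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 294
192.0.2.23 - - [26/Feb/2002:18:40:02 -0500] "GET /index.html HTTP/1.0" 200 1043
192.0.2.23 - - [26/Feb/2002:18:40:03 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
"""

# Apache common log format: ip ident user [ts] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r"(?P<status>\d{3}) (?P<size>\S+)$"
)
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")
TARGET = re.compile(r"/cmd\.exe\b", re.IGNORECASE)


def normalise_path(raw: str) -> str:
    """Decode a request path the way a lenient server might, so that the
    encoding variants collapse to the plain ASCII path they aim at."""
    data = raw.encode("latin-1", "replace")
    # Two rounds of %-decoding: "%%35c" -> "%5c" -> "\" (double encoding).
    for _ in range(2):
        data = unquote_to_bytes(data)
    out = []
    i = 0
    while i < len(data):
        b = data[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(data):
            # Two-byte UTF-8 lead byte.  A strict decoder rejects a result
            # below 0x80 (an "overlong" encoding); the probes count on a
            # decoder that accepts it, so this one deliberately does too.
            cp = ((b & 0x1F) << 6) | (data[i + 1] & 0x3F)
            if cp < 0x80:
                out.append(chr(cp))
                i += 2
                continue
        out.append(chr(b) if b < 0x80 else "?")
        i += 1
    # Treat backslash as a path separator, as a Windows target would.
    return "".join(out).replace("\\", "/")


def classify(line: str):
    """Parse one log line; return a record with a 'probe' flag, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = normalise_path(m["path"])
    probe = bool(TARGET.search(path)) or bool(
        TRAVERSAL.search(path) and "/winnt/" in path.lower()
    )
    return {"ip": m["ip"], "status": int(m["status"]), "path": path, "probe": probe}


def analyse(log_text: str):
    """Return (probe count per source IP, list of probes answered with 2xx)."""
    per_ip = Counter()
    served = []
    for line in log_text.splitlines():
        rec = classify(line)
        if rec and rec["probe"]:
            per_ip[rec["ip"]] += 1
            if 200 <= rec["status"] < 300:
                served.append(rec)  # a probe that got content: investigate
    return per_ip, served


def deny_list(per_ip: Counter, threshold: int) -> list:
    """Sources with at least `threshold` probes, sorted, for a deny rule."""
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)


if __name__ == "__main__":
    hits, served = analyse(SAMPLE_LOG)
    for ip, n in hits.most_common():
        print(f"{ip:15} {n} probe(s)")
    print("candidates for a deny rule:", deny_list(hits, threshold=3))
    print("probes answered 2xx (investigate):", len(served))
```

The decoder is lenient on purpose: the point is to see what the request
*would* resolve to on a server that accepts overlong sequences, which is
what these probes count on, not to validate the encoding. On a Linux box the
only line worth paging anyone for is a probe in the `served` list.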