Security Incidents mailing list archives

Re: "Nimda"?


From: "Jay D. Dyson" <jdyson () treachery net>
Date: Tue, 26 Feb 2002 18:30:32 -0800 (PST)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 26 Feb 2002, Bradley, Tony wrote:

> However, I have noticed in my logs that I have about 1000 "Nimda"-like
> hits a day. I have cut & paste a portion of my log below.
> <snip>
> First of all, since these hits are trying to access Windows directories do
> they pose any threat to my Linux machine? Second of all, is there any way
> for me to block these types of hits from my server?

        No, they pose no threat to your system.  And no, there's no way to
block them short of blocking the IPs themselves.

        I've found that the best defense is a good offense, so I have an
automated notification facility in place that acts as a decoy.  When
either Code Red or Nimda hit my servers, the owner of the netblock is
immediately notified that their systems are being used as an attack
platform against other machines.  That tends to keep things like that down
to a dull roar (unless you're dealing with negligent admins who just don't
give a whoop).

> If anyone can recommend a good book or resource for hardening my Linux
> server and / or any good IDS, antivirus and other such security tools
> that would be appreciated as well.

        I recommend any book by O'Reilly (http://security.oreilly.com/).
Go there and enter "linux security" and restrict your search to books.
Plenty of good reading there.

        I also recommend http://www.linux-firewall-tools.com/ as a good
starting place.

- -Jay

  (    (                                                          _______
  ))   ))   .--"There's always time for a good cup of coffee"--.   >====<--.
C|~~|C|~~| (>------ Jay D. Dyson -- jdyson () treachery net ------<) |    = |-'
 `--' `--'  `The armed are citizens.  The unarmed are subjects.'  `------'

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (SunOS)
Comment: See http://www.treachery.net/~jdyson/ for current keys.

iEYEARECAAYFAjx8RMwACgkQGI2IHblM+8E56gCfQyNcYO3wXXJKmJGd7gWrGi71
7KkAn3lkVRfqmv2+AjbLfb30N9PaSdoi
=opOn
-----END PGP SIGNATURE-----

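The detection half of the automated-notification facility Jay describes above, as an added example that is not part of the original message or of any tool Jay or SecurityFocus published: it parses Apache combined-format access-log lines, matches the request against the well-known Nimda (root.exe / cmd.exe "?/c+dir" via the IIS traversal paths) and Code Red ("/default.ida?") probe signatures, and tallies hits per source IP so the admin knows which addresses to look up and report. The log lines are constructed for the example (RFC 5737 documentation addresses); Tony's own log excerpt was snipped from the thread. The netblock lookup and the abuse-contact e-mail are left out because they need network access.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of Apache combined-format access-log lines for this
# example (not the excerpt from the original post, which was snipped).
# Request strings follow the public Nimda and Code Red probe patterns; the
# 404s are what an Apache box answers, since the targets are IIS-only paths.
SAMPLE_LOG = """\
192.0.2.10 - - [26/Feb/2002:18:01:02 -0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 288 "-" "-"
192.0.2.10 - - [26/Feb/2002:18:01:02 -0800] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 286 "-" "-"
192.0.2.10 - - [26/Feb/2002:18:01:03 -0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298 "-" "-"
192.0.2.10 - - [26/Feb/2002:18:01:03 -0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 313 "-" "-"
198.51.100.7 - - [26/Feb/2002:18:05:44 -0800] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3 HTTP/1.0" 404 274 "-" "-"
203.0.113.5 - - [26/Feb/2002:18:07:10 -0800] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
192.0.2.10 - - [26/Feb/2002:18:09:21 -0800] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 320 "-" "-"
"""

# Apache "combined" format: client, ident, user, [timestamp], "request", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>\S+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Worm probe signatures, matched against the request path only.
#   nimda   - Nimda tries the Code Red II root.exe backdoor and the IIS
#             directory-traversal paths to cmd.exe, always with "?/c+dir".
#   codered - Code Red I/II hit /default.ida with a long padded query string.
SIGNATURES = {
    "nimda": re.compile(r"(?:root\.exe|cmd\.exe)\?/c\+", re.IGNORECASE),
    "codered": re.compile(r"^/default\.ida\?", re.IGNORECASE),
}


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(path):
    """Name the worm whose probe signature the request path matches, or None."""
    for name, sig in SIGNATURES.items():
        if sig.search(path):
            return name
    return None


def worm_hits(log_text):
    """Map source IP -> Counter of worm names for every line that matches a signature."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed or non-combined line; skip rather than guess
        worm = classify(rec["path"])
        if worm:
            hits[rec["ip"]][worm] += 1
    return dict(hits)


def offenders(log_text, threshold=1):
    """(ip, worm, count) tuples, busiest first, for sources at or above threshold."""
    rows = [
        (ip, worm, n)
        for ip, counts in worm_hits(log_text).items()
        for worm, n in counts.items()
        if n >= threshold
    ]
    return sorted(rows, key=lambda r: (-r[2], r[0], r[1]))


if __name__ == "__main__":
    for ip, worm, n in offenders(SAMPLE_LOG):
        print(f"{ip:16} {worm:8} {n:4d} probes")
```

Run it against the real log instead of SAMPLE_LOG (for example `worm_hits(open("/var/log/apache/access_log").read())`); each IP it returns is one whose netblock owner the notification step would contact. Matching on the request path rather than on the literal directory names keeps the check stable across the encoded traversal variants (`..%c1%1c..`, `..%255c..`) that Nimda rotates through.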

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

