Unidentified subject!
Hello,
Every day at my site many IPs point to my httpd server, NIMDA attacking it...
I would like to block or DROP these packages, but they go to port 80, which of
course I can't block totally.
Does anyone know if there is a special rule or chain to block this?
The attacks in my apache access log look like this:
157.red-80-59-122.pooles.rima-tde.net - - [24/Nov/2002:08:44:57 +0100] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 13936 "-" "-"
157.red-80-59-122.pooles.rima-tde.net - - [24/Nov/2002:08:45:01 +0100] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 13966 "-" "-"
157.red-80-59-122.pooles.rima-tde.net - - [24/Nov/2002:08:45:06 +0100] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 13966 "-" "-"
157.red-80-59-122.pooles.rima-tde.net - - [24/Nov/2002:08:45:11 +0100] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 14008 "-" "-"
157.red-80-59-122.pooles.rima-tde.net - - [24/Nov/2002:08:45:15 +0100] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 14059 "-" "-"
157.red-80-59-122.pooles.rima-tde.net - - [24/Nov/2002:08:45:20 +0100] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 14059 "-" "-"
-daniel
http://www.debian-gnu.com
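An added example, not part of the original message: a small Python log filter that lists the client hosts sending the cmd.exe/root.exe probes shown in the log excerpt above, so they can be reviewed or handed to whatever blocking mechanism is in use. The function names, the regular expressions and the benign sample line are assumptions made for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample: three requests copied from the post (re-joined onto one
# line each) plus one made-up benign request from a placeholder host.
SAMPLE_LOG = """\
157.red-80-59-122.pooles.rima-tde.net - - [24/Nov/2002:08:44:57 +0100] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 13936 "-" "-"
157.red-80-59-122.pooles.rima-tde.net - - [24/Nov/2002:08:45:01 +0100] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 13966 "-" "-"
client.example.org - - [24/Nov/2002:08:45:05 +0100] "GET /index.html HTTP/1.0" 200 5120 "-" "-"
157.red-80-59-122.pooles.rima-tde.net - - [24/Nov/2002:08:45:11 +0100] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 14008 "-" "-"
"""

# Client host and request path from an Apache common/combined log line.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" \d{3} ')
# The executables every request in the excerpt is trying to reach.
PROBE = re.compile(r"/(?:cmd|root)\.exe(?:\?|$)")


def decode_path(raw, max_rounds=3):
    """Undo nested percent-encoding (%255c -> %5c -> backslash), then normalise."""
    for _ in range(max_rounds):
        decoded = unquote(raw)
        if decoded == raw:
            break
        raw = decoded
    return raw.replace("\\", "/").lower()


def probing_hosts(lines):
    """Count requests per client host whose decoded path targets cmd.exe or root.exe."""
    hits = Counter()
    for line in lines:
        m = LOG_LINE.match(line)
        if m and PROBE.search(decode_path(m.group(2))):
            hits[m.group(1)] += 1
    return hits


if __name__ == "__main__":
    for host, count in probing_hosts(SAMPLE_LOG.splitlines()).most_common():
        print(f"{count:5d}  {host}")
```
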