Every day at my site many IPs point at my httpd server, NIMDA attacking
it... I would like to block or DROP these packets, but they go to port
80, which of course I can't block totally.
Does anyone know if there is a special rule or chain to block this?
The attacks in my Apache access log look like this:
157.red-80-59-122.pooles.rima-tde.net - - [24/Nov/2002:08:44:57 +0100] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 13936 "-" "-"
157.red-80-59-122.pooles.rima-tde.net - - [24/Nov/2002:08:45:01 +0100] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 13966 "-" "-"
157.red-80-59-122.pooles.rima-tde.net - - [24/Nov/2002:08:45:06 +0100] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 13966 "-" "-"
157.red-80-59-122.pooles.rima-tde.net - - [24/Nov/2002:08:45:11 +0100] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 14008 "-" "-"
157.red-80-59-122.pooles.rima-tde.net - - [24/Nov/2002:08:45:15 +0100] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 14059 "-" "-"
157.red-80-59-122.pooles.rima-tde.net - - [24/Nov/2002:08:45:20 +0100] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 14059 "-" "-"
-daniel
http://www.debian-gnu.com
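
Added example, not part of the original post: a small Python detector that picks the probe requests shown above out of an Apache access log and counts them per source host. The sample log is constructed from the entries in the post plus two made-up benign requests, and the function names and the choice of cmd.exe/root.exe as the signature are assumptions of this example.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample: two probe lines modelled on the post, two benign lines.
SAMPLE_LOG = """\
157.red-80-59-122.pooles.rima-tde.net - - [24/Nov/2002:08:44:57 +0100] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 13936 "-" "-"
157.red-80-59-122.pooles.rima-tde.net - - [24/Nov/2002:08:45:11 +0100] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 14008 "-" "-"
client.example.org - - [24/Nov/2002:08:46:02 +0100] "GET /index.html HTTP/1.0" 200 5120 "-" "Mozilla/4.0"
client.example.org - - [24/Nov/2002:08:46:09 +0100] "GET /docs/cmd.exe-howto.html HTTP/1.0" 200 812 "-" "Mozilla/4.0"
"""

# host, identd, user, [time], "METHOD target proto", status
LOG_LINE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

# A request whose path component ends in cmd.exe or root.exe.
PROBE_PATH = re.compile(r'(?:^|[/\\])(?:cmd|root)\.exe$', re.IGNORECASE)


def fully_decode(path, max_rounds=3):
    """Undo nested percent-encoding such as %255c -> %5c -> backslash."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_probe(target):
    """True if the request target asks for cmd.exe or root.exe."""
    path = fully_decode(target.split("?", 1)[0])
    return bool(PROBE_PATH.search(path))


def probing_hosts(log_text):
    """Return a Counter mapping each source host to its number of probes."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m and is_probe(m.group("target")):
            hits[m.group("host")] += 1
    return hits


if __name__ == "__main__":
    for host, count in probing_hosts(SAMPLE_LOG).most_common():
        print(count, host)
```

Matching on the decoded path rather than the raw line keeps a legitimate page whose name merely contains "cmd.exe" out of the result.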