
Re: Unidentified subject!



ezra daniel wrote:

Hello,

Hi,

Every day on my site many IPs point to my httpd server, NIMDA attacking it... I would like to block or DROP these packages, but they go to port 80, which of course I can't block totally.

Does anyone know if there is a special rule or chain to block this?

The attacks in my apache access log look like this:


157.red-80-59-122.pooles.rima-tde.net - - [24/Nov/2002:08:44:57 +0100] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 13936 "-" "-"
157.red-80-59-122.pooles.rima-tde.net - - [24/Nov/2002:08:45:01 +0100] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 13966 "-" "-"
157.red-80-59-122.pooles.rima-tde.net - - [24/Nov/2002:08:45:06 +0100] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 13966 "-" "-"
157.red-80-59-122.pooles.rima-tde.net - - [24/Nov/2002:08:45:11 +0100] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 14008 "-" "-"
157.red-80-59-122.pooles.rima-tde.net - - [24/Nov/2002:08:45:15 +0100] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 14059 "-" "-"
157.red-80-59-122.pooles.rima-tde.net - - [24/Nov/2002:08:45:20 +0100] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 14059 "-" "-"

-daniel
http://www.debian-gnu.com

I'm not sure, but this attack is based on the IP address, so if you put your httpd on another port and in your rules you forward only packets for the destination www.yourdomain.com, and the other domains you manage, with the option -d www.yourdomain.com on the right port, it should be OK, but I ask for confirmation.
Tell me if it's working.
thx
Yoann
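
Added example, not part of the original messages: a small Python log filter that identifies which client hosts are sending the cmd.exe/root.exe probes quoted above, decoding the double-encoded `%255c` before matching. The function names, the `client.example.org` line and the reason labels are assumptions made for this illustration; the other sample lines are taken from the log in the thread.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Common Log Format prefix: host ident user [time] "METHOD target ..." status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" \d{3} ')
EXE_RE = re.compile(r'(?:^|[\\/])(?:cmd|root)\.exe$', re.IGNORECASE)
TRAVERSAL_RE = re.compile(r'(?:^|[\\/])\.\.(?:[\\/]|$)')

def decode_fully(path, max_rounds=3):
    """Percent-decode repeatedly, so %255c -> %5c -> backslash."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def classify(request_target):
    """Return the reasons a request target looks like one of the probes."""
    path = decode_fully(request_target.split("?", 1)[0])
    reasons = []
    if EXE_RE.search(path):
        reasons.append("shell-exe")
    if TRAVERSAL_RE.search(path):
        reasons.append("traversal")
    return reasons

def probing_hosts(lines):
    """Count probe requests per client host."""
    hits = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m and classify(m.group(3)):
            hits[m.group(1)] += 1
    return hits

HOST = "157.red-80-59-122.pooles.rima-tde.net"
SAMPLE = [
    HOST + ' - - [24/Nov/2002:08:44:57 +0100] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 13936 "-" "-"',
    HOST + ' - - [24/Nov/2002:08:45:01 +0100] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 13966 "-" "-"',
    HOST + ' - - [24/Nov/2002:08:45:11 +0100] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 14008 "-" "-"',
    # Constructed benign request, not from the original log:
    'client.example.org - - [24/Nov/2002:08:46:00 +0100] "GET /index.html HTTP/1.0" 200 5120 "-" "-"',
]

if __name__ == "__main__":
    for host, count in probing_hosts(SAMPLE).most_common():
        print(host, count)
```

The per-host counts can feed whatever blocking mechanism is in use; in the log above every probe already receives a 404 from Apache.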









