RE: nimda tries to send mail after reboot

From: Andrew Mulholland (Andrew.Mulholland@biznet-solutions.com)
Date: Wed Sep 19 2001 - 10:24:39 PDT


    People might want to try the following configuration for their Cisco
    routers.
    AFAIK it requires IOS 12.1(5)T or later, but it should block most of it
    router-side, though this is unlikely to stop your bandwidth getting
    hammered unless you can get your upstream to do it...
    --->
    !
    ! CEF is required for NBAR classification (match protocol ...)
    ip cef
    !
    ! Classify HTTP requests whose URL contains ".ida" or ".exe"
    class-map match-any code_red
     match protocol http url "*.ida*"
     match protocol http url "*.exe*"
    !
    ! Mark classified packets with DSCP 1 so the ACL below can recognise them
    policy-map tag_code_red
     class code_red
      set ip dscp 1
    !
    ! Mark on the way in from the ISP...
    interface <int facing isp>
     service-policy input tag_code_red
    !
    ! ...and drop the marked packets on the way out to the inside network
    interface <int facing your network>
     ip access-group 105 out
    !
    access-list 105 deny   ip any any dscp 1
    access-list 105 permit ip any any
    <----
    
    thanks
    
    Andrew
    
    > -----Original Message-----
    > From: Brett Glass [mailto:brettat_private]
    > Sent: 19 September 2001 18:14
    > To: jforsterat_private
    > Cc: incidentsat_private
    > Subject: Re: nimda tries to send mail after reboot 
    > 
    > 
    > Messages bearing the worm are starting to trickle in, slowly. It
    > may be that the worm is designed to start e-mailing only after the
    > infection is a certain number of hours old.
    > 
    > Sadly, the copies of the worm we're receiving are coming from
    > companies whose employees we'd expect to know better than to
    > leave machines unprotected -- such as V-One and SCO.
    > 
    > I agree that it will be a very long week. None of our machines
    > is susceptible to the worm, but our backbone feed is getting
    > hammered. I wish we had a firewall under our control at our
    > upstream provider.
    > 
    > --Brett Glass
    > 
    > At 11:08 AM 9/19/2001, jforsterat_private wrote:
    > 
    > >I got a few copies of this worm (via e-mail) this afternoon.
    > >Sadly, someone else in the office did as well (or hit an
    > >infected site).
    > >It's going to be a long week....
    > 
    > 
    > 
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
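The tag-then-drop policy from Andrew's config, replayed in Python over a few constructed web-server log lines (an added example, not part of the original post). It assumes IOS NBAR's url globs behave like shell globs (`*`, `?`) and shows the broad `*.exe*` pattern also catching an ordinary file download.

```python
import fnmatch
import re
from dataclasses import dataclass

# URL globs from the post's class-map; assumed to behave like shell globs
CODE_RED_URL_GLOBS = ("*.ida*", "*.exe*")

@dataclass
class HttpRequest:
    src: str
    url: str
    dscp: int = 0  # DSCP marking in the IP header (0 = unmarked)

def match_class_code_red(url: str) -> bool:
    """Emulates 'class-map match-any code_red': any glob matching the URL."""
    return any(fnmatch.fnmatchcase(url, g) for g in CODE_RED_URL_GLOBS)

def ingress_policy(req: HttpRequest) -> HttpRequest:
    """'service-policy input tag_code_red': matching requests get 'set ip dscp 1'."""
    if match_class_code_red(req.url):
        req.dscp = 1
    return req

def egress_acl_105(req: HttpRequest) -> str:
    """access-list 105: deny ip any any dscp 1, then permit ip any any."""
    return "deny" if req.dscp == 1 else "permit"

# Common Log Format: client, ident, user, [timestamp], "METHOD URL HTTP/x.y" ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/\d\.\d"')

def parse_request_line(line: str):
    m = LOG_RE.match(line)
    return HttpRequest(m.group(1), m.group(2)) if m else None

# Constructed sample log lines (RFC 5737 test addresses, not real traffic)
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Sep/2001:10:24:39 -0700] "GET /default.ida?AAAAAAAA HTTP/1.0" 404 276',
    '192.0.2.11 - - [19/Sep/2001:10:25:01 -0700] "GET /scripts/root.exe HTTP/1.0" 404 281',
    '198.51.100.5 - - [19/Sep/2001:10:26:12 -0700] "GET /downloads/setup.exe HTTP/1.1" 200 1048576',
    '198.51.100.6 - - [19/Sep/2001:10:26:40 -0700] "GET /index.html HTTP/1.1" 200 5120',
    '198.51.100.7 - - [19/Sep/2001:10:27:03 -0700] "GET /images/logo.gif HTTP/1.1" 200 2048',
]

def apply_policy(lines):
    """Run each request through ingress marking then the egress ACL."""
    dropped, permitted = [], []
    for line in lines:
        req = parse_request_line(line)
        if req is None:
            continue
        verdict = egress_acl_105(ingress_policy(req))
        (dropped if verdict == "deny" else permitted).append(req.url)
    return dropped, permitted
```

Note that the legitimate `/downloads/setup.exe` request lands in the dropped list: the class-map blocks every URL containing `.exe`, not only worm probes.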
    



    This archive was generated by hypermail 2b30 : Wed Sep 19 2001 - 10:36:58 PDT