If you have implemented NBAR in your Cisco routers to stop CodeRed, you can add a line that stops your users getting infected with Nimda when browsing an infected server using IE. (You can learn about setting up NBAR in http://iponeverything.net/CodeRed.html )

Inside the class-map match-any {your_map_name} just add the line

match protocol http url "*.eml*"

I don't know if there is any legit use to receiving .EML files in http; if there is, use "*readme.eml*" instead.

I'm not 100% sure if this works, my anti-virus (F-Secure) fires up anyway, but it may be because it is scanning the page and finding the javascript fragment. I don't really know. However, with that line in place I can't use wget (from a Linux machine) to get the readme.eml file from an infected server, it just times out; without the line, I got the file all right. (By the way, getting readme.eml with wget gives you the exact time when the server was infected.)

[with]
--------------------------------------------------------------------------------
||| lula:~ # wget -T 30 -t 1 -d AA.BB.CC.DD/readme.eml
||| DEBUG output created by Wget 1.6 on linux-gnu.
|||
||| parseurl ("AA.BB.CC.DD/readme.eml") -> host AA.BB.CC.DD -> opath readme.eml -> dir -> file readme.eml -> ndir
||| newpath: /readme.eml
||| --04:37:24-- http://AA.BB.CC.DD/readme.eml
||| => `readme.eml'
||| Connecting to AA.BB.CC.DD:80... Created fd 3.
||| connected!
||| ---request begin---
||| GET /readme.eml HTTP/1.0
||| User-Agent: Wget/1.6
||| Host: AA.BB.CC.DD
||| Accept: */*
|||
||| ---request end---
||| HTTP request sent, awaiting response...
||| Read error (Connection timed out) in headers.
||| Closing fd 3
||| Giving up.
--------------------------------------------------------------------------------

[without]
--------------------------------------------------------------------------------
||| lula:~ # wget -T 30 -t 1 -d AA.BB.CC.DD/readme.eml
||| DEBUG output created by Wget 1.6 on linux-gnu.
|||
||| parseurl ("AA.BB.CC.DD/readme.eml") -> host AA.BB.CC.DD -> opath readme.eml -> dir -> file readme.eml -> ndir
||| newpath: /readme.eml
||| --04:42:42-- http://AA.BB.CC.DD/readme.eml
||| => `readme.eml'
||| Connecting to AA.BB.CC.DD:80... Created fd 3.
||| connected!
||| ---request begin---
||| GET /readme.eml HTTP/1.0
||| User-Agent: Wget/1.6
||| Host: AA.BB.CC.DD
||| Accept: */*
|||
||| ---request end---
||| HTTP request sent, awaiting response... HTTP/1.1 200 OK
||| Server: Microsoft-IIS/5.0
||| Date: Sat, 22 Sep 2001 03:35:56 GMT
||| Content-Type: message/rfc822
||| Accept-Ranges: bytes
||| Last-Modified: Tue, 18 Sep 2001 13:52:51 GMT
||| ETag: "da9d10354940c11:89a"
||| Content-Length: 79225
|||
|||
||| Length: 79,225 [message/rfc822]
|||
||| 0K -> .......... .......... .......... .......... .......... [ 64%]
||| 50K -> .......... .......... ....... [100%]
|||
||| Closing fd 3
||| 04:42:48 (14.22 KB/s) - `readme.eml' saved [79225/79225]
--------------------------------------------------------------------------------

Hope this helps... Good luck.

----------
António Vasconcelos - ICQ #109994473 - Senior Network Management Support
CONVEX Portugal, Lda - T: +351-21-422-9200 F: +351-21-421-3787

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
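As an added example that is not from the post above or from the iponeverything.net page it links to, this is how the post's match line sits inside a complete NBAR configuration, using the mark-with-DSCP-then-drop-with-ACL method Cisco documented for CodeRed. The class-map and policy-map names, the interface names and the ACL number are placeholders; the only line taken from the post is the `match protocol http url` one.

```cisco
! NBAR classification needs CEF switching enabled.
ip cef
!
! Classify requests for Nimda's readme.eml. The post's first suggestion,
! "*.eml*", also matches any other URL containing ".eml" (for example
! /docs/notes.eml or /x.emlx); "*readme.eml*" is the narrower alternative
! it offers. Use one of the two lines, not both.
class-map match-any nimda-http
 match protocol http url "*readme.eml*"
! match protocol http url "*.eml*"
!
! NBAR only classifies; the packet is marked here and dropped by the ACL.
policy-map mark-nimda
 class nimda-http
  set ip dscp 1
!
! Apply inbound on the user-facing interface (placeholder name) so the
! users' own outgoing GET requests for readme.eml are the ones marked.
interface FastEthernet0/0
 description LAN, user side (placeholder)
 service-policy input mark-nimda
!
! Drop anything marked DSCP 1 on its way to the Internet; pass the rest.
access-list 105 deny   ip any any dscp 1
access-list 105 permit ip any any
!
interface Serial0/0
 description WAN, Internet side (placeholder)
 ip access-group 105 out
```

Because the request is dropped before it reaches the infected server, a client sees exactly what the post's first wget session shows: the GET is sent and the read of the response headers times out. To confirm the classification is firing rather than relying on an anti-virus alert, `show policy-map interface FastEthernet0/0` reports the packet counters for class nimda-http.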
This archive was generated by hypermail 2b30 : Sat Sep 22 2001 - 17:45:41 PDT