layer-7 application-layer filtering on HTTP packets?


BigCletus
10-01-2002, 12:45 AM
taken from
http://www.linuxnewbie.org/forum/showthread.php?s=&threadid=66095

how is this done?


For protection, if you are a firewall administrator, you can protect your servers by performing layer-7 application-layer filtering on HTTP packets by blocking all accesses to any URLs containing cmd.exe and root.exe. That blocks Nimda on the HTTP level. Note that the Nimda worm traverses through writeable shared folders over NetBIOS as well. For Code Red, filter out all HTTP packets containing default.ida or default.idq in the payload. Other signatures to filter include readme.exe, readme.eml and admin.dll etc. You can add to the list as you learn of new signatures.

element-x
10-02-2002, 08:53 AM
In the iptables package there is a patch that allows you to match "cmd.exe".

eg.
iptables -A INPUT -d $YOUR_IP -p TCP --dport 80 -m string --string "cmd.exe" -j REJECT --reject-with tcp-reset

Look for "String match" patch for iptables and you'll find your answer.


This however is not suggested, as there are other, better solutions to the problem, as discussed on the Netfilter mailing lists.

--
Me@Work
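As an added example, not code from either poster or from the iptables project, the script below implements the signature check quoted in BigCletus's post (the cmd.exe / root.exe / default.ida list) over raw HTTP request bytes, and compares two ways of doing it: a plain substring search over the packet, which is what element-x's `-m string --string "cmd.exe"` rule does on a single packet, and a match performed after percent-decoding the request target. The sample requests are constructed for this example (they are not captured traffic), and the function names are the example's own.

```python
"""Layer-7 HTTP signature filter: raw-packet substring match vs. decoded-URL match."""
from typing import Optional, Tuple
from urllib.parse import unquote

# Signatures from the thread: URL fragments used by Nimda and Code Red.
SIGNATURES = ("cmd.exe", "root.exe", "default.ida", "default.idq",
              "readme.exe", "readme.eml", "admin.dll")


def raw_match(packet: bytes) -> Optional[str]:
    """Case-sensitive substring search over the raw payload, i.e. what an
    iptables string match on a single packet sees. Returns the matching
    signature, or None."""
    for sig in SIGNATURES:
        if sig.encode() in packet:
            return sig
    return None


def request_target(packet: bytes) -> Optional[str]:
    """Pull the request-target (the URL part) out of the HTTP request line."""
    line = packet.split(b"\r\n", 1)[0]
    parts = line.split(b" ")
    if len(parts) < 2:
        return None
    return parts[1].decode("latin-1")


def decoded_match(packet: bytes) -> Optional[str]:
    """Match after percent-decoding the request target (decoded twice, so a
    double-encoded path such as ..%255c.. is also seen) and lower-casing it,
    which is closer to how IIS itself resolves the path."""
    target = request_target(packet)
    if target is None:
        return None
    path = unquote(unquote(target)).lower()
    for sig in SIGNATURES:
        if sig in path:
            return sig
    return None


def decide(packet: bytes) -> Tuple[str, Optional[str]]:
    """Filter verdict: ('REJECT', signature) or ('ACCEPT', None)."""
    sig = decoded_match(packet) or raw_match(packet)
    return ("REJECT", sig) if sig else ("ACCEPT", None)


# Constructed sample requests for the example (not captured traffic).
SAMPLES = {
    "benign":    b"GET /index.html HTTP/1.0\r\nHost: www\r\n\r\n",
    "nimda":     b"GET /scripts/root.exe?/c+dir HTTP/1.0\r\n\r\n",
    # Same cmd.exe request with the dot percent-encoded and a double-encoded
    # backslash: a raw byte search for "cmd.exe" does not find it.
    "nimda_enc": b"GET /scripts/..%255c../winnt/system32/cmd%2eexe?/c+dir HTTP/1.0\r\n\r\n",
    "codered":   b"GET /default.ida?NNNNNNNNNNNN%u9090 HTTP/1.0\r\n\r\n",
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        verdict, sig = decide(pkt)
        print(f"{name:10s} raw={raw_match(pkt)!s:12s} "
              f"decoded={decoded_match(pkt)!s:12s} -> {verdict} {sig or ''}")
```

Running it shows the caveat a firewall administrator wants: the raw-packet match rejects the plain `root.exe` and `default.ida` requests but passes the percent-encoded `cmd%2eexe` request, which the decoded match still catches. A packet-level string match also sees only one packet at a time, so a signature split across two TCP segments is never matched; that is why this kind of rule is a stopgap rather than a substitute for filtering at an HTTP proxy or IDS that reassembles and decodes the request.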