[NTLUG:Discuss] RE: [NTLUG:Discuss]
Jack Snodgrass
idiotboy at cybermail.net
Thu Sep 20 07:08:27 CDT 2001
Why not block outgoing requests to these sites? I.e., if the site is
infected, you don't want your users going there and downloading the
readme.exe file. I'm not even sure I want their mail servers talking
to me either.
jack
----- Original Message -----
From: "Paul Ingendorf" <pauldy at wantek.net>
To: <discuss at ntlug.org>
Sent: Wednesday, September 19, 2001 5:19 AM
Subject: [NTLUG:Discuss] RE: [NTLUG:Discuss]
> http://www.sarc.com/avcenter/venc/data/w32.nimda.a@mm.html
>
> This is the one you want to look at. Also, for those of you running Linux webservers, just run something like the following.
>
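> #!/bin/bash
> # Reject port-80 traffic from hosts whose requests match the probe string below.
> youraccesslog=access_log
> # -F matches the probe as a fixed string; field 1 of the log is the client address.
> for ip in $(grep -F '/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir' "$youraccesslog" | awk '{print $1}' | sort | uniq)
> do
>     # Delete any existing copy of the rule first so reruns do not add duplicates.
>     iptables -D INPUT -p TCP -s "$ip/32" --dport 80 -j REJECT 2>/dev/null
>     iptables -A INPUT -p TCP -s "$ip/32" --dport 80 -j REJECT
> done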
>
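
An added example, not part of either post: a dry-run variant of the quoted script that checks the first log field is a well-formed IPv4 address before it reaches iptables and prints the rules instead of applying them, with an OUTPUT rule for the outbound block suggested in the reply. The sample log lines, addresses and function names are constructed for illustration.

```shell
#!/bin/bash
# Added example: print (not run) iptables rules for hosts seen sending the probe.
PROBE='/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir'

# Constructed sample access_log lines (documentation-range addresses).
sample_log() {
cat <<'EOF'
192.0.2.10 - - [19/Sep/2001:05:01:02 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 295
198.51.100.7 - - [19/Sep/2001:05:01:09 -0500] "GET /index.html HTTP/1.0" 200 1043
192.0.2.10 - - [19/Sep/2001:05:02:11 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 295
infected.example.net - - [19/Sep/2001:05:03:40 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 295
203.0.113.999 - - [19/Sep/2001:05:04:00 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 295
EOF
}

# Read a log on stdin; print each unique, well-formed IPv4 source of the probe.
# Hostnames (HostnameLookups on) and malformed fields are skipped, so nothing
# from the log reaches the rule text unchecked.
probe_sources() {
    grep -F -- "$PROBE" | awk '
        $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            n = split($1, o, "."); ok = 1
            for (i = 1; i <= n; i++) if (o[i] + 0 > 255) ok = 0
            if (ok) print $1
        }' | sort -u
}

# Turn addresses on stdin into inbound and outbound port-80 REJECT rules.
emit_rules() {
    while read -r ip; do
        echo "iptables -A INPUT -p tcp -s $ip/32 --dport 80 -j REJECT"
        echo "iptables -A OUTPUT -p tcp -d $ip/32 --dport 80 -j REJECT"
    done
}

# Dry run over the constructed sample; review the output before applying it.
sample_log | probe_sources | emit_rules
```

To use it on a real log, feed the file to `probe_sources` on stdin in place of `sample_log`.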