RE: [squid-users] Protection fr New Nimda worm

From: John Szkudlapski <johns@dont-contact.us>
Date: Wed, 19 Sep 2001 12:53:17 +0100

Hi there.

Enclosed is a guide that was posted to our Ukerna/Janet Cache Mailing List, by
Michael Sparks, I N K T O M I - UK Technical Support

I don't know whether this will be of any use! It is designed for Windows NT;
I, however, use Linux, but from the e-mail you can get an idea of what is
needed for NT and also you should be able to figure out how to port it for
Unix/Linux!

********************

Hello,

TRANSPARENT deployments need to block this to avoid taking out the
JWCS...

For traffic server, add these lines to filter.config:

url_regex=.*/winnt/system32/cmd.exe.* action=deny
url_regex=.*/MSADC/root.exe..c.dir$ action=deny
url_regex=.*/scripts/root.exe..c.dir$ action=deny

For squid, you will probably want to use something like:

For squid, the best way is probably as Steve suggested - in a file
referenced in squid.conf:

acl banned-url url_regex "/usr/local/packages/squid/etc/worm-blocking"

and in "/usr/local/packages/squid/etc/worm-blocking" have:
.*NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN.*
.*XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.*
.*/winnt/system32/cmd.exe.*
.*/MSADC/root.exe..c.dir$
.*/scripts/root.exe..c.dir$

And then ban access to that acl using an "http_access" entry.

Specifically the 16 URLs this virus is scanning for are:

/MSADC/root.exe?/c+dir
/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
/c/winnt/system32/cmd.exe?/c+dir
/d/winnt/system32/cmd.exe?/c+dir
/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir
/scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir
/scripts/..%%35c../winnt/system32/cmd.exe?/c+dir
/scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir
/scripts/..%252f../winnt/system32/cmd.exe?/c+dir
/scripts/..%255c../winnt/system32/cmd.exe?/c+dir
/scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir
/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir
/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir
/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir
/scripts/root.exe?/c+dir

Regards,

 Michael.
--------( Michael Sparks, I N K T O M I - UK Technical Support )-------
     Email: msparks@inktomi.com http://websupport.inktomi.com/
              Land: +4420 7430 5807 Mob: +447775 903 268

**************************

Regards

-----------------------------
John Szkudlapski
Web Manager
Birkenhead Sixth Form College
T: 0151 651 3720
F: 0151 653 4419
M: 0780 154 2033
E: johns@bsfc.ac.uk

****************************************************************
Birkenhead Sixth Form College

This message is sent in confidence for the addressee only;
If it has come to you in error please notify compserv@bsfc.ac.uk

The contents of this e-mail are the personal views of the sender,
which may not necessarily reflect those of the college.

This message has been scanned for viruses.
The college cannot accept any responsibility for any viruses
which may have come from external sources.

****************************************************************
Received on Wed Sep 19 2001 - 05:57:20 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:02:17 MST
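The following is an added example, not part of either message above: a small Python harness that evaluates the posted "worm-blocking" url_regex entries against the 16 request paths listed in the forwarded mail, plus a few constructed benign requests, the way Squid would apply them. It assumes an origin of http://192.0.2.10 (Squid's url_regex is matched against the full request URL, not just the path), and models Squid's "-i" flag on the acl line with re.IGNORECASE. Squid compiles url_regex entries as POSIX extended regexes; the five patterns here use only ".", ".*", "$" and literals, so Python's re module evaluates them identically.

```python
import re

# ACL entries exactly as posted for /usr/local/packages/squid/etc/worm-blocking.
WORM_BLOCKING = [
    r".*NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN.*",
    r".*XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.*",
    r".*/winnt/system32/cmd.exe.*",
    r".*/MSADC/root.exe..c.dir$",
    r".*/scripts/root.exe..c.dir$",
]

# The 16 request paths from the forwarded mail (the wrapped /msadc/ entry rejoined).
NIMDA_PATHS = [
    "/MSADC/root.exe?/c+dir",
    "/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir",
    "/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir",
    "/c/winnt/system32/cmd.exe?/c+dir",
    "/d/winnt/system32/cmd.exe?/c+dir",
    "/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%%35c../winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%252f../winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%255c../winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir",
    "/scripts/root.exe?/c+dir",
]

# Constructed benign requests (not from the mail) that the ACL must leave alone.
BENIGN_PATHS = [
    "/index.html",
    "/scripts/search.cgi?q=cmd.exe",
    "/msadc/msadcs.dll",
    "/images/banner.gif",
]

# Assumed origin: Squid matches url_regex against the whole URL (scheme, host, path, query).
ORIGIN = "http://192.0.2.10"


def compile_acl(patterns, ignore_case=False):
    """Compile a url_regex ACL file; ignore_case models Squid's '-i' flag on the acl line."""
    flags = re.IGNORECASE if ignore_case else 0
    return [re.compile(p, flags) for p in patterns]


def matching_pattern(url, acl):
    """Return the first pattern that matches the URL (Squid stops at the first hit), else None."""
    for rx in acl:
        if rx.search(url):
            return rx.pattern
    return None


def is_blocked(path, acl, origin=ORIGIN):
    """True if an http_access deny on this ACL would refuse the request for `path`."""
    return matching_pattern(origin + path, acl) is not None


def audit(acl, origin=ORIGIN):
    """Report worm paths the ACL misses and benign paths it wrongly catches."""
    missed = [p for p in NIMDA_PATHS if not is_blocked(p, acl, origin)]
    false_positives = [p for p in BENIGN_PATHS if is_blocked(p, acl, origin)]
    return {"missed": missed, "false_positives": false_positives}


if __name__ == "__main__":
    acl = compile_acl(WORM_BLOCKING)
    print("audit of posted ACL:", audit(acl))
    # Caveat: IIS resolves paths case-insensitively, but the posted /MSADC/ pattern is
    # case-sensitive. A lowercase probe (constructed; not one of the 16 the worm sends)
    # passes the default ACL and is only caught when the acl is declared with -i.
    probe = "/msadc/root.exe?/c+dir"
    print("lowercase probe blocked, case-sensitive:", is_blocked(probe, acl))
    print("lowercase probe blocked, with -i:",
          is_blocked(probe, compile_acl(WORM_BLOCKING, ignore_case=True)))
```

Running the audit shows the five posted patterns cover all 16 paths with no false positives on the benign set. The case-sensitivity check is the one caveat worth carrying into production: if you want the root.exe entries to hold regardless of how the path is cased, declare the ACL as `acl banned-url url_regex -i "/usr/local/packages/squid/etc/worm-blocking"` rather than duplicating each pattern in both cases.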