Koozali.org: home of the SME Server

RuwanJ

Nimda attacks from inside your LAN
« on: January 13, 2003, 10:03:28 PM »
Has anyone had the misfortune of having a Nimda-infected workstation generate a complaint? We had one and luckily found it quickly. I did some searching and came across this site:

http://www.securecomputing.com/index.cfm?sKey=859

They recommend doing something like this:

#!/bin/bash
# This script adds two custom template fragments to the standard
# squid.conf to prevent Nimda-infected workstations
# from attacking hosts outside your network.
# Tested on 5.1.2. Use at your own risk.
# - Ruwan Jayasinghe

set -e   # stop at the first error instead of expanding a half-written template

CUSTOM=/etc/e-smith/templates-custom/etc/squid/squid.conf
mkdir -p "$CUSTOM"
cd "$CUSTOM"

# Written with '>' rather than '>>' so running the script twice does not
# leave duplicate ACL lines in the fragment.
# url_regex is case-sensitive unless given -i, so one ACL now covers both
# README.EML and readme.eml; the dots are escaped to match a literal '.'.
cat > 20ACL40Nimda <<'EOF'
acl nimda1 url_regex -i readme\.eml
acl nimda2 url_regex -i root\.exe
acl nimda3 url_regex -i cmd\.exe
acl nimda4 url_regex -i readme\.exe
acl nimda5 url_regex -i default\.ida
EOF

# Squid applies http_access rules in order and stops at the first match,
# so these denies must come before the rule that allows LAN clients out.
cat > 40http-access76nimda <<'EOF'
http_access deny nimda1
http_access deny nimda2
http_access deny nimda3
http_access deny nimda4
http_access deny nimda5
EOF

/sbin/e-smith/expand-template /etc/squid/squid.conf

# Tell the running squid to re-read its config (this line is an addition;
# the original script only regenerated the file).
/usr/sbin/squid -k reconfigure

Since I am not a Squid expert, opinions and suggestions from such people would be greatly appreciated.

-R
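
Once those deny rules are in place, Squid's access.log also tells you which LAN machine is infected: every probe a blocked workstation makes shows up as a TCP_DENIED entry for one of the signature URLs. The following is an added example, not code from the post or from SME Server, that tallies those hits per client. It assumes Squid's native access.log format (client IP in the third field, requested URL in the seventh) and uses a few constructed log lines as input.

```shell
#!/bin/sh
# Added example: find which LAN clients are requesting the Nimda signature
# URLs seen in a Squid access.log. Not part of the original post.
# Assumes Squid's native access.log format, where field 3 is the client IP
# and field 7 is the requested URL.

# Constructed sample log lines (not real traffic). The TCP_DENIED lines are
# what the post's ACLs would produce; the TCP_MISS line is normal browsing.
SAMPLE_LOG='1042494208.123     45 192.168.1.17 TCP_DENIED/403 1456 GET http://203.0.113.10/scripts/root.exe?/c+dir - NONE/- text/html
1042494208.456     12 192.168.1.17 TCP_DENIED/403 1456 GET http://203.0.113.10/c/winnt/system32/cmd.exe?/c+dir - NONE/- text/html
1042494209.001    230 192.168.1.42 TCP_MISS/200 8120 GET http://www.example.com/index.html - DIRECT/198.51.100.5 text/html
1042494210.777     30 192.168.1.23 TCP_DENIED/403 1456 GET http://203.0.113.11/README.EML - NONE/- text/html
1042494211.900     15 192.168.1.17 TCP_DENIED/403 1456 GET http://203.0.113.12/default.ida?XXXX - NONE/- text/html'

# The same signatures as the post's ACLs, as one extended regex. Brackets
# rather than backslashes so awk does not reinterpret the pattern.
NIMDA_REGEX='readme[.]eml|readme[.]exe|root[.]exe|cmd[.]exe|default[.]ida'

# Read a native-format access.log on stdin; print "hits client-ip" for each
# client whose requested URL matched a signature, busiest client first.
# The URL is lower-cased so README.EML and readme.eml count the same.
nimda_clients() {
    awk -v re="$NIMDA_REGEX" '
        tolower($7) ~ re { hits[$3]++ }
        END { for (c in hits) printf "%d %s\n", hits[c], c }
    ' | sort -rn
}

# Just the IP of the noisiest client, or nothing if no request matched.
top_offender() {
    nimda_clients | sed -n '1s/^[0-9]* //p'
}

# Demo on the constructed sample; against a live server use
#   nimda_clients < /var/log/squid/access.log
printf '%s\n' "$SAMPLE_LOG" | nimda_clients
```

On the sample the report is `3 192.168.1.17` followed by `1 192.168.1.23`, which is exactly the list of machines to go and clean. Running it a day or two later, as Stan suggests below, shows whether anything has reappeared.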

Stan

Re: Nimda attacks from inside your LAN
« Reply #1 on: January 14, 2003, 07:58:06 AM »
You may want to scan your workstations every other day for about a week. I had a client that got hit, and it seemed to go dormant for a day and then show up somewhere else. They had a very small network, so we unplugged everything over a weekend, cleaned everything Monday morning, and it never came back.

I'm not a script expert in any fashion, but your script looks promising.