Fw: [squid-users] Re: acl virus1 url_regex http://www/c/winnt/system32/cmd.exe

From: Edward <edward@dont-contact.us>
Date: Wed, 26 Sep 2001 14:06:25 -0400

----- Original Message -----
From: "Edward" <edward@cariaccess.com>
To: "khiz code" <khizcode@yahoo.com>
Sent: Wednesday, September 26, 2001 2:06 PM
Subject: Re: [squid-users] Re: acl virus1 url_regex http://www/c/winnt/system32/cmd.exe

> I am not seeing those requests.
>
> I am seeing paths to cmd.exe and other links.
>
> Take a look here; I gathered these from my access.log and the Microsoft
> urltool patch.
>
acl virus1 url_regex http://www/c/winnt/system32/cmd.exe
acl virus2 url_regex ^http://www/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe$
acl virus3 url_regex ^http://www/c/winnt/system32/cmd.exe$
acl virus4 url_regex ^http://www/d/winnt/system32/cmd.exe$
acl virus5 url_regex ^http://www/e/winnt/system32/cmd.exe$
acl virus6 url_regex ^http://www/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe$
acl virus7 url_regex http://www/scripts/root.exe
acl virus8 url_regex ^http://www/scripts/..%c1%9c../winnt/system32/cmd.exe$
acl virus9 url_regex ^http://www/scripts/..%255c../winnt/system32/cmd.exe$
acl virus10 url_regex ^http://www/scripts/..%252f../winnt/system32/cmd.exe$
acl virus11 url_regex ^http://www/scripts/..%%35%63../winnt/system32/cmd.exe
acl virus12 url_regex ^http://www/MSADC/root.exe$
acl virus13 url_regex ^http://www/c/winnt/system32/cmd.exe$

> Thank you very much.
>
> Best regards,
>
> Edward Millington. BSc, Network+
> (Network Administrator & Senior Technical Support Technician)
> Cariaccess Communications Ltd.
> Palm Plaza
> Wildey
> St. Michael
> Barbados
> 1-246-430-7435
> Fax : 1-246-431-0170
> edward@cariaccess.com
> www.cariaccess.com
>
> ----- Original Message -----
> From: "khiz code" <khizcode@yahoo.com>
> To: "Edward" <edward@cariaccess.com>; <squid-users@squid-cache.org>
> Sent: Wednesday, September 26, 2001 9:11 AM
> Subject: Re: [squid-users] Re: acl virus1 url_regex http://www/c/winnt/system32/cmd.exe
>
>
> > Hi,
> > but if your aim is to prevent the worm, why don't you use the very useful
> > acl posted very recently on the list?
> > Here it is:
> > acl codered url_regex \/default\.ida$
> > acl banned-url url_regex "/usr/local/squid4/etc/worm-blocking"
> > #deny_info ERR_RESET codered
> > #deny_info ERR_RESET banned-url
> > http_access deny codered
> > http_access deny banned-url
> >
> > the file "/usr/local/squid4/etc/worm-blocking"
> > itself contains
> > .*NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN.*
> > .*XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.*
> > .*/winnt/system32/cmd.exe.*
> > .*/MSADC/root.exe..c.dir$
> > .*/scripts/root.exe..c.dir$
> >
> > rgds
> > khizcode
> >
> > --- Henrik Nordstrom <hno@squid-cache.org> wrote:
> > > That you can do, provided the request contains exactly this string
> > > (see access.log).
> > >
> > > For this kind of match I would recommend using the urlpath_regex type
> > > to only match against the path, excluding the requested host name.
> > >
> > > In these times I would recommend using
> > >
> > > acl virus2 urlpath_regex system32
> > > http_access deny virus2
> > >
> > > Yes, this may match somewhat more than intended, but not very likely.
> > > It will however match a rather wide range of IIS exploits.
> > >
> > > Regards
> > > Henrik Nordström
> > > Squid Hacker
> > >
> > >
> > > Edward wrote:
> > > >
> > > > Hi Henrik!
> > > >
> > > > Do you know if this command would work in squid 2.5?
> > > >
> > > > acl virus1 url_regex http://www/c/winnt/system32/cmd.exe
> > > > http_access deny virus1
> > > >
> > > > I have used this line, including
> > > > ^http://www/c/winnt/system32/cmd.exe$, to see
> > > > if I was doing something wrong.
> > > >
> > > > It still would not deny me access. Am I missing something here?
> > > >
> > > > Thank you very much.
> > > >
> > > > Best regards,
> > > >
> > > > Edward Millington. BSc, Network+
> > > > (Network Administrator & Senior Technical Support Technician)
> > > > Cariaccess Communications Ltd.
> > > > Palm Plaza
> > > > Wildey
> > > > St. Michael
> > > > Barbados
> > > > 1-246-430-7435
> > > > Fax : 1-246-431-0170
> > > > edward@cariaccess.com
> > > > www.cariaccess.com
>
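An added example, not part of the thread, that models the three ACL styles discussed above in Python: Edward's anchored url_regex (matched against the whole URL, so the literal host "www" rarely matches a logged request), Henrik's broad urlpath_regex "system32" (host stripped, overmatches on purpose), and khizcode's url_regex pattern file (which also covers root.exe). The sample URLs are constructed, and keeping the query string attached to the path in urlpath_regex is an assumption about Squid's behaviour.

```python
import re
from urllib.parse import urlsplit

# Constructed sample URLs, not taken from anyone's access.log: the probe
# paths discussed in the thread, but with the host names a proxy would
# really log, plus one legitimate page whose path happens to contain "system32".
SAMPLE_URLS = [
    "http://www/c/winnt/system32/cmd.exe",
    "http://www.example.com/c/winnt/system32/cmd.exe?/c+dir",
    "http://192.0.2.10/scripts/..%255c../winnt/system32/cmd.exe?/c+dir",
    "http://www.example.com/MSADC/root.exe?/c+dir",
    "http://www.example.com/docs/system32-hardening.html",
]

# The ACLs as posted in the thread: Edward's anchored url_regex, Henrik's
# broad urlpath_regex, and the patterns from khizcode's worm-blocking file.
EDWARD_URL_REGEX = r"^http://www/c/winnt/system32/cmd.exe$"
HENRIK_URLPATH_REGEX = r"system32"
WORM_FILE = [r".*/winnt/system32/cmd.exe.*", r".*/MSADC/root.exe..c.dir$",
             r".*/scripts/root.exe..c.dir$"]

def url_regex(pattern, url):
    """Squid url_regex semantics: the pattern is matched against the whole URL."""
    return re.search(pattern, url) is not None

def urlpath_regex(pattern, url):
    """Squid urlpath_regex semantics: scheme and host are stripped first.
    Assumption: the query string stays attached to the path, as in a request line."""
    p = urlsplit(url)
    return re.search(pattern, p.path + ("?" + p.query if p.query else "")) is not None

def denied_by(url):
    """Which of the three ACL styles would deny this request."""
    return {
        "edward_url_regex": url_regex(EDWARD_URL_REGEX, url),
        "henrik_urlpath_regex": urlpath_regex(HENRIK_URLPATH_REGEX, url),
        "worm_file": any(url_regex(p, url) for p in WORM_FILE),
    }

def deny_counts(urls=SAMPLE_URLS):
    """Count how many of the sample requests each ACL style denies."""
    counts = {"edward_url_regex": 0, "henrik_urlpath_regex": 0, "worm_file": 0}
    for u in urls:
        for name, hit in denied_by(u).items():
            counts[name] += hit
    return counts

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(u, denied_by(u))
    print(deny_counts())  # edward 1, henrik 4 (incl. the legitimate page), worm_file 4
```

Only the request with the literal host "www" is caught by the anchored url_regex, which is why Edward saw no denials; the urlpath_regex catches every cmd.exe probe but also the legitimate "system32-hardening.html" page, while the pattern file misses that page and catches root.exe instead.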
Received on Wed Sep 26 2001 - 12:03:09 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:02:30 MST