Blocking_the_ Nimda_ Worm

CodeShare

Have some code. Share some code.

Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

DevCentral

CodeShare

Blocking_the_ Nimda_ Worm

Options

Subscribe to RSS Feed

Mark as New

Mark as Read

Bookmark

Subscribe

Printer Friendly Page

Blocking_the_ Nimda_ Worm

Cspillane_18296
Nimbostratus

Options

Article History

Subscribe to RSS Feed

Mark as New

Mark as Read

Bookmark

Subscribe

Printer Friendly Page

on ‎16-Mar-2015 15:43

Problem this snippet solves:
This simple iRule should block the Nimda worm, if you should ever have need to do so.
Code :
when HTTP_REQUEST { set uri [string tolower [HTTP::uri]] if { ($uri contains "cmd.exe") or ($uri contains "root.exe") or ($uri contains "admin.dll") } { drop } else { pool serverpool } } ## Or using a switch statement which sends a TCP reset for offending requests and sends the rest to the VIP's default pool: when HTTP_REQUEST { switch [string tolower [HTTP::uri]] { "cmd.exe" - "root.exe" - "admin.dll" { reject } } }

Labels:

Application Delivery

DevOps

Security

iRules

0 Kudos

Version history

Last update:

‎16-Mar-2015 15:43

Updated by:

Cspillane_18296

Contributors

Cspillane_18296

About Devcentral

Devcentral News

Technical Forum

Technical Articles

CrowdSRC

Community Guidelines

DevCentral EULA

Get a Developer Lab License

Become a DevCentral MVP

F5 Resources

Product Documentation

White Papers

Glossary

Customer Stories

Webinars

Free Online Courses

F5 Certification

LearnF5 Training

F5 Support

Manage Subscriptions

Support Portal

Professional Services

Create Support Case

Software Downloads

F5 Partners

Find a Reseller Partner

Technology Alliances

Become an F5 Partner

Login to Partner Central

Connect With DevCentral

YouTube

LinkedIn

Twitter

Facebook

©2023 F5, Inc. All rights reserved.

Trademarks

Policies

Privacy

California Privacy

Do Not Sell My Personal Information

Copyright © 2023 Khoros, LLC