Date: Mon, 24 Sep 2001 12:11:48 +0100
From: Matthew Seaman <matthew.seaman@tornadogroup.com>
To: The Anarcat <anarcat@anarcat.dyndns.org>
Cc: David G Andersen <danderse@cs.utah.edu>, Ian Smith <smithi@nimnet.asn.au>, Chris Byrnes <chris@JEAH.net>, security@FreeBSD.ORG
Subject: Re: New worm protection
Message-ID: <3BAF14F4.E9912F0F@tornadogroup.com>
References: <Pine.BSF.3.96.1010924022816.9322B-100000@gaia.nimnet.asn.au> <200109231703.f8NH3NK24837@faith.cs.utah.edu> <20010923135143.A546@shall.anarcat.dyndns.org>
The Anarcat wrote:
>
> On Sun, 23 Sep 2001, David G Andersen wrote:
>
> > Lo and behold, Ian Smith once said:
> > >
> > > Cute. Will play. However there are other directories too; dumping
> > > ANY request containing cmd.exe or root.exe would do it best here.
> >
> > Use mod_rewrite to redirect all accesses to that script.
> >
> > RewriteEngine on
> > RewriteRule .*/cmd.exe.* /scripts/nph-foo.cgi
> >
> > (I haven't tested this syntax. Test it first. :)
>
> Nice idea! Here's what I did:
>
> RewriteEngine on
> RewriteRule .*/cmd.exe.* /nimda.txt
> RewriteRule .*/root.exe.* /nimda.txt
> RewriteRule .*/default.ida.* /codered.txt
> RewriteRule .*/Admin.dll.* /codered.txt
> RewriteRule .*\\Admin.dll.* /codered.txt
>
> nimda.txt and codered.txt are simply empty files. This reduces the
> bandwidth used by the attack and removes the entries in error.log.

As has been mentioned elsewhere in this thread, this will cause your
server to issue a 302 re-direct. Which is probably not the effect
intended.

However, there's no reason to redirect back to your own server. Those
of you feeling particularly evil may want to consider something along
the lines of:

RewriteEngine on
RewriteRule ^/(.*/cmd.exe.*)$ http://%{REMOTE_ADDR}/$1

which is about the closest you can come to "Up yours!" in httpd.conf
speak...

Standard disclaimers: not tested, consult a lawyer, etc. etc.

Matthew

--
Matthew Seaman                 Tel: 01628 498661
Certe, Toto, sentio nos in Kansate non iam adesse.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
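A defender-side complement to the rewrite rules quoted in this message, added here as an example and not part of the thread: a Python script that parses Apache common/combined access-log lines and counts, per client, requests that hit the same file names the RewriteRules key on (cmd.exe, root.exe, default.ida, Admin.dll). It percent-decodes the path (up to twice) before matching so that encoded and double-encoded separators are not missed, and anchors the name to a path separator so that, say, /docs/cmd.exe.html is not counted. The log lines are constructed, and the regex and function names are my own.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Common/combined log prefix: client, ident, user, time, request line, status, bytes.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: \S+)?" (?P<status>\d{3}) (?P<bytes>\S+)'
)

# The file names the thread's RewriteRules key on, required to sit between path
# separators (or at the end) so /docs/cmd.exe.html is not a hit; case-insensitive.
SIGNATURE_RE = re.compile(
    r'[/\\](cmd\.exe|root\.exe|default\.ida|admin\.dll)(?=$|[?/\\])', re.IGNORECASE
)

def normalise_path(target: str) -> str:
    """Drop the query string and percent-decode up to twice, so encoded (%5c)
    and double-encoded (%255c) separators are matched as '/' or '\\'."""
    path = target.split('?', 1)[0]
    for _ in range(2):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def match_signature(target: str):
    """Return the lower-cased signature name hit by a request target, or None."""
    m = SIGNATURE_RE.search(normalise_path(target))
    return m.group(1).lower() if m else None

def summarise(lines):
    """Count hits per (client, signature); unparseable or clean lines are skipped."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        sig = match_signature(m.group('target')) if m else None
        if sig:
            hits[(m.group('client'), sig)] += 1
    return hits

# Constructed sample lines (not taken from any real server log).
SAMPLE_LOG = [
    '192.0.2.10 - - [24/Sep/2001:12:00:01 +0100] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 281',
    '192.0.2.10 - - [24/Sep/2001:12:00:02 +0100] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 281',
    '198.51.100.7 - - [24/Sep/2001:12:00:03 +0100] "GET /default.ida?XXXX HTTP/1.0" 404 281',
    '203.0.113.5 - - [24/Sep/2001:12:00:04 +0100] "GET /index.html HTTP/1.1" 200 1043',
]
```

Running `summarise(SAMPLE_LOG)` over the constructed lines yields one hit each for root.exe and cmd.exe from 192.0.2.10 and one default.ida hit from 198.51.100.7; the clean request is not counted.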