From: Matthew Seaman <matthew.seaman@tornadogroup.com>
Date: Mon, 24 Sep 2001 12:11:48 +0100
Message-ID: <3BAF14F4.E9912F0F@tornadogroup.com>
To: The Anarcat
Cc: David G Andersen, Ian Smith, Chris Byrnes, security@FreeBSD.ORG
Subject: Re: New worm protection
References: <200109231703.f8NH3NK24837@faith.cs.utah.edu> <20010923135143.A546@shall.anarcat.dyndns.org>

The Anarcat wrote:
>
> On Sun, 23 Sep 2001, David G Andersen wrote:
>
> > Lo and behold, Ian Smith once said:
> > >
> > > Cute. Will play. However there are other directories too; dumping
> > > ANY request containing cmd.exe or root.exe would do it best here.
> >
> > Use mod_rewrite to redirect all accesses to that script.
> >
> > RewriteEngine on
> > RewriteRule .*/cmd.exe.* /scripts/nph-foo.cgi
> >
> > (I haven't tested this syntax. Test it first. :)
>
> Nice idea! Here's what I did:
>
> RewriteEngine on
> RewriteRule .*/cmd.exe.* /nimda.txt
> RewriteRule .*/root.exe.* /nimda.txt
> RewriteRule .*/default.ida.* /codered.txt
> RewriteRule .*/Admin.dll.* /codered.txt
> RewriteRule .*\\Admin.dll.* /codered.txt
>
> nimda.txt and codered.txt are simply empty files. This reduces the
> bandwidth used by the attack and removes the entries in error.log.

As has been mentioned elsewhere in this thread, this will cause your
server to issue a 302 re-direct. Which is probably not the effect
intended.

However, there's no reason to redirect back to your own server. Those
of you feeling particularly evil may want to consider something along
the lines of:

RewriteEngine on
RewriteRule ^/(.*/cmd.exe.*)$ http://%{REMOTE_ADDR}/$1

which is about the closest you can come to "Up yours!" in httpd.conf
speak...

Standard disclaimers: not tested, consult a lawyer, etc. etc.

	Matthew

--
Matthew Seaman                 Tel: 01628 498661
Certe, Toto, sentio nos in Kansate non iam adesse.
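Added here as an example, not part of the thread or anyone's posted code: a small Python access_log scanner that applies the same cmd.exe / root.exe / default.ida / Admin.dll patterns the rewrite rules above match, run over a few constructed log lines, so the infected hosts hitting the server can be counted and reported rather than only answered cheaply. The Common Log Format layout, the sample addresses and the function names are assumptions; the path is %-decoded first so an encoded backslash (%5c) is caught the same way as the literal one the last rule above targets.

```python
import re
import urllib.parse
from collections import Counter

# Same probe targets the thread's RewriteRules match, split by worm family.
# Either a slash or a literal backslash may precede the file name.
WORM_PATTERNS = {
    "nimda":   re.compile(r"(?:/|\\)(?:cmd|root)\.exe", re.IGNORECASE),
    "codered": re.compile(r"(?:/|\\)(?:default\.ida|Admin\.dll)", re.IGNORECASE),
}

# Common Log Format (assumed): host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)

# Constructed sample lines; the hosts are documentation addresses, not real clients.
SAMPLE_LOG = [
    '10.0.0.5 - - [24/Sep/2001:12:11:48 +0100] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276',
    '10.0.0.5 - - [24/Sep/2001:12:11:49 +0100] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276',
    '10.0.0.9 - - [24/Sep/2001:12:12:01 +0100] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 276',
    '10.0.0.9 - - [24/Sep/2001:12:12:02 +0100] "GET /scripts/..%5c../winnt/system32/CMD.EXE?/c+dir HTTP/1.0" 404 276',
    '192.0.2.7 - - [24/Sep/2001:12:13:00 +0100] "GET /index.html HTTP/1.0" 200 1234',
]


def classify_request(request_line):
    """Return 'nimda', 'codered' or None for a request line like 'GET /x HTTP/1.0'."""
    parts = request_line.split(" ")
    if len(parts) < 2:
        return None
    # Decode %xx escapes so %5c (backslash) and %2e (dot) variants are matched
    # like their literal forms; keep '+' as-is since it is not a space here.
    path = urllib.parse.unquote(parts[1])
    for name, pattern in WORM_PATTERNS.items():
        if pattern.search(path):
            return name
    return None


def scan_log(lines):
    """Return a Counter {(host, worm): hits} over every line that is a worm probe."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected log format
        worm = classify_request(m.group("req"))
        if worm:
            hits[(m.group("host"), worm)] += 1
    return hits
```

Feeding the scanner your real access_log (one line per iteration) yields the per-host tallies you would use to notify the owners of infected machines.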