Date: Sun, 23 Sep 2001 13:51:44 -0400 From: The Anarcat <anarcat@anarcat.dyndns.org> To: David G Andersen <danderse@cs.utah.edu> Cc: Ian Smith <smithi@nimnet.asn.au>, Chris Byrnes <chris@JEAH.net>, security@FreeBSD.ORG Subject: Re: New worm protection Message-ID: <20010923135143.A546@shall.anarcat.dyndns.org> In-Reply-To: <200109231703.f8NH3NK24837@faith.cs.utah.edu> References: <Pine.BSF.3.96.1010924022816.9322B-100000@gaia.nimnet.asn.au> <200109231703.f8NH3NK24837@faith.cs.utah.edu>
next in thread | previous in thread | raw e-mail | index | archive | help
--AqsLC8rIMeq19msA Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Sun, 23 Sep 2001, David G Andersen wrote: > Lo and behold, Ian Smith once said: > >=20 > > Cute. Will play. However there are other directories too; dumping > > ANY request containing cmd.exe or root.exe would do it best here. >=20 > Use mod_rewrite to redirect all accesses to that script. >=20 > RewriteEngine on > RewriteRule .*/cmd.exe.* /scripts/nph-foo.cgi >=20 > (I haven't tested this syntax. Test it first. :) Nice idea! Here's what I did: RewriteEngine on RewriteRule .*/cmd.exe.* /nimda.txt RewriteRule .*/root.exe.* /nimda.txt RewriteRule .*/default.ida.* /codered.txt RewriteRule .*/Admin.dll.* /codered.txt RewriteRule .*\\Admin.dll.* /codered.txt nimda.txt and codered.txt are simply empty files. This reduces the bandwitdh used by the attack and removes the entries in error.log. So the syntax is correct. Note the default.ida entry for th code red worm (is that it?). I think admin.dll is the same, but I'm not sure. Anyways, it doesn't make much difference. Here is a sample telnet output: GET /default.ida HTTP/1.0 HTTP/1.1 200 OK Date: Sun, 23 Sep 2001 17:46:27 GMT Server: Apache/1.3.20 (Unix) mod_ssl/2.8.4 OpenSSL/0.9.6a Last-Modified: Sun, 23 Sep 2001 17:21:20 GMT ETag: "1d161-0-3bae1a10" Accept-Ranges: bytes Content-Length: 0 Connection: close Content-Type: text/plain --AqsLC8rIMeq19msA Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iEYEARECAAYFAjuuIS4ACgkQttcWHAnWiGe05QCbBGOS4Ze36RR/eGXqS+ASIIih nwEAnAmNfOF5usyn072d8i+UreOEkpwI =Z8qG -----END PGP SIGNATURE----- --AqsLC8rIMeq19msA-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010923135143.A546>