From owner-freebsd-security Sun Sep 23 10:52:01 2001
Date: Sun, 23 Sep 2001 13:51:44 -0400
From: The Anarcat
To: David G Andersen
Cc: Ian Smith, Chris Byrnes, security@FreeBSD.ORG
Subject: Re: New worm protection
Message-ID: <20010923135143.A546@shall.anarcat.dyndns.org>
References: <200109231703.f8NH3NK24837@faith.cs.utah.edu>
In-Reply-To: <200109231703.f8NH3NK24837@faith.cs.utah.edu>
User-Agent: Mutt/1.3.22.1i

On Sun, 23 Sep 2001, David G Andersen wrote:
> Lo and behold, Ian Smith once said:
>
> > Cute. Will play. However there are other directories too; dumping
> > ANY request containing cmd.exe or root.exe would do it best here.
>
> Use mod_rewrite to redirect all accesses to that script.
>
> RewriteEngine on
> RewriteRule .*/cmd.exe.* /scripts/nph-foo.cgi
>
> (I haven't tested this syntax. Test it first. :)

Nice idea! Here's what I did:

    RewriteEngine on
    RewriteRule .*/cmd.exe.* /nimda.txt
    RewriteRule .*/root.exe.* /nimda.txt
    RewriteRule .*/default.ida.* /codered.txt
    RewriteRule .*/Admin.dll.* /codered.txt
    RewriteRule .*\\Admin.dll.* /codered.txt

nimda.txt and codered.txt are simply empty files. This reduces the
bandwidth used by the attack and removes the entries in error.log. So
the syntax is correct.

Note the default.ida entry for the Code Red worm (is that it?). I think
admin.dll is the same, but I'm not sure. Anyways, it doesn't make much
difference.

Here is a sample telnet output:

    GET /default.ida HTTP/1.0

    HTTP/1.1 200 OK
    Date: Sun, 23 Sep 2001 17:46:27 GMT
    Server: Apache/1.3.20 (Unix) mod_ssl/2.8.4 OpenSSL/0.9.6a
    Last-Modified: Sun, 23 Sep 2001 17:21:20 GMT
    ETag: "1d161-0-3bae1a10"
    Accept-Ranges: bytes
    Content-Length: 0
    Connection: close
    Content-Type: text/plain
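An added example, not part of the mail above and not Apache's own code: a small Python script that applies the same five RewriteRule patterns to Apache access-log lines, so an admin can check from the logs what the rules would have caught and what slipped past. The log lines are constructed for this example (they only reuse the cmd.exe, root.exe, default.ida and Admin.dll names from the thread). The example assumes, as mod_rewrite does in server context, that the pattern is matched against the URL path after one round of URL-decoding and with the query string stripped; the `nocase` switch stands in for the `[NC]` flag on a RewriteRule.

```python
import re
from collections import Counter
from urllib.parse import unquote

# The five RewriteRule patterns from the mail, in order, with their targets.
# Python's regex syntax agrees with Apache's for these: '.' is any character,
# and r".*\\Admin.dll.*" matches a literal backslash before Admin.dll.
RULES = [
    (r".*/cmd.exe.*", "/nimda.txt"),
    (r".*/root.exe.*", "/nimda.txt"),
    (r".*/default.ida.*", "/codered.txt"),
    (r".*/Admin.dll.*", "/codered.txt"),
    (r".*\\Admin.dll.*", "/codered.txt"),
]

# Apache common log format: client, identd, user, [time], "METHOD target PROTO", status, bytes.
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+) [^"]*" (\d{3}) (\S+)'
)

# Constructed sample log (not real traffic): probes using the names from the
# thread, one upper-case variant, and one ordinary page request.
SAMPLE_LOG = """\
10.0.0.1 - - [23/Sep/2001:13:46:27 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 200 0
10.0.0.2 - - [23/Sep/2001:13:46:28 -0400] "GET /default.ida?NNNNNNNNNNNNNNNN HTTP/1.0" 200 0
10.0.0.3 - - [23/Sep/2001:13:46:29 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 0
10.0.0.4 - - [23/Sep/2001:13:46:30 -0400] "GET /scripts/..%5cAdmin.dll HTTP/1.0" 200 0
10.0.0.5 - - [23/Sep/2001:13:46:31 -0400] "GET /scripts/CMD.EXE?/c+dir HTTP/1.0" 404 312
10.0.0.6 - - [23/Sep/2001:13:46:32 -0400] "GET /index.html HTTP/1.1" 200 1523
"""


def request_path(target):
    """Reduce a request-target to what the RewriteRule pattern is matched
    against (assumption of this example): the path only, decoded once, with
    any '?query' removed. So '/default.ida?NNN...' is matched as '/default.ida'
    and '%5c' becomes a real backslash before the patterns see it."""
    path = target.split("?", 1)[0]
    return unquote(path)


def compile_rules(nocase=False):
    """Compile RULES; nocase=True mirrors adding the [NC] flag to each rule."""
    flags = re.IGNORECASE if nocase else 0
    return [(re.compile(pattern, flags), target) for pattern, target in RULES]


def match_rule(path, rules):
    """Return the target of the first rule whose pattern matches, else None."""
    for pattern, target in rules:
        if pattern.search(path):
            return target
    return None


def classify_log(lines, nocase=False):
    """Count, per target file, how many log lines the rules would have
    diverted; non-matching requests count as 'other', unparsable as 'unparsed'."""
    rules = compile_rules(nocase)
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            counts["unparsed"] += 1
            continue
        target = match_rule(request_path(m.group(4)), rules)
        counts[target or "other"] += 1
    return counts


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("case-sensitive (as posted):", dict(classify_log(lines)))
    print("with [NC] on every rule:  ", dict(classify_log(lines, nocase=True)))
```

Two things the run makes visible. The `/scripts/..%5cAdmin.dll` line is only caught by the fifth rule, the one with the escaped backslash, because after decoding the character before `Admin.dll` is `\` and not `/`. And `CMD.EXE` is not caught at all as the rules are written: Apache's RewriteRule patterns are case-sensitive unless the rule carries the `[NC]` flag, while the Windows paths these probes target are not, so a probe sent in upper case still reaches the 404 handler and error.log. Adding `[NC]` to each rule closes that gap; `[L]` as well stops rule processing at the first match.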