[lug] RE: Redirect code-where does it go?

Riggs, Rob RRiggs at doubleclick.net
Thu Sep 27 11:59:50 MDT 2001


RedirectMatch (.*)cmd.exe(.*) http://127.0.0.1
RedirectMatch (.*)root.exe(.*) http://127.0.0.1
RedirectMatch (.*)default.ida(.*) http://127.0.0.1

However, it does not appear that it has any effect on those worms. I get
just as many connections as I ever did. I think the only thing that will
work consistently is the Perl CGI that someone posted a while back that
reboots the infected box.



-----Original Message-----
From: Michael Deck [mailto:deckm at cleansoft.com]
Sent: Thursday, September 27, 2001 11:15 AM
To: lug at lug.boulder.co.us; lug at lug.boulder.co.us
Subject: Re: [lug] RE: Redirect code-where does it go?


Turns out I was wrong too. The dropoff in hits was temporary and must have 
been due to something else. But maybe the problem is the $ in the regex. 
Many of my hits look like this:

"GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232 "-" "-"

so the RedirectMatch that we've been using won't work because cmd.exe isn't 
at the end of the URL. I haven't had time to mess with building a better 
regex, unfortunately.

-Mike

At 08:53 AM 9/27/2001 -0600, Warren Sanders wrote:
>On Thu, 27 Sep 2001, Justin wrote:
>
> > Date: Thu, 27 Sep 2001 08:32:47 -0600 (MDT)
> > From: Justin <glow at jackmoves.com>
> > Reply-To: lug at lug.boulder.co.us
> > To: lug at lug.boulder.co.us
> > Subject: Re: [lug] RE: Redirect code-where does it go?
> >
> > I tried that same redirect line verbatim in my httpd.conf and have not
> > seen my nimda hits drop at all. I sent an email to the list yesterday
> > or the day before to see if that line was actually right but have not
> > gotten a response yet.
> >
> > Justin
>
>The line 'RedirectMatch (.*)\cmd.exe$ http://127.0.0.1' goes into your
>httpd.conf file; that is correct.  You must restart the httpd service
>afterwards too.
>
>I added additional lines:
>RedirectMatch (.*)\root.exe$ http://127.0.0.1
>RedirectMatch (.*)\default.ida$ http://127.0.0.1
>
>I took a count before this was in effect:
>33998 9:17AM Wed. 26
>35214 8:35AM Thur. 27
>So no I have not seen it drop off yet, but I guess next I'd like to find
>out if there are returning hosts.  This morning the LEDs on the cable-modem
>seemed a bit quieter but not much.
>
>Testing the operation out; I tried to get example: root.exe from my web
>server and was denied and logged still but it didn't give me a 404 page.
>
>So what does an infected IIS machine get now?  Maybe one could just grep
>out all the hosts with the infection and just add them to the firewall.
>Would that help the noise?
>
>--
>Warren Sanders
>http://MontanaLinux.Org
>
> >
> > > I have seen mentioned over the past few days a redirect solution to
> > > the nimda/code red worm problem as shown below.
> > >
> > > RedirectMatch (.*)\cmd.exe$ http://127.0.0.1
> > >
> > > What page/config file does this go in and what is the full syntax?
> > >
> > > I have been using php to read the URI and redirect it back to itself
> > > and it seems to work OK, and I have also been using ipchains with
> > > manually entered IP's to deny packets.
> > >
> > > The problem with my solutions is that they require manual
> > > intervention to configure the denials/redirects. I would like to do
> > > this automagically.
> > >
> > > BTW, the redirects HAVE worked fairly well, the DENY's have worked
> > > well at reducing the amount of bandwidth wasted. One of the other
> > > things I found is that variations of Nimda try to cover their tracks
> > > as they are infecting a machine by opening another Explorer window.
> > > I help them out by running a counter that opens 500 :) It seems to
> > > slow them down a bit...
> > >
> > > Thanks all,
> > >
> > > --->Rob
> > > ----
> > > Bill Gates uses a Macintosh.
> > > _______________________________________________
> > > Web Page:  http://lug.boulder.co.us
> > > Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> > >
> > >
> >
> > -----
> > glow at jackmoves.com
> > www.jackmoves.com
> >
>
>


Michael Deck
Cleanroom Software Engineering, Inc.   
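The thread's unresolved question is whether the `$`-anchored pattern can ever match a Nimda probe, and Warren's follow-up idea is to grep the infected hosts out of the log. The script below is an added example written for this archive page, not code from the thread or from any of its posters: it parses a few constructed Apache access-log lines (the cmd.exe request is the one Mike quoted; the client addresses and the other lines are invented here), runs both regex styles from the thread against the request URI, and tallies probes per client address. Against a logged request the `$`-anchored form matches nothing because `?/c+dir` follows `cmd.exe`, while the unanchored form catches every probe. One caveat for the httpd.conf side: Apache's `RedirectMatch` compares its regex against the URL-path, which does not include the query string, so behaviour inside the server can differ from what a grep over the log suggests; this example is about log detection only.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed Apache access-log sample. The cmd.exe request on the first line
# is the one quoted in the thread; the client addresses and the remaining
# lines are made up for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Sep/2001:08:32:47 -0600] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232 "-" "-"
10.0.0.5 - - [27/Sep/2001:08:32:48 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210 "-" "-"
10.0.0.9 - - [27/Sep/2001:08:33:01 -0600] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 200 "-" "-"
10.0.0.9 - - [27/Sep/2001:08:33:02 -0600] "GET /_vti_bin/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232 "-" "-"
192.0.2.77 - - [27/Sep/2001:08:35:10 -0600] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
"""

# Combined-log-format fields we need: the client address and the quoted
# request line ("METHOD uri PROTOCOL").
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)"')

# The two regex styles from the thread, written as Python patterns. ANCHORED
# mirrors 'RedirectMatch (.*)\cmd.exe$'; UNANCHORED mirrors the later
# '(.*)cmd.exe(.*)' style and adds the root.exe and default.ida probes.
ANCHORED = re.compile(r'cmd\.exe$')
UNANCHORED = re.compile(r'cmd\.exe|root\.exe|default\.ida')


def parse_log(text):
    """Yield (client_host, request_uri) for each parsable log line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash on it
        parts = m.group("request").split()
        if len(parts) < 2:
            continue
        yield m.group("host"), parts[1]


def normalize(uri):
    """Percent-decode twice so the double-encoded '..%25%35%63..' traversal
    used by these probes is visible as '..\\..' when inspecting hits."""
    return unquote(unquote(uri))


def count_matches(text, pattern):
    """Number of requests whose URI the given pattern matches."""
    return sum(1 for _, uri in parse_log(text) if pattern.search(uri))


def infected_hosts(text, pattern=UNANCHORED):
    """Probe count per client address: the 'grep out the hosts' step from the
    thread, ready to feed a firewall rule or an abuse report."""
    return Counter(host for host, uri in parse_log(text) if pattern.search(uri))


if __name__ == "__main__":
    print("anchored ($) matches:", count_matches(SAMPLE_LOG, ANCHORED))
    print("unanchored matches:  ", count_matches(SAMPLE_LOG, UNANCHORED))
    for host, n in infected_hosts(SAMPLE_LOG).most_common():
        print(f"{host}\t{n} probe(s)")
    for _, uri in parse_log(SAMPLE_LOG):
        if UNANCHORED.search(uri):
            print("decoded:", normalize(uri))
```

Run it against a real access_log by replacing `SAMPLE_LOG` with the file's contents; `infected_hosts` gives the per-address tally Warren asked about, and `count_matches` with `ANCHORED` versus `UNANCHORED` shows directly why the `$` form sees nothing.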

