[lug] RE: Redirect code-where does it go? (fwd)

J. Wayde Allen wallen at its.bldrdoc.gov
Fri Sep 28 13:46:14 MDT 2001


---------- Forwarded message ----------
Date: Thu, 27 Sep 2001 09:55:08 -0600 (MDT)
From: D.J. Atkinson <dj at pcisys.net>
To: J. Wayde Allen <wallen at its.bldrdoc.gov>
Subject: Re: [lug] RE: Redirect code-where does it go? (fwd)

As far as suggestions:

Has Justin actually checked to make sure he's getting the redirect? (I.e.
requested /cmd.exe from his machine?)  I usually do this by hand using
telnet rather than with a browser.  (i.e., "telnet host 80" to connect
then "GET /cmd.exe" once connection has been achieved.)

If he's not getting the redirect, he might try flopping the backslash to a
forward slash in the RedirectMatch command.

They might also add a redirect for root.exe and admin.dll.

I've also added one for /default.ida

I hope this helps.

DJ

On Thu, 27 Sep 2001, J. Wayde Allen wrote:

>---------- Forwarded message ----------
>Date: Thu, 27 Sep 2001 08:32:47 -0600 (MDT)
>From: Justin <glow at jackmoves.com>
>Reply-To: lug at lug.boulder.co.us
>To: lug at lug.boulder.co.us
>Subject: Re: [lug] RE: Redirect code-where does it go?
>
>I tried that same redirect line verbatim in my httpd.conf and have not 
>seen my nimda hits drop at all. I sent an email to the list yesterday 
>or the day before to see if that line was actually right but have not 
>gotten a response yet. 
>
>Justin
>
>> I have seen mentioned over the past few days a redirect solution to the
>> nimda/code red worm problem as shown below.
>> 
>> RedirectMatch (.*)\cmd.exe$ http://127.0.0.1
>> 
>> What page/config file does this go in and what is the full syntax?
>> 
>> I have been using php to read the URI and redirect it back to itself and it
>> seems to work OK, and I have also been using ipchains with manually entered
>> IP's to deny packets.
>> 
>> The problem with my solutions is that they require manual intervention to
>> configure the denials/redirects. I would like to do this automagically.
>> 
>> BTW, the redirects HAVE worked fairly well, the DENY's have worked well at
>> reducing the amount of bandwidth wasted. One of the other things I found is
>> that variations of Nimda try to cover their tracks as they are infecting a
>> machine by opening another Explorer window. I help them out by running a
>> counter that opens 500 :) It seems to slow them down a bit...
>> 
>> Thanks all,
>> 
>> --->Rob
>> ----
>> Bill Gates uses a Macintosh.
>> _______________________________________________
>> Web Page:  http://lug.boulder.co.us
>> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
>> 
>> 
>
>-----
>glow at jackmoves.com
>www.jackmoves.com
>

--
       o o o o o o o . . .                                  _______
      o         _____ _____        ____________________ ____] D D [_||___
   ._][__n__n___|DD[ [     \_____  |  D.J. Atkinson   | | dj at pcisys.net |
  >(____________|__|_[___________]_|__________________|_|_______________|
  _/oo OOOO OOOO oo` 'ooooo ooooo` 'o!o            o!o` 'o!o         o!o`
-+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+-
Visit my web page at http://www.pcisys.net/~dj
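As an added example (not code from the thread or from any of its posters), a small Python script that covers DJ's two suggestions from the defender's side: it applies the posted RedirectMatch pattern and its forward-slash variant to a request path to show why the backslash form never fires, tallies requests for the file names named in the thread (cmd.exe, root.exe, admin.dll, default.ida) per client over constructed Apache common-log lines, and parses the answer to the hand-typed "GET /cmd.exe" check so the redirect can be confirmed from a script rather than by eye. The log lines, IP addresses and HTTP responses are constructed; the function names are assumptions of this example.

```python
import re

# Patterns from the thread: the posted RedirectMatch regex with a backslash,
# and the forward-slash form the reply suggests trying instead.
BACKSLASH_PATTERN = r"(.*)\cmd.exe$"
SLASH_PATTERN = r"(.*)/cmd.exe$"

# File names the thread proposes redirecting. Anchored after a "/" and
# case-insensitive, since probes vary the case of the file name.
WORM_PROBE_RE = re.compile(
    r"/(cmd\.exe|root\.exe|admin\.dll|default\.ida)$", re.IGNORECASE
)

# Apache common log format: client ident user [timestamp] "request" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

# Constructed sample log lines (not from the thread); 192.0.2.0/24 is a
# documentation address range.
SAMPLE_LOG = """\
192.0.2.10 - - [27/Sep/2001:08:32:47 -0600] "GET /scripts/root.exe HTTP/1.0" 302 -
192.0.2.11 - - [27/Sep/2001:08:33:01 -0600] "GET /index.html HTTP/1.1" 200 1532
192.0.2.12 - - [27/Sep/2001:08:33:05 -0600] "GET /winnt/system32/cmd.exe HTTP/1.0" 302 -
192.0.2.13 - - [27/Sep/2001:08:33:09 -0600] "GET /default.ida HTTP/1.0" 302 -
192.0.2.10 - - [27/Sep/2001:08:33:12 -0600] "GET /scripts/Admin.dll HTTP/1.0" 302 -
192.0.2.14 - - [27/Sep/2001:08:33:20 -0600] "GET /images/logo.gif HTTP/1.1" 200 4012
"""

# Constructed responses: what a working redirect looks like versus a plain 404.
REDIRECT_RESPONSE = (
    "HTTP/1.1 302 Found\r\nLocation: http://127.0.0.1\r\nContent-Length: 0\r\n\r\n"
)
NOT_FOUND_RESPONSE = "HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n"


def pattern_matches(pattern, path):
    """Apply a RedirectMatch-style regex to a request path. Python 3.7+ rejects
    the "\\c" escape outright; no regex dialect reads it as "/", so a request
    for a literal "/cmd.exe" never matches the backslash form either way."""
    try:
        return re.search(pattern, path) is not None
    except re.error:
        return False


def is_worm_probe(path):
    """True when the path ends in one of the listed file names. The query
    string is dropped first, since the regex is applied to the path only."""
    return WORM_PROBE_RE.search(path.split("?", 1)[0]) is not None


def scan_access_log(text):
    """Tally worm probes per client IP over common-log-format text.
    Returns (probes_by_ip, probe_count, request_count)."""
    by_ip = {}
    probes = 0
    total = 0
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in common log format
        ip, _ts, _method, path, _status = m.groups()
        total += 1
        if is_worm_probe(path):
            probes += 1
            by_ip[ip] = by_ip.get(ip, 0) + 1
    return by_ip, probes, total


def raw_probe_request(path="/cmd.exe", host="localhost"):
    """The bare request the reply types into 'telnet host 80' to confirm the
    redirect fires, written out as HTTP/1.0 with CRLF line endings."""
    return f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n"


def redirect_target(response):
    """Inspect an HTTP response: return the Location value for a 3xx answer,
    "" for a 3xx without Location, or None when the server did not redirect."""
    head = response.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        return None
    if not 300 <= int(parts[1]) < 400:
        return None
    for hdr in lines[1:]:
        name, _, value = hdr.partition(":")
        if name.strip().lower() == "location":
            return value.strip()
    return ""


if __name__ == "__main__":
    for pat in (BACKSLASH_PATTERN, SLASH_PATTERN):
        print(f"{pat!r:22} matches /scripts/cmd.exe: {pattern_matches(pat, '/scripts/cmd.exe')}")
    by_ip, probes, total = scan_access_log(SAMPLE_LOG)
    print(f"{probes} probe requests out of {total}; per client: {by_ip}")
    print("redirect check:", redirect_target(REDIRECT_RESPONSE), redirect_target(NOT_FOUND_RESPONSE))
```

To use the check against a live server, send the string from `raw_probe_request()` over a socket to port 80 and pass whatever comes back to `redirect_target()`; a `None` result means the RedirectMatch line is not firing and the pattern (backslash included) is the first thing to look at.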