[lug] RE: Redirect code-where does it go?

Warren Sanders sanders at MontanaLinux.Org
Thu Sep 27 08:53:03 MDT 2001


On Thu, 27 Sep 2001, Justin wrote:

> Date: Thu, 27 Sep 2001 08:32:47 -0600 (MDT)
> From: Justin <glow at jackmoves.com>
> Reply-To: lug at lug.boulder.co.us
> To: lug at lug.boulder.co.us
> Subject: Re: [lug] RE: Redirect code-where does it go?
>
> I tried that same redirect line verbatim in my httpd.conf and have not
> seen my nimda hits drop at all. I sent an email to the list yesterday
> or the day before to see if that line was actually right but have not
> gotten a response yet.
>
> Justin

The line 'RedirectMatch (.*)\cmd.exe$ http://127.0.0.1' goes into your
httpd.conf file; that is correct.  You must restart the httpd service afterwards
too.

I added additional lines:
RedirectMatch (.*)\root.exe$ http://127.0.0.1
RedirectMatch (.*)\default.ida$ http://127.0.0.1

I took a count before this was in effect:
33998 9:17AM Wed. 26
35214 8:35AM Thur. 27
So no, I have not seen it drop off yet, but I guess next I'd like to find out if
there are returning hosts.  This morning the LEDs on the cable-modem seemed a
bit quieter but not much.

Testing the operation out; I tried to get example: root.exe from my web server
and was denied and logged still but it didn't give me a 404 page.

So what does an infected IIS machine get now?  Maybe one could just grep out all
the hosts with the infection and just add them to the firewall.  Would that help
the noise?

-- 
Warren Sanders
http://MontanaLinux.Org

>
> > I have seen mentioned over the past few days a redirect solution to
> the
> > nimda/code red worm problem as shown below.
> >
> > RedirectMatch (.*)\cmd.exe$ http://127.0.0.1
> >
> > What page/config file does this go in and what is the full syntax?
> >
> > I have been using php to read the URI and redirect it back to itself
> and it
> > seems to work OK, and I have also been using ipchains with manually
> entered
> > IP's to deny packets.
> >
> > The problem with my solutions is that they require manual
> intervention to
> > configure the denials/redirects. I would like to do this
> automagically.
> >
> > BTW, the redirects HAVE worked fairly well, the DENY's have worked
> well at
> > reducing the amount of bandwidth wasted. One of the other things I
> found is
> > that variations of Nimda try to cover their tracks as they are
> infecting a
> > machine by opening another Explorer window. I help them out by
> running a
> > counter that opens 500 :) It seems to slow them down a bit...
> >
> > Thanks all,
> >
> > --->Rob
> > ----
> > Bill Gates uses a Macintosh.
> > _______________________________________________
> > Web Page:  http://lug.boulder.co.us
> > Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> >
> >
>
> -----
> glow at jackmoves.com
> www.jackmoves.com
>
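Added example for this thread (not code from the list, from Apache, or from anyone posting above): a small Python script that does the log-side half of what Warren and Rob describe, counting requests for the three worm paths (cmd.exe, root.exe, default.ida) per source host in an Apache access_log, listing the hosts that came back on a later day, and rendering them as ipchains DENY rules. A redirect only changes the response the scanning host receives; the request still reaches the server and is still logged, so the raw hit count will not drop, which is why per-host and returning-host counts are the more telling numbers. The log lines, hosts and dates are constructed for the example, and the ipchains rule format is assumed from the thread's description rather than taken from the page.

```python
"""Count Nimda/Code Red style probes per source host in an Apache access_log.

Added example for this thread, not code from the list or from Apache.
Log lines, hosts and dates below are constructed for the example.
"""
import re
from collections import defaultdict

# Request paths the thread's RedirectMatch rules key on (cmd.exe, root.exe,
# default.ida), matched on the path with any query string removed.
WORM_PATH = re.compile(r"/(?:cmd\.exe|root\.exe|default\.ida)$", re.IGNORECASE)

# Apache Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<day>\d{2}/\w{3}/\d{4}):[^\]]*\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

# Constructed sample log: 10.0.0.5 probes on both days, the others once each.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Sep/2001:09:10:01 -0600] "GET /scripts/root.exe HTTP/1.0" 302 209
10.0.0.5 - - [26/Sep/2001:09:10:02 -0600] "GET /winnt/system32/cmd.exe HTTP/1.0" 302 209
10.0.0.9 - - [26/Sep/2001:11:42:17 -0600] "GET /default.ida?NNNN HTTP/1.0" 302 209
192.0.2.14 - - [26/Sep/2001:12:00:00 -0600] "GET /index.html HTTP/1.0" 200 1523
10.0.0.5 - - [27/Sep/2001:08:30:44 -0600] "GET /scripts/root.exe HTTP/1.0" 302 209
10.0.0.22 - - [27/Sep/2001:08:31:00 -0600] "GET /scripts/cmd.exe HTTP/1.0" 302 209
"""


def parse_line(line):
    """Return (host, day, path) for a worm-signature request, else None."""
    m = CLF.match(line.strip())
    if not m:
        return None
    parts = m.group("request").split()
    if len(parts) < 2:                  # malformed request line, e.g. "-"
        return None
    path = parts[1].split("?", 1)[0]    # drop the query string before matching
    if not WORM_PATH.search(path):
        return None
    return m.group("host"), m.group("day"), path


def worm_hits(log_text):
    """Map each probing host to {day: hit_count}."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            host, day, _ = parsed
            hits[host][day] += 1
    return {h: dict(d) for h, d in hits.items()}


def hit_counts(hits):
    """Total worm requests per host, most active first."""
    totals = {h: sum(d.values()) for h, d in hits.items()}
    return dict(sorted(totals.items(), key=lambda kv: (-kv[1], kv[0])))


def returning_hosts(hits):
    """Hosts that probed on more than one calendar day, i.e. still infected."""
    return sorted(h for h, d in hits.items() if len(d) > 1)


def ipchains_rules(hosts):
    """Render DENY rules in the ipchains form the thread mentions (assumed syntax)."""
    return [f"ipchains -A input -s {h} -j DENY" for h in hosts]


if __name__ == "__main__":
    hits = worm_hits(SAMPLE_LOG)
    for host, n in hit_counts(hits).items():
        print(f"{n:6d}  {host}")
    print("returning:", returning_hosts(hits))
    print("\n".join(ipchains_rules(returning_hosts(hits))))
```

To run it against a real log, replace SAMPLE_LOG with the contents of /var/log/httpd/access_log (or wherever the server writes it); the returning-hosts list is the set worth feeding into the firewall, since a host seen only once may already be cleaned up, while one probing on consecutive days clearly is not.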
