[Esd-l] Nimda/IIS worms defense.

Peter Hanecak hanecak at megaloman.com
Sun Sep 23 23:41:01 PDT 2001


On Fri, 21 Sep 2001, John D. Hardin wrote:

> On Fri, 21 Sep 2001, Bill Larson wrote:
> >     RedirectMatch (.*)\cmd.exe$
> >     RedirectMatch (.*)\default.ida$
> >     RedirectMatch (.*)\root.exe$
> Gawd! I wonder how many times the webserer would reinfect itself
> before it came grinding to a halt...?

well, NIMDA is not a browser so IMO it just ignores request results 
whether it is OK, ERROR or MOVED. Thus such redirect (again IMO) wont 
cause more reinfections (or more trafic) to infected site. Same as CodeRed 
sending ISS exploits to Apache servers not caring about result (i.e. 
actively checking it or whatever).


Peter Hanecak

  Peter Hanecak <hanecak at megaloman.com>
  GPG pub.key: http://www.megaloman.com/gpg/hanecak-megaloman.txt

More information about the esd-l mailing list