[Esd-l] Nimda/IIS worms defense.
hanecak at megaloman.com
Sun Sep 23 23:41:01 PDT 2001
On Fri, 21 Sep 2001, John D. Hardin wrote:
> On Fri, 21 Sep 2001, Bill Larson wrote:
> > RedirectMatch (.*)\cmd.exe$ http://127.0.0.1/
> > RedirectMatch (.*)\default.ida$ http://127.0.0.1/
> > RedirectMatch (.*)\root.exe$ http://127.0.0.1/
> Gawd! I wonder how many times the webserver would reinfect itself
> before it came grinding to a halt...?
Well, NIMDA is not a browser, so IMO it just ignores request results,
whether it is OK, ERROR or MOVED. Thus such a redirect (again IMO) won't
cause more reinfections (or more traffic) to the infected site. Same as CodeRed
sending IIS exploits to Apache servers, not caring about the result (i.e.
actively checking it or whatever).
Peter Hanecak <hanecak at megaloman.com>
GPG pub.key: http://www.megaloman.com/gpg/hanecak-megaloman.txt
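
An added example, not part of the original message or of any poster's code: a Python script that tallies, per source host, the requests for the three filenames in the quoted RedirectMatch lines and how many of them were answered with a redirect. The log lines are constructed samples in Common Log Format, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Filenames taken from the RedirectMatch lines quoted in the thread.
PROBE_NAMES = ("cmd.exe", "root.exe", "default.ida")

# Common Log Format: host ident user [time] "method path proto" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')

# Constructed sample lines (not real traffic); the addresses come from the
# documentation ranges of RFC 5737. RedirectMatch answers with 302 by default.
SAMPLE_LOG = """\
192.0.2.10 - - [21/Sep/2001:10:00:01 -0700] "GET /scripts/root.exe HTTP/1.0" 302 210
192.0.2.10 - - [21/Sep/2001:10:00:02 -0700] "GET /winnt/system32/cmd.exe?probe HTTP/1.0" 302 210
192.0.2.10 - - [21/Sep/2001:10:00:03 -0700] "GET /default.ida?XXXX HTTP/1.0" 302 210
198.51.100.7 - - [21/Sep/2001:10:05:00 -0700] "GET /index.html HTTP/1.0" 200 1024
198.51.100.7 - - [21/Sep/2001:10:05:09 -0700] "GET /scripts/cmd.exe HTTP/1.0" 404 280
192.0.2.10 - - [21/Sep/2001:10:30:01 -0700] "GET /scripts/root.exe HTTP/1.0" 302 210
garbage line without the expected fields
"""

def probe_name(path):
    """Return the probe filename the URL path ends in, or None."""
    # RedirectMatch is applied to the URL path, so drop the query string.
    target = path.split("?", 1)[0].lower()
    for name in PROBE_NAMES:
        if target.endswith("/" + name):
            return name
    return None

def summarize(log_text):
    """Map source host -> {'probes': n, 'redirected': n} for probe requests."""
    stats = defaultdict(lambda: {"probes": 0, "redirected": 0})
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        host, _method, path, status = m.groups()
        if probe_name(path) is None:
            continue
        stats[host]["probes"] += 1
        if status == "302":
            stats[host]["redirected"] += 1
    return dict(stats)

if __name__ == "__main__":
    for host, counts in sorted(summarize(SAMPLE_LOG).items()):
        print(host, counts)
```

In the constructed sample, the host that received 302 responses requests the same path again later, the pattern to look for when checking whether a redirect changes what a scanning client does.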