[Esd-l] Nimda/IIS worms defense.
Peter Hanecak
hanecak at megaloman.com
Sun Sep 23 23:41:01 PDT 2001
Hello,
On Fri, 21 Sep 2001, John D. Hardin wrote:
> On Fri, 21 Sep 2001, Bill Larson wrote:
>
> > RedirectMatch (.*)\cmd.exe$ http://127.0.0.1/
> > RedirectMatch (.*)\default.ida$ http://127.0.0.1/
> > RedirectMatch (.*)\root.exe$ http://127.0.0.1/
>
> Gawd! I wonder how many times the webserver would reinfect itself
> before it came grinding to a halt...?
Well, NIMDA is not a browser so IMO it just ignores request results
whether it is OK, ERROR or MOVED. Thus such a redirect (again IMO) won't
cause more reinfections (or more traffic) to the infected site. Same as CodeRed
sending IIS exploits to Apache servers not caring about result (i.e.
actively checking it or whatever).
Sincerely
Peter Hanecak
--
===================================================================
Peter Hanecak <hanecak at megaloman.com>
GPG pub.key: http://www.megaloman.com/gpg/hanecak-megaloman.txt
===================================================================
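
An added example, not part of the original thread: one way to see from the server side whether redirected worm probes keep arriving is to tally access-log requests for the three filenames in the quoted RedirectMatch rules, per client and response status. The Apache Common Log Format and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Filenames taken from the RedirectMatch rules quoted in the thread.
PROBE_NAMES = ("cmd.exe", "root.exe", "default.ida")

# Apache Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [21/Sep/2001:10:00:01 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 302 210
192.0.2.10 - - [21/Sep/2001:10:00:02 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 210
198.51.100.7 - - [21/Sep/2001:10:01:15 -0700] "GET /default.ida?XXXX HTTP/1.0" 302 210
203.0.113.5 - - [21/Sep/2001:10:02:00 -0700] "GET /index.html HTTP/1.0" 200 1024
192.0.2.10 - - [21/Sep/2001:10:05:40 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 302 210
""".splitlines()


def probe_name(path):
    """Return the probe filename the path ends in (query stripped), else None."""
    leaf = path.split("?", 1)[0].replace("\\", "/").rsplit("/", 1)[-1].lower()
    return leaf if leaf in PROBE_NAMES else None


def tally(lines):
    """Count probe requests per (client, status); skip unparseable lines."""
    hits = Counter()
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue
        host, _method, path, status = m.groups()
        if probe_name(path):
            hits[(host, int(status))] += 1
    return hits


if __name__ == "__main__":
    for (host, status), n in sorted(tally(SAMPLE_LOG).items()):
        print(f"{host} status={status} probes={n}")
```

A client that keeps showing up with status 302 for these names is still probing after being redirected, which is the behaviour the reply expects from a scanner that does not act on the response.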