Re: New worm protection

From: The Anarcat (anarcat@anarcat.dyndns.org)
Date: 09/23/01


Date: Sun, 23 Sep 2001 13:51:44 -0400
From: The Anarcat <anarcat@anarcat.dyndns.org>
To: David G Andersen <danderse@cs.utah.edu>


On Sun, 23 Sep 2001, David G Andersen wrote:

> Lo and behold, Ian Smith once said:
> >
> > Cute. Will play. However there are other directories too; dumping
> > ANY request containing cmd.exe or root.exe would do it best here.
>
> Use mod_rewrite to redirect all accesses to that script.
>
> RewriteEngine on
> RewriteRule .*/cmd.exe.* /scripts/nph-foo.cgi
>
> (I haven't tested this syntax. Test it first. :)

Nice idea! Here's what I did:

RewriteEngine on
RewriteRule .*/cmd.exe.* /nimda.txt
RewriteRule .*/root.exe.* /nimda.txt
RewriteRule .*/default.ida.* /codered.txt
RewriteRule .*/Admin.dll.* /codered.txt
RewriteRule .*\\Admin.dll.* /codered.txt

nimda.txt and codered.txt are simply empty files. This reduces the
bandwitdh used by the attack and removes the entries in error.log.

So the syntax is correct.

Note the default.ida entry for th code red worm (is that it?). I think
admin.dll is the same, but I'm not sure. Anyways, it doesn't make much
difference.

Here is a sample telnet output:

GET /default.ida HTTP/1.0

HTTP/1.1 200 OK
Date: Sun, 23 Sep 2001 17:46:27 GMT
Server: Apache/1.3.20 (Unix) mod_ssl/2.8.4 OpenSSL/0.9.6a
Last-Modified: Sun, 23 Sep 2001 17:21:20 GMT
ETag: "1d161-0-3bae1a10"
Accept-Ranges: bytes
Content-Length: 0
Connection: close
Content-Type: text/plain



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message