Re: New worm protection

From: The Anarcat (
Date: 09/23/01

Date: Sun, 23 Sep 2001 13:51:44 -0400
From: The Anarcat <>
To: David G Andersen <>

On Sun, 23 Sep 2001, David G Andersen wrote:

> Lo and behold, Ian Smith once said:
> >
> > Cute. Will play. However there are other directories too; dumping
> > ANY request containing cmd.exe or root.exe would do it best here.
> Use mod_rewrite to redirect all accesses to that script.
> RewriteEngine on
> RewriteRule .*/cmd.exe.* /scripts/nph-foo.cgi
> (I haven't tested this syntax. Test it first. :)

Nice idea! Here's what I did:

RewriteEngine on
RewriteRule .*/cmd.exe.* /nimda.txt
RewriteRule .*/root.exe.* /nimda.txt
RewriteRule .*/default.ida.* /codered.txt
RewriteRule .*/Admin.dll.* /codered.txt
RewriteRule .*\\Admin.dll.* /codered.txt

nimda.txt and codered.txt are simply empty files. This reduces the
bandwitdh used by the attack and removes the entries in error.log.

So the syntax is correct.

Note the default.ida entry for th code red worm (is that it?). I think
admin.dll is the same, but I'm not sure. Anyways, it doesn't make much

Here is a sample telnet output:

GET /default.ida HTTP/1.0

HTTP/1.1 200 OK
Date: Sun, 23 Sep 2001 17:46:27 GMT
Server: Apache/1.3.20 (Unix) mod_ssl/2.8.4 OpenSSL/0.9.6a
Last-Modified: Sun, 23 Sep 2001 17:21:20 GMT
ETag: "1d161-0-3bae1a10"
Accept-Ranges: bytes
Content-Length: 0
Connection: close
Content-Type: text/plain

To Unsubscribe: send mail to
with "unsubscribe freebsd-security" in the body of the message

Relevant Pages

  • Re: mod_rewrite problems
    ... I like that syntax; it's much more concise but I eliminated it to see ... RewriteRule ^ /index.php ... part here would be the location bar, ...
  • Re: php and mod_rewrite?
    ... to redirect to /index.php?$2, ... figure out how to redirect the ?show=files request AND at the end add ... RewriteRule does not match against the query string in mod_rewrite. ...
  • Re: [PHP] localization folder for web site
    ... your script need only extract the language param from $_GET. ... If a request was made directly like /your_script.php?l=fr then the RewriteRule would not be used, because the condition was not met. ... So, in this case, there would be absolutely no difference from the perspective of the script. ... The only difference, as far as the *request* goes, is that mod_rewrite has nothing to do with it. ...
  • Re: URL Rewriting
    ... it loads the index.php?content=alumni ... think what is happening is that your request for "alumni/" is being ... DirectoryIndex rule somewhere else. ... RewriteRule ^alumni?$ index.php?content=alumni ...
  • php and mod_rewrite?
    ... if i change the rule to: RewriteRule ^test//$ ... it stops working. ... to redirect to /index.php?$2, ... figure out how to redirect the ?show=files request AND at the end add ...