Security Incidents mailing list archives
Re: Tracking down the still infected hosts
From: "Mike Lewinski" <mike () rockynet com>
Date: Mon, 24 Sep 2001 10:29:12 -0600
Anyone else doing anything to help this?
I don't think that this has been posted here yet.... The following appears to cripple infected hosts and limits the damage they can cause. Others who have used this report that persistent infected hosts disappear from their logs shortly after applying this configuration change to their own servers, and that browsing an infected server after applying this results in "HTTP 403.9 - Access Forbidden: Too many users are connected" For Apache: RedirectMatch (.*)\cmd.exe$ http://127.0.0.1 For IIS: ----- Original Message ----- From: "Ron Hornbaker" <ron () hksi net> To: <imail () hksi net> Sent: Friday, September 21, 2001 1:11 PM Subject: RE: [imail] IIS Judo against Nimda's DoS attacks (was Fwd: [isp-linux] Buaaa Haaa Ha Haaaaaaaaa...)
Great tip, Len. Here's the IIS version... just create a file in your web root called something like "Custom404.asp", with this content (customize the friendly part as much as you wish):
<% 'Custom404.asp page to thwart Nimda DoS attacks on IIS 'by Humankind Systems, Inc. http://hksi.net/ 'No support or guarantees of any kind are granted with this 'code. Use at your own risk. Distribute freely. 'Get the entire URL requested myRequest=Request.ServerVariables("QUERY_STRING") 'A list of filenames Nimda looks for myBadList="cmd.exe,root.exe,admin.dll,default.ida" 'Detect a GET request from the Nimda virus and take appropriate action arrBadString=Split(myBadList,",") for i=0 to UBound(arrBadString) if inStr(myRequest,arrBadString(i))>0 then 'turn offending server back on itself Response.redirect "http://127.0.0.1" end if next %> <html> <head> <title>Page Not Found</title> </head> <body> Sorry, but that page was not found on our server. <p> Here is a link back to our <a href="/">Home Page</a>. </body> </html> ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- Tracking down the still infected hosts Darren Windham (Sep 24)
- Re: Tracking down the still infected hosts Mike Lewinski (Sep 24)
- <Possible follow-ups>
- RE: Tracking down the still infected hosts Martinez, Simon (Sep 24)
- RE: Tracking down the still infected hosts Fulton L. Preston Jr. (Sep 24)
- RE: Tracking down the still infected hosts Ryan McDonnell (Sep 25)
- Re: Tracking down the still infected hosts Kyle R. Hofmann (Sep 25)
- Re: Tracking down the still infected hosts Tina Bird (Sep 25)
- Re: Tracking down the still infected hosts Skip Carter (Sep 25)
- Re: Tracking down the still infected hosts Kyle R. Hofmann (Sep 25)
- Re: Tracking down the still infected hosts Dale Lancaster (Sep 25)
- Re: Tracking down the still infected hosts Duncan Hill (Sep 25)
- Re: Tracking down the still infected hosts Josh Burroughs (Sep 25)