Maybe something like a rewrite rule:

    RewriteEngine On
    # "-" leaves the URL untouched; F answers 403 Forbidden, L stops further rewriting
    RewriteRule ^.*/cmd\.exe.*  - [F,L]
    RewriteRule ^.*/root\.exe.* - [F,L]

This will send "forbidden" to systems trying those URLs and will stop rewrite processing.

> -----Original Message-----
> From: George Milliken [mailto:gmillikenat_private]
> Sent: Tuesday, September 18, 2001 7:03 PM
> To: Socat_private
> Subject: Anyone????? FW: Concept Virus(CV) V.5 - Quick analysis update
>
>
> Silva?
>
> -----Original Message-----
> From: Homer Wilson Smith [mailto:homerat_private]
> Sent: Tuesday, September 18, 2001 5:06 PM
> To: Brian Pomeroy
> Cc: Olle Segerdahl; incidentsat_private
> Subject: Re: Concept Virus(CV) V.5 - Quick analysis update
>
>
> If anyone has the proper entries in the apache 1.3.20
> config file to block the gets to Admin.dll, root.exe and cmd.exe,
> I would appreciate knowing about them. Been playing with
> <FilesMatch> and <DirectoryMatch> but they only seem to work
> IF the directory path actually exists on the machine.
>
> We are being swamped here.
>
> Homer
>
> ------------------------------------------------------------------------
> Homer Wilson Smith   Clean Air, Clear Water,   Art Matrix - Lightlink
> (607) 277-0959       A Green Earth and Peace.  Internet Access, Ithaca NY
> homerat_private      Is that too much to ask?  http://www.lightlink.com
>
> On Tue, 18 Sep 2001, Brian Pomeroy wrote:
>
> > This morning I received an e-mail with the subject line "elvis presley -
> > amazing grace" from asportalat_private and containing an attachment
> > named read.exe. I am suspecting this could be related.
> >
> > Brian Pomeroy
> > e-Transformation/e-Medicine Center
> > The Children's Hospital of Philadelphia
> > Philadelphia, PA USA
> > http://www.chop.edu/
> > pomeroyat_private || lunarat_private
> >
> >
> > ----- Original Message -----
> > From: "Olle Segerdahl" <olleat_private>
> > To: <bugtraqat_private>; <incidentsat_private>
> > Sent: Tuesday, September 18, 2001 11:58 AM
> > Subject: Concept Virus(CV) V.5 - Quick analysis update
> >
> >
> > > More infection routes:
> > >
> > > The worm, upon infecting a new host, goes through all the
> > > shared directories and their subdirectories and plants the
> > > following files in each dir:
> > >
> > > sample.nws
> > > sample.eml
> > > desktop.eml
> > > desktop.nws
> > >
> > > which are eml messages with copies of itself ("readme.exe")
> > > autoloaded by an html script tag,
> > >
> > > riched20.dll
> > >
> > > which is a trojan dll version of itself probably designed
> > > to infect people running notepad/wordpad in that dir.
> > >
> > >
> > > It also infects htm/html/asp files all over the system with
> > > a <SCRIPT> tag appendage that links to a readme.eml file in
> > > the current directory, thus infecting more webservers and
> > > even windows helpsystem and the IE "friendly" error messages.
> > >
> > > The worm puts a trojan mmc.exe in the winnt directory that
> > > is a copy of itself in the above "readme.exe" format.....
> > >
> > > So in short: This thing spreads via fileserver shares and
> > > also infects all web content files it sees, it's EVIL.
> > >
> > > /olle
> > >
> > >
> > > ----------------------------------------------------------------------------
> > > This list is provided by the SecurityFocus ARIS analyzer service.
> > > For more information on this free incident handling, management
> > > and tracking system please see: http://aris.securityfocus.com
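As an added example that is not code from this thread, the following Python script covers the two detection tasks the messages above raise: Homer's request to catch GETs for cmd.exe, root.exe and Admin.dll on Apache (decided on the request URI, not on whether the path exists on disk, which is why his <FilesMatch>/<DirectoryMatch> attempts did not fire), and Olle's description of htm/html/asp files carrying an appended <SCRIPT> tag that points at readme.eml. The log lines, addresses, timestamps and file contents are constructed; the exact window.open body of the appendage is an assumption, so the matcher only requires a script element whose body names readme.eml.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Filenames the thread wants blocked or spotted: cmd.exe, root.exe, Admin.dll.
# Matched as a whole path component so /docs/cmd.exe.txt does not fire.
PROBE_RE = re.compile(r'/(?:cmd\.exe|root\.exe|admin\.dll)(?:/|$)')

# Apache common/combined log format, parsed up to the status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)(?: HTTP/[\d.]+)?" (?P<status>\d{3})'
)


def is_probe_uri(uri):
    """True if the requested path names one of the probe files.

    The decision is made on the request URI alone, not on whether the path
    exists under DocumentRoot. Percent-decoding and lower-casing make
    cmd%2Eexe and CMD.EXE match as well.
    """
    path = unquote(uri.split('?', 1)[0]).lower()
    return PROBE_RE.search(path) is not None


def scan_access_log(lines):
    """Count probe requests per client address over an iterable of log lines."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_probe_uri(m['uri']):
            hits[m['ip']] += 1
    return hits


# The appendage Olle describes: a <script> element pointing at a readme.eml
# in the same directory. Its exact body is an assumption, so any script
# element whose body names readme.eml is flagged.
APPENDAGE_RE = re.compile(r'<script\b[^>]*>[^<]*readme\.eml', re.IGNORECASE)
WEB_EXTENSIONS = ('.htm', '.html', '.asp')


def has_appendage(text):
    """True if the text contains a script element referring to readme.eml."""
    return APPENDAGE_RE.search(text) is not None


def infected_files(files):
    """files: mapping of path -> file text.

    Returns the sorted paths of htm/html/asp files carrying the appendage;
    other file types are ignored because the thread only reports those.
    """
    return sorted(path for path, text in files.items()
                  if path.lower().endswith(WEB_EXTENSIONS) and has_appendage(text))


# Constructed sample data (addresses, timestamps and file contents are made up).
SAMPLE_LOG = """\
10.0.0.5 - - [18/Sep/2001:17:02:11 -0400] "GET /scripts/root.exe HTTP/1.0" 404 276 "-" "-"
10.0.0.5 - - [18/Sep/2001:17:02:12 -0400] "GET /MSADC/root.exe HTTP/1.0" 404 276 "-" "-"
10.0.0.5 - - [18/Sep/2001:17:02:12 -0400] "GET /winnt/system32/CMD.EXE HTTP/1.0" 404 276 "-" "-"
192.0.2.9 - - [18/Sep/2001:17:05:40 -0400] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0"
192.0.2.9 - - [18/Sep/2001:17:05:41 -0400] "GET /scripts/cmd%2Eexe HTTP/1.0" 404 276 "-" "-"
10.0.0.5 - - [18/Sep/2001:17:06:00 -0400] "GET /scripts/Admin.dll HTTP/1.0" 404 276 "-" "-"
198.51.100.7 - - [18/Sep/2001:17:07:00 -0400] "GET /docs/cmd.exe.txt HTTP/1.0" 200 512 "-" "Mozilla/4.0"
"""

SAMPLE_FILES = {
    'htdocs/index.html': ('<html><body>Welcome</body></html>\n'
                          '<html><script language="JavaScript">'
                          'window.open("readme.eml", null, "resizable=no")</script></html>'),
    'htdocs/about.htm': '<html><body>About us</body></html>',
    'htdocs/login.asp': ('<% Response.Write("login") %>\n'
                         '<html><script>window.open("readme.eml")</script></html>'),
    'htdocs/notes.txt': '<script>see readme.eml</script>',  # not a type the worm appends to
}

if __name__ == '__main__':
    for ip, n in scan_access_log(SAMPLE_LOG.splitlines()).most_common():
        print(f'{ip}: {n} probe request(s)')
    for path in infected_files(SAMPLE_FILES):
        print(f'appendage found in {path}')
```

Run against a real access_log, the per-address counts give the list of hosts hammering the server that the rewrite rule above will start answering with 403; the file scan is the check to run on the shares and web roots Olle mentions, since the rewrite rule only stops inbound probes and does nothing for content already modified.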
This archive was generated by hypermail 2b30 : Wed Sep 19 2001 - 09:21:03 PDT