Re: Tracking down the still infected hosts

From: Mike Lewinski (mikeat_private)
Date: Mon Sep 24 2001 - 09:29:12 PDT

Next message: bonkat_private: "New Virus (TROJ_VOTE.A)"

Previous message: Martinez, Simon: "RE: Tracking down the still infected hosts"
In reply to: Darren Windham: "Tracking down the still infected hosts"
Next in thread: Fulton L. Preston Jr.: "RE: Tracking down the still infected hosts"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> Anyone else doing anything to help this?

I don't think that this has been posted here yet.... The following appears
to cripple infected hosts and limits the damage they can cause. Others who
have used this report that persistent infected hosts disappear from their
logs shortly after applying this configuration change to their own servers,
and that browsing an infected server after applying this results in "HTTP
403.9 - Access Forbidden: Too many users are connected"

For Apache:
RedirectMatch (.*)\cmd.exe$ http://127.0.0.1


For IIS:

----- Original Message -----
From: "Ron Hornbaker" <ronat_private>
To: <imailat_private>
Sent: Friday, September 21, 2001 1:11 PM
Subject: RE: [imail] IIS Judo against Nimda's DoS attacks (was Fwd:
[isp-linux] Buaaa Haaa Ha Haaaaaaaaa...)


> Great tip, Len. Here's the IIS version... just create a file in your web
> root called something like "Custom404.asp", with this content (customize
> the friendly part as much as you wish):

<%
'Custom404.asp page to thwart Nimda DoS attacks on IIS
'by Humankind Systems, Inc. http://hksi.net/
'No support or guarantees of any kind are granted with this
'code. Use at your own risk. Distribute freely.

'Get the entire URL requested
myRequest=Request.ServerVariables("QUERY_STRING")

'A list of filenames Nimda looks for
myBadList="cmd.exe,root.exe,admin.dll,default.ida"

'Detect a GET request from the Nimda virus and take appropriate action
arrBadString=Split(myBadList,",")
for i=0 to UBound(arrBadString)
if inStr(myRequest,arrBadString(i))>0 then
'turn offending server back on itself
Response.redirect "http://127.0.0.1"
end if
next
%>
<html>
<head>
<title>Page Not Found</title>
</head>
<body>
Sorry, but that page was not found on our server.
<p>
Here is a link back to our <a href="/">Home Page</a>.
</body>
</html>




----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: bonkat_private: "New Virus (TROJ_VOTE.A)"
Previous message: Martinez, Simon: "RE: Tracking down the still infected hosts"
In reply to: Darren Windham: "Tracking down the still infected hosts"
Next in thread: Fulton L. Preston Jr.: "RE: Tracking down the still infected hosts"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon Sep 24 2001 - 09:41:09 PDT