I think this is even better:
<IfModule mod_rewrite.c>
RewriteEngine on
# Uncomment these if you want an intrusion log.
# RewriteLog /var/log/worms-kiddies.log
# RewriteLogLevel 1
RewriteRule ^/(.*)cmd.exe(.*)$ http://sameserver/police.php [L]
RewriteRule ^/(.*)root.exe(.*)$ http://sameserver/police.php
RewriteRule ^/(.*)\/_vti_bin\/(.*)$ http://sameserver/police.php
RewriteRule ^/(.*)\/scripts\/\.\.(.*)$ http://sameserver/police.php
RewriteRule ^/(.*)\/_mem_bin\/(.*)$ http://sameserver/police.php
RewriteRule ^/(.*)\/msadc\/(.*)$ http://sameserver/police.php
RewriteRule ^/(.*)\/MSADC\/(.*)$ http://sameserver/police.php
RewriteRule ^/(.*)\/c\/winnt\/(.*)$ http://sameserver/police.php
RewriteRule ^/(.*)\/d\/winnt\/(.*)$ http://sameserver/police.php
RewriteRule ^/(.*)\/x90\/(.*)$ http://sameserver/police.php
</IfModule>
sameserver is your server (You could remove that part)
police.php is some scary page :-)
I think this is better since it wouldn't rely on the HTTP client
williness to go to the redirect page,
as it happens with a mod_alias sollution.
Of course this could all be useless if the hacko is a worm with no
fear! Anyway, it's just a funny
alternative to a decent IDS.
See you,
Yves Junqueira
- Lynx Informatica
www.lynx.com.br
Just be aware that it's actual mod_alias rather than mod_rewrite lines
in that extract, so the first line should be
<IfModule mod_alias.c>
Of course, it will only break due to the error if you don't have
mod_rewrite loaded.
On Jun 7, 2004, at 11:58 AM, Robert Cates wrote:
Thanks much!
The rewrite solution looks good to me as well, and I'll add to my
config
shortly!
Thanks again,
Robert