Re: nimda probes
On Fri, Sep 21, 2001 at 07:24:45AM +1000, Sam Varghese wrote:
| On Thu, Sep 20, 2001 at 09:20:23AM -0700, Greg Wiley wrote:
| > On Wednesday, September 19, 2001 11:55 PM, sam@gnubies.com
| >
| > > Nicholas Petreley had this suggestion for redirecting
| > > nimda probes using Apache:
| >
| > > RedirectMatch ^.*\.(exe|dll).* http://support.microsoft.com
| >
| > Heh. I wonder if nimda actually responds to redirects.
| >
| > -=greg
|
| Looking at my logs, it seems to work:
|
| GET /cmd.dll HTTP/1.0" 302
|
| GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302
|
| Same Apache redirect response as for /default.ida
| and that, I know, works.
That means that Apache returned a redirect.
How do you know if the worm actually followed it or not? You would
have to make it redirect to a different part of your site (or another
site you have access to the logs of) and see if it is accessed.
-D
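
The check suggested in the last reply, written out as an added example that is not part of the original thread: it finds clients that were sent a 302 for an .exe/.dll request and reports which of them later requested the redirect target. The target path `/probe-canary`, the host `www.example.org` and the log lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime

# Assumption: the thread's rule now points at a path whose logs you can read:
#   RedirectMatch ^.*\.(exe|dll).* http://www.example.org/probe-canary
CANARY_PATH = "/probe-canary"                 # hypothetical path
PROBE_RE = re.compile(r"^.*\.(exe|dll).*")    # same pattern as the rule

# Apache common log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"\S+ (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

# Constructed sample log lines (documentation-range addresses).
SAMPLE_LOG = """\
192.0.2.10 - - [21/Sep/2001:07:01:02 +1000] "GET /cmd.dll HTTP/1.0" 302 290
192.0.2.10 - - [21/Sep/2001:07:01:03 +1000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 310
198.51.100.7 - - [21/Sep/2001:07:05:10 +1000] "GET /cmd.dll HTTP/1.0" 302 290
198.51.100.7 - - [21/Sep/2001:07:05:11 +1000] "GET /probe-canary HTTP/1.0" 200 12
203.0.113.5 - - [21/Sep/2001:07:09:00 +1000] "GET /index.html HTTP/1.0" 200 1024
"""

def parse(log_text):
    """Yield (host, time, path, status) for each well-formed log line."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            when = datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z")
            yield m["host"], when, m["path"], m["status"]

def classify_clients(log_text):
    """Return (followed, not_followed) sets of hosts that were sent a 302
    for a probe and later did / did not request the canary path."""
    entries = list(parse(log_text))
    first_redirect = {}                       # host -> earliest redirected probe
    for host, when, path, status in entries:
        if status == "302" and PROBE_RE.match(path):
            if host not in first_redirect or when < first_redirect[host]:
                first_redirect[host] = when
    followed = {host for host, when, path, _ in entries
                if path.split("?")[0] == CANARY_PATH
                and host in first_redirect and when >= first_redirect[host]}
    return followed, set(first_redirect) - followed

if __name__ == "__main__":
    followed, ignored = classify_clients(SAMPLE_LOG)
    print("followed redirect:", sorted(followed))
    print("302 only, never fetched target:", sorted(ignored))
```

The canary path should not be linked from anywhere else, so that any request for it can only have come from a client following the redirect.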