
Re: nimda probes



On Fri, Sep 21, 2001 at 07:24:45AM +1000, Sam Varghese wrote:
| On Thu, Sep 20, 2001 at 09:20:23AM -0700, Greg Wiley wrote:
| > On Wednesday, September 19, 2001 11:55 PM, sam@gnubies.com
| > 
| > > Nicholas Petreley had this suggestion for redirecting
| > > nimda probes using Apache:
| >  
| > > RedirectMatch ^.*\.(exe|dll).* http://support.microsoft.com
| > 
| > Heh.  I wonder if nimda actually responds to redirects.
| > 
| >   -=greg
| 
| Looking at my logs, it seems to work:
| 
| GET /cmd.dll HTTP/1.0" 302
| 
| GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302
| 
| Same Apache redirect response as for /default.ida
| and that, I know, works.

That means that Apache returned a redirect.

How do you know if the worm actually followed it or not?  You would
have to make it redirect to a different part of your site (or another
site you have access to the logs of) and see if it is accessed.

-D
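
The check described in the reply above, as an added example that is not part of the original post: it reads an Apache access log and reports which hosts requested the redirect target after receiving a 302 for a probe URL. It assumes Common Log Format and a RedirectMatch target on your own site; the path `/nimda-trap.html` and the sample log lines are constructed.

```python
import re
from datetime import datetime

# Same pattern as the RedirectMatch rule quoted in the thread.
PROBE = re.compile(r"^.*\.(exe|dll).*")
# Hypothetical local redirect target (assumption, not from the thread).
# It must not itself match PROBE, or the redirect would loop.
TRAP_PATH = "/nimda-trap.html"

# Apache Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

def followed_redirects(lines, trap_path=TRAP_PATH):
    """Return (followed, ignored): hosts that requested trap_path after
    being sent a 302 for a probe URL, and redirected hosts that never did.
    Lines are expected in chronological order, as Apache writes them."""
    redirected = {}  # host -> time of first redirected probe
    followed = set()
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # skip malformed lines rather than guess
        host = m["host"]
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        # RedirectMatch tests the URL path only, so drop the query string.
        path = m["url"].split("?", 1)[0]
        if m["status"] == "302" and PROBE.match(path):
            redirected.setdefault(host, ts)
        elif path == trap_path and host in redirected and ts >= redirected[host]:
            followed.add(host)
    return followed, set(redirected) - followed

# Constructed sample log lines using documentation address ranges.
SAMPLE = [
    '192.0.2.10 - - [21/Sep/2001:07:01:02 +1000] "GET /cmd.dll HTTP/1.0" 302 210',
    '198.51.100.7 - - [21/Sep/2001:07:01:05 +1000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 210',
    '192.0.2.10 - - [21/Sep/2001:07:01:06 +1000] "GET /nimda-trap.html HTTP/1.0" 200 512',
    '203.0.113.5 - - [21/Sep/2001:07:02:00 +1000] "GET /nimda-trap.html HTTP/1.0" 200 512',
    'not a log line',
]

if __name__ == "__main__":
    followed, ignored = followed_redirects(SAMPLE)
    print("followed the redirect:", sorted(followed))
    print("redirected but never fetched the target:", sorted(ignored))
```

A host that fetches the target without a preceding redirected probe (203.0.113.5 in the sample) is counted in neither set, so ordinary visitors to that page do not show up as followers.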


