@tomic
Senior Member
USA
1790 Posts
Posted - 10 September 2002 : 16:17:30
I am sick and tired of looking through my server logs and finding all these stupid worm probes so I searched the web and found this nifty bit of code to redirect those probes to where they came from.
Create a file in your web root called something like "Custom404.asp", with this content (customize the friendly part as much as you wish):
<%
'Custom404.asp page to thwart Nimda DoS attacks on IIS
'by Humankind Systems, Inc. http://hksi.net/
'No support or guarantees of any kind are granted with this
'code. Use at your own risk. Distribute freely.
'Get the entire URL requested
myRequest=Request.ServerVariables("QUERY_STRING")
'A list of filenames Nimda looks for
myBadList="cmd.exe,root.exe,admin.dll,default.ida"
'Detect a GET request from the Nimda virus and take appropriate action
arrBadString=Split(myBadList,",")
for i=0 to UBound(arrBadString)
if inStr(myRequest,arrBadString(i))>0 then
'turn offending server back on itself
Response.redirect "http://127.0.0.1"
end if
next
%>
<html>
<head>
<title>Page Not Found</title>
</head>
<body>
Sorry, but that page was not found on our server.
<p>
Here is a link back to our <a href="/">Home Page</a>.
</body>
</html>
To demo go to: http://www.skepticfriends.org/forum2/cmd.exe
@tomic
SportsBettingAcumen.com
Edited by - @tomic on 11 September 2002 04:42:39
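The Custom404.asp above acts on a request only when it arrives; the companion question in this thread is how many such probes a server actually sees over a week. The following Python is an added example, not code from the post or from Humankind Systems: it parses constructed IIS W3C extended log lines, flags rows carrying the same four filenames the ASP checks for, and tallies them per source IP and per ISO week. The sample log lines and IP addresses are constructed for illustration.

```python
from collections import Counter
from datetime import date

# The filenames Custom404.asp checks for (from the post). The long
# "XXXX...default.ida" request described later in the thread also matches.
PROBE_MARKERS = ("cmd.exe", "root.exe", "admin.dll", "default.ida")

# Constructed sample log in IIS W3C extended format (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-09-10 16:01:02 10.0.0.5 GET /scripts/root.exe /c+dir 404
2002-09-10 16:01:03 10.0.0.5 GET /MSADC/root.exe /c+dir 404
2002-09-10 16:01:04 10.0.0.5 GET /c/winnt/system32/cmd.exe /c+dir 404
2002-09-10 16:02:10 10.0.0.9 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXX%u9090 404
2002-09-10 16:03:00 10.0.0.7 GET /index.html - 200
2002-09-11 09:15:22 10.0.0.5 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 404
2002-09-11 09:20:00 10.0.0.7 GET /missing.html - 404
"""

def parse_w3c(text):
    """Yield one dict per data row, using the #Fields header for column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # skip malformed rows rather than mis-assign columns
        yield dict(zip(fields, parts))

def is_worm_probe(row):
    """True if the URI stem or query carries one of the Nimda/Code Red filenames."""
    target = (row["cs-uri-stem"] + " " + row["cs-uri-query"]).lower()
    return any(marker in target for marker in PROBE_MARKERS)

def probe_counts(text):
    """Return (probes per source IP, probes per ISO week number) for the log text."""
    per_ip, per_week = Counter(), Counter()
    for row in parse_w3c(text):
        if not is_worm_probe(row):
            continue
        per_ip[row["c-ip"]] += 1
        y, m, d = (int(x) for x in row["date"].split("-"))
        per_week[date(y, m, d).isocalendar()[1]] += 1
    return per_ip, per_week

if __name__ == "__main__":
    ips, weeks = probe_counts(SAMPLE_LOG)
    print("per IP:", dict(ips), "per week:", dict(weeks))
```

Run it against a real IIS log by passing the file's contents to probe_counts; the per-IP counter is the list you would hand to an abuse contact, and the per-week counter answers the "how many are still ongoing" question.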
Banksy
Starting Member
United Kingdom
1 Posts
Posted - 10 September 2002 : 16:54:16
Why not just have a default website that only has the IP address as a host header and stop the site? It means the first time they attempt to connect they'll get a "site not here" type message and go away. Most of the Nimda type things check IP addresses, not website addresses. It also means you end up with cleaner log files.
@tomic
Senior Member
USA
1790 Posts
Posted - 10 September 2002 : 17:09:04
I suppose if you have your own server you could do that.
@tomic
SportsBettingAcumen.com
sy
Average Member
United Kingdom
638 Posts
Posted - 10 September 2002 : 17:59:27
Am I missing something with this? What is the purpose of providing an error message to an autonomous script?
Would it be easy to send a message to the bad server's admin?
Confused :)
Sy
The pessimist complains about the wind; the optimist expects it to change; the realist adjusts the sails
@tomic
Senior Member
USA
1790 Posts
Posted - 10 September 2002 : 18:04:37
quote: Would it be easy to send a message to the bad server's admin?
Because I am sick of sending those emails... so many emails. I just decided to redirect the probes back to where they came from. There is no error message unless you have a normal bad request.
@tomic
SportsBettingAcumen.com
sy
Average Member
United Kingdom
638 Posts
Posted - 10 September 2002 : 18:43:20
quote: Originally posted by @tomic
quote: Would it be easy to send a message to the bad server's admin?
Because I am sick of sending those emails... so many emails. I just decided to redirect the probes back to where they came from. There is no error message unless you have a normal bad request.
@tomic
Right, I am with you now; perhaps the sending of the mail could be automated, say to admin@<domain>.
Looks cool.
Sy
The pessimist complains about the wind; the optimist expects it to change; the realist adjusts the sails
@tomic
Senior Member
USA
1790 Posts
Posted - 10 September 2002 : 19:04:09
Well, perhaps that would be nice, but in the logs I don't have a domain name, just the IP address, and I am not going to waste resources doing a lookup so I can email someone who can't configure their server right after all this time. When they look at their server logs they should notice something.
@tomic
SportsBettingAcumen.com
Etymon
Advanced Member
United States
2385 Posts
Posted - 10 September 2002 : 19:06:28
What are "worm probes"?
@tomic
Senior Member
USA
1790 Posts
Posted - 10 September 2002 : 19:19:33
Code Red, Nimda: you get requests for:
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx...default.ida
or lots of variations trying to get at cmd.exe
@tomic
SportsBettingAcumen.com
sy
Average Member
United Kingdom
638 Posts
Posted - 10 September 2002 : 20:01:27
Just out of interest, how many probes of this type are still ongoing, say on a weekly basis, for your server(s), @tomic?
The pessimist complains about the wind; the optimist expects it to change; the realist adjusts the sails
@tomic
Senior Member
USA
1790 Posts
sy
Average Member
United Kingdom
638 Posts
Posted - 10 September 2002 : 20:28:45
Wow, I would be looking for those admins with my clue by 4 :)
The pessimist complains about the wind; the optimist expects it to change; the realist adjusts the sails
joatham
Junior Member
United Kingdom
169 Posts
Posted - 10 September 2002 : 20:47:28
I like the probes; they keep my hit count up and make me feel my website is worthwhile.
@tomic
Senior Member
USA
1790 Posts
Posted - 10 September 2002 : 21:33:10
I suppose if you have to suffer from probing, this is the preferred method.
@tomic
SportsBettingAcumen.com
Etymon
Advanced Member
United States
2385 Posts
Posted - 10 September 2002 : 22:12:40
quote: Originally posted by @tomic
Code Red, Nimda: you get requests for:
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx...default.ida
or lots of variations trying to get at cmd.exe
@tomic
Thanks for the answer, @tomic.
Do these requests pose a security risk?
Etymon
cybrman
Starting Member
USA
9 Posts
Posted - 10 September 2002 : 23:06:59
Thanks @tomic, great tip... I'm running my own server and am always looking for ways to keep 'er running smooth.
Gain some knowledge, share some knowledge... that's what it's all about!