Snitz Forums 2000

 Nimda DOS Redirect

@tomic
Senior Member, USA, 1790 Posts
Posted - 10 September 2002 : 16:17:30
I am sick and tired of looking through my server logs and finding all these stupid worm probes, so I searched the web and found this nifty bit of code to redirect those probes to where they came from.


Create a file in your web root called something like "Custom404.asp", with this content (customize the friendly part as much as you wish):

<%
'Custom404.asp page to thwart Nimda DoS attacks on IIS
'by Humankind Systems, Inc. http://hksi.net/
'No support or guarantees of any kind are granted with this
'code. Use at your own risk. Distribute freely.

Option Explicit
Response.Buffer = True

Dim myRequest, myBadList, arrBadString, i

'Get the entire URL requested. When IIS serves this page as a
'URL-type custom 404 error, QUERY_STRING holds "404;<full URL
'that was requested>", so the original path is in here.
myRequest = Request.ServerVariables("QUERY_STRING")

'A list of filenames Nimda looks for (default.ida is the Code Red
'.ida overflow target; the other three are Nimda's)
myBadList = "cmd.exe,root.exe,admin.dll,default.ida"

'Detect a GET request from the Nimda virus and take appropriate action.
'vbTextCompare makes the match case-insensitive, so CMD.EXE is caught too.
arrBadString = Split(myBadList, ",")
For i = 0 To UBound(arrBadString)
    If InStr(1, myRequest, arrBadString(i), vbTextCompare) > 0 Then
        'turn offending server back on itself: answer with a bare 302
        'instead of the 404 page body, then stop so nothing else is sent
        Response.Redirect "http://127.0.0.1"
        Response.End
    End If
Next

'A normal bad request: keep the real 404 status so browsers and
'search engines do not see this friendly page as a 200 OK
Response.Status = "404 Not Found"
%>
<html>
<head>
<title>Page Not Found</title>
</head>
<body>
Sorry, but that page was not found on our server.
<p>
Here is a link back to our <a href="/">Home Page</a>.
</body>
</html>


To demo, go to:
http://www.skepticfriends.org/forum2/cmd.exe


@tomic

SportsBettingAcumen.com

Edited by - @tomic on 11 September 2002 04:42:39

Banksy
Starting Member, United Kingdom, 1 Posts
Posted - 10 September 2002 : 16:54:16
Why not just have a default website that only has the IP address as a host header, and stop the site? That means the first time they attempt to connect they'll get a "site not here" type message and go away. Most of the Nimda-type things check IP addresses, not website addresses. It also means you end up with cleaner log files.

@tomic
Senior Member, USA, 1790 Posts
Posted - 10 September 2002 : 17:09:04
I suppose if you have your own server you could do that.

@tomic

SportsBettingAcumen.com

sy
Average Member, United Kingdom, 638 Posts
Posted - 10 September 2002 : 17:59:27
Am I missing something with this? What is the purpose of providing an error message to an autonomous script?

Would it be easy to send a message to the bad server's admin?

Confused :)

Sy

The pessimist complains about the wind; the optimist expects it to change; the realist adjusts the sails


@tomic
Senior Member, USA, 1790 Posts
Posted - 10 September 2002 : 18:04:37
quote:
Would it be easy to send a message to the bad server's admin?

Because I am sick of sending those emails... so many emails. I just decided to redirect the probes back to where they came from. There is no error message unless you have a normal bad request.

@tomic

SportsBettingAcumen.com

sy
Average Member, United Kingdom, 638 Posts
Posted - 10 September 2002 : 18:43:20
quote:
Originally posted by @tomic

quote:
Would it be easy to send a message to the bad server's admin?

Because I am sick of sending those emails... so many emails. I just decided to redirect the probes back to where they came from. There is no error message unless you have a normal bad request.

@tomic

Right, I am with you now; perhaps the sending of the mail could be automated, say admin@<domain>.

Looks cool.

Sy


The pessimist complains about the wind; the optimist expects it to change; the realist adjusts the sails


@tomic
Senior Member, USA, 1790 Posts
Posted - 10 September 2002 : 19:04:09
Well, perhaps that would be nice, but in the logs I don't have a domain name, just the IP address, and I am not going to waste resources doing a lookup so I can email someone that can't configure their server right after all this time. When they look at their server logs they should notice something.

@tomic

SportsBettingAcumen.com

Etymon
Advanced Member, United States, 2385 Posts
Posted - 10 September 2002 : 19:06:28

What are "worm probes"?


@tomic
Senior Member, USA, 1790 Posts
Posted - 10 September 2002 : 19:19:33
Code Red, Nimda. You get requests for:

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx...default.ida

or lots of variations trying to get at cmd.exe.

@tomic

SportsBettingAcumen.com
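As an added example, not code from this thread or from the Custom404.asp author: the same probe signatures the ASP script and the post above list (cmd.exe, root.exe, admin.dll, default.ida, and the long-padded default.ida request) checked against IIS W3C extended log lines in Python, counting hits per source IP so the "how many probes" figure comes straight from the log. The log lines are constructed, the field order assumes the default IIS 5 W3C layout, and the double URL-decoding step is an assumption about how the traversal payloads arrive (encoded and double-encoded backslashes), not something the post describes. It goes a little beyond the script by matching case-insensitively and by flagging any .ida/.idq request carrying %u-encoded shellcode, the shape of the Code Red overflow, whatever filename is used.

```python
"""Flag Code Red / Nimda probes in IIS W3C extended log lines and count them per source IP.

Added example, not code from the forum thread. The log lines below are
constructed; the field order is the default IIS 5 W3C extended layout
(date time c-ip cs-method cs-uri-stem cs-uri-query sc-status), which is
an assumption about the reader's logging configuration.
"""
from collections import Counter
from urllib.parse import unquote

# The filenames the Custom404.asp script checks. default.ida is the Code Red
# target (the .ida ISAPI overflow); the other three are Nimda's.
BAD_NAMES = ("cmd.exe", "root.exe", "admin.dll", "default.ida")

LOG_FIELDS = ("date", "time", "c-ip", "cs-method", "cs-uri-stem",
              "cs-uri-query", "sc-status")


def normalise(uri: str) -> str:
    """Decode twice so the double-encoded traversal "..%255c.." (-> "..%5c.." -> "..\\..")
    and the single-encoded "..%5c.." both reduce to the same plain text, then lowercase
    so CMD.EXE and cmd.exe compare equal (the ASP InStr check is case-sensitive)."""
    return unquote(unquote(uri)).lower()


def is_worm_probe(uri_stem: str, uri_query: str = "-") -> bool:
    """True if the request looks like a Code Red or Nimda scan.

    Two signatures:
      * any of BAD_NAMES in the decoded path (Nimda's cmd.exe/root.exe/Admin.dll
        and Code Red's default.ida);
      * any .ida/.idq request whose query carries %u-encoded shellcode, the
        shape of the Code Red overflow regardless of the .ida filename used.
    Like the ASP script, the substring match will also flag a legitimate URL
    that merely contains "cmd.exe"; treat hits as a lead, not proof.
    """
    stem = normalise(uri_stem)
    query = uri_query.lower()
    by_name = any(name in stem for name in BAD_NAMES)
    code_red_overflow = stem.endswith((".ida", ".idq")) and "%u" in query
    return bool(by_name or code_red_overflow)


def parse_w3c(line: str):
    """Split one W3C extended log line into a dict; None for comment, blank or odd lines."""
    if not line.strip() or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != len(LOG_FIELDS):
        return None
    return dict(zip(LOG_FIELDS, parts))


def probe_report(lines):
    """Return (total probe count, Counter of probes per client IP)."""
    per_ip = Counter()
    for line in lines:
        rec = parse_w3c(line)
        if rec and is_worm_probe(rec["cs-uri-stem"], rec["cs-uri-query"]):
            per_ip[rec["c-ip"]] += 1
    return sum(per_ip.values()), per_ip


# Constructed sample log (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-09-09 14:02:11 192.0.2.10 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404
2002-09-09 14:02:12 192.0.2.10 GET /scripts/root.exe /c+dir 404
2002-09-09 14:02:13 192.0.2.10 GET /MSADC/root.exe /c+dir 404
2002-09-09 14:02:14 192.0.2.10 GET /msadc/..%255c../..%255c../winnt/system32/cmd.exe /c+dir 404
2002-09-09 14:03:40 198.51.100.7 GET /default.ida XXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801 404
2002-09-09 14:05:02 203.0.113.9 GET /forum2/topic.asp TOPIC_ID=123 200
2002-09-09 14:06:33 198.51.100.44 GET /_vti_bin/..%c0%af../winnt/system32/cmd.exe /c+dir 404
2002-09-09 14:07:01 198.51.100.44 GET /scripts/Admin.dll - 404
2002-09-09 14:08:22 203.0.113.9 GET /forum2/images/logo.gif - 200
"""

if __name__ == "__main__":
    total, per_ip = probe_report(SAMPLE_LOG.splitlines())
    print(f"{total} worm probes")
    for ip, n in per_ip.most_common():
        print(f"  {ip:<16} {n}")
```

Point it at a real ex*.log file with `probe_report(open(path))` once the `#Fields:` line of that file matches LOG_FIELDS; if your W3C logging has more columns enabled, extend LOG_FIELDS in the same order.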

sy
Average Member, United Kingdom, 638 Posts
Posted - 10 September 2002 : 20:01:27
Just out of interest, how many of this type of probe are still ongoing, say on a weekly basis, for your server(s), @tomic?

The pessimist complains about the wind; the optimist expects it to change; the realist adjusts the sails


@tomic
Senior Member, USA, 1790 Posts
Posted - 10 September 2002 : 20:07:49
I had 300 yesterday....

@tomic

SportsBettingAcumen.com

sy
Average Member, United Kingdom, 638 Posts
Posted - 10 September 2002 : 20:28:45
Wow, I would be looking for those admins with my clue by 4 :)

The pessimist complains about the wind; the optimist expects it to change; the realist adjusts the sails


joatham
Junior Member, United Kingdom, 169 Posts
Posted - 10 September 2002 : 20:47:28
I like the probes; they keep my hit count up and make me feel my website is worthwhile.

@tomic
Senior Member, USA, 1790 Posts
Posted - 10 September 2002 : 21:33:10
I suppose if you have to suffer from probing, this is the preferred method.

@tomic

SportsBettingAcumen.com

Etymon
Advanced Member, United States, 2385 Posts
Posted - 10 September 2002 : 22:12:40
quote:
Originally posted by @tomic

Code Red, Nimda. You get requests for:

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx...default.ida

or lots of variations trying to get at cmd.exe.

@tomic

Thanks for the answer, @tomic.

Do these requests pose a security risk?

Etymon

cybrman
Starting Member, USA, 9 Posts
Posted - 10 September 2002 : 23:06:59
Thanks @tomic, great tip... I'm running my own server and am always looking for ways to keep 'er running smooth.

Gain some knowledge, share some knowledge... what it's all about!
Snitz Forums 2000 © 2000-2021 Snitz™ Communications
Powered By: Snitz Forums 2000 Version 3.4.07