Todd Lyons grabbed a keyboard and wrote:
> 
> In your /etc/httpd/conf/commonhttpd.conf file, put this:
> 
> <IfModule mod_rewrite.c>
>       redirect /MSADC http://www.microsoft.com
>       redirect /c http://www.microsoft.com
>       redirect /d http://www.microsoft.com
>       redirect /_mem_bin http://www.microsoft.com
>       redirect /msadc http://www.microsoft.com
>       RedirectMatch (.*)\cmd.exe$ http://www.microsoft.com$1
> </IfModule>

Hey Todd,

I made a slight change to the RedirectMatch clause, so that the redirects 
now look like this:

<IfModule mod_rewrite.c>
      redirect /MSADC http://www.microsoft.com
      redirect /c http://www.microsoft.com
      redirect /d http://www.microsoft.com
      redirect /_mem_bin http://www.microsoft.com
      redirect /msadc http://www.microsoft.com
      RedirectMatch (.*)\(cmd|root).exe$ http://www.microsoft.com$1
      RedirectMatch ^.*\.(dll|ida).* http://www.microsoft.com$1
</IfModule>

Do you see anything on those last two lines that looks like it won't work, 
will confuse something at my end, etc.?  It looks to me like it should 
work, but a second set of eyes is always handy when doing something like 
this... :-)

Also, is there any reason to not change redirect line 4 to use 
/(_mem_bin|_vti_bin) instead of just /_mem_bin like it does now?  I.E., are 
there any *legitimate* direct calls to that directory, or is it only going 
to be called when an infected system is trying to find another system to 
infect?  (I presume the line would have to be changed from "redirect" to 
"RedirectMatch".)

                     --Dave
-- 
      David Guntner      GEnie: Just say NO!
 http://www.akaMail.com/pgpkey/davidg or key server
                 for PGP Public key
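
Added example, not part of the message or of any list member's configuration: a Python check of the posted RedirectMatch patterns against constructed request paths, showing which patterns compile and what `$1` expands to. Python's `re` stands in for Apache's regex engine (an assumption; the engines differ in details), and the `REVISED` patterns are hypothetical rewrites.

```python
import re

# Patterns exactly as posted in the thread (RedirectMatch first argument).
POSTED = {
    "todd_cmd": r"(.*)\cmd.exe$",
    "dave_exe": r"(.*)\(cmd|root).exe$",
    "dave_dll": r"^.*\.(dll|ida).*",
}

# Hypothetical rewrites (assumption, not from the thread): dots escaped, stray
# backslash dropped, non-capturing groups so the target needs no $1.
# Note: Redirect/RedirectMatch belong to mod_alias, not mod_rewrite, and
# _vti_bin is also the FrontPage Server Extensions path.
REVISED = {
    "exe": r"/(?:cmd|root)\.exe$",
    "dll": r"\.(?:dll|ida)(?:$|[/?])",
    "bin": r"^/(?:_mem_bin|_vti_bin)(?:/|$)",
}

def compile_status(pattern):
    """Return 'ok' or the regex engine's error message for a pattern."""
    try:
        re.compile(pattern)
        return "ok"
    except re.error as exc:
        return str(exc)

def redirect_target(pattern, path, target="http://www.microsoft.com$1"):
    """Mimic RedirectMatch: on a match, expand $1 in the target; else None."""
    m = re.search(pattern, path)
    if m is None:
        return None
    group1 = m.group(1) if m.re.groups >= 1 and m.group(1) else ""
    return target.replace("$1", group1)

def blocked(path):
    """True if any revised pattern matches the request path."""
    return any(re.search(p, path) for p in REVISED.values())

# Constructed sample request paths (not taken from real logs).
SAMPLES = ["/scripts/root.exe", "/c/winnt/system32/cmd.exe", "/default.ida",
           "/_vti_bin/owssvr.dll", "/docs/cmd.exe.html", "/index.html"]

if __name__ == "__main__":
    for name, pat in POSTED.items():
        print(f"{name:9} {compile_status(pat)}")
    print(redirect_target(POSTED["dave_dll"], "/default.ida"))
    for path in SAMPLES:
        print(f"{path:30} blocked={blocked(path)}")
```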

