If it's a legitimate file, it won't return a 404 error, so the Judo page
won't be triggered. So, technically, you could make your badlist look
something like:

  ".exe,.dll,.ida,.htr,.printer"

and whatever else you wanted, so that any malicious-looking 404s would be
turned back, Grasshopper-san-style.


Ron Hornbaker
President/CTO
  .  .  .  .  .  .  .  .  .  .  .  .  http://humankindsystems.com
  .  .  .  .  .  .  .  .  .  .  .  .  w e  c o d e.  w e  c a r e.




> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> Charles Frolick
> Sent: Friday, September 21, 2001 4:30 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [imail] IIS Judo against Nimda's DoS attacks (was Fwd:
> [isp-linux] Buaaa Haaa Ha Haaaaaaaaa...)
>
>
> Not sure how it is used, but FrontPage extensions actually use an
> admin.dll in the FrontPage directories.  Need to make sure your sites
> don't need it for normal operation.
>
> Chuck Frolick
> ArgoNet, Inc.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Ron
> Hornbaker
> Sent: Friday, September 21, 2001 3:24 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [imail] IIS Judo against Nimda's DoS attacks (was Fwd:
> [isp-linux] Buaaa Haaa Ha Haaaaaaaaa...)
>
>
> Change the code to this and just edit the comma-delimited myBadList
> variable:
>
> <%
> 'Custom404.asp page to thwart Nimda DoS attacks on IIS
> 'by Humankind Systems, Inc. http://hksi.net/
> 'No support or guarantees of any kind are granted with this
> 'code. Use at your own risk. Distribute freely.
>
> 'Get the entire URL requested
> myRequest=Request.ServerVariables("QUERY_STRING")
>
> 'A list of filenames Nimda looks for
> myBadList="cmd.exe,root.exe,admin.dll,default.ida"
>
> 'Detect a GET request from the Nimda virus and take appropriate action
> arrBadString=Split(myBadList,",")
> for i=0 to UBound(arrBadString)
>       if inStr(myRequest,arrBadString(i))>0 then
>               'turn offending server back on itself
>               Response.redirect "http://127.0.0.1"
>       end if
> next
> %>
> <html>
> <head>
> <title>Page Not Found</title>
> </head>
> <body>
> Sorry, but that page was not found on our server.
> <p>
> Here is a link back to our <a href="/">Home Page</a>.
> </body>
> </html>
>
>
>
> Ron Hornbaker
> President/CTO
>   .  .  .  .  .  .  .  .  .  .  .  .  http://humankindsystems.com
>   .  .  .  .  .  .  .  .  .  .  .  .  w e  c o d e.  w e  c a r e.
>
>
>
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Len
> > Conrad
> > Sent: Friday, September 21, 2001 3:06 PM
> > To: [EMAIL PROTECTED]
> > Subject: Fwd: [isp-linux] Re: [imail] Buaaa Haaa Ha Haaaaaaaaa...
> >
> >
> > Ron,
> >
> > what about admin.dll, and here's a couple more
> >
> > Len
> >
> > --------------------
> >
> >
> > >From: "Bill Larson" <[EMAIL PROTECTED]>
> > >To: [EMAIL PROTECTED]
> > >Subject: [isp-linux] Re: Buaaa Haaa Ha Haaaaaaaaa...
> > >Date: Fri, 21 Sep 2001 14:21:24 -0500
> > >X-Mailer: Microsoft Outlook Express 6.00.2600.0000
> > >List-Unsubscribe: <mailto:[EMAIL PROTECTED]>
> > >Reply-To: [EMAIL PROTECTED]
> > >X-INTM-Message-Id:
> > ><INTM-62637-1230739-2001.09.21-14.26.57--lconrad#go2france.com@
> > lists.isp-lists.com>
> > >X-Virus-Scanned: by VirusGate.MEIway.com
> > >X-RCPT-TO: <[EMAIL PROTECTED]>
> > >
> > >RedirectMatch (.*)\cmd.exe$ http://127.0.0.1
> > >RedirectMatch (.*)\default.ida$ http://127.0.0.1
> > >RedirectMatch (.*)\root.exe$ http://127.0.0.1
> > >
> > >I added a couple
> > >
> > >----- Original Message -----
> > >From: "Nick Weerheim" <[EMAIL PROTECTED]>
> > >To: <[EMAIL PROTECTED]>
> > >Sent: Friday, September 21, 2001 2:16 PM
> > >Subject: [isp-linux] Re: Buaaa Haaa Ha Haaaaaaaaa...
> > >
> > >
> > > > this is freaky.... the attacks here have stopped too.... that's crazy.....
>
>
>
>
> ______________________________________________________________________
> The HKSI-IMail Admin List is hosted by........ Humankind Systems, Inc.
> Questions, Comments or Complain like Hell.. mailto:[EMAIL PROTECTED]
> Message Archive... http://www.tallylist.com/archives/index.cfm/mlist.4
> To Manage your Subscription......... http://humankindsystems.com/lists
>
>
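
Added example, not code from any poster in this thread: an offline check of how the two badlists above behave when matched as substrings (as InStr() does in the ASP page) versus against the final path segment only. The '404;<url>' QUERY_STRING form, the sample URLs and the function names are assumptions made for the example.

```python
from urllib.parse import urlsplit

NAME_BADLIST = "cmd.exe,root.exe,admin.dll,default.ida"  # from the thread
EXT_BADLIST = ".exe,.dll,.ida,.htr,.printer"             # from the thread

# Constructed QUERY_STRING values (assumed '404;<url>' form), not real traffic.
SAMPLES = [
    "404;http://www.example.com/scripts/root.exe",
    "404;http://www.example.com/Scripts/CMD.EXE",
    "404;http://www.exeter-club.example/old/page.htm",
    "404;http://www.example.com/docs/admin.dll.notes.htm",
]


def last_segment(query_string):
    """Lower-cased final path segment of the URL that produced the 404."""
    url = query_string.partition(";")[2] or query_string
    return urlsplit(url).path.lower().rsplit("/", 1)[-1]


def badlist_hit(query_string, badlist, substring):
    """Return the first badlist entry that matches, or None.

    substring=True searches the whole string, as InStr() does in the ASP
    page (case-insensitively here). substring=False looks only at the final
    path segment: '.ext' entries must end it, other entries must equal it.
    """
    whole = query_string.lower()
    name = last_segment(query_string)
    for entry in (e.strip().lower() for e in badlist.split(",")):
        if not entry:
            continue
        if substring:
            hit = entry in whole
        elif entry.startswith("."):
            hit = name.endswith(entry)
        else:
            hit = name == entry
        if hit:
            return entry
    return None


if __name__ == "__main__":
    for qs in SAMPLES:
        print(qs,
              badlist_hit(qs, EXT_BADLIST, True),
              badlist_hit(qs, EXT_BADLIST, False))
```

With substring matching, the extension list also fires on the third sample because ".exe" occurs in the host name, so an ordinary missing page on that site would be redirected too.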