At home I dealt with it like this:

from /var/www
...
drwxr-xr-x 4 root root 1024 Dec 2 12:54 IIS_Worms
lrwxrwxrwx 1 root root 9 Dec 2 12:51 MSADC -> IIS_Worms
lrwxrwxrwx 1 root root 9 Dec 2 12:53 _mem_bin -> IIS_Worms
lrwxrwxrwx 1 root root 9 Dec 2 12:54 _vti_bin -> IIS_Worms
...
caffeine:/var/www# l IIS_Worms/
total 1
-rw-r--r-- 1 root root 0 Dec 2 12:51 cmd.exe
-rw-r--r-- 1 root root 0 Dec 2 12:50 root.exe
drwxr-xr-x 2 root root 1024 Dec 2 12:52 winnt

The remote machine gets a 200 rather than a 404, which gets logged as an access by apache, rather than an error. Kind-of moving the symptoms rather than dealing to the problem.

The main drawback is that webalizer reports the most popular files on my web server are root.exe and so on... ten times more popular than /index.html

As an aside, in the days of code red 1 I had /var/www/default.ida linked to /dev/zero, but it generated an unbelievable amount of traffic.

> ----------
> From: Mark Carey[SMTP:[EMAIL PROTECTED]]
> Sent: Wednesday, January 30, 2002 6:46 PM
> To: [EMAIL PROTECTED]
> Subject: Mature comments appreciated
>
> I am currently 'playing' with apache, does anyone here ever get tired of;
>
> <snip>
> [Wed Jan 30 15:30:59 2002] [error] [client 210.74.146.190] File does not exist: /somedir/scripts/root.exe
> [Wed Jan 30 15:31:01 2002] [error] [client 210.74.146.190] File does not exist: /somedir/MSADC/root.exe
> [Wed Jan 30 15:31:03 2002] [error] [client 210.74.146.190] File does not exist: /somedir/c/winnt/system32/cmd.exe
> [Wed Jan 30 15:31:05 2002] [error] [client 210.74.146.190] File does not exist: /somedir/d/winnt/system32/cmd.exe
> [Wed Jan 30 15:31:06 2002] [error] [client 210.74.146.190] File does not exist: /somedir/scripts/..%5c../winnt/system32/cmd.exe
> [Wed Jan 30 15:31:08 2002] [error] [client 210.74.146.190] File does not exist: /somedir/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
> [Wed Jan 30 15:31:10 2002] [error] [client 210.74.146.190] File does not exist: /somedir/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
> [Wed Jan 30 15:31:12 2002] [error] [client 210.74.146.190] File does not exist: /somedir/msadc/..%5c../..%5c../..%5c/..�^\../..�^\../..�^\../winnt/system32/cmd.exe
> </snip>
>
> I mean this attack was directed at an NT/2k/XP machine. I have whois'ed the
> IP and have someone to complain to, what is the general attitude here
> towards responding to provocation such as this?
>
> I do realise that .190 is not a specific address and will probably not be
> traceable back to the perpetrating computer. But someone needs a good stiff
> slapping with a dripping wet trout.
>
> Mark Carey
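
An added example, not part of either message above: one way to pull these probes out of an Apache error_log and count them per client, so they can be reported or filtered separately from genuine 404s. The function names are hypothetical, the first three sample lines are copied from the quoted log, and the last two are constructed.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Apache 1.3-style error_log entry, in the shape quoted in the thread.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[0-9.]+)\] "
    r"File does not exist: (?P<path>\S+)$"
)
# File names the probes ask for; all three are mentioned in the thread.
PROBE_FILES = {"root.exe", "cmd.exe", "default.ida"}

def classify(path):
    """Return the probed file name if path looks like an IIS worm probe, else None."""
    # Decode %5c and treat backslashes as path separators, as IIS would.
    decoded = unquote(path).replace("\\", "/").lower()
    name = decoded.rsplit("/", 1)[-1]
    return name if name in PROBE_FILES else None

def summarize(lines):
    """Map client IP -> Counter of probed file names; other lines are ignored."""
    hits = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        probe = classify(m.group("path"))
        if probe:
            hits[m.group("ip")][probe] += 1
    return dict(hits)

SAMPLE = [
    # Copied from the quoted log.
    "[Wed Jan 30 15:30:59 2002] [error] [client 210.74.146.190] File does not exist: /somedir/scripts/root.exe",
    "[Wed Jan 30 15:31:03 2002] [error] [client 210.74.146.190] File does not exist: /somedir/c/winnt/system32/cmd.exe",
    "[Wed Jan 30 15:31:06 2002] [error] [client 210.74.146.190] File does not exist: /somedir/scripts/..%5c../winnt/system32/cmd.exe",
    # Constructed: an ordinary missing file and a default.ida request.
    "[Wed Jan 30 15:40:00 2002] [error] [client 192.0.2.7] File does not exist: /somedir/favicon.ico",
    "[Wed Jan 30 15:41:00 2002] [error] [client 192.0.2.9] File does not exist: /somedir/default.ida",
]

if __name__ == "__main__":
    for ip, probes in sorted(summarize(SAMPLE).items()):
        print(ip, dict(probes))
```

With the symlink approach from the reply the same requests land in the access log with a 200 instead, so the regular expression would need to match that log's format.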
