I found this Redirect rule that's a bit nastier :)

RedirectMatch Permanent ^/(.*cmd\.exe.*)$ http://127.0.0.1/$1
RedirectMatch Permanent ^/(.*root\.exe.*)$ http://127.0.0.1/$1
RedirectMatch Permanent ^/(.*default\.ida.*)$ http://127.0.0.1/$1

Not only redirects back to themselves but they also attack their own server.
Man, regular expressions can be a danger to others. How is that for evil.

--- "Ted Kat." <[EMAIL PROTECTED]> wrote:
> Nice, it's so simple not to be the nice guy :)
>
> although it would be really cool to format an infected server,
> current laws allow said server to come down on you hard. not cool
>
> I did like the patch worm idea. Wow, virus writers can write viri
> to fix windows, what a world.
>
> I'll try the RedirectMatch see what happens
>
> Thanks Mike
>
> --- Mike Schieuer <[EMAIL PROTECTED]> wrote:
> > Here's the snip you need to put in your httpd.conf
> > (put it in your main <Directory /> definition):
> >
> > RedirectMatch (.*)cmd.exe(.*) http://127.0.0.1
> > RedirectMatch (.*)root.exe(.*) http://127.0.0.1
> > RedirectMatch (.*)default.ida(.*) http://127.0.0.1
> >
> > Or if you want to be the good guy, look into Code Green...
> > http://www.securityfocus.com/archive/82/211428 look at the attached
> > gz file at the bottom.... Basically it goes out and fixes those
> > machines banging on your box...
> >
> > This link tells a little about Early Bird....
> > http://cert.uni-stuttgart.de/archive/isn/2001/08/msg00055.html
> >
> > It emails the owner of the address space that a box on his network is
> > affected. Nowadays those messages probably get ignored....
> >
> > OR
> > Code Red II retaliation Competition...
> > http://www.kuro5hin.org/story/2001/8/8/53543/46803
> >
> > There is a version out there in the wild that formats the machine....
> >
> > I did Code Green until Cableone got on me about complaints about
> > "undesired" traffic coming from my IP and complaints coming in.. I
> > moved to Early Bird and stopped doing that about a year ago because
> > nothing was getting done with a ton of these IPs, I kept seeing the
> > same ones in my log.
> > And the last link, well I'm not going to comment on in a public forum....
> >
> > mike
> >
> > On Tuesday 03 February 2004 21:42, Ryan wrote:
> > > At 12:05 PM 2/3/04, you wrote:
> > > >Hi List,
> > > >
> > > > Four days my http server has been online and my access log looks
> > > >like a war zone from the year 2000. I thought Code Red should have
> > > >been gone by now. [snip]...
> > >
> > > I see a lot of these on my apache box, too. You can set up apache to
> > > redirect the request back to the host or just ignore it completely.
> > >
> > > -Ryan
>
> =====
> Ted Katseres

=====
Ted Katseres
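
Added example, not part of the thread: a Python check that runs the regexes from both RedirectMatch rule sets above over access-log lines, counts probe requests per source host, and shows what the unescaped dots in the shorter rules additionally catch. The log lines are constructed, the function names are illustrative, and percent-decoding of the URL path is not modelled.

```python
import re
from collections import Counter

# Regexes copied from the two RedirectMatch rule sets quoted in the thread.
ESCAPED = [r"^/(.*cmd\.exe.*)$", r"^/(.*root\.exe.*)$", r"^/(.*default\.ida.*)$"]
UNESCAPED = [r"(.*)cmd.exe(.*)", r"(.*)root.exe(.*)", r"(.*)default.ida(.*)"]

# Common Log Format: host ident user [time] "METHOD target PROTO" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" \d{3} \S+')

# Constructed sample lines (documentation address ranges), not from a real log.
SAMPLE_LOG = """\
192.0.2.10 - - [03/Feb/2004:21:40:01 -0600] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 276
192.0.2.10 - - [03/Feb/2004:21:40:02 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 280
198.51.100.7 - - [03/Feb/2004:21:41:10 -0600] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 300
203.0.113.5 - - [03/Feb/2004:21:42:00 -0600] "GET /docs/cmd-exe.html HTTP/1.1" 200 5120
203.0.113.5 - - [03/Feb/2004:21:42:05 -0600] "GET /index.html HTTP/1.1" 200 1043
"""

def requests(log_text):
    """Yield (host, url_path) per parsable line; the query string is dropped
    because RedirectMatch is applied to the URL path only."""
    for line in log_text.splitlines():
        m = CLF.match(line)
        if m:
            yield m.group(1), m.group(2).split("?", 1)[0]

def matches(path, rules):
    # The regexes are unanchored unless they carry ^ and $ themselves.
    return any(re.search(rule, path) for rule in rules)

def probe_hits(log_text, rules):
    """Count matching requests per source host."""
    return Counter(host for host, path in requests(log_text) if matches(path, rules))

def overmatched(log_text):
    """Paths caught by the unescaped rules but not by the escaped ones."""
    return sorted({p for _, p in requests(log_text)
                   if matches(p, UNESCAPED) and not matches(p, ESCAPED)})

if __name__ == "__main__":
    print("escaped rules:  ", dict(probe_hits(SAMPLE_LOG, ESCAPED)))
    print("unescaped rules:", dict(probe_hits(SAMPLE_LOG, UNESCAPED)))
    print("over-matched:   ", overmatched(SAMPLE_LOG))
```

In the sample, the ordinary page /docs/cmd-exe.html is caught only by the rules with unescaped dots, so a legitimate visitor would be redirected by them.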
