> Hi,
> I've put an object in Zope named default.ida and containing:
> <dtml-call "RESPONSE.redirect('http://127.0.0.1')">
> which seems to have stopped Code Red from being a problem. My next question is, how do I block Nimda? I need a wildcard or regexp document which will intercept any URL including "cmd.exe" or "root.exe". Any ideas?
Hmm, this is interesting. As Code Red/Nimda use their own "client" implementation AFAIK, it surprises me that they follow redirects. Are you sure that this really helped for Code Red? How do you measure if it helped? Are you sure you just don't see Code Red requests anymore because it just got extinguished by Nimda?
cheers, oliver
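An added example, not code from anyone in this thread, that speaks to both the question above and Oliver's "how do you measure if it helped": a Python log filter that flags the probe signatures the thread names (default.ida for Code Red, cmd.exe and root.exe for Nimda) in access-log lines and tallies them per HTTP status, so a drop in hits can be read off the log rather than assumed. The combined-format line layout and the sample log lines are constructed assumptions.

```python
import re
from collections import Counter

# Signatures the thread names: Code Red probes request default.ida,
# Nimda probes request cmd.exe / root.exe through traversal-style paths.
WORM_SIGNATURES = {
    "code-red": re.compile(r"/default\.ida", re.IGNORECASE),
    "nimda": re.compile(r"/(?:cmd|root)\.exe", re.IGNORECASE),
}

# Combined-format access-log line (the exact field layout is an assumption).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def classify(path):
    """Return the worm family whose signature matches the request path, else None."""
    for family, pattern in WORM_SIGNATURES.items():
        if pattern.search(path):
            return family
    return None

def scan_log(lines):
    """Count worm probes per (family, status code); the status shows whether the
    block works: 404 = object missing, 302 = redirect fired, 401 = access rule hit."""
    counts = Counter()
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that do not parse as access-log entries
        family = classify(m.group("path"))
        if family:
            counts[(family, m.group("status"))] += 1
    return counts

# Constructed sample lines, not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [04/Oct/2001:12:08:01 +0000] "GET /default.ida?XXXX HTTP/1.0" 404 212
192.0.2.11 - - [04/Oct/2001:12:09:14 +0000] "GET /scripts/root.exe HTTP/1.0" 404 212
192.0.2.11 - - [04/Oct/2001:12:09:15 +0000] "GET /winnt/system32/cmd.exe HTTP/1.0" 401 512
192.0.2.12 - - [04/Oct/2001:12:10:02 +0000] "GET /index_html HTTP/1.1" 200 3045
192.0.2.13 - - [04/Oct/2001:12:11:30 +0000] "GET /default.ida HTTP/1.0" 302 0
""".splitlines()

if __name__ == "__main__":
    for (family, status), n in sorted(scan_log(SAMPLE_LOG).items()):
        print(f"{family:9s} {status}: {n}")
```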
On Thu, 2001-10-04 at 12:08, Oliver Bleutgen wrote:
> > Hi,
> > I've put an object in Zope named default.ida and containing:
> > <dtml-call "RESPONSE.redirect('http://127.0.0.1')">
> > which seems to have stopped Code Red from being a problem. My next question is, how do I block Nimda? I need a wildcard or regexp document which will intercept any URL including "cmd.exe" or "root.exe". Any ideas?
> Hmm, this is interesting. As Code Red/Nimda use their own "client" implementation AFAIK, it surprises me that they follow redirects. Are you sure that this really helped for Code Red? How do you measure if it helped? Are you sure you just don't see Code Red requests anymore because it just got extinguished by Nimda?
Code Red died, and CodeRed II had a built-in expiration of October 1. Which is to say it will not start new processes after that date. By now, it should be dead, or at least by the end of the weekend.
On 4 Oct 2001, Bill Anderson wrote:
> On Thu, 2001-10-04 at 12:08, Oliver Bleutgen wrote:
> > > Hi,
> > > I've put an object in Zope named default.ida and containing:
> > > <dtml-call "RESPONSE.redirect('http://127.0.0.1')">
> > > which seems to have stopped Code Red from being a problem. My next question is, how do I block Nimda? I need a wildcard or regexp document which will intercept any URL including "cmd.exe" or "root.exe". Any ideas?
> > Hmm, this is interesting. As Code Red/Nimda use their own "client" implementation AFAIK, it surprises me that they follow redirects. Are you sure that this really helped for Code Red? How do you measure if it helped? Are you sure you just don't see Code Red requests anymore because it just got extinguished by Nimda?
Are you sure it uses its own client implementation? Seems it would be much easier to simply access mshtml.dll the way it accesses riched.dll to modify .docs -- I can't verify either way, but here's the best write-up I've been able to find: http://www.datafellows.com/v-descs/nimda.shtml
> Code Red died, and CodeRed II had a built-in expiration of October 1. Which is to say it will not start new processes after that date. By now, it should be dead, or at least by the end of the weekend.
Well, that's an annoying coincidence; I quit seeing default.ida 404s in my logs immediately after making the change, so that's why I think it worked. At any rate, the Redirector1_1 isn't working as I want it to -- it's giving a 401 authorization required now instead of a 404 file not found or 302 temporary redirect. I suspect that means that Redirector1_1 is _interpreting_ http://127.0.0.1 instead of _returning_ the address, since access is denied to that address on my server (no need for it, everything is vhosts and Zope). Which certainly explains why Redirector1_1 is labeled "development."
-- Jack Coates
Monkeynoodle: A Scientific Venture...
[Bill Anderson]
> Code Red died, and CodeRed II had a built-in expiration of October 1. Which is to say it will not start new processes after that date. By now, it should be dead, or at least by the end of the weekend.
According to Steve Gibson's site, there are enough computers out there with incorrect dates that these worms get reactivated and send out new episodes of infection. Look at his site, http://grc.com/codered/codered.htm Of course, he wrote that in July or August.
Cheers, Tom P
participants (4): Bill Anderson, Jack Coates, Oliver Bleutgen, Thomas B. Passin