The problem with doing this is that this thing is already causing DoS
symptoms on the internet due to the massive amount of traffic it is causing.
Returning it will only double network traffic.  Are you sure you want to add
to the problem?

Chuck

-----Original Message-----
From: AOLserver Discussion [mailto:[EMAIL PROTECTED]] On Behalf Of Jim Wilcoxson
Sent: Tuesday, September 18, 2001 1:14 PM
To: [EMAIL PROTECTED]
Subject: Re: [AOLSERVER] Code Rainbow attacks


Try installing this in your modules/tcl directory:

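# procedure to reflect nimda virus calls to (maybe) crash the attacker instead
ns_log notice "loading nimda.tcl"
# run the nimda proc before authorization on every GET under /scripts/
ns_register_filter preauth GET /scripts/* nimda
proc nimda {conn ignore} {
  # request line looks like: GET /scripts/... HTTP/1.0
  set req [ns_conn request]
  set reqlist [split $req " "]
  set url [lindex $reqlist 1]
  set host [ns_conn peeraddr]
  # redirect the client to the same URL on its own address
  ns_returnredirect http://$host$url
  # a response has been sent, so tell AOLserver to stop processing this request
  return filter_return
}
ns_log notice "nimda.tcl loaded"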

Also available at http://www.rubylane.com/public/nimda.tcl.txt

It tells the attacker to attack himself.  Not sure if it'll follow the
redirect, but it's worth a shot.

Jim

>
> And still more information is at
> http://www.infoworld.com/articles/hn/xml/01/09/18/010918hnworm.xml?0918alert
