On Fri, Sep 21, 2001 at 07:24:45AM +1000, Sam Varghese wrote:
| On Thu, Sep 20, 2001 at 09:20:23AM -0700, Greg Wiley wrote:
| > On Wednesday, September 19, 2001 11:55 PM, [EMAIL PROTECTED]
| >
| > > Nicholas Petreley had this suggestion for redirecting
| > > nimda probes using Apache:
| >
| > > RedirectMatch ^.*\.(exe|dll).* http://support.microsoft.com
| >
| > Heh. I wonder if nimda actually responds to redirects.
| >
| > -=greg
|
| Looking at my logs, it seems to work:
|
| GET /cmd.dll HTTP/1.0" 302
|
| GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302
|
| Same Apache redirect response as for /default.ida
| and that, I know, works.

That means that Apache returned a redirect. How do you know if the worm
actually followed it or not? You would have to make it redirect to a
different part of your site (or another site you have access to the logs
of) and see if it is accessed.

-D
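
The check described in the reply above, as an added example that is not part of the original thread: correlate each 302 answered to an .exe/.dll probe with a later request from the same client for the redirect target. It assumes the RedirectMatch target was changed to a local path, here the hypothetical `/redirect-canary`, and that the server writes Apache common log format; the log lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Assumption: RedirectMatch now points at this local path (hypothetical name).
CANARY_PATH = "/redirect-canary"
PROBE_RE = re.compile(r"\.(exe|dll)", re.I)   # same file types as the RedirectMatch
# Apache common log format: host ident user [time] "request" status bytes
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" (\d{3}) \S+')

# Constructed sample log (documentation-range addresses), not from the thread.
SAMPLE_LOG = """\
192.0.2.10 - - [21/Sep/2001:07:00:01 +1000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 285
192.0.2.10 - - [21/Sep/2001:07:00:02 +1000] "GET /cmd.dll HTTP/1.0" 302 285
198.51.100.7 - - [21/Sep/2001:07:05:10 +1000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 302 285
198.51.100.7 - - [21/Sep/2001:07:05:11 +1000] "GET /redirect-canary HTTP/1.0" 200 120
203.0.113.5 - - [21/Sep/2001:07:09:00 +1000] "GET /index.html HTTP/1.0" 200 5120
"""

def parse(line):
    """Return (host, time, path, status) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    host, ts, path, status = m.groups()
    return host, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), path, int(status)

def redirect_followed(log_text, window=timedelta(seconds=60)):
    """Map each probing client to True if it fetched the canary soon after a 302."""
    last_redirect = {}   # host -> time of its most recent redirected probe
    result = {}          # host -> whether a canary fetch followed within the window
    for host, when, path, status in filter(None, map(parse, log_text.splitlines())):
        if status == 302 and PROBE_RE.search(path):
            last_redirect[host] = when
            result.setdefault(host, False)
        elif path.split("?")[0] == CANARY_PATH and host in last_redirect:
            if timedelta(0) <= when - last_redirect[host] <= window:
                result[host] = True
    return result

if __name__ == "__main__":
    for host, followed in redirect_followed(SAMPLE_LOG).items():
        print(host, "followed the redirect" if followed else "302 only, no follow-up")
```

A client that appears with only 302 entries never requested the target, which is the distinction the 302 status code alone cannot show.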