On Thu, 7 Nov 2002 11:46:19 -0800 Todd Lyons <[EMAIL PROTECTED]>
wrote:

> Franki wrote on Thu, Nov 07, 2002 at 06:40:45PM +0800 :
> > 
> > I am sick to death of my error_log for http being full of cmd.exe and
> > root.exe stuff..
> > my logs are always 90% full of this crap.
> > anyone got any ideas???
> 
> In your /etc/httpd/conf/commonhttpd.conf file, put this:
> 
> <IfModule mod_alias.c>
>       # Redirect and RedirectMatch are mod_alias directives
>       Redirect /MSADC http://www.microsoft.com
>       Redirect /c http://www.microsoft.com
>       Redirect /d http://www.microsoft.com
>       Redirect /_mem_bin http://www.microsoft.com
>       Redirect /msadc http://www.microsoft.com
>       RedirectMatch (.*)cmd\.exe$ http://www.microsoft.com$1
> </IfModule>
> 
> Blue skies...                 Todd

Hi Todd,

Thanks for the suggestion...  I've added the following to my web page at
http://new.pfortin.com/Linux/MSVTS/ -- any suggestions for improving the
message are welcome...  as stated at the bottom of most of my web pages,
the information is covered by the GnuFDL; so have at it...  :^)

I'm monitoring my logs and sniffing the http traffic to make sure this
works (still waiting -- I have a lot of DROP entries in my iptables)... if
not, I'll update the info.

Thanks,
Pierre

--------------------------------------------

Update -- 11/08/2002

After some tips from the Mandrake Expert list, and some analysis of my
logs, I've made a change to my web server configuration:

<IfModule mod_alias.c>
  # RedirectMatch is provided by mod_alias
  RedirectMatch (.*\.exe.*) http://www.microsoft.com$1
</IfModule>

Simply put: this change redirects any URL request containing .exe to the
web site of the company that provides the platforms on which these viruses
and trojans thrive.

For over a year, I've referred to the Micro$oft Windows operating system
as a Virus Transport System on my pages. I also posted a warning that I
would act in self-defense against any attacks on my systems. As seen
below, I have implemented automated procedures which attempted to notify
the owners of the infected systems. Thousands of e-mails were injected
into infected systems (probably unread since Windows is not a multi-user
system and the owners are not set up to check for mail on their own
machines), and many more thousands were rejected by other infected
systems.

Now, rather than try to get the individual machine owners to fix their
infected hosts, I am now taking my battle to the root cause of these
attacks: Microsoft!

I do not, and will never serve .exe pages/files; so there is no valid
reason for such URLs to hit my servers. Any that do, can only be
considered attacks on my machines by Microsoft platforms (or Microsoft
Virus Transport System inspired platforms). Therefore, all future attempts
will be redirected to the platform provider. My servers are now configured
to redirect all attacks where the URL contains .exe to Microsoft, since my
servers are totally M$-free.

Now that Microsoft has changed its licensing to further ensure that their
software is considered more of a loan, it makes even more sense to
redirect attacks to the owner of the software platform.

If it became possible to identify the hardware platform during these
attacks, I would also redirect the attacks to the appropriate hardware
vendor.

It is interesting to note that a Google search for "microsoft virus
transport system" returns over 40,000 hits and the very first one contains
a pointer to one of my web sites. Searching for "micro$oft virus transport
system" yields over 700 hits; mine is first again. So my claims of
self-defense are no secret.
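
Added example, not part of the original message or the author's web page: a short script that replays access-log lines against the two rule sets quoted above, to see what each would redirect before the change is deployed. The log lines, addresses and function names are constructed for illustration, and the cmd.exe pattern is written with the dot escaped.

```python
import re
from collections import Counter

# Pattern from the 11/08/2002 update. RedirectMatch is tested against the
# URL path, so the query string is stripped before matching.
EXE_RULE = re.compile(r"(.*\.exe.*)")
# Prefixes and pattern from the earlier suggestion quoted in the message.
PREFIXES = ("/MSADC", "/c", "/d", "/_mem_bin", "/msadc")
CMD_RULE = re.compile(r"(.*)cmd\.exe$")
# Common Log Format: host ident user [time] "METHOD target PROTO" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')

# Constructed sample lines (documentation addresses), not taken from the page.
SAMPLE_LOG = [
    '192.0.2.10 - - [07/Nov/2002:10:01:02 +0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 280',
    '192.0.2.10 - - [07/Nov/2002:10:01:03 +0800] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 278',
    '192.0.2.10 - - [07/Nov/2002:10:01:04 +0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 288',
    '198.51.100.7 - - [07/Nov/2002:10:05:00 +0800] "GET /_mem_bin/ HTTP/1.0" 404 270',
    '203.0.113.5 - - [07/Nov/2002:10:06:00 +0800] "GET /index.html HTTP/1.1" 200 5120',
    '203.0.113.5 - - [07/Nov/2002:10:06:01 +0800] "GET /cgi-bin/status HTTP/1.1" 200 312',
]

def classify(line):
    """Return (client, exe_hit, earlier_hit), or None for an unparsable line."""
    m = CLF.match(line)
    if m is None:
        return None
    client, target = m.group(1), m.group(3)
    path = target.split("?", 1)[0]
    # Redirect matches whole path segments: /c covers /c/..., not /cgi-bin.
    prefix = any(path == p or path.startswith(p + "/") for p in PREFIXES)
    return client, bool(EXE_RULE.search(path)), prefix or bool(CMD_RULE.search(path))

def summarize(lines):
    """Count how many requests each rule set would redirect, and per client."""
    counts, clients = Counter(), Counter()
    for line in lines:
        result = classify(line)
        if result is None:
            counts["unparsed"] += 1
            continue
        client, exe_hit, earlier_hit = result
        counts["exe_rule"] += exe_hit
        counts["earlier_rules"] += earlier_hit
        counts["only_exe_rule"] += exe_hit and not earlier_hit
        counts["only_earlier_rules"] += earlier_hit and not exe_hit
        if exe_hit or earlier_hit:
            clients[client] += 1
        else:
            counts["neither"] += 1
    return dict(counts), dict(clients)
```

On the constructed sample, the root.exe request under /scripts is caught only by the .exe pattern, and the bare /_mem_bin/ request only by the prefix rules.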
