RE: [imail] IIS Judo against Nimda's DoS attacks (was Fwd: [isp-linux] Buaaa Haaa Ha Haaaaaaaaa...)

Fri, 21 Sep 2001 11:48:45 -0700 

Great tip, Len. Here's the IIS version... just create a file in your web
root called something like "Custom404.asp", with this content (customize
the friendly part as much as you wish):

<%
'Custom404.asp page to thwart Nimda DoS attacks on IIS
'by Humankind Systems, Inc. http://hksi.net/
'No support or guarantees of any kind are granted with this
'code. Use at your own risk. Distribute freely.

'Get the entire URL requested
myRequest=Request.ServerVariables("QUERY_STRING")
'Detect a GET request from the Nimda virus and take appropriate action
if inStr(myRequest,"cmd.exe")>0 OR inStr(myRequest,"root.exe")>0 then
  'turn offending server back on itself
  Response.redirect "http://127.0.0.1";
end if
%>
<html>
<head>
<title>Page Not Found</title>
</head>
<body>
Sorry, but that page was not found on our server.
<p>
Here is a link back to our <a href="/">Home Page</a>.
</body>
</html>

Then go into your IIS properties on the default web site, to Custom
Errors, and customize the 404 error to use a URL. Enter "/Custom404.asp"
as the custom error. Test your server by entering URLs that won't be
found, and then enter some containing "cmd.exe" or "root.exe" in them.

This has the added benefit of being much smaller, kb-wise, than the
default 404 error page.


Ron Hornbaker
President/CTO
  .  .  .  .  .  .  .  .  .  .  .  .  http://humankindsystems.com
  .  .  .  .  .  .  .  .  .  .  .  .  w e  c o d e.  w e  c a r e.




> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Len
> Conrad
> Sent: Friday, September 21, 2001 1:44 PM
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: [imail] Fwd: [isp-linux] Buaaa Haaa Ha Haaaaaaaaa...
>
>
> Below is a "judo" trick, using HTTP redirection for Apache, to
> deflect the
> nimda GETs back to the attacker.
>
> I suppose some of you MS aces could try to come up with
> equivalent for IIS?
>
> Len




______________________________________________________________________
The HKSI-IMail Admin List is hosted by........ Humankind Systems, Inc.
Questions, Comments or Complain like Hell.. mailto:[EMAIL PROTECTED]
Message Archive... http://www.tallylist.com/archives/index.cfm/mlist.4
To Manage your Subscription......... http://humankindsystems.com/lists

Reply via email to