Nick Tonkin writes:
 > Now that Micro$oft has finally put out some information about their
 > latest trick I have posted a new version of MSIISProbes.pm.
 > 
 > Version 1.02 changes include putting the URL to a page containing info
 > about each worm into a PerlSetVar ... this means that once you have
 > configured MSIISProbes.pm with your e-mail and caching preferences, you
 > can add traps for new worms as Micro$oft releases them, er, discovers
 > them.
 > 
 > Available at http://www.tonkinresolutions.com/MSIISProbes.pm.tar.gz
 > 
 > More info at http://www.tonkinresolutions.com/MSIISProbes.pm.html
 
I was looking at your Apache::MSIISProbes module, and I didn't
understand the part about the nimda rewrite rules, mostly because I
haven't used the rewrite rules.  Do the following rules

        RewriteCond %{REQUEST_URI} !nimda
        RewriteCond %{QUERY_STRING} /c.dir
        RewriteRule .* /nimda? [R,L]

mean unless I've already rewritten the rule, if the query string matches
c.dir (i.e., will match c+dir found in most of the requests), rewrite
the request as /nimda?  From my observation, nimda also tries c+tftp
and tries to get /scripts/Admin.dll, /c/Admin.dll, /d/Admin.dll and
/MSADC/Admin.dll.  Could I change the rewrite rules to 

    RewriteCond %{REQUEST_URI} !nimda 
    RewriteCond %{QUERY_STRING} /c.(tftp|dir)
    RewriteRule .* /nimda? [R,L] 

to catch either request, and then do

    RewriteCond %{REQUEST_URI} /(scripts|MSADC|c|d)/Admin.dll
    RewriteRule .* /nimda? [R,L]

to catch the others?


Thanks.
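
The rule sets proposed in the message above can be checked offline before they go into httpd.conf. The following is an added example, not part of the original message or of MSIISProbes.pm: it emulates the RewriteCond logic (unanchored, case-sensitive regex search, conditions ANDed, "!" negating) against constructed request targets. The file name placeholder.exe and the function names are assumptions made for illustration.

```python
import re

# The two rule groups from the message above, as (variable, pattern) conditions.
# A leading "!" negates a condition, as in mod_rewrite; conditions in a group are ANDed.
RULES = [
    [("REQUEST_URI", "!nimda"), ("QUERY_STRING", r"/c.(tftp|dir)")],
    [("REQUEST_URI", r"/(scripts|MSADC|c|d)/Admin.dll")],
]

def cond_matches(value, pattern):
    """Unanchored, case-sensitive regex search, with optional '!' negation."""
    negate = pattern.startswith("!")
    found = re.search(pattern.lstrip("!"), value) is not None
    return found != negate

def would_redirect(request_target):
    """True if any rule group would send this request to /nimda?."""
    # REQUEST_URI is the path only; QUERY_STRING is everything after the first "?".
    path, _, query = request_target.partition("?")
    env = {"REQUEST_URI": path, "QUERY_STRING": query}
    return any(all(cond_matches(env[v], p) for v, p in conds) for conds in RULES)

# Constructed request targets; placeholder.exe is a made-up file name.
SAMPLES = [
    "/scripts/placeholder.exe?/c+dir",   # probe form named in the message
    "/scripts/placeholder.exe?/c+tftp",  # second probe form named in the message
    "/scripts/Admin.dll",
    "/MSADC/Admin.dll",
    "/c/Admin.dll",
    "/d/Admin.dll",
    "/nimda?/c+dir",                     # already redirected: must not loop
    "/index.html",                       # ordinary request
    "/scripts/admin.dll",                # lower case: no [NC] flag, so no match
    "/search?path=/c_dir",               # benign, but "." matches any character
    "/docs/c/Adminxdll",                 # benign, unanchored pattern plus "."
]

if __name__ == "__main__":
    for target in SAMPLES:
        print(f"{'redirect' if would_redirect(target) else 'pass':8}  {target}")
```

The last two samples are redirected only because the dot in the patterns is unescaped and the match is unanchored; writing `\.` and anchoring the path pattern narrows the trap to the requests listed in the message.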
