On 19 Sep 2001, Vivek Khera wrote:

> NT> http://www.torkington.com/vermicide.txt has a mod_perl handler to
> NT> catch the requests as soon as they arrive, and discard them with a
> NT> minimum of work to Apache. If your web server is struggling under the
> NT> load, this might help.
>
> Why waste your mod_perl back-end's resources? Do it in your front end
> reverse-proxy server with mod_rewrite:
>
> # trap CodeRed and send them away!
> <Location /default.ida>
> RewriteEngine On
> RewriteRule /default.ida http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/topics/codealrt.asp [last]
> </Location>
> # trap exploits of code-red compromised systems.
> <Files "*.exe">
> RewriteEngine On
> RewriteRule . http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/topics/codealrt.asp [last]
> </Files>
>
> I'm sure the *.exe match should use a different URL inside microsoft,
> but what the heck... I had limited info when I set this up yesterday
> afternoon.
I don't believe that the worms follow redirects. And what would the point be anyway? Overload Microsoft's servers if we all could get the worms to go there?

The above seems like way too much work; I seem to be getting away with the following here:

    # Nimda requests
    # [F,L]: answer 403 Forbidden and stop processing further rules
    RewriteCond %{HTTP_HOST} ^www$
    RewriteRule . / [F,L]
    RewriteRule ^/default.ida / [F,L]

(I put the above in the reverse proxy to "shield" the real thing from the requests on the sites where it matters (like one where I get a mail for each 404; it got really old really fast with this Nimda crap). Of course it doesn't work if you ever access the host as "www" without the domain...

 - ask

-- 
ask bjoern hansen, http://ask.netcetera.dk/         !try; do();
more than a billion impressions per week, http://valueclick.com
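Added example, not code from the thread or from either poster's proxy: the bare-"www" and /default.ida rules above emulated in Python over constructed sample requests, plus a stricter variant (my own refinement, not in the post) that shows the "www without the domain" caveat as the one request the original rules block and the refined ones let through.

```python
import re

# Constructed sample requests (not from the post): the Host header as
# %{HTTP_HOST} sees it on the proxy, and the request path.
SAMPLE_REQUESTS = [
    ("www", "/scripts/root.exe?/c+dir"),      # Nimda-style probe
    ("www", "/default.ida?XXXX%u9090"),       # Code Red-style probe
    ("www.example.com", "/index.html"),       # ordinary visitor
    ("www.example.com", "/default.ida"),      # probe sent with a full host name
    ("www", "/index.html"),                   # a person who typed just "www"
]

# The post's rules as Python regexes.
HOST_IS_BARE_WWW = re.compile(r"^www$")       # RewriteCond %{HTTP_HOST} ^www$
ANY_PATH = re.compile(r".")                   # RewriteRule .             / [F,L]
DEFAULT_IDA = re.compile(r"^/default\.ida")   # RewriteRule ^/default.ida / [F,L]
# Worm-looking paths (my assumption), used only by the stricter variant.
WORM_PATH = re.compile(r"^/default\.ida|\.exe(\?|$)", re.IGNORECASE)

def rewrite_verdict(host, path):
    """'F' (403 from [F,L]) or 'pass', following the post's rule order."""
    if HOST_IS_BARE_WWW.search(host) and ANY_PATH.search(path):
        return "F"
    if DEFAULT_IDA.search(path):
        return "F"
    return "pass"

def strict_verdict(host, path):
    """Refinement not in the post: forbid a bare 'www' host only when the
    path also looks like a worm probe, so a human typing 'www' still gets in."""
    if HOST_IS_BARE_WWW.search(host) and WORM_PATH.search(path):
        return "F"
    if DEFAULT_IDA.search(path):
        return "F"
    return "pass"

def collateral(requests=SAMPLE_REQUESTS):
    """Requests the post's rules block but the stricter variant passes."""
    return [(h, p) for h, p in requests
            if rewrite_verdict(h, p) == "F" and strict_verdict(h, p) == "pass"]

if __name__ == "__main__":
    for host, path in SAMPLE_REQUESTS:
        print(f"{host:16} {path:28} post={rewrite_verdict(host, path):4} "
              f"strict={strict_verdict(host, path)}")
    print("blocked only by the post's rules:", collateral())
```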