[Dshield] Look at this Nitwit

Rick Klinge rick at jaray.net
Thu Jan 29 01:20:58 GMT 2004


Why not just turn it back on itself?  Just add this puppy into your
exsisting 404 page.. Grab a cup of coffee and have a wonderful day.

~Rick

<%
'Get the entire URL requested
 myRequest=Request.ServerVariables("QUERY_STRING")

'A list of filenames Nimda looks for
 myBadList="cmd.exe,root.exe,admin.dll,default.ida"

'Detect a GET request from the Nimda virus and take appropriate action

arrBadString=Split(myBadList,",")
 for i=0 to UBound(arrBadString)
 if inStr(myRequest,arrBadString(i))>0 then
 'turn offending server back on itself
 Response.redirect "http://127.0.0.1"
 end if
 next
%>

> -----Original Message-----
> From: list-bounces at dshield.org 
> [mailto:list-bounces at dshield.org] On Behalf Of David Hart
> Sent: Wednesday, January 28, 2004 4:41 PM
> To: General DShield Discussion List
> Subject: Re: [Dshield] Look at this Nitwit
> 
> 
> On Wed, 2004-01-28 at 16:50, Keith Bergen wrote:
> > Yes. That is a Windows IIS server that is infected with the
> > Nimda virus and trying to propagate it to your box. There's 
> > probably not a lot you can do about it apart from sending an 
> > email to his provider with the logs. . . . 
> 
> Thanks
> 
> How do you feel about a zero-byte default.ida? It saves some 
> cycles. any downside?
> > 
> 
>                                ---------
>             Quality Management - A Commitment to Excellence
> 

___________________________________________________________________
Virus Scanned and Filtered by http://www.FamHost.com E-Mail System.




More information about the list mailing list