Posted to modperl@perl.apache.org by Nick Tonkin <ni...@rlnt.net> on 2001/09/19 21:39:46 UTC

NIMDA worm; MSIISProbes.pm

Hello,

Now that Micro$oft has finally put out some information about their
latest trick I have posted a new version of MSIISProbes.pm.

Version 1.02 changes include putting the URL to a page containing info
about each worm into a PerlSetVar ... this means that once you have
configured MSIISProbes.pm with your e-mail and caching preferences, you
can add traps for new worms as Micro$oft releases them, er, discovers
them.

Available at http://www.tonkinresolutions.com/MSIISProbes.pm.tar.gz

More info at http://www.tonkinresolutions.com/MSIISProbes.pm.html

Comments/flames welcome.

- nick


~~~~~~~~~~~
Nick Tonkin


Re: NIMDA worm; MSIISProbes.pm

Posted by Nick Tonkin <ni...@rlnt.net>.
On Wed, 19 Sep 2001, Bruce Albrecht wrote:

> I was looking at your Apache::MSIISProbes module, and I didn't
> understand the part about the nimda rewrite rules, mostly because I
> haven't used the rewrite rules.  Do the following rules
> 
> 	RewriteCond %{REQUEST_URI} !nimda
> 	RewriteCond %{QUERY_STRING} /c.dir
> 	RewriteRule .* /nimda? [R,L]
> 
> mean unless I've already rewritten the rule, if the query string matches
> c.dir (i.e., will match c+dir found in most of the requests), rewrite
> the request as /nimda? 

right.

> From my observation, nimda also tries c+tftp
> and tries to get /scripts/Admin.dll, /c/Admin.dll, /d/Admin.dll and
> /MSADC/Admin.dll.  Could I change the rewrite rules to 
> 
>     RewriteCond %{REQUEST_URI} !nimda 
>     RewriteCond %{QUERY_STRING} /c.(tftp|dir)
>     RewriteRule .* /nimda? [R,L] 
> 
> to catch either request, and then do
>     RewriteCond %{REQUEST_URI} /(scripts|MSADC|c|d)/Admin.dll
>     RewriteRule .* /nimda? [R,L]
> to catch the others?
> 

Well, the rules you put forward seem fine, but I'm not sure you'll catch
everything ... 

BTW the '?' on the end is to remove the query string ... if you leave it
off mod_rewrite puts the original one back.

- nick


Re: NIMDA worm; MSIISProbes.pm

Posted by Bruce Albrecht <br...@zuhause.mn.org>.
Nick Tonkin writes:
 > Now that Micro$oft has finally put out some information about their
 > latest trick I have posted a new version of MSIISProbes.pm.
 > 
 > Version 1.02 changes include putting the URL to a page containing info
 > about each worm into a PerlSetVar ... this means that once you have
 > configured MSIISProbes.pm with your e-mail and caching preferences, you
 > can add traps for new worms as Micro$oft releases them, er, discovers
 > them.
 > 
 > Available at http://www.tonkinresolutions.com/MSIISProbes.pm.tar.gz
 > 
 > More info at http://www.tonkinresolutions.com/MSIISProbes.pm.html
 
I was looking at your Apache::MSIISProbes module, and I didn't
understand the part about the nimda rewrite rules, mostly because I
haven't used the rewrite rules.  Do the following rules

	RewriteCond %{REQUEST_URI} !nimda
	RewriteCond %{QUERY_STRING} /c.dir
	RewriteRule .* /nimda? [R,L]

mean unless I've already rewritten the rule, if the query string matches
c.dir (i.e., will match c+dir found in most of the requests), rewrite
the request as /nimda?  From my observation, nimda also tries c+tftp
and tries to get /scripts/Admin.dll, /c/Admin.dll, /d/Admin.dll and
/MSADC/Admin.dll.  Could I change the rewrite rules to 

    RewriteCond %{REQUEST_URI} !nimda 
    RewriteCond %{QUERY_STRING} /c.(tftp|dir)
    RewriteRule .* /nimda? [R,L] 

to catch either request, and then do
    RewriteCond %{REQUEST_URI} /(scripts|MSADC|c|d)/Admin.dll
    RewriteRule .* /nimda? [R,L]
to catch the others?


Thanks.
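
Added example, not part of the original thread or of MSIISProbes.pm: a small Python model of the RewriteCond sets quoted above, run over constructed sample requests to compare what the original and the proposed rules trap. The names `ORIGINAL`, `PROPOSED`, `SAMPLES`, `trapped` and `coverage` are hypothetical, `example.exe` is a placeholder, and REQUEST_URI is assumed to be the raw request path with no URL decoding.

```python
import re

# RewriteCond sets from the thread: (variable, pattern, negated). Conditions
# inside one rule are ANDed; a request is trapped if any rule matches.
ORIGINAL = [
    [("REQUEST_URI", r"nimda", True), ("QUERY_STRING", r"/c.dir", False)],
]
PROPOSED = [
    [("REQUEST_URI", r"nimda", True), ("QUERY_STRING", r"/c.(tftp|dir)", False)],
    [("REQUEST_URI", r"/(scripts|MSADC|c|d)/Admin.dll", False)],
]

def trapped(rules, request):
    """Return True if the request would be redirected to /nimda."""
    path, _, query = request.partition("?")
    env = {"REQUEST_URI": path, "QUERY_STRING": query}
    for conds in rules:
        # Unanchored, case-sensitive search, as RewriteCond does without [NC].
        if all((re.search(pat, env[var]) is not None) != neg
               for var, pat, neg in conds):
            return True
    return False

# Constructed sample requests (not taken from real logs).
SAMPLES = [
    "/scripts/example.exe?/c+dir",
    "/scripts/example.exe?/c+tftp",
    "/MSADC/Admin.dll",
    "/d/Admin.dll",
    "/msadc/admin.dll",        # lower-case variant of a listed path
    "/search?path=/c-dir",     # benign request: '.' matches any character
    "/nimda",                  # the redirect target itself
]

def coverage(rules):
    """Map each sample request to whether the rule set traps it."""
    return {req: trapped(rules, req) for req in SAMPLES}

if __name__ == "__main__":
    for req in SAMPLES:
        print(f"{req:30} original={trapped(ORIGINAL, req)!s:5} "
              f"proposed={trapped(PROPOSED, req)}")
```

The lower-case request is missed because the patterns are case-sensitive unless `[NC]` is added, and the benign `/c-dir` query is trapped because the unescaped `.` matches any character.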