Re: [cobalt-developers] Redirecting virus/work hits

[David Lucas <david@xxxxxxxxxxxxxxxx>]

If you are being hit with these requests, the server sending them to you is 
already infected.  Sending the requests back only adds more traffic and 
uses more of your bandwidth.  You can't really reinfect an infected 
computer.  Just delete or filter the requests and go on your way.  If you 
have a good ISP, they should suspend service to anyone infected close to 
you.  Mine has, and my traffic has dropped off drasticly.

At 05:57 PM 10/24/2001, you wrote:
> John,
>         Thanks, must have missed that one, but I am pretty sure I can 
> work off
> what you provided.  Been in a different world for a little while sorry.
>
>
> John Foster wrote:
>
> > William,
> >
> > Part of your answer was recently discussed in the list. In your httpd.conf
> > or srm.conf files add the <Directory> directive to catch known virus
> > requests:
> >
> > <Directory /home/sites/home>
> > RedirectMatch (.*)\cmd.exe$ http://127.0.0.1
> > RedirectMatch (.*)\default.ida$ http://127.0.0.1
> > RedirectMatch (.*)\root.exe$ http://127.0.0.1
> > </Directory>
> >
> > <Directory /home/sites/site1>
> > RedirectMatch (.*)\cmd.exe$ http://127.0.0.1
> > RedirectMatch (.*)\default.ida$ http://127.0.0.1
> > RedirectMatch (.*)\root.exe$ http://127.0.0.1
> > </Directory>
> >
> >
> > What this will do is match the file request then redirect the caller to
> > their own web server, if they have one. Therefore they infect themselves if
> > they are a Windows server.
> >
> > How you set up the <Directory> directive will depend on how you have your
> > server configured, single host or virtual hosts. Look it up at the Apache
> > web site for documentation.
> >
> > Good luck!
> > John
> >
> > -----Original Message-----
> > From: cobalt-developers-admin@xxxxxxxxxxxxxxx
> > [mailto:cobalt-developers-admin@xxxxxxxxxxxxxxx]On Behalf Of William L.
> > Thomson Jr.
> > Sent: Wednesday, October 24, 2001 3:15 PM
> > To: Cobalt Developers Group
> > Subject: [cobalt-developers] Redirecting virus/work hits
> >
> >
> > I am sure all of you have experienced some sort of unneeded and unwanted
> > hit for a page that only exist on MS servers which hopefully none of use
> > are running. We definitely are not.
> >
> > To me this seems possible, I am just not aware of the system vars that
> > are available or how exactly this would be done.
> >
> > I want to set up my Apache, so certain hits are redirected back to the
> > server it came from.
> >
> > Re-infect the already infected server, if that's possible.
> >
> > The hits are annoying, and I am beginning to want to take revenge on
> > those who are either stupid, un-aware of worms and viruses that have
> > been going around for some time, just refuse to upgrade and patch their
> > equipment, or refuse to move to a real platform.
> >
> > Part of me says that ISP should have contacted their customers and do
> > something about it. Anyway, sorry to complain, but I am getting close to
> > my limit with the people responsible with these machines.
> >
> >
> > --
> > Sincerely,
> > William L. Thomson Jr.
> > Obsidian-Studios Inc.
> > 439 Amber Way
> > Petaluma, Ca. 94952
> > Phone/fax 707.766.9509
> > http://www.obsidian-studios.com
> >
> > _______________________________________________
> > cobalt-developers mailing list
> > cobalt-developers@xxxxxxxxxxxxxxx
> > http://list.cobalt.com/mailman/listinfo/cobalt-developers
> >
> >
> >
>
>
> --
> Sincerely,
> William L. Thomson Jr.
> Support Group
> Obsidian-Studios Inc.
> 439 Amber Way
> Petaluma, Ca. 94952
> Phone   707.766.9509
> Fax 707.766.8989
> http://www.obsidian-studios.com
>
> _______________________________________________
> cobalt-developers mailing list
> cobalt-developers@xxxxxxxxxxxxxxx
> http://list.cobalt.com/mailman/listinfo/cobalt-developers