I get tired of Nimda requests from my infected “network neighbors.”
A little Googling and I found a solution: Apache’s rewrite engine (mod_rewrite) can match requests against a regular expression and then rewrite them. So you take anything that matches the Nimda requests and rewrite it to a URL that serves . . . . nothing.
RewriteEngine on
RewriteRule .*/cmd\.exe.*     /nimda.txt
RewriteRule .*/root\.exe.*    /nimda.txt
RewriteRule .*/default\.ida.* /codered.txt
RewriteRule .*/Admin\.dll.*   /codered.txt
# a literal backslash must be written as \\ in a regex; a lone \A is not a backslash
RewriteRule .*\\Admin\.dll.*  /codered.txt
The files I use as targets are empty:
[/www]:: ls -l *txt
-rw-r--r--  1 root  wheel  0 May 14 21:52 codered.txt
-rw-r--r--  1 root  wheel  0 May 14 21:51 nimda.txt
And so is the response the worm sees.
[/www]:: GET http://blue.paulbeard.org/scripts/cmd.exe
(paul@blue.paulbeard.org)-(10:01 PM / Tue May 14)
From: The Anarcat <anarcat at anarcat.dyndns.org>
Or you could try this (From: Gregory Neil Shapiro <gshapiro at FreeBSD.ORG>):
RedirectMatch (.*)/(root.exe|cmd.exe|default.ida).* /goaway.html
SetEnvIf Request_URI "/(root.exe|cmd.exe|default.ida|goaway.html)" MSExploitCrap
CustomLog /var/log/httpd-access.log combined env=!MSExploitCrap
“With this, nothing shows up in either httpd-access.log or httpd-error.log.”
I like the second option better since it leaves no trace.
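As an added example (not code from the post or from the comment above), here is a small Python simulation of what the two rule sets do to a handful of constructed worm-style requests. It URL-decodes the path the way mod_rewrite does before matching in server context, applies the RewriteRule patterns exactly as the post writes them, then a corrected set, and shows which log a SetEnvIf-style tag would send each request to. The request strings, the log file names and the function names are assumptions made for the example; nothing here is the exact request list of either worm.

```python
"""Simulate the page's Apache rules: mod_rewrite-style path matching plus
env-conditional logging, run over constructed worm-style request URIs."""
import re
from urllib.parse import unquote

# RewriteRule patterns as the post writes them (Pattern, Substitution), in order.
PAGE_RULES = [
    (r".*/cmd.exe.*", "/nimda.txt"),
    (r".*/root.exe.*", "/nimda.txt"),
    (r".*/default.ida.*", "/codered.txt"),
    (r".*/Admin.dll.*", "/codered.txt"),
    # Meant to catch a backslash before Admin.dll. In PCRE (Apache 2.x, and
    # Python's re) "\A" is the start-of-string anchor, so this rule can never
    # match a path that begins with "/"; in no regex flavour is it a backslash.
    (r".*\Admin.dll.*", "/codered.txt"),
]

# Corrected patterns: dots escaped, backslash doubled, redundant ".*" dropped
# (a RewriteRule pattern is unanchored, so it already matches anywhere in the path).
FIXED_RULES = [
    (r"/cmd\.exe", "/nimda.txt"),
    (r"/root\.exe", "/nimda.txt"),
    (r"/default\.ida", "/codered.txt"),
    (r"[/\\]Admin\.dll", "/codered.txt"),
]

# Constructed sample requests (assumed shapes, not captured worm traffic).
SAMPLE_REQUESTS = [
    "/scripts/root.exe?/c+dir",
    "/c/winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%5c../winnt/system32/cmd.exe?/c+dir",   # %5c decodes to "\"
    "/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
    "/scripts/Admin.dll",
    "/scripts/..%5cAdmin.dll",                           # backslash before Admin.dll
    "/index.html",                                       # benign request
]


def request_path(request_uri):
    """What a server-context RewriteRule sees: the URL path, decoded, no query string."""
    return unquote(request_uri.split("?", 1)[0])


def first_match(request_uri, rules):
    """Return the Substitution of the first rule whose pattern matches, else None."""
    path = request_path(request_uri)
    for pattern, target in rules:
        if re.search(pattern, path):
            return target
    return None


def rewrite(request_uri, rules):
    """Rewritten target, or the decoded path unchanged when no rule fires."""
    return first_match(request_uri, rules) or request_path(request_uri)


def route_log(request_uri, rules):
    """Mimic 'SetEnvIf ... MSExploitCrap' with two CustomLog lines: tagged requests
    go to a separate worm log instead of being dropped (assumed file names)."""
    return "httpd-worm.log" if first_match(request_uri, rules) else "httpd-access.log"


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(f"{req:48} page->{rewrite(req, PAGE_RULES):28} "
              f"fixed->{rewrite(req, FIXED_RULES):14} {route_log(req, FIXED_RULES)}")
```

Two things fall out of running it. The post's `.*\Admin.dll.*` rule leaves the `%5c`-encoded Admin.dll request untouched, because a regex needs `\\` to match a literal backslash; the corrected `[/\\]Admin\.dll` catches it. And the `route_log` split is the alternative to `env=!MSExploitCrap` on its own: a second line such as `CustomLog /var/log/httpd-worm.log combined env=MSExploitCrap` (file name assumed) keeps a record of which neighbors are infected without cluttering the main access log.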