[Zope] de-worming

Jack Coates jack@monkeynoodle.org
Thu, 4 Oct 2001 20:01:07 -0700 (PDT)


On 4 Oct 2001, Bill Anderson wrote:

> On Thu, 2001-10-04 at 12:08, Oliver Bleutgen wrote:
> > > Hi,
> >
> > > I've put an object in Zope named default.ida and containing:
> >
> > > <dtml-call "RESPONSE.redirect('http://127.0.0.1')">
> >
> > > which seems to have stopped Code Red from being a problem. My next
> > > question is, how do I block Nimda? I need a wildcard or regexp document
> > > which will intercept any URL including "cmd.exe" or "root.exe". Any
> > > ideas?
> >
> > Hmm,
> > this is interesting. As Code Red/Nimda use their own "client"
> > implementation AFAIK, it surprises me that they follow redirects.
> > Are you sure that this really helped for Code Red?
> > How do you measure if it helped? Are you sure you just don't
> > see Code Red requests anymore because it just got extinguished
> > by Nimda?
> >
>

Are you sure it uses its own client implementation? Seems it would be
much easier to simply access mshtml.dll the way it accesses riched.dll
to modify .docs -- I can't verify either way, but here's the best write
up I've been able to find:
http://www.datafellows.com/v-descs/nimda.shtml

> Code Red died, and CodeRed II had a built-in expiration of October 1.
> Which is to say it will not start new processes after that date. By now,
> it should be dead, or at least by the end of the weekend.
>
>

Well, that's an annoying coincidence; I quit seeing default.ida 404s in
my logs immediately after doing the change, so that was why I think it
worked.

At any rate, the Redirector1_1 isn't working as I want it to -- it's
giving a 401 authorization required now instead of a 404 file not found
or 302 temporary redirect. I suspect that means that Redirector1_1 is
_interpreting_ http://127.0.0.1 instead of _returning_ the address,
since access is denied to that address on my server (no need for it,
everything is vhosts and Zope).

Which certainly explains why Redirector1_1 is labeled "development."
-- 
Jack Coates
Monkeynoodle: A Scientific Venture...
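
Added example (not part of the original message, and not Zope or Redirector code): a log tally that groups requests for the paths named in this thread by day and HTTP status, one way to answer "how do you measure if it helped?" and to see whether probes are getting a 404, 302 or 401. It assumes Common Log Format; the log lines, addresses and function names are constructed for illustration.

```python
import re
from collections import Counter

# Path fragments named in the thread: default.ida (Code Red),
# cmd.exe and root.exe (Nimda). Matched anywhere in the URL, case-insensitively.
PROBES = {
    "code_red": re.compile(r"default\.ida", re.I),
    "nimda": re.compile(r"(?:cmd|root)\.exe", re.I),
}

# Common Log Format: host ident user [time] "METHOD path PROTO" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')


def classify(path):
    """Return 'code_red', 'nimda', or None for an ordinary request path."""
    for name, rx in PROBES.items():
        if rx.search(path):
            return name
    return None


def tally(lines):
    """Count worm probes keyed by (day, worm, HTTP status)."""
    counts = Counter()
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not a CLF line; skip rather than guess
        kind = classify(m.group(4))
        if kind:
            day = m.group(2).split(":", 1)[0]  # "04/Oct/2001:19:58:01 -0700" -> "04/Oct/2001"
            counts[(day, kind, int(m.group(5)))] += 1
    return counts


# Constructed sample log lines (documentation addresses, shortened query strings).
SAMPLE_LOG = [
    '192.0.2.10 - - [03/Oct/2001:09:14:02 -0700] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 205',
    '192.0.2.11 - - [03/Oct/2001:11:40:37 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 205',
    '198.51.100.7 - - [04/Oct/2001:19:58:01 -0700] "GET /default.ida?NNNNNNNN HTTP/1.0" 401 310',
    '198.51.100.8 - - [04/Oct/2001:19:58:44 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 205',
    '198.51.100.9 - - [04/Oct/2001:19:59:10 -0700] "GET /index_html HTTP/1.0" 200 4312',
    '198.51.100.8 - - [04/Oct/2001:19:59:12 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 205',
]

if __name__ == "__main__":
    for (day, kind, status), n in sorted(tally(SAMPLE_LOG).items()):
        print(day, kind, status, n)
```

A drop in code_red counts with no change in status points to the worm going quiet; the same count under a different status points to the server change.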