Tribe.net. Local Connections robt. http://ApacheServers.tribe.net/thread/d0736157-cd6b-4770-a5a6-f5b27c91b11f#a20cde0a-bf94-4be9-b6d8-b138c00609f4 2004-06-23T15:59:18Z 2004-06-23T15:59:18Z

Nice. I'll have to try it one of these days.

robt. 2004-06-23T15:59:18Z $item.owner.firstName http://ApacheServers.tribe.net/thread/d0736157-cd6b-4770-a5a6-f5b27c91b11f#e6d4babc-7c23-419d-a3f1-b782acf80d31 2004-06-23T15:52:12Z 2004-06-23T15:52:12Z

Thanks!! I've updated my httpd.conf, restarted and tested it and it works perfectly.

$item.owner.firstName 2004-06-23T15:52:12Z robt. http://ApacheServers.tribe.net/thread/d0736157-cd6b-4770-a5a6-f5b27c91b11f#3bbb2c68-086a-4886-9305-8adb0c12cd2e 2004-06-17T23:44:16Z 2004-06-17T23:44:16Z

google will translate this page. http://lists.linux.it/pipermail/bglug/2004-March/006143.html I used, RedirectMatch permanent */MSADC* http://127.0.0.1 as a search query. One page of results. You will see the link toward the bottom. [bglug] Attacco a server win - [ Translate this page ] Hope it's helpful.

robt. 2004-06-17T23:44:16Z robt. http://ApacheServers.tribe.net/thread/d0736157-cd6b-4770-a5a6-f5b27c91b11f#5b489d8c-e867-4ed8-9252-c8eb81a57bed 2004-06-17T23:39:20Z 2004-06-17T23:39:20Z

> RedirectMatch permanent .*/scripts/root.exe.* http://127.0.0.1=20 > RedirectMatch permanent .*/MSADC/root.exe.* http://127.0.0.1=20 > RedirectMatch permanent .*system32/cmd.exe.* http://127.0.0.1=20 > RedirectMatch permanent .*MSOffice/cltreq.asp.* http://127.0.0.1=20 > RedirectMatch permanent .*_vti_bin/owssvr.dll.* http://127.0.0.1=20 > RedirectMatch permanent .*_vti_bin/shtml.exe/_vti_rpc.* http://127.0.0.1 > RedirectMatch permanent .*_vti_inf.html.* http://127.0.0.1 all the documentation was in Spanish but if you speak Spanish, https://listas.hispalinux.es/pipermail/linux-madrid/2002-September/001440.html Interesting.

robt. 2004-06-17T23:39:20Z $item.owner.firstName http://ApacheServers.tribe.net/thread/d0736157-cd6b-4770-a5a6-f5b27c91b11f#be112833-6a95-48c3-a6dd-eed7fc23f474 2004-06-17T22:17:26Z 2004-06-17T22:17:26Z

/MSADC I've been looking at the Apache docs. This is close, but I haven't tried it yet: RedirectMatch permanent */MSADC* http://127.0.0.1 ... and so forth The idea being that the attacker will get a response (if he's running a web server) and will log his own machine as an exploitable target.

$item.owner.firstName 2004-06-17T22:17:26Z robt. http://ApacheServers.tribe.net/thread/d0736157-cd6b-4770-a5a6-f5b27c91b11f#3266540f-7209-4242-b00c-6aee32cd5e79 2004-06-17T21:29:09Z 2004-06-17T21:29:09Z

No, I'm not familiar with that tactic. It looks fun though. I have been using tarpit in iptables. iptables -A INPUT -p tcp -m tcp -dport 137 -j TARPIT Are you going to try it (the redirect) out? If you do please post your findings.

robt. 2004-06-17T21:29:09Z $item.owner.firstName http://ApacheServers.tribe.net/thread/d0736157-cd6b-4770-a5a6-f5b27c91b11f#fe901aca-9c79-444d-a703-907cf7438d98 2004-06-17T20:07:45Z 2004-06-17T20:07:45Z

I once saw a piece of a config script that redirected attackers back to themselves. Something like checking for a request for /MSADC/root.exe?/c+dir then redirecting to 127.0.0.1 . Has anyone seen this?

$item.owner.firstName 2004-06-17T20:07:45Z