http://apacheservers.tribe.net/thread/d0736157-cd6b-4770-a5a6-f5b27c91b11f?format=rss Tribe.net. Local Connections http://ApacheServers.tribe.net/thread/d0736157-cd6b-4770-a5a6-f5b27c91b11f#a20cde0a-bf94-4be9-b6d8-b138c00609f4 Nice. I'll have to try it one of these days. Wed, 23 Jun 2004 15:59:18 GMT http://ApacheServers.tribe.net/thread/d0736157-cd6b-4770-a5a6-f5b27c91b11f#a20cde0a-bf94-4be9-b6d8-b138c00609f4 robt. 2004-06-23T15:59:18Z http://ApacheServers.tribe.net/thread/d0736157-cd6b-4770-a5a6-f5b27c91b11f#e6d4babc-7c23-419d-a3f1-b782acf80d31 Thanks!! I've updated my httpd.conf, restarted and tested it and it works perfectly. Wed, 23 Jun 2004 15:52:12 GMT http://ApacheServers.tribe.net/thread/d0736157-cd6b-4770-a5a6-f5b27c91b11f#e6d4babc-7c23-419d-a3f1-b782acf80d31 $item.owner.firstName 2004-06-23T15:52:12Z http://ApacheServers.tribe.net/thread/d0736157-cd6b-4770-a5a6-f5b27c91b11f#3bbb2c68-086a-4886-9305-8adb0c12cd2e google will translate this page. http://lists.linux.it/pipermail/bglug/2004-March/006143.html I used, RedirectMatch permanent */MSADC* http://127.0.0.1 as a search query. One page of results. You will see the link toward the bottom. [bglug] Attacco a server win - [ Translate this page ] Hope it's helpful. Thu, 17 Jun 2004 23:44:16 GMT http://ApacheServers.tribe.net/thread/d0736157-cd6b-4770-a5a6-f5b27c91b11f#3bbb2c68-086a-4886-9305-8adb0c12cd2e robt. 2004-06-17T23:44:16Z http://ApacheServers.tribe.net/thread/d0736157-cd6b-4770-a5a6-f5b27c91b11f#5b489d8c-e867-4ed8-9252-c8eb81a57bed > RedirectMatch permanent .*/scripts/root.exe.* http://127.0.0.1=20 > RedirectMatch permanent .*/MSADC/root.exe.* http://127.0.0.1=20 > RedirectMatch permanent .*system32/cmd.exe.* http://127.0.0.1=20 > RedirectMatch permanent .*MSOffice/cltreq.asp.* http://127.0.0.1=20 > RedirectMatch permanent .*_vti_bin/owssvr.dll.* http://127.0.0.1=20 > RedirectMatch permanent .*_vti_bin/shtml.exe/_vti_rpc.* http://127.0.0.1 > RedirectMatch permanent .*_vti_inf.html.* http://127.0.0.1 all the documentation was in Spanish but if you speak Spanish, https://listas.hispalinux.es/pipermail/linux-madrid/2002-September/001440.html Interesting. Thu, 17 Jun 2004 23:39:20 GMT http://ApacheServers.tribe.net/thread/d0736157-cd6b-4770-a5a6-f5b27c91b11f#5b489d8c-e867-4ed8-9252-c8eb81a57bed robt. 2004-06-17T23:39:20Z http://ApacheServers.tribe.net/thread/d0736157-cd6b-4770-a5a6-f5b27c91b11f#be112833-6a95-48c3-a6dd-eed7fc23f474 /MSADC I've been looking at the Apache docs. This is close, but I haven't tried it yet: RedirectMatch permanent */MSADC* http://127.0.0.1 ... and so forth The idea being that the attacker will get a response (if he's running a web server) and will log his own machine as an exploitable target. Thu, 17 Jun 2004 22:17:26 GMT http://ApacheServers.tribe.net/thread/d0736157-cd6b-4770-a5a6-f5b27c91b11f#be112833-6a95-48c3-a6dd-eed7fc23f474 $item.owner.firstName 2004-06-17T22:17:26Z http://ApacheServers.tribe.net/thread/d0736157-cd6b-4770-a5a6-f5b27c91b11f#3266540f-7209-4242-b00c-6aee32cd5e79 No, I'm not familiar with that tactic. It looks fun though. I have been using tarpit in iptables. iptables -A INPUT -p tcp -m tcp -dport 137 -j TARPIT Are you going to try it (the redirect) out? If you do please post your findings. Thu, 17 Jun 2004 21:29:09 GMT http://ApacheServers.tribe.net/thread/d0736157-cd6b-4770-a5a6-f5b27c91b11f#3266540f-7209-4242-b00c-6aee32cd5e79 robt. 2004-06-17T21:29:09Z http://ApacheServers.tribe.net/thread/d0736157-cd6b-4770-a5a6-f5b27c91b11f#fe901aca-9c79-444d-a703-907cf7438d98 I once saw a piece of a config script that redirected attackers back to themselves. Something like checking for a request for /MSADC/root.exe?/c+dir then redirecting to 127.0.0.1 . Has anyone seen this? Thu, 17 Jun 2004 20:07:45 GMT http://ApacheServers.tribe.net/thread/d0736157-cd6b-4770-a5a6-f5b27c91b11f#fe901aca-9c79-444d-a703-907cf7438d98 $item.owner.firstName 2004-06-17T20:07:45Z