81.241.202.87 - - [29/Jun/2004:21:34:51 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 - "-" "-"
81.241.202.87 - - [29/Jun/2004:21:34:53 +0200] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 - "-" "-"
81.241.202.87 - - [29/Jun/2004:21:34:55 +0200] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
81.241.202.87 - - [29/Jun/2004:21:34:56 +0200] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
81.241.202.87 - - [29/Jun/2004:21:34:58 +0200] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
81.241.202.87 - - [29/Jun/2004:21:34:59 +0200] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
81.241.202.87 - - [29/Jun/2004:21:35:03 +0200] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
81.241.202.87 - - [29/Jun/2004:21:35:04 +0200] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 414 271 "-" "-"
61.220.98.26 - - [30/Jun/2004:20:27:00 +0200] "GET /sumthin HTTP/1.0" 404 - "-" "-"
82.49.98.55 - - [01/Jul/2004:07:13:36 +0200] "CONNECT 207.46.133.140:21 HTTP/1.0" 403 - "-" "-"
80.109.27.118 - - [01/Jul/2004:09:43:10 +0200] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 - "-" "-"
<IfModule mod_rewrite.c>
RedirectMatch permanent (.*)cmd.exe(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)root.exe(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/_vti_bin\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/scripts\/\.\.(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/_mem_bin\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/msadc\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/MSADC\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/c\/winnt\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/d\/winnt\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/x90\/(.*)$ http://www.microsoft.com
</IfModule>
ret said: got this from another forum:
Code:
<IfModule mod_rewrite.c>
RedirectMatch permanent (.*)cmd.exe(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)root.exe(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/_vti_bin\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/scripts\/\.\.(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/_mem_bin\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/msadc\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/MSADC\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/c\/winnt\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/d\/winnt\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/x90\/(.*)$ http://www.microsoft.com
</IfModule>
maybe this is a good solution? redirect requests?
I wonder how many people the humor is lost on.
DirectAdmin Support said: Haha.. too funny.
toml said: You could try:
<IfModule mod_rewrite.c>
RedirectMatch permanent (.*)cmd.exe(.*)$ http://127.0.0.1
RedirectMatch permanent (.*)root.exe(.*)$ http://127.0.0.1
RedirectMatch permanent (.*)\/_vti_bin\/(.*)$ http://127.0.0.1
RedirectMatch permanent (.*)\/scripts\/\.\.(.*)$ http://127.0.0.1
RedirectMatch permanent (.*)\/_mem_bin\/(.*)$ http://127.0.0.1
RedirectMatch permanent (.*)\/msadc\/(.*)$ http://127.0.0.1
RedirectMatch permanent (.*)\/MSADC\/(.*)$ http://127.0.0.1
RedirectMatch permanent (.*)\/c\/winnt\/(.*)$ http://127.0.0.1
RedirectMatch permanent (.*)\/d\/winnt\/(.*)$ http://127.0.0.1
RedirectMatch permanent (.*)\/x90\/(.*)$ http://127.0.0.1
</IfModule>
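Added example, not part of the thread: a Python check of which logged probes the RedirectMatch patterns above would catch and which fall through. The patterns and log lines are copied from the posts. It assumes Apache compares each pattern, case-sensitively and in order, against the URL path with the query string dropped and one round of percent-decoding applied.

```python
import re
from urllib.parse import unquote

# Patterns copied from the RedirectMatch rules posted in the thread, same order.
RULES = [
    r"(.*)cmd.exe(.*)$", r"(.*)root.exe(.*)$", r"(.*)\/_vti_bin\/(.*)$",
    r"(.*)\/scripts\/\.\.(.*)$", r"(.*)\/_mem_bin\/(.*)$", r"(.*)\/msadc\/(.*)$",
    r"(.*)\/MSADC\/(.*)$", r"(.*)\/c\/winnt\/(.*)$", r"(.*)\/d\/winnt\/(.*)$",
    r"(.*)\/x90\/(.*)$",
]

# Access-log lines copied from the first post of the thread.
LOG = r'''81.241.202.87 - - [29/Jun/2004:21:34:51 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 - "-" "-"
81.241.202.87 - - [29/Jun/2004:21:34:58 +0200] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
61.220.98.26 - - [30/Jun/2004:20:27:00 +0200] "GET /sumthin HTTP/1.0" 404 - "-" "-"
82.49.98.55 - - [01/Jul/2004:07:13:36 +0200] "CONNECT 207.46.133.140:21 HTTP/1.0" 403 - "-" "-"
80.109.27.118 - - [01/Jul/2004:09:43:10 +0200] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 - "-" "-"
'''

# Groups: method, request target, status code (the protocol is optional,
# because the last sample line was logged without one).
REQUEST = re.compile(r'"(\S+) ([^\s"]+)(?: HTTP/[\d.]+)?" (\d{3})')

def url_path(target):
    """Assumed matching input: query string dropped, percent-decoded once."""
    return unquote(target.split("?", 1)[0], encoding="latin-1")

def first_rule(target):
    """Return the first pattern that matches (case-sensitive), or None."""
    path = url_path(target)
    return next((r for r in RULES if re.search(r, path)), None)

def triage(log_text):
    """Return (method, target, status, matching rule or None) per log line."""
    rows = []
    for line in log_text.splitlines():
        m = REQUEST.search(line)
        if m:
            method, target, status = m.groups()
            rows.append((method, target, int(status), first_rule(target)))
    return rows

if __name__ == "__main__":
    for method, target, status, rule in triage(LOG):
        print(f"{status} {method:8}{target[:45]:47}{rule or 'NOT COVERED'}")
```

In this sample only the `cmd.exe` and `root.exe` patterns ever fire first; the `/sumthin` probe and the `CONNECT` proxy attempt match none of the rules.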
sander815 said: is this a similar windows exploit?
81.23.206.226 - - [08/Jul/2004:12:29:40 +0200] "GET /default.ida?... HTTP/1.0" 404 - "-" "-"