Josh Trutwin wrote:

> I'm actually having some trouble trying to test this on some rules.  I changed it to:
> and when I call http://trutwins.homeip.net/default.ida I get redirected to ms.com, but not when I call http://trutwins.homeip.net/cmd.exe

This looked like fun so I modified your matching somewhat
(avoided full regexps)... I have lots of examples in my logs
to choose from...:

    # redirect M$ IIS probes
    RedirectMatch permanent ^/default.ida http://www.microsoft.com/
    RedirectMatch permanent ^/_vti_bin    http://www.microsoft.com/
    RedirectMatch permanent ^/_mem_bin    http://www.microsoft.com/
    RedirectMatch permanent ^/scripts     http://www.microsoft.com/
    RedirectMatch permanent ^/msadc       http://www.microsoft.com/
    RedirectMatch permanent ^/MSADC       http://www.microsoft.com/
    RedirectMatch permanent ^/\x90        http://www.microsoft.com/
    # send them to bill
    # RedirectMatch permanent \.exe       http://www.microsoft.com/
    # send their message to bill
    RedirectMatch permanent (.*\.exe.*)   http://www.microsoft.com$1

So all this really accomplishes is it gives them a 301 instead of a 302...
You still get cruft in your logs.

What I found amusing is that nearly ALL of the long URL probes (x90...)
ALSO had probes on ports 1025 2745 3127 6129.  Sure enough, google shows
many people suspect this as a variant of MyDoom or Agobot/Gaobot.

--Tom
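As an added example (not from the post above), here is a small Python emulation of the RedirectMatch list that also triages Common Log Format lines and reports which rule each client tripped. It assumes mod_alias semantics of an unanchored regex search on the decoded URL path (query string excluded) with the first matching rule winning, that Apache writes non-printable request bytes to the log as \xHH, and that the sample log lines are constructed.

```python
import re
# The RedirectMatch rules from the post, in order; "$1" in a target is the
# first capture group, as in mod_alias.
RULES = [
    (r"^/default.ida", "http://www.microsoft.com/"),
    (r"^/_vti_bin", "http://www.microsoft.com/"),
    (r"^/_mem_bin", "http://www.microsoft.com/"),
    (r"^/scripts", "http://www.microsoft.com/"),
    (r"^/msadc", "http://www.microsoft.com/"),
    (r"^/MSADC", "http://www.microsoft.com/"),
    (r"^/\x90", "http://www.microsoft.com/"),
    (r"(.*\.exe.*)", "http://www.microsoft.com$1"),
]

def redirect_target(path):
    """(target, pattern) for the first matching rule, else None. The regex is
    searched unanchored against the URL path without its query string."""
    path = path.split("?", 1)[0]
    for pattern, target in RULES:
        m = re.search(pattern, path)
        if m:
            group1 = m.group(1) if m.groups() else ""
            return target.replace("$1", group1), pattern
    return None

# Common Log Format: client ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
def unescape_log_path(path):
    """Apache logs non-printable request bytes as \\xHH; restore the raw chars."""
    return re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), path)

def triage_log(lines):
    """Map each client IP to the rule patterns its requests tripped."""
    hits = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a CLF line
        ip, _method, path, _status = m.groups()
        hit = redirect_target(unescape_log_path(path))
        if hit:
            hits.setdefault(ip, []).append(hit[1])
    return hits
# Constructed sample log lines (not from the poster's server).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2004:03:12:01 -0600] "GET /default.ida?NNNN HTTP/1.0" 301 233',
    '203.0.113.5 - - [10/Mar/2004:03:12:02 -0600] "GET /scripts/..%255c../winnt/system32/cmd.exe HTTP/1.0" 301 233',
    '198.51.100.7 - - [10/Mar/2004:04:01:10 -0600] "SEARCH /\\x90\\x02\\xb1\\x02 HTTP/1.1" 301 233',
    '198.51.100.7 - - [10/Mar/2004:04:01:11 -0600] "GET /cmd.exe HTTP/1.0" 301 233',
]
```

Note that the `/scripts/...cmd.exe` probe is claimed by `^/scripts` before the `.exe` rule ever sees it, which is why rule order matters when you read the redirect target back out of the logs.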

_______________________________________________
TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
tclug-list at mn-linux.org
https://mailman.real-time.com/mailman/listinfo/tclug-list