Posted to users@httpd.apache.org by Ed Sawicki <ed...@alcpress.com> on 2005/12/20 05:48:22 UTC

[users@httpd] RedirectMatch

I'm administering an Apache server that runs PHP-based
Webapps that I have not written and cannot change. These
Webapps are being successfully attacked. Here's an
example from the log:

66.57.121.127 - - [19/Dec/2005:19:50:46 -0800] "GET
/phplive/image_tracker.php?l=Bob&x=1&deptid=0&page=
http%3A//www.pcbpro.com/pcb-quote.php%3FWT.mc_id%3D
psepi00003%26referrer%3Dhttp%253a%252f%252fz-quest.com
%252fgo.php%253fidUser%253d36%2526z%253dasaphczzhihd
%2526idXmlFeed%253d37%2526idKeyword%253d145%2526
idSearchStatus%253d2%2526st%253d%2526url%253duggc
%253a%252f%252fgkpyvpx.rcvybg.pbz%252fpyvpx.nfck
%2540aoavhy%2540x%253dryrpgebavpf%2540aoaphy%2540o
%253d700%2540aoaphy%2540c%253drcvybg%2540aoaphy
%2540f%253dmdhrfgz%2540aoaphy%2540cbf%253d1%2540aoaphy
%2540g%253d24%2540aoaphy%2540xvq%253dQP8N5Q43-Q517-40O0-
87Q9-P281S6QN0458%2540aoaphy%2540rc%253d255%2540aoaphy
%2540fvq%253d815O3P57-3PS6-41S0-80S9-N79084865R39%2540
aoaphy%2540y%253duggc%253a%2540aoamhy%25402S%2540aoamhy
%25402Sjjj.cpoceb.pbz%2540aoamhy%25402Scpo-dhbgr.cuc
%2540aoamhy%25403SJG.zp_vq%253dcfrcv00003%2526ts
%253danaihxzszxhdzahczmzh%2526rb%253daaaphfhpzf
%2526is%253d66%25252E57%25252E121%25252E127%2526
idDomain%253d0&unique=1135050643687 HTTP/1.1" 200 43

In this example, I'd like to detect the string "go.php"
and redirect the request elsewhere. I've tried to
use RedirectMatch but nothing I've tried works.
Here's just one example of the many, many statements
I've tried:

RedirectMatch   301 (.*)go\.php        http://127.0.0.1

This is Apache 2.0.46 with mod_alias loaded.

Ed

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] RedirectMatch

Posted by Eric <ef...@kwinternet.com>.
Hi,

mod_security is interesting, it definitely looks like the right idea for 
this guy's situation, but it is kind of funny in a way, if you need 
mod_security you are already somewhat screwed, but it is nice to have 
around.. :)

Eric


At 07:32 AM 12/20/2005, Joshua Slive wrote:
>On 12/19/05, Ed Sawicki <ed...@alcpress.com> wrote:
>> I'm administering an Apache server that runs PHP-based
>> Webapps that I have not written and cannot change. These
>> Webapps are being successfully attacked. Here's an
>> example from the log:
>>
>> 66.57.121.127 - - [19/Dec/2005:19:50:46 -0800] "GET
>> /phplive/image_tracker.php?l=Bob&x=1&deptid=0&page=
>> http%3A//www.pcbpro.com/pcb-quote.php%3FWT.mc_id%3D
>> psepi00003%26referrer%3Dhttp%253a%252f%252fz-quest.com
>> %252fgo.php%253fidUser%253d36%2526z%253dasaphczzhihd
>> %2526idXmlFeed%253d37%2526idKeyword%253d145%2526
>> idSearchStatus%253d2%2526st%253d%2526url%253duggc
>> %253a%252f%252fgkpyvpx.rcvybg.pbz%252fpyvpx.nfck
>> %2540aoavhy%2540x%253dryrpgebavpf%2540aoaphy%2540o
>> %253d700%2540aoaphy%2540c%253drcvybg%2540aoaphy
>> %2540f%253dmdhrfgz%2540aoaphy%2540cbf%253d1%2540aoaphy
>> %2540g%253d24%2540aoaphy%2540xvq%253dQP8N5Q43-Q517-40O0-
>> 87Q9-P281S6QN0458%2540aoaphy%2540rc%253d255%2540aoaphy
>> %2540fvq%253d815O3P57-3PS6-41S0-80S9-N79084865R39%2540
>> aoaphy%2540y%253duggc%253a%2540aoamhy%25402S%2540aoamhy
>> %25402Sjjj.cpoceb.pbz%2540aoamhy%25402Scpo-dhbgr.cuc
>> %2540aoamhy%25403SJG.zp_vq%253dcfrcv00003%2526ts
>> %253danaihxzszxhdzahczmzh%2526rb%253daaaphfhpzf
>> %2526is%253d66%25252E57%25252E121%25252E127%2526
>> idDomain%253d0&unique=1135050643687 HTTP/1.1" 200 43
>>
>> In this example, I'd like to detect the string "go.php"
>> and redirect the request elsewhere. I've tried to
>> use RedirectMatch but nothing I've tried works.
>> Here's just one example of the many, many statements
>> I've tried:
>>
>> RedirectMatch   301 (.*)go\.php        http://127.0.0.1
>>
>> This is Apache 2.0.46 with mod_alias loaded.
>
>Ouch.  Very old apache version with very vulnerable php apps.  You
>seem to be in a very bad situation.
>
>Anyway, the mod_alias directives cannot act on the query string (the
>part after the ?).  If you need that, you can do something like
>
>RewriteEngine On
>RewriteCond %{QUERY_STRING} go\.php
>RewriteRule .* - [F]
>
>You can also look at mod_security (external module).
>
>Joshua.

Eric Frazier CTO
DM Contact Management
611-201 Discovery St.
Victoria BC Canada
office (250) 383-8267 ext 229
cell (250) 514-2889
eric@dmcontact.com




Re: [users@httpd] RedirectMatch

Posted by Ed Sawicki <ed...@alcpress.com>.
Joshua Slive wrote:
> On 12/19/05, Ed Sawicki <ed...@alcpress.com> wrote:
> 
>>I'm administering an Apache server that runs PHP-based
>>Webapps that I have not written and cannot change. These
>>Webapps are being successfully attacked. Here's an
>>example from the log:
>>
>>66.57.121.127 - - [19/Dec/2005:19:50:46 -0800] "GET
>>/phplive/image_tracker.php?l=Bob&x=1&deptid=0&page=
>>http%3A//www.pcbpro.com/pcb-quote.php%3FWT.mc_id%3D
>>psepi00003%26referrer%3Dhttp%253a%252f%252fz-quest.com
>>%252fgo.php%253fidUser%253d36%2526z%253dasaphczzhihd
>>%2526idXmlFeed%253d37%2526idKeyword%253d145%2526
>>idSearchStatus%253d2%2526st%253d%2526url%253duggc
>>%253a%252f%252fgkpyvpx.rcvybg.pbz%252fpyvpx.nfck
>>%2540aoavhy%2540x%253dryrpgebavpf%2540aoaphy%2540o
>>%253d700%2540aoaphy%2540c%253drcvybg%2540aoaphy
>>%2540f%253dmdhrfgz%2540aoaphy%2540cbf%253d1%2540aoaphy
>>%2540g%253d24%2540aoaphy%2540xvq%253dQP8N5Q43-Q517-40O0-
>>87Q9-P281S6QN0458%2540aoaphy%2540rc%253d255%2540aoaphy
>>%2540fvq%253d815O3P57-3PS6-41S0-80S9-N79084865R39%2540
>>aoaphy%2540y%253duggc%253a%2540aoamhy%25402S%2540aoamhy
>>%25402Sjjj.cpoceb.pbz%2540aoamhy%25402Scpo-dhbgr.cuc
>>%2540aoamhy%25403SJG.zp_vq%253dcfrcv00003%2526ts
>>%253danaihxzszxhdzahczmzh%2526rb%253daaaphfhpzf
>>%2526is%253d66%25252E57%25252E121%25252E127%2526
>>idDomain%253d0&unique=1135050643687 HTTP/1.1" 200 43
>>
>>In this example, I'd like to detect the string "go.php"
>>and redirect the request elsewhere. I've tried to
>>use RedirectMatch but nothing I've tried works.
>>Here's just one example of the many, many statements
>>I've tried:
>>
>>RedirectMatch   301 (.*)go\.php        http://127.0.0.1
>>
>>This is Apache 2.0.46 with mod_alias loaded.
> 
> 
> Ouch.  Very old apache version with very vulnerable php apps.  You
> seem to be in a very bad situation.
> 
> Anyway, the mod_alias directives cannot act on the query string (the
> part after the ?).

Ahhh, I must have missed this in the documentation. Thanks.

Ed




> If you need that, you can do something like
> 
> RewriteEngine On
> RewriteCond %{QUERY_STRING} go\.php
> RewriteRule .* - [F]
> 
> You can also look at mod_security (external module).
> 
> Joshua.




Re: [users@httpd] RedirectMatch

Posted by Joshua Slive <jo...@slive.ca>.
On 12/19/05, Ed Sawicki <ed...@alcpress.com> wrote:
> I'm administering an Apache server that runs PHP-based
> Webapps that I have not written and cannot change. These
> Webapps are being successfully attacked. Here's an
> example from the log:
>
> 66.57.121.127 - - [19/Dec/2005:19:50:46 -0800] "GET
> /phplive/image_tracker.php?l=Bob&x=1&deptid=0&page=
> http%3A//www.pcbpro.com/pcb-quote.php%3FWT.mc_id%3D
> psepi00003%26referrer%3Dhttp%253a%252f%252fz-quest.com
> %252fgo.php%253fidUser%253d36%2526z%253dasaphczzhihd
> %2526idXmlFeed%253d37%2526idKeyword%253d145%2526
> idSearchStatus%253d2%2526st%253d%2526url%253duggc
> %253a%252f%252fgkpyvpx.rcvybg.pbz%252fpyvpx.nfck
> %2540aoavhy%2540x%253dryrpgebavpf%2540aoaphy%2540o
> %253d700%2540aoaphy%2540c%253drcvybg%2540aoaphy
> %2540f%253dmdhrfgz%2540aoaphy%2540cbf%253d1%2540aoaphy
> %2540g%253d24%2540aoaphy%2540xvq%253dQP8N5Q43-Q517-40O0-
> 87Q9-P281S6QN0458%2540aoaphy%2540rc%253d255%2540aoaphy
> %2540fvq%253d815O3P57-3PS6-41S0-80S9-N79084865R39%2540
> aoaphy%2540y%253duggc%253a%2540aoamhy%25402S%2540aoamhy
> %25402Sjjj.cpoceb.pbz%2540aoamhy%25402Scpo-dhbgr.cuc
> %2540aoamhy%25403SJG.zp_vq%253dcfrcv00003%2526ts
> %253danaihxzszxhdzahczmzh%2526rb%253daaaphfhpzf
> %2526is%253d66%25252E57%25252E121%25252E127%2526
> idDomain%253d0&unique=1135050643687 HTTP/1.1" 200 43
>
> In this example, I'd like to detect the string "go.php"
> and redirect the request elsewhere. I've tried to
> use RedirectMatch but nothing I've tried works.
> Here's just one example of the many, many statements
> I've tried:
>
> RedirectMatch   301 (.*)go\.php        http://127.0.0.1
>
> This is Apache 2.0.46 with mod_alias loaded.

Ouch.  Very old apache version with very vulnerable php apps.  You
seem to be in a very bad situation.

Anyway, the mod_alias directives cannot act on the query string (the
part after the ?).  If you need that, you can do something like

RewriteEngine On
RewriteCond %{QUERY_STRING} go\.php
RewriteRule .* - [F]

You can also look at mod_security (external module).

Joshua.
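
Added example, not part of the thread: a Python model of why the RedirectMatch pattern never fired while the RewriteCond on %{QUERY_STRING} does, and of a caveat for that rule. mod_alias matches only the decoded URL path; %{QUERY_STRING} is the raw, still percent-encoded text after the "?". The request target is a constructed, shortened form of the logged one, and the function names and the encoded variant are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed request target, shortened from the log entry in the thread
# (same path, same nested percent-encoding around "go.php").
TARGET = ("/phplive/image_tracker.php?l=Bob&x=1&deptid=0&page="
          "http%3A//www.pcbpro.com/pcb-quote.php%3Freferrer%3D"
          "http%253a%252f%252fz-quest.com%252fgo.php%253fidUser%253d36"
          "&unique=1135050643687")

PATTERN = re.compile(r"go\.php")  # same regex as in the thread


def alias_sees(target):
    """Text RedirectMatch (mod_alias) matches: the decoded URL path only."""
    return unquote(urlsplit(target).path)


def rewritecond_sees(target):
    """Text held in %{QUERY_STRING}: the raw, undecoded part after '?'."""
    return urlsplit(target).query


def fully_decoded(query, max_rounds=5):
    """Percent-decode until stable, so %252f -> %2f -> '/' is unwrapped."""
    for _ in range(max_rounds):
        decoded = unquote(query)
        if decoded == query:
            break
        query = decoded
    return query


def verdicts(target):
    """Does the pattern match what each layer actually inspects?"""
    query = rewritecond_sees(target)
    return {
        "RedirectMatch": bool(PATTERN.search(alias_sees(target))),
        "RewriteCond raw": bool(PATTERN.search(query)),
        "after decoding": bool(PATTERN.search(fully_decoded(query))),
    }


# Constructed variant: the dot is percent-encoded, so the raw query string
# no longer contains the literal text "go.php".
ENCODED_VARIANT = TARGET.replace("go.php", "go%252Ephp")

if __name__ == "__main__":
    for name, target in (("logged form", TARGET),
                         ("encoded variant", ENCODED_VARIANT)):
        print(name, verdicts(target))
```

The logged form is caught by the raw query-string match only because "go.php" happens to appear unencoded; the variant matches only after decoding, so a rule on the raw %{QUERY_STRING} should be treated as a stopgap rather than complete coverage.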