Posted to users@httpd.apache.org by Chris Zakelj <c....@ieee.org> on 2004/07/13 02:56:24 UTC

[users@httpd] mod_rewrite versus webdav exploit

I've done a fair bit of googling, and think mod_rewrite is exactly what 
I need to handle the tons of

68.184.63.84 - - [12/Jul/2004:23:20:02 +0000] "SEARCH 
/\x90\x02±\x02±\x02±\x02±.....

crap that hits my logs, as well as the (still present) default.ida and 
other microsoft crud still floating around.  In that search, I found 
http://forums.macosxhints.com/showthread.php?t=22371, which suggests 
adding...

<IfModule mod_rewrite.c>
RedirectMatch permanent (.*)cmd.exe(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)root.exe(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/_vti_bin\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/scripts\/\.\.(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/_mem_bin\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/msadc\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/MSADC\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/c\/winnt\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/d\/winnt\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/x90\/(.*)$ http://www.microsoft.com
</IfModule>

to httpd.conf, except for two problems I found after reading the 
mod_rewrite docs/examples on the apache website... first, there isn't a 
"RewriteEngine on" directive, and second, there doesn't appear to be a 
"RedirectMatch" directive to begin with.  Apart from adding the 'engine 
on', I'm not sure what else I need to do to get this running properly.  
I *think* I can write it as a series of...

RewriteCond %{QUERY_STRING} (.*)cmd.exe(.*)$ [OR]
...
RewriteRule * http://myserver.net/disallowed.html

but I'm not sure, and would like a more seasoned mod_rewrite person to 
give a thumbs up, or lead me in the right direction.  (The disallowed 
page is a text only page that basically says "Go get your worm-infested 
box scanned and patched, 'cause I really don't like being scanned")


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] mod_rewrite versus webdav exploit

Posted by Joshua Slive <js...@gmail.com>.
On Mon, 12 Jul 2004 20:56:24 -0400, Chris Zakelj <c....@ieee.org> wrote:
> I've done a fair bit of googling, and think mod_rewrite is exactly what
> I need to handle the tons of
> 
> 68.184.63.84 - - [12/Jul/2004:23:20:02 +0000] "SEARCH
> /\x90\x02±\x02±\x02±\x02±.....
> 
> crap that hits my logs, as well as the (still present) default.ida and
> other microsoft crud still floating around.  In that search, I found
> http://forums.macosxhints.com/showthread.php?t=22371, which suggests
> adding...
> 
> <IfModule mod_rewrite.c>
> RedirectMatch permanent (.*)cmd.exe(.*)$ http://www.microsoft.com

These use mod_alias rather than mod_rewrite.

But they don't do anything really useful in any case.  At best, they
will just keep the request out of the error log.

By far the best way to handle such requests is just to post-process
your log files to remove anything that isn't of interest to you.

Joshua.

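Joshua's recommendation to post-process the logs rather than redirect the scanners, as an added example that is not part of the thread: the script below parses Apache common/combined log lines, labels requests that match the signatures Chris quoted (the WebDAV SEARCH with a NOP-sled body, default.ida, cmd.exe/root.exe, and the IIS paths from the RedirectMatch list) and keeps everything else for normal analysis. The sample log lines are constructed, the label names are my own, and the script assumes httpd's habit of writing non-printable request bytes in escaped `\xNN` form.

```python
import re
import sys
from collections import Counter

# Common/combined log line: host ident user [time] "request" status size ...
# Only the fields needed for triage are captured; trailing referer/agent are ignored.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Request-line signatures taken from the thread. Order matters only for labelling:
# the first match wins. Labels are hypothetical names chosen for this example.
NOISE_PATTERNS = [
    # WebDAV SEARCH whose path starts with escaped 0x90 bytes (the NOP sled in the log)
    ("webdav-search-overflow", re.compile(r'^SEARCH /\\x90')),
    # Code Red style probe
    ("default.ida", re.compile(r'default\.ida', re.I)),
    # Nimda-era command execution attempts
    ("iis-cmd-exec", re.compile(r'(cmd|root)\.exe', re.I)),
    # IIS/FrontPage paths from the RedirectMatch list
    ("iis-path", re.compile(r'/(_vti_bin|_mem_bin|msadc|scripts/\.\.|[cd]/winnt)/', re.I)),
]


def classify(line):
    """Return the noise label for a log line, or None if the line should be kept."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable lines are kept so a human can look at them
    request = m.group("request")
    for label, pattern in NOISE_PATTERNS:
        if pattern.search(request):
            return label
    return None


def filter_log(lines):
    """Split log lines into (kept_lines, Counter of dropped lines by label)."""
    kept = []
    dropped = Counter()
    for line in lines:
        line = line.rstrip("\n")
        label = classify(line)
        if label is None:
            kept.append(line)
        else:
            dropped[label] += 1
    return kept, dropped


# Constructed sample access log; only the first line mirrors the one in the thread.
SAMPLE_LOG = [
    r'68.184.63.84 - - [12/Jul/2004:23:20:02 +0000] "SEARCH /\x90\x02\xb1\x02\xb1 HTTP/1.1" 414 0',
    r'10.0.0.7 - - [12/Jul/2004:23:21:10 +0000] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 209',
    r'10.0.0.8 - - [12/Jul/2004:23:22:15 +0000] "GET /scripts/root.exe HTTP/1.0" 404 288',
    r'10.0.0.9 - - [12/Jul/2004:23:23:44 +0000] "GET /index.html HTTP/1.1" 200 1532',
    r'10.0.0.9 - - [12/Jul/2004:23:24:01 +0000] "GET /_vti_bin/ HTTP/1.0" 404 210',
]


if __name__ == "__main__":
    # Read a real log from stdin when one is piped in, otherwise use the sample.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG
    kept, dropped = filter_log(source)
    for line in kept:
        print(line)
    for label, count in sorted(dropped.items()):
        print(f"# dropped {count:4d}  {label}", file=sys.stderr)
```

Run it as `python3 filter_log.py < access_log > access_log.clean` and the per-label counts on stderr double as a cheap scanner census. Matching on the parsed request line rather than the raw line keeps a legitimate referer or user agent that happens to mention `cmd.exe` from being thrown away.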