The only problem I have with using Mod_Rewrite for this sort of thing is if you want to do it to every VirtualHost on your server, and you're a heavy user of Mod_Rewrite, you have to add that entire set to EVERY VirtualHost container, because Mod_Rewrite commands within a VirtualHost container take precedence over those in the main server config. So if you have a RewriteRule ^/.* in a VirtualHost, that VirtualHost won't pick up any RewriteRules in the main config :^(
A bummer when you want to use one standard robots.txt file for all sites in your config.
As I don't use Mod_Alias for anything else, this seems to be a cleaner way of doing this. Assuming Mod_Alias gets first dibs at the request, of course. :^)
On Jun 7, 2004, at 1:43 PM, Yves J. wrote:
I think this is even better:
<IfModule mod_rewrite.c>
    RewriteEngine on
    # Uncomment these if you want an intrusion log.
    # RewriteLog /var/log/worms-kiddies.log
    # RewriteLogLevel 1
    RewriteRule ^/(.*)cmd.exe(.*)$ http://sameserver/police.php [L]
    RewriteRule ^/(.*)root.exe(.*)$ http://sameserver/police.php
    RewriteRule ^/(.*)\/_vti_bin\/(.*)$ http://sameserver/police.php
    RewriteRule ^/(.*)\/scripts\/\.\.(.*)$ http://sameserver/police.php
    RewriteRule ^/(.*)\/_mem_bin\/(.*)$ http://sameserver/police.php
    RewriteRule ^/(.*)\/msadc\/(.*)$ http://sameserver/police.php
    RewriteRule ^/(.*)\/MSADC\/(.*)$ http://sameserver/police.php
    RewriteRule ^/(.*)\/c\/winnt\/(.*)$ http://sameserver/police.php
    RewriteRule ^/(.*)\/d\/winnt\/(.*)$ http://sameserver/police.php
    RewriteRule ^/(.*)\/x90\/(.*)$ http://sameserver/police.php
</IfModule>
sameserver is your server (you could remove that part). police.php is some scary page :-)
I think this is better since it wouldn't rely on the HTTP client's willingness to go to the redirect page,
as it happens with a mod_alias solution.
Of course this could all be useless if the hacko is a worm with no fear! Anyway, it's just a funny
alternative to a decent IDS.
See you,
Yves Junqueira - Lynx Informatica www.lynx.com.br
Just be aware that it's actual mod_alias rather than mod_rewrite lines in that extract, so the first line should be
<IfModule mod_alias.c>
Of course, it will only break due to the error if you don't have mod_rewrite loaded.
On Jun 7, 2004, at 11:58 AM, Robert Cates wrote:
Thanks much!
The rewrite solution looks good to me as well, and I'll add to my config shortly!
Thanks again, Robert
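
An added example, not part of any message in this thread: a Python check of the regular expressions from the RewriteRule lines above against constructed request paths, next to a consolidated pattern. The sample paths and the consolidated pattern are assumptions made for illustration, and Python's `re` module stands in for Apache's regex engine.

```python
import re

# Patterns copied verbatim from the RewriteRule lines in the thread.
THREAD_RULES = [
    r"^/(.*)cmd.exe(.*)$",
    r"^/(.*)root.exe(.*)$",
    r"^/(.*)\/_vti_bin\/(.*)$",
    r"^/(.*)\/scripts\/\.\.(.*)$",
    r"^/(.*)\/_mem_bin\/(.*)$",
    r"^/(.*)\/msadc\/(.*)$",
    r"^/(.*)\/MSADC\/(.*)$",
    r"^/(.*)\/c\/winnt\/(.*)$",
    r"^/(.*)\/d\/winnt\/(.*)$",
    r"^/(.*)\/x90\/(.*)$",
]

# Hypothetical consolidated pattern (not from the thread): literal dots,
# case-insensitive (Apache's [NC] flag), and directory names may start
# directly after the first "/".
CONSOLIDATED = re.compile(
    r"^/(?:.*/)?(?:_vti_bin|_mem_bin|msadc|x90|[cd]/winnt)/"
    r"|^/(?:.*/)?scripts/\.\."
    r"|(?:cmd|root)\.exe",
    re.IGNORECASE,
)

def thread_rule_hit(path):
    """Return the first thread pattern that matches path, or None."""
    return next((p for p in THREAD_RULES if re.search(p, path)), None)

def consolidated_hit(path):
    return CONSOLIDATED.search(path) is not None

# Constructed request paths, built only from names that appear in the rules.
SAMPLES = [
    "/scripts/root.exe",       # caught by the root.exe rule
    "/_vti_bin/probe",         # top level: thread rule needs "/x/_vti_bin/"
    "/site/_vti_bin/probe",    # nested: thread rule matches
    "/site/Msadc/probe",       # mixed case: msadc and MSADC rules both miss
    "/docs/cmd-exe-faq.html",  # unescaped "." in cmd.exe matches any character
    "/index.html",             # ordinary request
]

def report():
    return [(p, thread_rule_hit(p) is not None, consolidated_hit(p)) for p in SAMPLES]

if __name__ == "__main__":
    for path, old, new in report():
        print(f"{path:26} thread_rules={old!s:5} consolidated={new}")
```

Running a table like this before deploying rewrite rules shows both the requests a rule set misses and the legitimate URLs it would redirect.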

