Hey, just a quick note to let you know there IS a company that makes a nice URL rewrite engine for IIS.

http://www.isapirewrite.com/

Ok, true, it's an add-on, so is mod_rewrite. Also, true, it requires that you restart the Windows OS (you only have to restart the Apache daemon when you recompile Apache for mod_rewrite). However, this product will do the same thing that Apache's mod_rewrite will do. The Lite version is free. NOT GPL free, true. Not included in every version of IIS, true. But the important thing is that IIS folk can do the same stuff that you can do with Apache, and that's the end goal here, I believe. Check the FAQ and the documentation please, there are lots of examples on how to write regex stuff for this type of issue. I don't work for this company, but it's a nice little tool that I've used in the past when inserted into Microsoft sites... YMMV of course.

Séamus Hartmann CCNA, CISSP
Senior Network Engineer
Fuji Film, eSystems
(585) 340-4200

-----Original Message-----
From: Lorenzo Hernandez Garcia-Hierro [mailto:[EMAIL PROTECTED]
Sent: Monday, November 24, 2003 1:43 PM
To: Full-Disclosure; Tiago Halm
Subject: Re: [Full-Disclosure] HTTP request with SMTP message

Hi Tiago,

This is the same abuse that normally affects Apache (with Apache you can use mod_rewrite to redirect this type of abuse to another URL). This is the proof that open source is better :)
In IIS you can set some rules, or use URLScan, etc.
Try to install an IDS in front of the webserver and filter the HTTP requests that contain the headers of an SMTP transfer.

___snippet of mod_rewrite for apache :)____

If you want to use Apache instead of IIS :) it's better of course!

RewriteEngine on
RewriteLog "/[log dir]/fsckers-smtp-t-http.log"
RewriteLogLevel 1
RewriteCond %{THE_REQUEST} CONNECT.*
RewriteRule /$ /youfuckerspammer.html [L]

Why this? Because attackers normally use a netcat connection to dump the SMTP relay information for transferring emails, etc.:

[EMAIL PROTECTED] /home/trulux:$ netcat www.pooradmintothehell.foo 80
CONNECT smtp.mail.yahoo.com:25 HTTP/1.0

and the webserver receives the CONNECT line; with mod_rewrite this request will not work. If you want to see who is trying this, simply check for Apache log entries like this:

127.0.0.1 - - [[date]] "CONNECT smtp.mail.yahoo.com:25 HTTP/1.0" 200 203 "-" "-"

___/snippet___

I hope this post will help you a little to take the correct way to protect your webserver :)

Best regards to all FD,

-------------------------------
0x00->Lorenzo Hernandez Garcia-Hierro
0x01->\x74\x72\x75\x6c\x75\x78
0x02->The truth is out there,
0x03-> outside your mind .
__________________________________
PGP: Keyfingerprint 4ACC D892 05F9 74F1 F453 7D62 6B4E B53E 9180 5F5B
ID: 0x91805F5B
**********************************
\x6e\x73\x72\x67 \x73\x65\x63\x75\x72\x69\x74\x79 \x72\x65\x73\x65\x61\x72\x63\x68
http://www.nsrg-security.com
______________________

----- Original Message -----
From: "Tiago Halm" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, November 24, 2003 5:25 PM
Subject: [Full-Disclosure] HTTP request with SMTP message

> It's not the first time, but I gave up trying to figure it out. My IIS
> (port 80) received this HTTP request from x.x.x.x.
>
> Any thoughts ?
>
> --------------------------------------------------------------------------------
> POST http://x.x.x.x:25/ HTTP/1.1
> Content-type: application/octet-stream
> Content-length: 540
> Host: x.x.x.x
>
> HELO ps.com
> MAIL FROM:<[EMAIL PROTECTED]>
> RCPT TO: <[EMAIL PROTECTED]>
> DATA
> Message-ID: <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> From: [EMAIL PROTECTED]
> Subject: no doubt homie
> Date: Sat, 22 Nov 2003 10:06:34 -0800
> MIME-Version: 1.0
> Content-Type: text/plain;
>     charset="Windows-1252"
> Content-Transfer-Encoding: 7bit
> X-Mailer: Microsoft Outlook Express 5.00.3018.1300
> X-MimeOLE: Produced By Microsoft MimeOLE V5.00.3018.1300
>
> Message Body
> .
> QUIT
> --------------------------------------------------------------------------------
>
> Tiago Halm
> http://www.kodeit.org
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
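The two request shapes in this thread, the "CONNECT smtp.mail.yahoo.com:25" tunnel in Lorenzo's log entry and the "POST http://x.x.x.x:25/" request carrying an SMTP envelope that Tiago received, are both open-proxy probes: neither asks for anything the web server itself serves. The following is an added example written for this page, not code from any of the posters; it picks proxy-style request lines out of Apache-format access log entries and checks a captured request body for SMTP envelope verbs, which is the kind of filter Lorenzo suggests putting in an IDS in front of the server. The log lines, request body, addresses and function names are all constructed for the example.

```python
"""Spot open-proxy / SMTP-relay probes like the ones quoted in this thread.

Two checks:
  * scan_log()  - read Apache-style access log lines and flag requests whose
    target is not a local path: CONNECT host:port tunnels and absolute-URI
    requests (POST http://x.x.x.x:25/ ...). Both are proxy requests.
  * smtp_envelope_in_body() - look at a captured request body for SMTP
    envelope verbs (HELO/EHLO, MAIL FROM, RCPT TO, DATA, QUIT). The access
    log never shows the body, so this needs a proxy/IDS that captures it.
"""
import re

# Apache "combined" format: client ident user [ts] "request" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/\d\.\d)?" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)
# CONNECT target is "host:port"; an absolute-URI target is "scheme://host[:port][/path]"
CONNECT_TARGET = re.compile(r'^(?P<host>\[[^\]]+\]|[^/:]+):(?P<port>\d+)$')
ABSOLUTE_URI = re.compile(
    r'^(?P<scheme>https?)://(?P<host>\[[^\]]+\]|[^/:]+)(?::(?P<port>\d+))?(?:/\S*)?$',
    re.I)

MAIL_PORTS = {25, 465, 587}   # SMTP, SMTPS, submission


def classify_request(method, target):
    """Return (kind, host, port) for a proxy-style request line, else None."""
    if method == 'CONNECT':
        m = CONNECT_TARGET.match(target)
        if m:
            return 'connect-tunnel', m['host'], int(m['port'])
        return 'connect-tunnel', target, None      # malformed CONNECT, still a probe
    m = ABSOLUTE_URI.match(target)
    if m:
        default = 443 if m['scheme'].lower() == 'https' else 80
        return 'absolute-uri', m['host'], int(m['port'] or default)
    return None                                    # ordinary "/path" request


def scan_log(text):
    """Return one finding per proxy-style request line in an access log."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hit = classify_request(m['method'], m['target'])
        if hit is None:
            continue
        kind, host, port = hit
        findings.append({
            'client': m['client'], 'kind': kind, 'host': host, 'port': port,
            'status': int(m['status']),
            'mail_relay': port in MAIL_PORTS,     # the spam-relay case from the thread
        })
    return findings


# Verbs at line start. MAIL FROM:/RCPT TO: are followed by "<" or a space, so
# no \b after the colon; the bare verbs get \b so "Database" is not "DATA".
SMTP_VERB = re.compile(r'^(?:(?:HELO|EHLO|DATA|QUIT)\b|MAIL FROM:|RCPT TO:)', re.I | re.M)


def smtp_envelope_in_body(body):
    """True when a request body carries an SMTP envelope (2+ distinct verbs)."""
    verbs = {v.upper().rstrip(':') for v in SMTP_VERB.findall(body)}
    return len(verbs) >= 2


# Constructed sample data (not from the thread); addresses are RFC 5737 test ranges.
SAMPLE_LOG = """\
198.51.100.7 - - [24/Nov/2003:13:40:01 +0100] "CONNECT smtp.mail.yahoo.com:25 HTTP/1.0" 200 203 "-" "-"
198.51.100.7 - - [24/Nov/2003:13:40:02 +0100] "POST http://203.0.113.9:25/ HTTP/1.1" 200 540 "-" "-"
192.0.2.44 - - [24/Nov/2003:13:41:10 +0100] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
192.0.2.45 - - [24/Nov/2003:13:42:00 +0100] "GET http://www.example.com/ HTTP/1.1" 200 512 "-" "-"
"""
SAMPLE_BODY = (
    "HELO ps.com\r\nMAIL FROM:<spammer@example.net>\r\nRCPT TO: <victim@example.org>\r\n"
    "DATA\r\nSubject: no doubt homie\r\n\r\nMessage Body\r\n.\r\nQUIT\r\n"
)
NORMAL_BODY = "username=alice&password=hunter2"

if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        flag = 'SMTP RELAY ATTEMPT' if f['mail_relay'] else 'proxy probe'
        print(f"{f['client']} {f['kind']} -> {f['host']}:{f['port']} "
              f"status={f['status']} [{flag}]")
    print('SMTP envelope in body:', smtp_envelope_in_body(SAMPLE_BODY))
```

The log-based check only sees the request line, so it flags every proxy-style target and marks the mail ports separately; a GET for an absolute http:// URI on port 80 is still somebody testing whether the host relays. The body check is what a front-end IDS or reverse proxy would run, since the POST in Tiago's capture looks like a normal request until you read past the headers. The 200 status in the log is also worth noting: it tells the prober the server answered, not that anything was relayed, and a rewrite rule like Lorenzo's changes what that answer is.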
