GET /scripts/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir+c
Sergio Morilla 27 June 2002 18:21:44
Hi,
I've used Apache::CodeRed to get rid of nimda attacks. Now I have a good number of entries like this on my error log and some interesting variations on this.
I was wondering if there is a way to use LocationMatch or FilesMatch or maybe some other directive to direct all URLs containing cmd.exe (non existent on linux) to a cgi handler.
I'm not very good at REs so maybe I'm just failing to set the directives properly.
Any hints???
Thanks
Sergio D. Morilla
Sistemas
Tipoiti SATIC
San Martín 647 Piso 2 Tel. : +54 11 4314-4482
C1004AAM - Buenos Aires Fax : +54 11 4508-6425
Argentina e-mail smorilla@tipoiti.com
The problem is that a cgi handler runs as the apache user, so it can't do much but log the errors too. However, you can run something from cron that parses the error_logs and adds offending ips (based on whatever you want) to your firewall rules.
Ken
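The cron-driven log scan suggested in the reply above, as an added example that is not part of the original thread. It assumes the Apache 1.3/2.0 error_log layout, runs over constructed sample lines, and uses hypothetical names (`fully_decode`, `offending_clients`); it only lists offending addresses and leaves the firewall step to the operator.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines in the Apache 1.3/2.0 error_log layout; the
# client addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
[Thu Jun 27 18:02:11 2002] [error] [client 192.0.2.10] File does not exist: /var/www/html/scripts/.%2e/.%2e/winnt/system32/cmd.exe
[Thu Jun 27 18:02:12 2002] [error] [client 192.0.2.10] File does not exist: /var/www/html/scripts/..%255c../winnt/system32/CMD.EXE
[Thu Jun 27 18:03:40 2002] [error] [client 198.51.100.7] File does not exist: /var/www/html/favicon.ico
[Thu Jun 27 18:04:05 2002] [error] [client 203.0.113.99] File does not exist: /var/www/html/msadc/..%c0%af../winnt/system32/cmd%2eexe
[Thu Jun 27 18:05:00 2002] [notice] caught SIGTERM, shutting down
"""

# Only [error] lines that carry a client address are considered.
LINE_RE = re.compile(r"\[error\] \[client (?P<ip>[0-9a-fA-F.:]+)\] (?P<msg>.*)")
# The thread's indicator: any request for cmd.exe, which never exists on Linux.
PROBE_RE = re.compile(r"cmd\.exe", re.IGNORECASE)


def fully_decode(text, max_rounds=5):
    """Percent-decode repeatedly so %252e -> %2e -> '.' cannot hide a match."""
    for _ in range(max_rounds):
        decoded = unquote(text, errors="replace")
        if decoded == text:
            break
        text = decoded
    return text


def offending_clients(log_text, threshold=1):
    """Return {ip: hits} for clients with at least `threshold` cmd.exe probes."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and PROBE_RE.search(fully_decode(m.group("msg"))):
            hits[m.group("ip")] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}


if __name__ == "__main__":
    # One address and hit count per line, for the firewall tooling to consume.
    for ip, n in sorted(offending_clients(SAMPLE_LOG).items()):
        print(ip, n)
```

Decoding before matching matters because the logged path may still carry an encoded layer, as in the `%252e` form in this thread's subject line.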
May try the Redirect directive in this configuration to redirect to a CGI program.
You can also use mod_rewrite to accomplish your task.
--Jeff
--
Jeff Beard | Systems Architect, Programmer, Sysadmin
Contact | jeff at cyberxape dot com
Location | In front of the computer, Boulder, CO, USA
-----Original Message-----
> From: Jeff Beard [mailto:jeff@cyberxape.com]
> Sent: Thursday, June 27, 2002 13:00
> To: users@httpd.apache.org
> Subject: Re: GET /scripts/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir+c
>
> If you're already using mod_perl why do you want to
> use forking CGI? I'd just modify Apache::CodeRed
> to do what you want.
>
> Not sure exactly how you'd use FilesMatch for forking
> CGI. I'd use a mod_perl handler like this: