Hi everyone,

Looking to cut down the log of my Apache web server, I found the following tip:

<IfModule mod_alias.c>
    RedirectMatch permanent .*/scripts/root.exe.* http://www.meudominio.com/pagina.html
    RedirectMatch permanent .*/MSADC/root.exe.* http://www.meudominio.com/pagina.html
    RedirectMatch permanent .*system32/cmd.exe.* http://www.meudominio.com/pagina.html
    RedirectMatch permanent .*MSOffice/cltreq.asp.* http://www.meudominio.com/pagina.html
    RedirectMatch permanent .*_vti_bin/owssvr.dll.* http://www.meudominio.com/pagina.html
    RedirectMatch permanent .*_vti_bin/shtml.exe/_vti_rpc.* http://www.meudominio.com/pagina.html
    RedirectMatch permanent .*_vti_inf.html.* http://www.meudominio.com/pagina.html
</IfModule>

I did what is shown above and created the "pagina.html" that is used as the redirect target when one of these URLs is matched. I restarted the service and it is running perfectly... However, the access_log still records these attempts! Is there something effective and working, some script to use with Apache, that also blocks the IPs making these requests using iptables?

The message below is just something that came up on SecurityFocus.com

8<---
We received several "code red" style probes for cmd.exe and the like. The probes used the typical method of searching for all default IIS +execute permissioned directories. However, some of the details of the GET requests, I haven't seen before today. Here's an example GET.

http://216.12.96.114/scripts/boo.bat/..%C1%9C..%C1%9C..%C1%9C..%C1%9C.%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c+echo+MinhaNossaSenhoraDoPerpetuoSocorro

I haven't seen requests for a boo.bat. I also haven't seen this particular echo command that was common to all of the requests for cmd.exe. Every one of them attempted to echo "MinhaNossaSenhoraDoPerpetuoSocorro"

Some new script? Has anyone else seen these?
8<--------

MinhaNossaSenhoraDoPerpetuoSocorro... That's from here, isn't it, hehehe, from Brazil!
Ricardo Guedes

Subscribers as of 07/11/2002: 2256
Messages received since 07/01/1999: 189588
Archive and [un]subscription: http://linux-br.conectiva.com.br
Administrative matters and problems with the list: mailto:linux-br-owner@;bazar.conectiva.com.br
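
An added example, not part of the original post and not taken from any existing tool: a sh/awk script for the approach the question asks about, which pulls the client addresses that requested the probe paths from the RedirectMatch lines out of an access_log and prints iptables DROP rules for review instead of applying them. It assumes Common Log Format with HostnameLookups off; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: list clients that requested the IIS probe paths named in the
# post and print (not run) iptables DROP rules for them.
# Assumption: Common Log Format, field 1 = client address, field 7 = path.

# Path fragments taken from the RedirectMatch lines in the post.
PROBE_RE='/scripts/root[.]exe|/MSADC/root[.]exe|system32/cmd[.]exe|MSOffice/cltreq[.]asp|_vti_bin/owssvr[.]dll|_vti_bin/shtml[.]exe/_vti_rpc|_vti_inf[.]html'

# probe_ips: read log lines on stdin, print each offending client once,
# in order of first appearance.
probe_ips() {
    awk -v re="$PROBE_RE" '
        # Accept only dotted-quad IPv4 so nothing else reaches the rule text.
        function is_ipv4(a,   n, p, i) {
            n = split(a, p, ".")
            if (n != 4) return 0
            for (i = 1; i <= 4; i++)
                if (p[i] !~ /^[0-9]+$/ || length(p[i]) > 3 || p[i] + 0 > 255) return 0
            return 1
        }
        $7 ~ re && is_ipv4($1) && !seen[$1]++ { print $1 }
    '
}

# emit_rules: turn addresses on stdin into iptables commands for review.
emit_rules() {
    while read -r ip; do
        printf 'iptables -I INPUT -s %s -j DROP\n' "$ip"
    done
}

# Constructed sample log lines (documentation addresses, not real traffic).
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [07/Nov/2002:10:00:01 -0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 301 250
198.51.100.7 - - [07/Nov/2002:10:00:02 -0200] "GET /index.html HTTP/1.0" 200 1043
192.0.2.10 - - [07/Nov/2002:10:00:03 -0200] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 301 250
203.0.113.5 - - [07/Nov/2002:10:00:04 -0200] "GET /scripts/boo.bat/..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c+echo+x HTTP/1.0" 301 250
badhost.example - - [07/Nov/2002:10:00:05 -0200] "GET /_vti_inf.html HTTP/1.0" 301 250
EOF
}

# Stand-alone run on the sample; feed a real access_log to probe_ips instead.
sample_log | probe_ips | emit_rules
```

Clients behind a shared proxy or on dynamic addresses end up in the same list, so the printed rules are worth reading before any of them is applied.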
