These are the two best mails on the topic that I managed to find.

> -----Original Message-----
> From: Georgi Chorbadzhiyski [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, September 20, 2001 12:26 PM
> To: [EMAIL PROTECTED]
> Subject: Re: lug-bg: ..cmd.exe problems
>
> <LocationMatch "cmd\.exe">
> Order deny,allow
> deny from all
> </LocationMatch>
>
> Only it will still get logged, and besides, it doesn't catch things like
> http://boza/shit?..%c0%af../cmd.exe?/c+dir
>
> mod_rewrite will do the job for you.
>
> I can now think of a very ugly way to keep the request out of the logs,
> but it is _very ugly_ and _very insecure_ (every request that includes
> cmd.exe won't be logged - hello brute forcing :)
>
> TransferLog "|/usr/bin/grep -v cmd.exe > /var/log/access.log"
> ErrorLog "|/usr/bin/grep -v cmd.exe > /var/log/error.log"
>
> It may not even work :)
>
> Vasko Tomanov wrote:
> > Does anyone have an idea how to make Apache completely ignore requests
> > of the form ..........cmd.exe
> ===========================================================================
> A mail-list of Linux Users Group - Bulgaria (bulgarian linuxers)
> http://www.linux-bulgaria.org/ Hosted by Internet Group Ltd. - Stara Zagora
So I am no serious Apache or Unix hack, however I was playing with RewriteRules to:

1) relieve server load on my personal server
2) NOT add to the load in access_log
3) keep my access_log from showing any of the Nimda as 200 and being included in my stats

Here is what I did and it might be useful to others:

RewriteCond %{THE_REQUEST} /scripts/
RewriteRule ^.*$ - [G,L]
RewriteCond %{THE_REQUEST} default.ida
RewriteRule ^.*$ - [G,L]
RewriteCond %{THE_REQUEST} cmd.exe
RewriteRule ^.*$ - [G,L]
RewriteCond %{THE_REQUEST} root.exe
RewriteRule ^.*$ - [G,L]

Yes, I'm sure there is a cleaner way.. and then

ErrorDocument 410 "

So what this does is, all the Nimda stuff goes 410 and 410 has zero bytes. My web stats see all the Nimda stuff as errors. Nimda sees every request as failed and doesn't attempt further stuff with each request as it does with the previously mentioned AliasMatch method. I'm no expert but this seems to work well.. I sure don't use the 410 (Gone permanently) default message anywhere; I've never even seen it while on the net.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
Distributing the 404/403 error takes connections and bandwidth. Adding the following configuration to Apache will reduce the impact on the servers. I have been doing this for some time on the production servers that I manage.

AliasMatch ^/scripts(.*) "/www/bogus/index.html"
AliasMatch ^/.*(ida|htr|idc|htw) "/www/bogus/index.html"

Replace the second argument with the path to a zero-length index file (e.g. touch /www/bogus/index.html).

Just to give you an idea of the savings:

With the "mitigation" configuration:

172.16.89.153 - - [19/Sep/2001:17:36:17 +0600] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.1" 200 0

So, it transfers 0 bytes.

Now without the "mitigation" config:

172.16.89.153 - - [19/Sep/2001:17:38:06 +0600] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.1" 404 321

It transfers 321 bytes. The above was tested with the standard Apache "404" error.

Now, on 15 production Apache servers there are 6100 entries on average per server, 91500 entries. With a 908 byte custom error document on our production servers, that's 83MB of data. This starting sample date is Sunday. Note that this is with 1 IP address per server. The usage should increase linearly as you add virtual IPs. Now, I am not taking into account the additional packet overhead, which in accounting terms is a fixed cost and would likewise apply to the "mitigation" configuration.

John Coke
PGP fingerprint: A8D1 4CBD 88CF 1B37 8008 2F79 3081 2108 8F45 E846
PGP key ID 0x8F45E846 (pgp.mit.edu)

> -----Original Message-----
> From: George Milliken [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, September 19, 2001 8:59 AM
> To: [EMAIL PROTECTED]
> Subject: RE: Anyone????? FW: Concept Virus(CV) V.5 - Quick analysis update
>
> Maybe something like a rewrite rule
>
> RewriteEngine On
> RewriteRule ^.*/cmd\.exe.* - [F,L]
> RewriteRule ^.*/root\.exe.* - [F,L]
>
> This will send "forbidden" to systems trying those URLs and will stop
> rewrite processing.
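As an added example (not code from any of the posters), here is a small Python script that applies the thread's probe signatures (/scripts/, default.ida, cmd.exe, root.exe) to Apache common-log lines, counts how many bytes the server actually handed the worm traffic, and reproduces the fleet-wide arithmetic from the post above. The sample log lines are constructed for the example; two of them are the lines quoted in the post.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Apache common log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)$'
)

# Probe signatures as used in the thread's RewriteCond/AliasMatch rules.
# Matched on the percent-decoded target so ..%c1%9c.. style encodings
# cannot hide the file name.
PROBE_RE = re.compile(r'(/scripts/|default\.ida|cmd\.exe|root\.exe)', re.IGNORECASE)

# Constructed sample: the two lines quoted in the post plus two more.
SAMPLE_LOG = [
    '172.16.89.153 - - [19/Sep/2001:17:36:17 +0600] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.1" 200 0',
    '172.16.89.153 - - [19/Sep/2001:17:38:06 +0600] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.1" 404 321',
    '10.0.0.7 - - [19/Sep/2001:17:40:00 +0600] "GET /index.html HTTP/1.0" 200 1532',
    '10.0.0.9 - - [19/Sep/2001:17:41:10 +0600] "GET /default.ida?XXXX HTTP/1.0" 410 0',
]

def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec

def is_worm_probe(target):
    """True when the (decoded) request target matches a probe signature."""
    return PROBE_RE.search(unquote(target)) is not None

def summarize(lines):
    """Count probe hits, bytes served to them, and the status codes returned."""
    hits, served, statuses = 0, 0, Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and is_worm_probe(rec["target"]):
            hits += 1
            served += rec["bytes"]
            statuses[rec["status"]] += 1
    return {"hits": hits, "bytes_served": served, "statuses": dict(statuses)}

def projected_bytes(hits_per_server, servers, error_doc_bytes):
    """Bytes an error document costs across a fleet (the post's 6100 x 15 x 908)."""
    return hits_per_server * servers * error_doc_bytes
```

Run `summarize(SAMPLE_LOG)` against a real access_log to see which probes still get a body served, and `projected_bytes(6100, 15, 908)` gives the post's 83MB figure.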