Re: [expert] layer 7 application layer filtering.

2002-11-07 Thread Jack Coates
On Thu, 2002-11-07 at 02:40, Franki wrote:
> Hi guys,
> 
> I am sick to death of my error_log for http being full of cmd.exe and
> root.exe stuff..
> 
> it makes it much harder to find useful stuff in the logs as a result.. (if
> you are not sure what you are looking for at the time.)
> 
> is there any linux app that can do the same as CheckPoint,
> i.e. filter out any requests on port 80 containing default.ida, default.idq,
> root.exe and cmd.exe???
> 
> it's a linux box, so it's not affected by any of that, but I am sick of the
> non stop scans...
> 
> my logs are always 90% full of this crap.
> 
> anyone got any ideas???
> 

http://www.monkeynoodle.org/lrp/deworming.html

-- 
Jack Coates
Monkeynoodle: A Scientific Venture...



Want to buy your Pack or Services from MandrakeSoft? 
Go to http://www.mandrakestore.com



Re: [expert] layer 7 application layer filtering.

2002-11-07 Thread Todd Lyons
Franki wrote on Thu, Nov 07, 2002 at 06:40:45PM +0800 :
> 
> I am sick to death of my error_log for http being full of cmd.exe and
> root.exe stuff..
> my logs are always 90% full of this crap.
> anyone got any ideas???

In your /etc/httpd/conf/commonhttpd.conf file, put this:


  redirect /MSADC http://www.microsoft.com
  redirect /c http://www.microsoft.com
  redirect /d http://www.microsoft.com
  redirect /_mem_bin http://www.microsoft.com
  redirect /msadc http://www.microsoft.com
  RedirectMatch (.*)\cmd.exe$ http://www.microsoft.com$1


Blue skies...   Todd
-- 
   MandrakeSoft USA   http://www.mandrakesoft.com
Mandrake: An amalgam of good ideas from RedHat, Debian, and MandrakeSoft.
All in all, IMHO, an unbeatable combination.   --Levi Ramsey on Cooker ML
   Cooker Version mandrake-release-9.1-0.1mdk Kernel 2.4.19-18mdkenterprise





Re: [expert] layer 7 application layer filtering.

2002-11-07 Thread Craig Woods
Todd Lyons wrote:
> 
> Franki wrote on Thu, Nov 07, 2002 at 06:40:45PM +0800 :
> >
> > I am sick to death of my error_log for http being full of cmd.exe and
> > root.exe stuff..
> > my logs are always 90% full of this crap.
> > anyone got any ideas???
> 
> In your /etc/httpd/conf/commonhttpd.conf file, put this:
> 
> 
>   redirect /MSADC http://www.microsoft.com
>   redirect /c http://www.microsoft.com
>   redirect /d http://www.microsoft.com
>   redirect /_mem_bin http://www.microsoft.com
>   redirect /msadc http://www.microsoft.com
>   RedirectMatch (.*)\cmd.exe$ http://www.microsoft.com$1
> 
> 
> Blue skies...   Todd
> --

Todd, 

Your cunning is only exceeded by your experience. I must say that I
simply love this fix...

Dr John
The Night Tripper





Re: [expert] layer 7 application layer filtering.

2002-11-07 Thread kwan
On Thu, 7 Nov 2002, Todd Lyons wrote:

> Franki wrote on Thu, Nov 07, 2002 at 06:40:45PM +0800 :
> > 
> > I am sick to death of my error_log for http being full of cmd.exe and
> > root.exe stuff..
> > my logs are always 90% full of this crap.
> > anyone got any ideas???
> 
> In your /etc/httpd/conf/commonhttpd.conf file, put this:
> 
> 
>   redirect /MSADC http://www.microsoft.com
>   redirect /c http://www.microsoft.com
>   redirect /d http://www.microsoft.com
>   redirect /_mem_bin http://www.microsoft.com
>   redirect /msadc http://www.microsoft.com
>   RedirectMatch (.*)\cmd.exe$ http://www.microsoft.com$1
> 
> 
:D

We had a similar thread on our local Linux group at:
http://www.flux.org/pipermail/linux/2001-September/005505.html






RE: [expert] layer 7 application layer filtering.

2002-11-07 Thread Franki
Thanks guys, 

I like the idea of redirecting them back to microsoft... 

rgds

Frank







RE: [expert] layer 7 application layer filtering.

2002-11-07 Thread Franki
yeah, Todd, they should make that part of the default mdk apache...

I found a few different ways to achieve this sort of thing by talking to
people, and reading the several posts from your guys...

Most do something like this... but in a way.. if Mandrake did this by
default, they might be a legal target because they would just have
facilitated a dos attack on M$

gotta remember to add some codered code to that... would this be right?


redirect /default.id* http://www.microsoft.com

rgds

Frank







Re: [expert] layer 7 application layer filtering.

2002-11-07 Thread Pierre Fortin
On Thu, 7 Nov 2002 11:46:19 -0800 Todd Lyons <[EMAIL PROTECTED]>
wrote:

> Franki wrote on Thu, Nov 07, 2002 at 06:40:45PM +0800 :
> > 
> > I am sick to death of my error_log for http being full of cmd.exe and
> > root.exe stuff..
> > my logs are always 90% full of this crap.
> > anyone got any ideas???
> 
> In your /etc/httpd/conf/commonhttpd.conf file, put this:
> 
> 
>   redirect /MSADC http://www.microsoft.com
>   redirect /c http://www.microsoft.com
>   redirect /d http://www.microsoft.com
>   redirect /_mem_bin http://www.microsoft.com
>   redirect /msadc http://www.microsoft.com
>   RedirectMatch (.*)\cmd.exe$ http://www.microsoft.com$1
> 

Todd,

From analyzing my logs, it appears that this could be greatly simplified:


  RedirectMatch (.*\.exe\?) http://www.microsoft.com$1


since all attempts contain ".exe?" -- and this would allow a site to
continue serving *.exe files without redirecting all those to M$...

Besides, shouldn't "\cmd.exe" really be "cmd\.exe"?  Also, correct me if
I'm wrong; but don't we want the *entire* path to be appended to the M$
URL...?  :>

Considering that my self-defense argument has been posted
(http://pfortin.com/Linux/MSVTS) for over a year, I think it's time I took
it another step closer to the ROOT CAUSE (M$Windows)...  :^)

Pierre



> Blue skies... Todd





Re: [expert] layer 7 application layer filtering.

2002-11-07 Thread Miark
It is a pain to Microshaft, but I favor the other strategy
of actually doing something that will slow down virus 
traffic: http://www.hackbusters.net/LaBrea/

But I agree, if you don't have a spare IP address, let M$.com
deal with it.

Miark



On Fri, 8 Nov 2002 05:22:06 +0800
"Franki" <[EMAIL PROTECTED]> wrote:

> Thanks guys, 
> 
> I like the idea of redirecting them back to microsoft... 
> 
> rgds
> 
> Frank
> 
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:todd@;mandrakesoft.com]On Behalf Of
> Todd Lyons
> Sent: Friday, 8 November 2002 3:46 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [expert] layer 7 application layer filtering.
> 
> 
> Franki wrote on Thu, Nov 07, 2002 at 06:40:45PM +0800 :
> > 
> > I am sick to death of my error_log for http being full of cmd.exe and
> > root.exe stuff..
> > my logs are always 90% full of this crap.
> > anyone got any ideas???
> 
> In your /etc/httpd/conf/commonhttpd.conf file, put this:
> 
> 
>   redirect /MSADC http://www.microsoft.com
>   redirect /c http://www.microsoft.com
>   redirect /d http://www.microsoft.com
>   redirect /_mem_bin http://www.microsoft.com
>   redirect /msadc http://www.microsoft.com
>   RedirectMatch (.*)\cmd.exe$ http://www.microsoft.com$1
> 
> 
> Blue skies... Todd
> -- 
>MandrakeSoft USA   http://www.mandrakesoft.com
> Mandrake: An amalgam of good ideas from RedHat, Debian, and MandrakeSoft.
> All in all, IMHO, an unbeatable combination.   --Levi Ramsey on Cooker ML
>Cooker Version mandrake-release-9.1-0.1mdk Kernel 2.4.19-18mdkenterprise
> 
> 
> 





Re: [expert] layer 7 application layer filtering.

2002-11-07 Thread David Guntner
Todd Lyons grabbed a keyboard and wrote:
>
> Franki wrote on Thu, Nov 07, 2002 at 06:40:45PM +0800 :
> > 
> > I am sick to death of my error_log for http being full of cmd.exe and
> > root.exe stuff.. my logs are always 90% full of this crap.
> > anyone got any ideas???
> 
> In your /etc/httpd/conf/commonhttpd.conf file, put this:
> 
> 
>   redirect /MSADC http://www.microsoft.com
>   redirect /c http://www.microsoft.com
>   redirect /d http://www.microsoft.com
>   redirect /_mem_bin http://www.microsoft.com
>   redirect /msadc http://www.microsoft.com
>   RedirectMatch (.*)\cmd.exe$ http://www.microsoft.com$1
> 

That's sneaky.  That's evil.  That's so apropos.  I like it, I've added 
it.  Thanks! :-)

To me, it only makes sense that since Microsoft's bad design and lazy 
security concerns are causing all this traffic due to the script kiddies 
looking for vulnerable machines to exploit, that they deal with that traffic 
themselves.

   --Dave
-- 
  David Guntner  GEnie: Just say NO!
 http://www.akaMail.com/pgpkey/davidg or key server
 for PGP Public key






Re: [expert] layer 7 application layer filtering.

2002-11-07 Thread David Guntner
Todd Lyons grabbed a keyboard and wrote:
> 
> In your /etc/httpd/conf/commonhttpd.conf file, put this:
> 
> 
>   redirect /MSADC http://www.microsoft.com
>   redirect /c http://www.microsoft.com
>   redirect /d http://www.microsoft.com
>   redirect /_mem_bin http://www.microsoft.com
>   redirect /msadc http://www.microsoft.com
>   RedirectMatch (.*)\cmd.exe$ http://www.microsoft.com$1
> 

Hey Todd,

I made a slight change to the RedirectMatch clause, so that the redirects 
now look like this:


  redirect /MSADC http://www.microsoft.com
  redirect /c http://www.microsoft.com
  redirect /d http://www.microsoft.com
  redirect /_mem_bin http://www.microsoft.com
  redirect /msadc http://www.microsoft.com
  RedirectMatch (.*)\(cmd|root).exe$ http://www.microsoft.com$1
  RedirectMatch ^.*\.(dll|ida).* http://www.microsoft.com$1


Do you see anything on those last two lines that look like it won't work, 
will confuse something at my end, etc.?  It looks to me like it should 
work, but a second set of eyes is always handy when doing something like 
this... :-)

Also, is there any reason to not change redirect line 4 to use 
/(_mem_bin|_vti_bin) instead of just /_mem_bin like it does now?  I.E., are 
there any *legitimate* direct calls to that directory, or is it only going 
to be called when an infected system is trying to find another system to 
infect?  (I presume the line would have to be changed from "redirect" to 
"RedirectMatch".)

 --Dave
-- 
  David Guntner  GEnie: Just say NO!
 http://www.akaMail.com/pgpkey/davidg or key server
 for PGP Public key






MSVTS [was: Re: [expert] layer 7 application layer filtering.]

2002-11-09 Thread Pierre Fortin
On Thu, 7 Nov 2002 11:46:19 -0800 Todd Lyons <[EMAIL PROTECTED]>
wrote:

> Franki wrote on Thu, Nov 07, 2002 at 06:40:45PM +0800 :
> > 
> > I am sick to death of my error_log for http being full of cmd.exe and
> > root.exe stuff..
> > my logs are always 90% full of this crap.
> > anyone got any ideas???
> 
> In your /etc/httpd/conf/commonhttpd.conf file, put this:
> 
> 
>   redirect /MSADC http://www.microsoft.com
>   redirect /c http://www.microsoft.com
>   redirect /d http://www.microsoft.com
>   redirect /_mem_bin http://www.microsoft.com
>   redirect /msadc http://www.microsoft.com
>   RedirectMatch (.*)\cmd.exe$ http://www.microsoft.com$1
> 
> 
> Blue skies... Todd

Hi Todd,

Thanks for the suggestion...  I've added the following to my web page at
http://new.pfortin.com/Linux/MSVTS/ -- any suggestions for improving the
message are welcome...  as stated at the bottom of most of my web pages,
the information is covered by the GnuFDL; so have at it...  :^)

I'm monitoring my logs and sniffing the http traffic to make sure this
works (still waiting -- I have a lot of DROP entries in my iptables)... if
not, I'll update the info.

Thanks,
Pierre



Update -- 11/08/2002

After some tips from the Mandrake Expert list, and some analysis of my
logs, I've made a change to my web server configuration:


  RedirectMatch (.*\.exe.*) http://www.microsoft.com$1


Simply put: this change redirects any URL request containing .exe to the
web site of the company that provides the platforms on which these viruses
and trojans thrive.

For over a year, I've referred to the Micro$oft Windows operating system
as a Virus Transport System on my pages. I also posted a warning that I
would act in self-defense against any attacks on my systems. As seen
below, I have implemented automated procedures which attempted to notify
the owners of the infected systems. Thousands of e-mails were injected
into infected systems (probably unread since Windows is not a multi-user
system and the owners are not setup to check for mail on their own
machines), and many more thousands were rejected by other infected
systems.

Now, rather than try to get the individual machine owners to fix their
infected hosts, I am now taking my battle to the root cause of these
attacks: Microsoft!

I do not, and will never serve .exe pages/files; so there is no valid
reason for such URLs to hit my servers. Any that do, can only be
considered attacks on my machines by Microsoft platforms (or Microsoft
Virus Transport System inspired platforms). Therefore, all future attempts
will be redirected to the platform provider. My servers are now configured
to redirect all attacks where the URL contains .exe to Microsoft, since my
servers are totally M$-free.

Now that Microsoft has changed its licensing to further ensure that their
software is considered more of a loan, it makes even more sense to
redirect attacks to the owner of the software platform.

If it became possible to identify the hardware platform during these
attacks, I would also redirect the attacks to the appropriate hardware
vendor.

It is interesting to note that a Google search for "microsoft virus
transport system" returns over 40,000 hits and the very first one contains
a pointer to one of my web sites. Searching for "micro$oft virus transport
system" yields over 700 hits; mine is first again. So my claims of
self-defense are no secret.





RE: MSVTS [was: Re: [expert] layer 7 application layer filtering.]

2002-11-10 Thread Franki
I have put this in mine...

much the same, but hopefully does more.


  RedirectMatch ^.*\.(exe|dll|ida|idq).* http://www.microsoft.com/root.exe



It works, if I go to my website in a browser and request any file that ends
in .exe, .ida, .idq, or .dll, it redirects immediately to the M$ site..

thats good enough for me..

obviously if I ever put an exe up for download, I'll have to be more
explicit, but for now, it works great...

I put root.exe on the end of the url, because I want it to show up in their
logs as something other than a page hit, and $1 was just adding exe to the
end..

ie it was redirecting to www.microsoft.comexe

which is not going to go anywhere...


any ideas on how to pass the exact string that was requested onto the end of
the M$ url???


rgds

Frank







Re: MSVTS [was: Re: [expert] layer 7 application layer filtering.]

2002-11-11 Thread Todd Lyons
Franki wrote on Sun, Nov 10, 2002 at 08:30:30PM +0800 :
> 
> 
>   RedirectMatch ^.*\.(exe|dll|ida|idq).* http://www.microsoft.com/root.exe
> 
> I put root.exe on the end of the url, because I want it to show up on their
> logs as something other then a page hit, and $1 was just adding exe to the
> end..
> ie it was redirecting to www.microsoft.comexe
> any ideas on how to pass the exact string that was requested onto the end of
> the M$ url???

What's getting you is called "regular expressions" aka regexp aka regex.
The value of $1 is whatever matches what is in the ().  You are
literally telling it to set $1 to exe or dll or ida or idq.  Try this:

RedirectMatch ^(.*\.(exe|dll|ida|idq).*)$ http://www.microsoft.com$1

The first ^ means beginning of line (or beginning of string in this
case).

The "http://" literally matches the string "http://".

The [^/]+ means 1 or more characters that are not a /.  This should
match the hostname portion (which we don't care about).

The next part is where the magic happens.  Everything that matches
inside parenthesis will be assigned to $1.  Let me go through the bits
one by one:

.*                 Match everything.  By definition, it will match
                   as much as it can and stop when the following rules
                   match.  Assuming "greedy" mode.  If you have to
                   ask, go buy the "Mastering Regular Expressions"
                   book by O'Reilly.

\.                 Match a literal ".".  Have to escape it because
                   the . is also a wildcard that matches any char.

(exe|dll|ida|idq)  Match any of those 4 letter sequences.  This and
                   the previous rule match any ".exe" or ".dll" (etc)
                   sequence within the URL.  The initial ".*" matches
                   all characters before that starting with the first
                   "/" character (since the http://[^/]+ matched
                   everything up to but not including the leading /).

.*                 Anything else is matched, such as ?user=500.

$                  End of line (or end of string in this case).

Let me know how this works.  It is completely untested and it may just
break your apache logging.  Test it first.

Blue skies...   Todd
-- 
Never take no as an answer from someone who's not authorized to say yes.
--Ben Reser on Cooker ML
   Cooker Version mandrake-release-9.1-0.1mdk Kernel 2.4.19-18mdkenterprise
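Added example, not part of the thread and not anyone's posted config: a small
Python script that uses the re module as a stand-in for Apache's regex engine
to check the RedirectMatch variants discussed in this thread against
constructed request paths, to show what $1 ends up holding (Frank's
"www.microsoft.comexe" problem), and to filter the same worm noise out of a
log, which was the original complaint.  It assumes that mod_alias matches a
RedirectMatch pattern against the URL path only (no scheme or host, and the
"?/c+dir" query part is not in the matched string), which is why the
corrected rule is anchored on the path rather than on "http://host".  The
sample paths and log lines are made up for the example, and the /downloads/
exception is a hypothetical directory.

```python
import re

# Added example, not from the thread. Python's re stands in for Apache's
# regex engine. Assumption: mod_alias matches RedirectMatch against the URL
# path only, so the query part is stripped before matching and the string
# never starts with "http://".

# Constructed request paths in the shape of Nimda / Code Red probes, plus
# ordinary requests that must not be redirected. Not real log data.
PROBES = [
    "/scripts/root.exe?/c+dir",
    "/MSADC/root.exe?/c+dir",
    "/c/winnt/system32/cmd.exe?/c+dir",
    "/_vti_bin/../winnt/system32/cmd.exe?/c+dir",
    "/msadc/msadcs.dll",
    "/default.ida?NNNNNNNN",
    "/default.idq?NNNN",
]
LEGIT = [
    "/index.html",
    "/docs/cmdline.html",
    "/ida-notes.txt",
    "/downloads/setup.exe",  # a site that really does serve an .exe
]

# RedirectMatch variants as (pattern, target) pairs.
# What Frank tried: the only group is the extension, so $1 is just "exe".
FRANK = [(r"^.*\.(exe|dll|ida|idq).*", "http://www.microsoft.com$1")]
# The "http://host" form: {...} is not alternation (it is taken literally),
# and a URL path never starts with "http://", so this rule never fires.
AS_POSTED = [(r"^http://[^/]+(.*\.{exe|dll|ida|idq}.*)$",
              "http://www.microsoft.com/root.exe")]
# Corrected: an outer group captures the whole path into $1.
FIXED = [(r"^(.*\.(exe|dll|ida|idq))$", "http://www.microsoft.com$1")]
# Same, with a hypothetical /downloads/ tree excepted by a negative
# lookahead (PCRE syntax; assumes an Apache 2.x built against PCRE).
FIXED_ALLOW = [(r"^(?!/downloads/)(.*\.(exe|dll|ida|idq))$",
                "http://www.microsoft.com$1")]


def compiles(pattern):
    """True if Python's re accepts the pattern. Two regexes posted earlier in
    the thread are rejected: backslash-c is not a valid escape, and
    backslash-( opens a literal parenthesis, leaving the ")" unbalanced."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False


def redirect_target(request, rules):
    """Return the redirect URL produced by the first rule whose pattern
    matches the request's path, or None. "$1" in the target is replaced by
    group 1, as Apache does."""
    path = request.split("?", 1)[0]
    for pattern, target in rules:
        m = re.search(pattern, path)
        if m:
            group1 = m.group(1) if m.re.groups else ""
            return target.replace("$1", group1 or "")
    return None


# Constructed access_log lines (common log format); not real data.
LOG = [
    '10.0.0.1 - - [07/Nov/2002:02:40:00 +0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 287',
    '10.0.0.2 - - [07/Nov/2002:02:41:00 +0800] "GET /index.html HTTP/1.1" 200 1043',
    '10.0.0.3 - - [07/Nov/2002:02:42:00 +0800] "GET /default.ida?NNNN HTTP/1.0" 404 287',
    '10.0.0.4 - - [07/Nov/2002:02:43:00 +0800] "GET /downloads/setup.exe HTTP/1.1" 200 88123',
    '10.0.0.5 - - [07/Nov/2002:02:44:00 +0800] "GET /_vti_bin/../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 287',
]

# Worm-probe signature: the paths the thread's Redirect lines target, with
# the dots escaped so "." means a dot and not "any character".
WORM_RE = re.compile(r"(cmd|root)\.exe|default\.id[aq]|/msadc/|/_(vti|mem)_bin/", re.I)


def filter_log(lines):
    """Keep only the log lines that are not worm probes."""
    return [ln for ln in lines if not WORM_RE.search(ln)]


if __name__ == "__main__":
    for name, rules in [("frank", FRANK), ("as_posted", AS_POSTED),
                        ("fixed", FIXED), ("fixed_allow", FIXED_ALLOW)]:
        print(f"== {name}")
        for req in PROBES + LEGIT:
            print(f"  {req:45} -> {redirect_target(req, rules)}")
    for pat in (r"(.*)\cmd.exe$", r"(.*)\(cmd|root).exe$", r"(.*)cmd\.exe$"):
        print(f"compiles({pat!r}) = {compiles(pat)}")
    print("\n".join(filter_log(LOG)))
```

Two practical notes.  First, the redirect changes what the log says (a 302
instead of a 404) but not how much it says: the worms sending these probes do
not follow redirects, so every probe is still one line in your logs.  If the
goal is readable logs, the same WORM_RE pattern can be used on the Apache
side as `SetEnvIf Request_URI "(cmd|root)\.exe|default\.id[aq]" worm`
together with `CustomLog logs/access_log combined env=!worm`, which keeps
the probes out of access_log (error_log has no such switch).  Second, keep
the dots escaped: `cmd.exe` as a regex also matches `cmdXexe`, which is
harmless here, but `\cmd` is not "a literal backslash then cmd" in every
regex engine, as the compiles() check above shows for Python.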


