RE: lug-bg: ..cmd.exe problemi
- Subject: RE: lug-bg: ..cmd.exe problemi
- From: bkrosnov@xxxxxxxx (Boyan Krosnov)
- Date: Thu, 20 Sep 2001 13:00:24 +0300
twa sa dwata naj-dobri maila po temata koito uspqh da namerq
> -----Original Message-----
> From: Georgi Chorbadzhiyski [mailto:gf@xxxxxx]
> Sent: Thursday, September 20, 2001 12:26 PM
> To: lug-bg@xxxxxxxxxxxxxxxxxx
> Subject: Re: lug-bg: ..cmd.exe problemi
>
>
> <LocationMatch "*cmd.exe*">
> order deny, allow
> deny from all
> </LocationMatch>
>
> Samo che pak ste go logva i osven tova, ne hvashta neshta ot sorta na
> http://boza/shit?..%c0%af../cmd.exe?/c+dir
>
> mod_rewrite shte ti svarshi rabota
>
> sega se seshtam mnogo grozen nachin da ne vliza v logovete requesta,
> obache e _mnogo grozen_ i _mnogo insecure_ (wseki request
> koito wklichva
> cmd.exe niama da byde lognat - hello brute forcing :)
>
> AccessLog "|/usr/bin/grep -v cmd.exe > /var/log/access.log"
> ErrorLog "|/usr/bin/grep -v cmd.exe > /var/log/error.log"
>
> Mozhe i da ne sraboti :)
>
> Vasko Tomanov wrote:
> > niakoi ima li ideia kak da si pasthna apacha da ignorira
> napalno zaiavki
> > ot vida na ..........cmd.exe
> ==============================================================
> =============
> A mail-list of Linux Users Group - Bulgaria (bulgarian linuxers)
> http://www.linux-bulgaria.org/ Hosted by Internet Group Ltd.
> - Stara Zagora
>
<STRONG>attached mail follows:</STRONG><HR><P><P>
Here is what I did and it might be useful to others
RewriteCond %{THE_REQUEST} /scripts/
RewriteRule ^.*$ - [G,L]
RewriteCond %{THE_REQUEST} default.ida
RewriteRule ^.*$ - [G,L]
RewriteCond %{THE_REQUEST} cmd.exe
RewriteRule ^.*$ - [G,L]
RewriteCond %{THE_REQUEST} root.exe
RewriteRule ^.*$ - [G,L]
Yes im sure there is a cleaner way..
and then
ErrorDocument 410 "
So what this does is, all the Nimda stuff goes 410 and 410 has zero
bytes.
My web stats see all the Nimda stuff as errors
Nimda sees every request as failed and doesn't attempt further stuff
with each request as it does with the previous mentioned AliasMatch
method.
Im no expert but this seems to work well..
I sure don't use the 410 (Gone permentlly) default message anywhere, ive
never even seen it ever while on the net.
------------------------------------------------------------------------
----
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
<STRONG>attached mail follows:</STRONG><HR><P><P>
AliasMatch ^/scripts(.*) "/www/bogus/index.html"
AliasMatch ^/.*(ida|htr|idc|htw) "/www/bogus/index.html"
Replace the second argument with the path to a zero-length index file
(e.g.
touch /www/bogus/index.html).
Just give you an idea of the savings:
With the "mitigation" configuration:
172.16.89.153 - - [19/Sep/2001:17:36:17 +0600] "GET
/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.1" 200 0
So, it transfers 0 bytes
Now without the "mitigation" config:
172.16.89.153 - - [19/Sep/2001:17:38:06 +0600] "GET
/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.1" 404 321
It transfers 321 bytes.
The above was tested with the standard Apache "404" error.
Now, on 15 production apache servers there are 6100 entries on the
average
per server, 91500 entries. With a 908 byte custom error document on our
production servers, that's 83MB. of data. This starting sample date is
Sunday. Note that this with 1 ip address per server. The usage should
increase linearly as you add virtual IPs. Now, I am not taking into
account the additional packet overhead which in accounting terms is a
fixed
cost and would likewise apply to the "mitigation" configuration.
John Coke
PGP fingerprint: A8D1 4CBD 88CF 1B37 8008 2F79 3081 2108 8F45 E846
PGP key ID 0x8F45E846 (pgp.mit.edu)
> -----Original Message-----
> From: George Milliken [mailto:gmilliken@xxxxxxxxx]
> Sent: Wednesday, September 19, 2001 8:59 AM
> To: Incidents@xxxxxxxxxxxxxxxxx
> Subject: RE: Anyone????? FW: Concept Virus(CV) V.5 - Quick analysis
> update
>
>
> Maybe something like a rewrite rule
>
> RewriteEngine On
> RewriteRule ^.*/cmd.exe.* [FL]
> RewriteRule ^.*/root.exe.* [FL]
>
> This will send "forbidden" to systems trying those URLs and will stop
> rewrite processing.
>
>
------------------------------------------------------------------------
----
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
===========================================================================
A mail-list of Linux Users Group - Bulgaria (bulgarian linuxers)
http://www.linux-bulgaria.org/ Hosted by Internet Group Ltd. - Stara Zagora
|