On Tue, 10 Aug 2004 13:13:17 -0500
James Kaufman <jmk at kaufman.eden-prairie.mn.us> wrote:

> On Tue, Aug 10, 2004 at 12:43:32PM -0500, Josh Trutwin wrote:
> > Found this little nugget searching for an Apache rewrite rule to
> > stop these annoying 8000 character line log entries for idiots
> > trying to exploit an IIS vulnerability and thought I'd share:
> >
> > <IfModule mod_rewrite.c>
> > RedirectMatch permanent (.*)cmd.exe(.*)$ http://www.microsoft.com
> > RedirectMatch permanent (.*)root.exe(.*)$ http://www.microsoft.com
> > RedirectMatch permanent (.*)\/_vti_bin\/(.*)$ http://www.microsoft.com
> > RedirectMatch permanent (.*)\/scripts\/\.\.(.*)$ http://www.microsoft.com
> > RedirectMatch permanent (.*)\/_mem_bin\/(.*)$ http://www.microsoft.com
> > RedirectMatch permanent (.*)\/msadc\/(.*)$ http://www.microsoft.com
> > RedirectMatch permanent (.*)\/MSADC\/(.*)$ http://www.microsoft.com
> > RedirectMatch permanent (.*)\/c\/winnt\/(.*)$ http://www.microsoft.com
> > RedirectMatch permanent (.*)\/d\/winnt\/(.*)$ http://www.microsoft.com
> > RedirectMatch permanent (.*)\/x90\/(.*)$ http://www.microsoft.com
> > </IfModule>
> >
> > Josh
> >
>
> Thanks. Looks useful.

I'm actually having some trouble trying to test this on some rules.
I changed it to:

RedirectMatch permanent .*cmd.exe.*$ http://www.microsoft.com/
RedirectMatch permanent .*root.exe.*$ http://www.microsoft.com/
RedirectMatch permanent .*shell.exe.*$ http://www.microsoft.com/
RedirectMatch permanent .*default.ida.*$ http://www.microsoft.com/
RedirectMatch permanent .*/_vti_bin/.*$ http://www.microsoft.com/
RedirectMatch permanent .*/scripts/...*$ http://www.microsoft.com/
RedirectMatch permanent .*/_mem_bin/.*$ http://www.microsoft.com/
RedirectMatch permanent .*/_vti_.*$ http://www.microsoft.com/
RedirectMatch permanent .*/msadc/.*$ http://www.microsoft.com/
RedirectMatch permanent .*/MSADC/.*$ http://www.microsoft.com/
RedirectMatch permanent .*/msadcs.dll.*$ http://www.microsoft.com/
RedirectMatch permanent .*nsiislog.dll.*$ http://www.microsoft.com/
RedirectMatch permanent .*/c/winnt/.*$ http://www.microsoft.com/
RedirectMatch permanent .*/d/winnt/.*$ http://www.microsoft.com/
RedirectMatch permanent .*/x90/.*$ http://www.microsoft.com/

and when I call http://trutwins.homeip.net/default.ida I get
redirected to ms.com, but not when I call
http://trutwins.homeip.net/cmd.exe

Odd.

Josh

_______________________________________________
TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
Help beta test TCLUG's potential new home: http://plone.mn-linux.org
Got pictures for TCLUG? Beta test http://plone.mn-linux.org/gallery
tclug-list at mn-linux.org
https://mailman.real-time.com/mailman/listinfo/tclug-list
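
An added example, not part of the original message: a Python check of the revised patterns as plain regular expressions against constructed request paths, assuming unanchored matching on the URL path as RedirectMatch performs. It shows that /cmd.exe and /default.ida both match their patterns, and that the unescaped dots also match unrelated paths; `literal_match` is a hypothetical stricter comparison introduced here.

```python
import re

# Patterns copied from the revised rule list in the message above.
RULES = [
    r".*cmd.exe.*$", r".*root.exe.*$", r".*shell.exe.*$", r".*default.ida.*$",
    r".*/_vti_bin/.*$", r".*/scripts/...*$", r".*/_mem_bin/.*$", r".*/_vti_.*$",
    r".*/msadc/.*$", r".*/MSADC/.*$", r".*/msadcs.dll.*$", r".*nsiislog.dll.*$",
    r".*/c/winnt/.*$", r".*/d/winnt/.*$", r".*/x90/.*$",
]

def first_match(path, rules=RULES):
    """Return the first rule whose regex matches the URL path, else None."""
    for rule in rules:
        if re.search(rule, path):
            return rule
    return None

def literal(rule):
    """Strip the leading '.*' and trailing '.*$', which add nothing to an
    unanchored match, leaving the text the rule is meant to find."""
    return rule[2:-3]

def literal_match(path, rules=RULES):
    """Hypothetical stricter check: treat each rule's core as literal text,
    so '.' only matches a real dot."""
    for rule in rules:
        if literal(rule) in path:
            return rule
    return None

# Constructed sample paths (not taken from any real log).
SAMPLES = [
    "/cmd.exe",
    "/default.ida",
    "/scripts/..%255c../winnt/system32/cmd.exe",
    "/docs/cmdlexe.html",   # benign: '.' in the regex matches the 'l'
    "/scripts/app.js",      # benign: '...*' matches any two characters
    "/index.html",
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(f"{p:45} regex={first_match(p)!s:20} literal={literal_match(p)}")
```

A path that matches here but is not redirected by the server is being decided by something other than the pattern text.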