On Fri, 13 Aug 2004 09:16:02 -0500 Chad Walstrom <chewie at wookimus.net> wrote: > Cute PHP script. You know, this isn't exactly OT. ;-) Anyway, > since putting in log filtering, I've only seen 10 attempts on our > machine. :-/ Not really exciting. ;-) I'm waiting for another x90, seems more common in the evening hours. If that one gets caught too then I'm gonna move this onto a couple other boxes. I'm sure none of these "LUS3R5" will ever see the results of that script, but it's kinda funny anyway. From this exercise I currently am testing the following set of rules (apologies for any line breaks): SetEnvIf Request_URI "(.*)command.com(.*)$" exploit=1 nolog SetEnvIf Request_URI "(.*)COMMAND.COM(.*)$" exploit=1 nolog SetEnvIf Request_URI "(.*)command.exe(.*)$" exploit=1 nolog SetEnvIf Request_URI "(.*)COMMAND.EXE(.*)$" exploit=1 nolog SetEnvIf Request_URI "(.*)default.ida(.*)$" exploit=1 nolog SetEnvIf Request_URI "(.*)DEFAULT.IDA(.*)$" exploit=1 nolog SetEnvIf Request_URI "(.*)cmd.exe(.*)$" exploit=1 nolog SetEnvIf Request_URI "(.*)CMD.EXE(.*)$" exploit=1 nolog SetEnvIf Request_URI "(.*)root.exe(.*)$" exploit=1 nolog SetEnvIf Request_URI "(.*)ROOT.EXE(.*)$" exploit=1 nolog SetEnvIf Request_URI "(.*)shell.exe(.*)$" exploit=1 nolog SetEnvIf Request_URI "(.*)SHELL.EXE(.*)$" exploit=1 nolog SetEnvIf Request_URI "(.*)[\\|\/]_vti_bin[\\|\/](.*)$" exploit=1 nolog SetEnvIf Request_URI "(.*)[\\|\/]_VTI_BIN[\\|\/](.*)$" exploit=1 nolog SetEnvIf Request_URI "(.*)[\\|\/]winnt[\\|\/](.*)$" exploit=1 nolog SetEnvIf Request_URI "(.*)[\\|\/]WINNT[\\|\/](.*)$" exploit=1 nolog SetEnvIf Request_URI "(.*)[\\|\/]scripts[\\|\/]\.\.(.*)$ " exploit=1 nolog SetEnvIf Request_URI "(.*)[\\|\/]SCRIPTS[\\|\/]\.\.(.*)$" exploit=1 nolog SetEnvIf Request_URI "(.*)[\\|\/]_mem_bin[\\|\/](.*)$" exploit=1 nolog SetEnvIf Request_URI "(.*)[\\|\/]_MEM_BIN[\\|\/](.*)$" exploit=1 nolog SetEnvIf Request_URI "(.*)[\\|\/]msadc[\\|\/](.*)$" exploit=1 nolog SetEnvIf Request_URI "(.*)[\\|\/]MSADC[\\|\/](.*)$" exploit=1 nolog SetEnvIf Request_URI "(.*)[\\|\/]x90[\\|\/](.*)$" exploit=1 nolog SetEnvIf Request_URI "(.*)[\\|\/]X90[\\|\/](.*)$" exploit=1 nolog SetEnvIf Request_URI "(.*).dll(.*)$" exploit=1 nolog SetEnvIf Request_URI "(.*).DLL(.*)$" exploit=1 nolog SetEnvIf Request_URI "(.*)system32(.*)$" exploit=1 nolog SetEnvIf Request_URI "(.*)SYSTEM32(.*)$" exploit=1 nolog RedirectMatch permanent (.*)command.com(.*)$ "http://trutwins.homeip.net/goaway.php?cmd=command.com" RedirectMatch permanent (.*)COMMAND.COM(.*)$ "http://trutwins.homeip.net/goaway.php?cmd=command.com" RedirectMatch permanent (.*)command.exe(.*)$ "http://trutwins.homeip.net/goaway.php?cmd=command.exe" RedirectMatch permanent (.*)COMMAND.EXE(.*)$ "http://trutwins.homeip.net/goaway.php?cmd=command.exe" RedirectMatch permanent (.*)default.ida(.*)$ "http://trutwins.homeip.net/goaway.php?cmd=default.ida" RedirectMatch permanent (.*)DEFAULT.IDA(.*)$ "http://trutwins.homeip.net/goaway.php?cmd=default.ida" RedirectMatch permanent (.*)cmd.exe(.*)$ "http://trutwins.homeip.net/goaway.php?cmd=cmd.exe" RedirectMatch permanent (.*)CMD.EXE(.*)$ "http://trutwins.homeip.net/goaway.php?cmd=cmd.exe" RedirectMatch permanent (.*)root.exe(.*)$ "http://trutwins.homeip.net/goaway.php?cmd=root.exe" RedirectMatch permanent (.*)ROOT.EXE(.*)$ "http://trutwins.homeip.net/goaway.php?cmd=root.exe" RedirectMatch permanent (.*)shell.exe(.*)$ "http://trutwins.homeip.net/goaway.php?cmd=shell.exe" RedirectMatch permanent (.*)SHELL.EXE(.*)$ "http://trutwins.homeip.net/goaway.php?cmd=shell.exe" RedirectMatch permanent (.*)[\\|\/]_vti_bin[\\|\/](.*)$ "http://trutwins.homeip.net/goaway.php?cmd=vtibin" RedirectMatch permanent (.*)[\\|\/]_VTI_BIN[\\|\/](.*)$ "http://trutwins.homeip.net/goaway.php?cmd=vtibin" RedirectMatch permanent (.*)[\\|\/]winnt[\\|\/](.*)$ "http://trutwins.homeip.net/goaway.php?cmd=winnt" RedirectMatch permanent (.*)[\\|\/]WINNT[\\|\/](.*)$ "http://trutwins.homeip.net/goaway.php?cmd=winnt" RedirectMatch permanent (.*)[\\|\/]scripts[\\|\/]\.\.(.*)$ "http://trutwins.homeip.net/goaway.php?cmd=scripts" RedirectMatch permanent (.*)[\\|\/]SCRIPTS[\\|\/]\.\.(.*)$ "http://trutwins.homeip.net/goaway.php?cmd=scripts" RedirectMatch permanent (.*)[\\|\/]_mem_bin[\\|\/](.*)$ "http://trutwins.homeip.net/goaway.php?cmd=membin" RedirectMatch permanent (.*)[\\|\/]_MEM_BIN[\\|\/](.*)$ "http://trutwins.homeip.net/goaway.php?cmd=membin" RedirectMatch permanent (.*)[\\|\/]msadc[\\|\/](.*)$ "http://trutwins.homeip.net/goaway.php?cmd=msadc" RedirectMatch permanent (.*)[\\|\/]MSADC[\\|\/](.*)$ "http://trutwins.homeip.net/goaway.php?cmd=msadc" RedirectMatch permanent (.*)[\\|\/]x90[\\|\/](.*)$ "http://trutwins.homeip.net/goaway.php?cmd=webdav+attack" RedirectMatch permanent (.*)[\\|\/]X90[\\|\/](.*)$ "http://trutwins.homeip.net/goaway.php?cmd=webdav+attack" RedirectMatch permanent (.*).dll(.*)$ "http://trutwins.homeip.net/goaway.php?cmd=some+dll" RedirectMatch permanent (.*).DLL(.*)$ "http://trutwins.homeip.net/goaway.php?cmd=some+dll" RedirectMatch permanent (.*)system32(.*)$ "http://trutwins.homeip.net/goaway.php?cmd=some+system32" RedirectMatch permanent (.*)SYSTEM32(.*)$ "http://trutwins.homeip.net/goaway.php?cmd=some+system32" SetEnvIf Remote_Addr ^(127\.0\.0\.1|192\.168\.0\.) localreq nolog CustomLog /var/log/apache/trutwins.homeip.net/access_log combined env=!nolog CustomLog /var/log/apache/trutwins.homeip.net/attack_log combined env=exploit CustomLog /var/log/apache/trutwins.homeip.net/local_access_log combined env=localreq Josh _______________________________________________ TCLUG Mailing List - Minneapolis/St. Paul, Minnesota Help beta test TCLUG's potential new home: http://plone.mn-linux.org Got pictures for TCLUG? Beta test http://plone.mn-linux.org/gallery tclug-list at mn-linux.org https://mailman.real-time.com/mailman/listinfo/tclug-list