Apache: Deflecting Hackerz

TommyWillB

I guess I was not really surprised to see a ton of requests in my Apache logs that appear to be attempts at WinDoze IIS exploits:
Code:
/c/winnt/system32/cmd.exe
/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
	
/scripts/..%../winnt/system32/cmd.exe
/scripts/..%2f../winnt/system32/cmd.exe
/scripts/..%5c%5c../winnt/system32/cmd.exe
/scripts/..%5c../winnt/system32/cmd.exe
/scripts/..¡¿../winnt/system32/cmd.exe
/scripts/..¡ú../winnt/system32/cmd.exe
/scripts/..¿Ø../winnt/system32/cmd.exe
I know these probably will not do any harm, but I nonetheless managed (as a learning exercise) to get Apache to redirect all of them except the first two. Here is what I did:
Code:
RedirectMatch permanent (.*)cmd.exe$ http://www.nohackerz.com/
RedirectMatch permanent (.*)root.exe$ http://www.nohackerz.com/
RedirectMatch permanent /scripts(.*) http://www.nohackerz.com/
There seems to be something very odd that confuses Apache when the URL contains either "..%.." or "..%2f..".

What is the trick to redirect these?
 
Actually it turned out that stupid Internet Explorer was caching the pre-redirect page.

(Yes I tried Shift + Reload and have the cache setting to reload "Always"...)

Grrrrrrr, I hate IE sometimes!!!



Thanks gatorparrots, but the goal is for this to become a public web site after a little while, so using something other than port 80 would not work...
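
An added example, not part of the original thread: a log scanner for the kind of probe paths listed in the first post. It percent-decodes each request path repeatedly (which goes beyond the listed paths to cover double-encoded forms such as `%255c`), leaves malformed escapes like `..%..` as they are, and flags requests for `cmd.exe` or `root.exe`. The log lines, IP addresses and the function names `normalize`, `classify` and `scan` are constructed for illustration.

```python
import re
from urllib.parse import unquote

TARGETS = ("cmd.exe", "root.exe")  # executables named in the thread's rules
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

# Constructed sample lines in Common Log Format (documentation IP ranges).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2002:10:00:00 +0000] "GET /scripts/..%5c../winnt/system32/cmd.exe HTTP/1.0" 404 210',
    '192.0.2.10 - - [01/Jan/2002:10:00:01 +0000] "GET /scripts/..%2f../winnt/system32/cmd.exe HTTP/1.0" 404 210',
    '192.0.2.10 - - [01/Jan/2002:10:00:02 +0000] "GET /c/winnt/system32/cmd.exe HTTP/1.0" 404 210',
    '198.51.100.7 - - [01/Jan/2002:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 1043',
]

def normalize(path, max_rounds=3):
    """Decode %XX repeatedly (so %255c is seen as a backslash), leave
    malformed escapes such as '%..' untouched, and fold '\\' into '/'."""
    for _ in range(max_rounds):
        decoded = unquote(path, encoding="latin-1")
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/").lower()

def classify(url):
    """Return 'traversal-probe', 'exe-probe' or None for a request URL."""
    clean = normalize(url.split("?", 1)[0])  # ignore the query string
    if clean.rsplit("/", 1)[-1] not in TARGETS:
        return None
    return "traversal-probe" if ".." in clean else "exe-probe"

def scan(lines):
    """Return (client_ip, label, url) for each log line that is a probe."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        label = classify(match.group(1)) if match else None
        if label:
            hits.append((line.split()[0], label, match.group(1)))
    return hits

if __name__ == "__main__":
    for ip, label, url in scan(SAMPLE_LOG):
        print(f"{ip}\t{label}\t{url}")
```

Matching on the decoded path rather than on one literal spelling means a single check covers the `%5c`, `%2f` and `%5c%5c` variants alike.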
 