On Tue, 10 Aug 2004 23:22:47 -0500
Tom Marble <tmarble at info9.net> wrote:

>     # redirect M$ IIS probes
>     RedirectMatch permanent ^/default.ida http://www.microsoft.com/
>     RedirectMatch permanent ^/_vti_bin    http://www.microsoft.com/
>     RedirectMatch permanent ^/_mem_bin    http://www.microsoft.com/
>     RedirectMatch permanent ^/scripts     http://www.microsoft.com/
>     RedirectMatch permanent ^/msadc       http://www.microsoft.com/
>     RedirectMatch permanent ^/MSADC       http://www.microsoft.com/
>     RedirectMatch permanent ^/\x90        http://www.microsoft.com/
>     # send them to bill
>     # RedirectMatch permanent \.exe       http://www.microsoft.com/
>     # send their message to bill
>     RedirectMatch permanent (.*\.exe.*)   http://www.microsoft.com$1

I wound up using this set of rules:

RedirectMatch (.*)cmd\.exe(.*)$    http://support.microsoft.com
RedirectMatch (.*)root\.exe(.*)$   http://support.microsoft.com
RedirectMatch (.*)shell\.exe(.*)$  http://support.microsoft.com
RedirectMatch (.*)\.dll(.*)$       http://support.microsoft.com
RedirectMatch (.*)default\.ida(.*) http://support.microsoft.com
RedirectMatch (.*)system32(.*)$    http://support.microsoft.com
RedirectMatch (.*)_vti_(.*)$       http://support.microsoft.com
RedirectMatch (.*)msadc(.*)$       http://support.microsoft.com
RedirectMatch (.*)MSADC(.*)$       http://support.microsoft.com
RedirectMatch (.*)winnt(.*)$       http://support.microsoft.com
RedirectMatch (.*)_mem_bin(.*)$    http://support.microsoft.com
RedirectMatch (.*)/scripts(.*)$    http://support.microsoft.com
RedirectMatch (.*)\/x90\/(.*)$     http://support.microsoft.com

I'm still getting those damn x90's, though, so that rule probably isn't quite right; going to try yours.  Any time one of those comes in, one of my httpd processes thrashes for about 2 minutes.

> So all this really accomplishes is it gives them a 301 instead of a
> 302... You still get cruft in your logs.

To de-cruft your logs do something like this:

SetEnvIf Request_URI "/default\.ida" exploit
SetEnvIf Request_URI "/c/winnt" exploit

etc. for each of the above rules, then to stop the log entries use:

CustomLog /var/log/apache/access_log combined env=!exploit

If you want to save the exploit attempts to a separate log you can use:

CustomLog /var/log/apache/attack_log combined env=exploit

Josh


_______________________________________________
TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
Help beta test TCLUG's potential new home: http://plone.mn-linux.org
Got pictures for TCLUG? Beta test http://plone.mn-linux.org/gallery
tclug-list at mn-linux.org
https://mailman.real-time.com/mailman/listinfo/tclug-list