[TCLUG] [OT] Apache rewrite for MS BS

Fri Aug 13 08:31:05 CDT 2004

The answer!

Visit http://216.239.59.104/search?q=cache:rwdycvp0zwoJ:www.geocities.com/tomhudson411/log_breakin_attempts/+&hl=en

(the site was second-hand slashdotted today)

This is his mod_rewrite.conf:
# author: tom hudson
# email:  tomhudson411 at yahoo.com
# my rewrite rules to kill off probes
# original idea from tenor at macosxhints forum
# replace "REPLACE_YOUR_SERVERS_IP" with either your server's
# ip, or if you don't have a (semi)static ip,
# a dns alias from one of the free dns services
# (no-ip.com, afraid,org, dyndns.org)

	RewriteEngine on
	RedirectMatch permanent (.*)command.com(.*)$
"http://REPLACE_WITH_YOUR_SERVERS_IP/goaway.php?cmd=command.com"
	RedirectMatch permanent (.*)COMMAND.COM(.*)$
"http://REPLACE_WITH_YOUR_SERVERS_IP/goaway.php?cmd=command.com"
	RedirectMatch permanent (.*)command.exe(.*)$
"http://REPLACE_WITH_YOUR_SERVERS_IP/goaway.php?cmd=command.exe"
	RedirectMatch permanent (.*)COMMAND.EXE(.*)$
"http://REPLACE_WITH_YOUR_SERVERS_IP/goaway.php?cmd=command.exe"
	RedirectMatch permanent (.*)cmd.exe(.*)$
"http://REPLACE_WITH_YOUR_SERVERS_IP/goaway.php?cmd=cmd.exe"
	RedirectMatch permanent (.*)CMD.EXE(.*)$
"http://REPLACE_WITH_YOUR_SERVERS_IP/goaway.php?cmd=cmd.exe"
	RedirectMatch permanent (.*)root.exe(.*)$
"http://REPLACE_WITH_YOUR_SERVERS_IP/goaway.php?cmd=root.exe"
	RedirectMatch permanent (.*)ROOT.EXE(.*)$
"http://REPLACE_WITH_YOUR_SERVERS_IP/goaway.php?cmd=root.exe"
	RedirectMatch permanent (.*)[\\|\/]_vti_bin[\\|\/](.*)$
"http://REPLACE_WITH_YOUR_SERVERS_IP/goaway.php?cmd=vtibin"
	RedirectMatch permanent (.*)[\\|\/]_VTI_BIN[\\|\/](.*)$
"http://REPLACE_WITH_YOUR_SERVERS_IP/goaway.php?cmd=vtibin"
	RedirectMatch permanent (.*)[\\|\/]winnt[\\|\/](.*)$
"http://REPLACE_WITH_YOUR_SERVERS_IP/goaway.php?cmd=winnt"
	RedirectMatch permanent (.*)[\\|\/]WINNT[\\|\/](.*)$
"http://REPLACE_WITH_YOUR_SERVERS_IP/goaway.php?cmd=winnt"
	RedirectMatch permanent (.*)[\\|\/]scripts[\\|\/]\.\.(.*)$
"http://REPLACE_WITH_YOUR_SERVERS_IP/goaway.php?cmd=scripts"
	RedirectMatch permanent (.*)[\\|\/]SCRIPTS[\\|\/]\.\.(.*)$
"http://REPLACE_WITH_YOUR_SERVERS_IP/goaway.php?cmd=scripts"
	RedirectMatch permanent (.*)[\\|\/]_mem_bin[\\|\/](.*)$
"http://REPLACE_WITH_YOUR_SERVERS_IP/goaway.php?cmd=membin"
	RedirectMatch permanent (.*)[\\|\/]_MEM_BIN[\\|\/](.*)$
"http://REPLACE_WITH_YOUR_SERVERS_IP/goaway.php?cmd=membin"
	RedirectMatch permanent (.*)[\\|\/]msadc[\\|\/](.*)$
"http://REPLACE_WITH_YOUR_SERVERS_IP/goaway.php?cmd=msadc"
	RedirectMatch permanent (.*)[\\|\/]MSADC[\\|\/](.*)$
"http://REPLACE_WITH_YOUR_SERVERS_IP/goaway.php?cmd=msadc"
	RedirectMatch permanent (.*)[\\|\/]x90[\\|\/](.*)$
"http://REPLACE_WITH_YOUR_SERVERS_IP/goaway.php?cmd=webdav+attack"
	RedirectMatch permanent (.*)[\\|\/]X90[\\|\/](.*)$
"http://REPLACE_WITH_YOUR_SERVERS_IP/goaway.php?cmd=webdav+attack"

Hope that helps.

_______________________________________________
TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
Help beta test TCLUG's potential new home: http://plone.mn-linux.org
Got pictures for TCLUG? Beta test http://plone.mn-linux.org/gallery
tclug-list at mn-linux.org
https://mailman.real-time.com/mailman/listinfo/tclug-list