Date: Sun, 23 Sep 2001 14:10:31 -0400
From: The Anarcat <anarcat@anarcat.dyndns.org>
To: David G Andersen <danderse@cs.utah.edu>
Cc: Ian Smith <smithi@nimnet.asn.au>, Chris Byrnes <chris@JEAH.net>, security@FreeBSD.ORG
Subject: Re: New worm protection
Message-ID: <20010923141030.B546@shall.anarcat.dyndns.org>
In-Reply-To: <200109231703.f8NH3NK24837@faith.cs.utah.edu>
References: <Pine.BSF.3.96.1010924022816.9322B-100000@gaia.nimnet.asn.au> <200109231703.f8NH3NK24837@faith.cs.utah.edu>

On Sun, 23 Sep 2001, David G Andersen wrote:

> Use mod_rewrite to redirect all accesses to that script.
>
> RewriteEngine on
> RewriteRule .*/cmd.exe.* /scripts/nph-foo.cgi
>
> (I haven't tested this syntax. Test it first. :)

Unfortunately, I tested this using a text file, which is fine. Here, if
I try using a compiled C script (instead of a Perl script, faster on a
small machine), the script gets dumped in binary form! Not executed!

GET /root.exe
ELF ð4ô4 (444ÀÀôôôvvxxx¬È´´´pp/usr/libexec/ld-elf.so.FreeBSDÀ¶
...

So I used the redirect approach:

RedirectMatch .*/(root.exe|cmd.exe|default.ida|Admin.dll).* /cgi-bin/sleep.cgi

sleep.c:

#include <stdio.h>   /* printf */
#include <unistd.h>  /* sleep */

int main()
{
	/* hold the connection for 5 seconds before answering */
	sleep(5);
	printf("Content-type: text/plain\n\n");
	return 0;
}

This works. However, it generates a bit too much output:

GET /cmd.exe
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>302 Found</TITLE>
</HEAD><BODY>
<H1>Found</H1>
The document has moved <A HREF="/cgi-bin/sleep.cgi">here</A>.<P>
<HR>
<ADDRESS>Apache/1.3.20 Server at anarcat.dyndns.org Port 80</ADDRESS>
</BODY></HTML>

;)

I really don't understand why the Rewrite rule doesn't work as expected.

A.
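
Added example, not part of the original message: a Python tally, per client, of access-log requests that the RedirectMatch pattern above would catch. The log lines are constructed, and STRICT_PATTERN (the same names with escaped dots) is an assumption added here to show that the unescaped dots also match ordinary paths such as /docs/cmd-exe-notes.html.

```python
import re
from collections import Counter

# Pattern copied from the RedirectMatch line in the message (dots unescaped).
PAGE_PATTERN = re.compile(r".*/(root.exe|cmd.exe|default.ida|Admin.dll).*")
# Assumption (not from the message): the same names with literal dots.
STRICT_PATTERN = re.compile(r".*/(root\.exe|cmd\.exe|default\.ida|Admin\.dll).*")

# Common Log Format: host ident user [time] "METHOD target PROTO" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "\S+ (\S+)[^"]*" \d{3} \S+$')

# Constructed sample lines using documentation addresses, not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [23/Sep/2001:14:01:02 -0400] "GET /scripts/root.exe HTTP/1.0" 302 290
192.0.2.10 - - [23/Sep/2001:14:01:03 -0400] "GET /scripts/cmd.exe HTTP/1.0" 302 290
192.0.2.10 - - [23/Sep/2001:14:01:04 -0400] "GET /Admin.dll HTTP/1.0" 302 290
198.51.100.7 - - [23/Sep/2001:14:02:10 -0400] "GET /default.ida HTTP/1.0" 302 290
203.0.113.5 - - [23/Sep/2001:14:03:00 -0400] "GET /docs/cmd-exe-notes.html HTTP/1.0" 302 290
203.0.113.5 - - [23/Sep/2001:14:03:05 -0400] "GET /index.html HTTP/1.0" 200 2048
this line is not in Common Log Format
"""


def tally_probes(log_text, pattern):
    """Count, per client, the requests whose URL-path matches `pattern`."""
    hits = Counter()
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m:
            continue  # skip malformed lines rather than guess at fields
        host, target = m.groups()
        # RedirectMatch is applied to the URL-path, so drop any query string.
        url_path = target.split("?", 1)[0]
        if pattern.search(url_path):
            hits[host] += 1
    return hits


if __name__ == "__main__":
    for name, pat in (("page", PAGE_PATTERN), ("strict", STRICT_PATTERN)):
        print(name, dict(tally_probes(SAMPLE_LOG, pat)))
```
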