Date: Sun, 23 Sep 2001 12:18:43 -0600 (MDT) From: David G Andersen <danderse@cs.utah.edu> To: anarcat@anarcat.dyndns.org (The Anarcat) Cc: danderse@cs.utah.edu (David G Andersen), smithi@nimnet.asn.au (Ian Smith), chris@JEAH.net (Chris Byrnes), security@FreeBSD.ORG Subject: Re: New worm protection Message-ID: <200109231818.f8NIIhl29053@faith.cs.utah.edu> In-Reply-To: <20010923141030.B546@shall.anarcat.dyndns.org> from "The Anarcat" at Sep 23, 2001 02:10:31 PM
next in thread | previous in thread | raw e-mail | index | archive | help
Sorry, should have mentioned that I have all .cgi files mapped to executables. Have it map to your /cgi-bin like you want. Name the script nph-<whatever> instead of just <whatever>, which tells the webserver that your script will generate ALL of the headers. Then the script can just close, and the worm won't get _any_ output from the webserver. Use RewriteRule, not RedirectMatch. RedirectMatch sends a redirect, which is obviously not what you want. You want to internally rewrite the URL so it gets handled transparently. Then, the result is quite pleasing: 131 eep:~/> telnet webby.angio.net 80 Trying 206.197.119.138... Connected to webby.angio.net. Escape character is '^]'. GET /scripts/cmd.exe? HTTP/1.0 Connection closed by foreign host. See? Very nice. :) Lo and behold, The Anarcat once said: > > On Sun, 23 Sep 2001, David G Andersen wrote: > > > Use mod_rewrite to redirect all accesses to that script. > >=20 > > RewriteEngine on > > RewriteRule .*/cmd.exe.* /scripts/nph-foo.cgi > >=20 > > (I haven't tested this syntax. Test it first. :) > > Unfortunatly, I tested this using a text file, which is fine. Here, if I > try using a compiled C script (instead of a perl script, faster on a > small machine), the script gets dumped in binary form! Not executed! > > GET /root.exe > ELF =F04=F44 (444=C0=C0=F4=F4=F4vvxxx=AC=C8=B4=B4=B4pp/usr/libexec/ld-e= > lf.so.FreeBSD=C0=B6 > =2E.. > > So I used the redirect approach: > > RedirectMatch .*/(root.exe|cmd.exe|default.ida|Admin.dll).* /cgi-bin/sleep.= > cgi > > sleep.c: > int main() { > sleep(5); > printf("Content-type: text/plain\n\n"); > } > > This works. However, it generates a bit too much output: > > GET /cmd.exe > <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> > <HTML><HEAD> > <TITLE>302 Found</TITLE> > </HEAD><BODY> > <H1>Found</H1> > The document has moved <A HREF=3D"/cgi-bin/sleep.cgi">here</A>.<P> > <HR> > <ADDRESS>Apache/1.3.20 Server at anarcat.dyndns.org Port 80</ADDRESS> > </BODY></HTML> > > ;) > > I really don't understand why the Rewrite rule doesn't work as expected. > > A. > > --VrqPEDrXMn8OVzN4 > Content-Type: application/pgp-signature > Content-Disposition: inline > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.0.6 (FreeBSD) > Comment: For info see http://www.gnupg.org > > iEYEARECAAYFAjuuJZUACgkQttcWHAnWiGcT/wCfZUO50hEjQUILZJIfZNlkJDgd > c+QAn324N8SSDAEyDviPsqrhDTujaXuP > =v3ql > -----END PGP SIGNATURE----- > > --VrqPEDrXMn8OVzN4-- > -- work: dga@lcs.mit.edu me: dga@pobox.com MIT Laboratory for Computer Science http://www.angio.net/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200109231818.f8NIIhl29053>