Date:      Sun, 23 Sep 2001 12:18:43 -0600 (MDT)
From:      David G Andersen <danderse@cs.utah.edu>
To:        anarcat@anarcat.dyndns.org (The Anarcat)
Cc:        danderse@cs.utah.edu (David G Andersen), smithi@nimnet.asn.au (Ian Smith), chris@JEAH.net (Chris Byrnes), security@FreeBSD.ORG
Subject:   Re: New worm protection
Message-ID:  <200109231818.f8NIIhl29053@faith.cs.utah.edu>
In-Reply-To: <20010923141030.B546@shall.anarcat.dyndns.org> from "The Anarcat" at Sep 23, 2001 02:10:31 PM

Sorry, should have mentioned that I have all .cgi files mapped
to executables.

Have it map to your /cgi-bin like you want.

Name the script nph-<whatever> instead of just <whatever>, which
tells the webserver that your script will generate ALL of the
headers.  Then the script can just close, and the worm
won't get _any_ output from the webserver.

Use RewriteRule, not RedirectMatch.  RedirectMatch sends a redirect,
which is obviously not what you want.  You want to internally 
rewrite the URL so it gets handled transparently.  Then, the 
result is quite pleasing:

131 eep:~/> telnet webby.angio.net 80
Trying 206.197.119.138...
Connected to webby.angio.net.
Escape character is '^]'.
GET /scripts/cmd.exe? HTTP/1.0

Connection closed by foreign host.

See?  Very nice. :)

Lo and behold, The Anarcat once said:
> 
> On Sun, 23 Sep 2001, David G Andersen wrote:
> 
> >   Use mod_rewrite to redirect all accesses to that script.
> >
> > RewriteEngine on
> > RewriteRule .*/cmd.exe.* /scripts/nph-foo.cgi
> >
> > (I haven't tested this syntax.  Test it first. :)
> 
> Unfortunately, I tested this using a text file, which is fine. Here, if I
> try using a compiled C script (instead of a perl script, faster on a
> small machine), the script gets dumped in binary form! Not executed!
> 
> GET /root.exe
> ELF     =F04=F44 (444=C0=C0=F4=F4=F4vvxxx=AC=C8=B4=B4=B4pp/usr/libexec/ld-elf.so.FreeBSD=C0=B6
> ...
> 
> So I used the redirect approach:
> 
> RedirectMatch .*/(root.exe|cmd.exe|default.ida|Admin.dll).* /cgi-bin/sleep.cgi
> 
> sleep.c:
> #include <stdio.h>
> #include <unistd.h>
>
> int main(void) {
>   sleep(5);                                /* stall the worm's connection for a few seconds */
>   printf("Content-type: text/plain\n\n");  /* minimal CGI header, empty body */
>   return 0;
> }
> 
> This works. However, it generates a bit too much output:
> 
> GET /cmd.exe
> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
> <HTML><HEAD>
> <TITLE>302 Found</TITLE>
> </HEAD><BODY>
> <H1>Found</H1>
> The document has moved <A HREF="/cgi-bin/sleep.cgi">here</A>.<P>
> <HR>
> <ADDRESS>Apache/1.3.20 Server at anarcat.dyndns.org Port 80</ADDRESS>
> </BODY></HTML>
> 
> ;)
> 
> I really don't understand why the Rewrite rule doesn't work as expected.
> 
> A.
> 


-- 
work: dga@lcs.mit.edu                          me:  dga@pobox.com
      MIT Laboratory for Computer Science           http://www.angio.net/
