From owner-freebsd-security Sun Sep 23 11:18:50 2001
Delivered-To: freebsd-security@freebsd.org
Received: from wrath.cs.utah.edu (wrath.cs.utah.edu [155.99.198.100]) by hub.freebsd.org (Postfix) with ESMTP id A058137B429 for ; Sun, 23 Sep 2001 11:18:45 -0700 (PDT)
Received: from faith.cs.utah.edu (faith.cs.utah.edu [155.99.198.108]) by wrath.cs.utah.edu (8.11.6/8.11.1) with ESMTP id f8NIIiT25761; Sun, 23 Sep 2001 12:18:44 -0600 (MDT)
From: David G Andersen
Received: (from danderse@localhost) by faith.cs.utah.edu (8.11.1/8.11.1) id f8NIIhl29053; Sun, 23 Sep 2001 12:18:43 -0600 (MDT)
Message-Id: <200109231818.f8NIIhl29053@faith.cs.utah.edu>
Subject: Re: New worm protection
To: anarcat@anarcat.dyndns.org (The Anarcat)
Date: Sun, 23 Sep 2001 12:18:43 -0600 (MDT)
Cc: danderse@cs.utah.edu (David G Andersen), smithi@nimnet.asn.au (Ian Smith), chris@JEAH.net (Chris Byrnes), security@FreeBSD.ORG
In-Reply-To: <20010923141030.B546@shall.anarcat.dyndns.org> from "The Anarcat" at Sep 23, 2001 02:10:31 PM
X-Mailer: ELM [version 2.5 PL2]
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Sorry, should have mentioned that I have all .cgi files mapped to
executables. Have it map to your /cgi-bin like you want. Name the
script nph- instead of just , which tells the webserver that your
script will generate ALL of the headers. Then the script can just
close, and the worm won't get _any_ output from the webserver.

Use RewriteRule, not RedirectMatch. RedirectMatch sends a redirect,
which is obviously not what you want. You want to internally rewrite
the URL so it gets handled transparently.

Then, the result is quite pleasing:

131 eep:~/> telnet webby.angio.net 80
Trying 206.197.119.138...
Connected to webby.angio.net.
Escape character is '^]'.
GET /scripts/cmd.exe? HTTP/1.0

Connection closed by foreign host.

See? Very nice. :)

Lo and behold, The Anarcat once said:
> 
> On Sun, 23 Sep 2001, David G Andersen wrote:
> 
> > Use mod_rewrite to redirect all accesses to that script.
> > 
> > RewriteEngine on
> > RewriteRule .*/cmd.exe.* /scripts/nph-foo.cgi
> > 
> > (I haven't tested this syntax. Test it first. :)
> 
> Unfortunately, I tested this using a text file, which is fine. Here, if I
> try using a compiled C script (instead of a perl script, faster on a
> small machine), the script gets dumped in binary form! Not executed!
> 
> GET /root.exe
> ELF =F04=F44 (444=C0=C0=F4=F4=F4vvxxx=AC=C8=B4=B4=B4pp/usr/libexec/ld-elf.so.FreeBSD=C0=B6
> ...
> 
> So I used the redirect approach:
> 
> RedirectMatch .*/(root.exe|cmd.exe|default.ida|Admin.dll).* /cgi-bin/sleep.cgi
> 
> sleep.c:
> #include <stdio.h>
> #include <unistd.h>
> 
> int main(void) {
>     sleep(5);                               /* stall the worm for a while */
>     printf("Content-type: text/plain\n\n"); /* then send an empty CGI reply */
>     return 0;
> }
> 
> This works. However, it generates a bit too much output:
> 
> GET /cmd.exe
> 
> 302 Found
> 
> Found
> 
> The document has moved here.
> 
> Apache/1.3.20 Server at anarcat.dyndns.org Port 80
> 
> ;)
> 
> I really don't understand why the Rewrite rule doesn't work as expected.
> 
> A.

-- 
work: dga@lcs.mit.edu                          me:  dga@pobox.com
      MIT Laboratory for Computer Science           http://www.angio.net/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message