From owner-freebsd-security Sun Sep 23 11:52:33 2001 Delivered-To: freebsd-security@freebsd.org Received: from tomts11-srv.bellnexxia.net (tomts11.bellnexxia.net [209.226.175.55]) by hub.freebsd.org (Postfix) with ESMTP id 40B9537B436 for ; Sun, 23 Sep 2001 11:52:22 -0700 (PDT) Received: from khan.anarcat.dyndns.org ([65.92.169.79]) by tomts11-srv.bellnexxia.net (InterMail vM.4.01.03.16 201-229-121-116-20010115) with ESMTP id <20010923185221.PLBO17886.tomts11-srv.bellnexxia.net@khan.anarcat.dyndns.org>; Sun, 23 Sep 2001 14:52:21 -0400 Received: from shall.anarcat.dyndns.org (shall.anarcat.dyndns.org [192.168.0.1]) by khan.anarcat.dyndns.org (Postfix) with ESMTP id EC5941A66; Sun, 23 Sep 2001 14:52:16 -0400 (EDT) Received: by shall.anarcat.dyndns.org (Postfix, from userid 1000) id B269220B4A; Sun, 23 Sep 2001 14:52:11 -0400 (EDT) Date: Sun, 23 Sep 2001 14:52:10 -0400 From: The Anarcat To: David G Andersen Cc: Ian Smith , Chris Byrnes , security@FreeBSD.ORG Subject: Re: New worm protection Message-ID: <20010923145210.C546@shall.anarcat.dyndns.org> References: <20010923141030.B546@shall.anarcat.dyndns.org> <200109231818.f8NIIhl29053@faith.cs.utah.edu> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="NKoe5XOeduwbEQHU" Content-Disposition: inline In-Reply-To: <200109231818.f8NIIhl29053@faith.cs.utah.edu> User-Agent: Mutt/1.3.22.1i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --NKoe5XOeduwbEQHU Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Sun, 23 Sep 2001, David G Andersen wrote: > Sorry, should have mentioned that I have all .cgi files mapped > to executables. > > Have it map to your /cgi-bin like you want. I had cgi configuration problems. They're fixed. :) > Name the script nph- instead of just , which > tells the webserver that your script will generate ALL of the > headers. Then the script can just close, and the worm > won't get _any_ output from the webserver. Interesting. I didn't know of this feature. > Use RewriteRule, not RedirectMatch. RedirectMatch sends a redirect, > which is obviously not what you want. You want to internally=20 > rewrite the URL so it gets handled transparently. Then, the=20 > result is quite pleasing: >=20 > 131 eep:~/> telnet webby.angio.net 80 > Trying 206.197.119.138... > Connected to webby.angio.net. > Escape character is '^]'. > GET /scripts/cmd.exe? HTTP/1.0 >=20 > Connection closed by foreign host. >=20 > See? Very nice. :) Very nice indeed. I have the same result here now. :) Without the perl overhead. :) :) A. --NKoe5XOeduwbEQHU Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iEYEARECAAYFAjuuL1kACgkQttcWHAnWiGcipQCfdjLyAq5S39dvrHDU+s6kEGhu F94An18y8UO0IV4Too1BiyI0XAFE8pek =Q0/r -----END PGP SIGNATURE----- --NKoe5XOeduwbEQHU-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message