From owner-freebsd-security Sun Sep 23 14:13:11 2001
Delivered-To: freebsd-security@freebsd.org
Received: from I-Sphere.COM (shell.i-sphere.com [209.249.146.70]) by hub.freebsd.org (Postfix) with ESMTP id 3429437B438 for ; Sun, 23 Sep 2001 14:12:57 -0700 (PDT)
Received: (from fasty@localhost) by I-Sphere.COM (8.11.6/8.11.6) id f8NLDVD95333; Sun, 23 Sep 2001 14:13:31 -0700 (PDT) (envelope-from fasty)
Date: Sun, 23 Sep 2001 14:13:31 -0700
From: faSty
To: David G Andersen
Cc: freebsd-security@freebsd.org
Subject: Re: New worm protection
Message-ID: <20010923141330.A94941@i-sphere.com>
References: <20010923141030.B546@shall.anarcat.dyndns.org> <200109231818.f8NIIhl29053@faith.cs.utah.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <200109231818.f8NIIhl29053@faith.cs.utah.edu>; from danderse@cs.utah.edu on Sun, Sep 23, 2001 at 12:18:43PM -0600
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Can you give me a sample of a statement that closes without output from the
webserver? I tried to use your statement; it seems not to work, and it simply
invades almost all 500 domains on my webservers. Ugh.

I hope your sample can handle all domains, not just one domain.

Let me know.

Thanks,

-trev

On Sun, Sep 23, 2001 at 12:18:43PM -0600, David G Andersen wrote:
> Sorry, should have mentioned that I have all .cgi files mapped
> to executables.
>
> Have it map to your /cgi-bin like you want.
>
> Name the script nph- instead of just , which
> tells the webserver that your script will generate ALL of the
> headers. Then the script can just close, and the worm
> won't get _any_ output from the webserver.
>
> Use RewriteRule, not RedirectMatch. RedirectMatch sends a redirect,
> which is obviously not what you want. You want to internally
> rewrite the URL so it gets handled transparently. Then, the
> result is quite pleasing:
>
> 131 eep:~/> telnet webby.angio.net 80
> Trying 206.197.119.138...
> Connected to webby.angio.net.
> Escape character is '^]'.
> GET /scripts/cmd.exe? HTTP/1.0
>
> Connection closed by foreign host.
>
> See? Very nice. :)
>
> Lo and behold, The Anarcat once said:
> >
> > On Sun, 23 Sep 2001, David G Andersen wrote:
> >
> > > Use mod_rewrite to redirect all accesses to that script.
> > >
> > > RewriteEngine on
> > > RewriteRule .*/cmd.exe.* /scripts/nph-foo.cgi
> > >
> > > (I haven't tested this syntax. Test it first. :)
> >
> > Unfortunately, I tested this using a text file, which is fine. Here, if I
> > try using a compiled C script (instead of a perl script, faster on a
> > small machine), the script gets dumped in binary form! Not executed!
> >
> > GET /root.exe
> > ELF ... /usr/libexec/ld-elf.so.FreeBSD ...
> > ...
> >
> > So I used the redirect approach:
> >
> > RedirectMatch .*/(root.exe|cmd.exe|default.ida|Admin.dll).* /cgi-bin/sleep.cgi
> >
> > sleep.c:
> >
> > #include <stdio.h>
> > #include <unistd.h>
> >
> > int main(void) {
> >     sleep(5);
> >     printf("Content-type: text/plain\n\n");
> >     return 0;
> > }
> >
> > This works. However, it generates a bit too much output:
> >
> > GET /cmd.exe
> >
> > 302 Found
> > Found
> > The document has moved here.
> > Apache/1.3.20 Server at anarcat.dyndns.org Port 80
> >
> > ;)
> >
> > I really don't understand why the Rewrite rule doesn't work as expected.
> >
> > A.
>
> --
> work: dga@lcs.mit.edu me: dga@pobox.com
> MIT Laboratory for Computer Science http://www.angio.net/
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

--
The primary theme of SoupCon is communication.
The acronym "LEO" represents the secondary theme: Law Enforcement Officials
The overall theme of SoupCon shall be:
Avoiding Communication with Law Enforcement Officials
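The thread's recipe, written out as one program, is below. This is an added example and not code posted by any of the participants: it is the "nph-" CGI that David describes, the one Apache hands the worm request to after a RewriteRule such as the `.*/(root.exe|cmd.exe|default.ida|Admin.dll).*` pattern quoted above (with /cgi-bin set up as a ScriptAlias so the binary is executed rather than served as a file, which is the failure The Anarcat saw). Because its name starts with `nph-`, Apache expects the program to write every header itself; this one writes nothing to stdout and exits, so the client sees only a closed connection, exactly as in David's telnet transcript. It additionally records the probe to a log file so the scan is visible to the operator. The log path `/var/log/worm-probes.log`, the pattern list, and the use of the standard CGI variables `REQUEST_URI` and `REMOTE_ADDR` are assumptions for this example.

```c
/* nph-sink.c: added example for the "New worm protection" thread, not code
 * from any poster. Build as /cgi-bin/nph-sink.cgi (assumed path) and point
 * the RewriteRule quoted in the thread at it. The nph- prefix means Apache
 * adds no headers of its own, so writing nothing to stdout closes the
 * connection with an empty response. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <time.h>

/* Request-path fragments the thread lists as worm probes (assumed list). */
static const char *const PROBE_PATTERNS[] = {
    "root.exe", "cmd.exe", "default.ida", "Admin.dll", NULL
};

/* Case-insensitive substring test: the probes arrive in varying case. */
static int ci_contains(const char *hay, const char *needle)
{
    size_t n = strlen(needle);
    for (; *hay != '\0'; hay++) {
        if (strncasecmp(hay, needle, n) == 0)
            return 1;
    }
    return 0;
}

/* Return the pattern that makes this URI look like a worm probe, or NULL
 * if it matches none of them (or the URI is missing). */
const char *worm_probe_pattern(const char *uri)
{
    if (uri == NULL)
        return NULL;
    for (int i = 0; PROBE_PATTERNS[i] != NULL; i++) {
        if (ci_contains(uri, PROBE_PATTERNS[i]))
            return PROBE_PATTERNS[i];
    }
    return NULL;
}

/* Append one line "time client pattern uri" to the log. Returns 0 on
 * success and -1 if the log cannot be opened (the CGI still exits quietly,
 * so a logging failure never produces output for the scanner). */
int log_probe(const char *logpath, const char *client,
              const char *uri, const char *pattern)
{
    FILE *fp = fopen(logpath, "a");
    if (fp == NULL)
        return -1;
    time_t now = time(NULL);
    char stamp[32];
    strftime(stamp, sizeof stamp, "%Y-%m-%dT%H:%M:%SZ", gmtime(&now));
    fprintf(fp, "%s client=%s pattern=%s uri=%s\n", stamp, client, pattern, uri);
    fclose(fp);
    return 0;
}

int main(void)
{
    /* Standard CGI environment variables set by the server. */
    const char *uri = getenv("REQUEST_URI");
    const char *client = getenv("REMOTE_ADDR");
    const char *pattern = worm_probe_pattern(uri);

    if (pattern != NULL)
        log_probe("/var/log/worm-probes.log",       /* assumed path */
                  client != NULL ? client : "-", uri, pattern);

    /* Deliberately emit no status line, no headers and no body. */
    return 0;
}
```

Trev's "all 500 domains" question is a configuration point rather than a code one: in Apache 1.3, mod_rewrite rules in the main server context are not inherited by a virtual host unless that host sets `RewriteEngine on` and `RewriteOptions inherit`, so the rule has to be enabled per virtual host or inherited explicitly. The log file must be writable by the user the CGI runs as; if it is not, the program still exits silently.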