Date: Sun, 23 Sep 2001 14:13:31 -0700 From: faSty <fasty@i-sphere.com> To: David G Andersen <danderse@cs.utah.edu> Cc: freebsd-security@freebsd.org Subject: Re: New worm protection Message-ID: <20010923141330.A94941@i-sphere.com> In-Reply-To: <200109231818.f8NIIhl29053@faith.cs.utah.edu>; from danderse@cs.utah.edu on Sun, Sep 23, 2001 at 12:18:43PM -0600 References: <20010923141030.B546@shall.anarcat.dyndns.org> <200109231818.f8NIIhl29053@faith.cs.utah.edu>
Can you give me a sample of a statement that closes without output from the
webserver?
I tried using your statement; it seems not to work, and it simply
invades almost all 500 domains on my webservers. Ugh.
I hope your sample can handle all domains, not just one domain.
Let me know, thanks.
-trev
On Sun, Sep 23, 2001 at 12:18:43PM -0600, David G Andersen wrote:
> Sorry, should have mentioned that I have all .cgi files mapped
> to executables.
>
> Have it map to your /cgi-bin like you want.
>
> Name the script nph-<whatever> instead of just <whatever>, which
> tells the webserver that your script will generate ALL of the
> headers. Then the script can just close, and the worm
> won't get _any_ output from the webserver.
>
> Use RewriteRule, not RedirectMatch. RedirectMatch sends a redirect,
> which is obviously not what you want. You want to internally
> rewrite the URL so it gets handled transparently. Then, the
> result is quite pleasing:
>
> 131 eep:~/> telnet webby.angio.net 80
> Trying 206.197.119.138...
> Connected to webby.angio.net.
> Escape character is '^]'.
> GET /scripts/cmd.exe? HTTP/1.0
>
> Connection closed by foreign host.
>
> See? Very nice. :)
>
> Lo and behold, The Anarcat once said:
> >
> > On Sun, 23 Sep 2001, David G Andersen wrote:
> >
> > > Use mod_rewrite to redirect all accesses to that script.
> > >
> > > RewriteEngine on
> > > RewriteRule .*/cmd.exe.* /scripts/nph-foo.cgi
> > >
> > > (I haven't tested this syntax. Test it first. :)
> >
> > Unfortunately, I tested this using a text file, which is fine. Here, if I
> > try using a compiled C script (instead of a Perl script; faster on a
> > small machine), the script gets dumped in binary form! Not executed!
> >
> > GET /root.exe
> > ELF [binary garbage] /usr/libexec/ld-elf.so.FreeBSD [binary garbage]
> > ...
> >
> > So I used the redirect approach:
> >
> > RedirectMatch .*/(root.exe|cmd.exe|default.ida|Admin.dll).* /cgi-bin/sleep.cgi
> >
> > sleep.c:
> > #include <stdio.h>
> > #include <unistd.h>
> >
> > int main(void) {
> >     sleep(5);                               /* hold the worm's connection open */
> >     printf("Content-type: text/plain\n\n"); /* minimal CGI header, empty body */
> >     return 0;
> > }
> >
> > This works. However, it generates a bit too much output:
> >
> > GET /cmd.exe
> > <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
> > <HTML><HEAD>
> > <TITLE>302 Found</TITLE>
> > </HEAD><BODY>
> > <H1>Found</H1>
> > The document has moved <A HREF="/cgi-bin/sleep.cgi">here</A>.<P>
> > <HR>
> > <ADDRESS>Apache/1.3.20 Server at anarcat.dyndns.org Port 80</ADDRESS>
> > </BODY></HTML>
> >
> > ;)
> >
> > I really don't understand why the Rewrite rule doesn't work as expected.
> >
> > A.
> >
> >
>
>
> --
> work: dga@lcs.mit.edu me: dga@pobox.com
> MIT Laboratory for Computer Science http://www.angio.net/
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
--
The primary theme of SoupCon is communication. The acronym "LEO"
represents the secondary theme:
Law Enforcement Officials
The overall theme of SoupCon shall be:
Avoiding Communication with Law Enforcement Officials
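[Editor's note: the following is an added example, not code posted by anyone in
this thread. It shows the nph- trick David describes (the script emits all the
headers itself, so emitting nothing means the client sees a bare connection
close) and, in the header comment, the httpd.conf fragment it assumes. The script
name nph-sink.cgi, the /cgi-bin/ location, the hold time and the use of the
Apache-specific REQUEST_URI environment variable are this example's own choices;
the "RewriteOptions inherit" line is the Apache 1.3 way for every VirtualHost
to pick up the server-level rule, which is what trev is asking about.]

```c
/*
 * nph-sink.c: an "nph-" CGI sink for worm probes (added example, not from the
 * thread).
 *
 * Assumed Apache setup (script name, path and flags are this example's
 * choices): the binary is installed as nph-sink.cgi in the ScriptAlias'd
 * /cgi-bin/, and httpd.conf carries, in the main server context,
 *
 *   RewriteEngine on
 *   RewriteRule (root\.exe|cmd\.exe|default\.ida|Admin\.dll) /cgi-bin/nph-sink.cgi [NC,L,PT]
 *
 * plus "RewriteOptions inherit" inside each <VirtualHost>, because Apache 1.3
 * virtual hosts do not inherit server-level rewrite rules on their own.
 * RewriteRule (not RedirectMatch) keeps the rewrite internal, so no 302 page
 * goes out.  The PT flag hands the rewritten path on to ScriptAlias so the
 * file is executed instead of served as a plain file (the "ELF ..." dump
 * quoted above is what serving it looks like); if .cgi is instead mapped to
 * the cgi-script handler under DocumentRoot, as David has it, PT is not
 * needed.  Because the name starts with "nph-", Apache expects the script to
 * write the status line and every header itself, so exiting without writing
 * anything leaves the worm with a closed connection and zero bytes, as in the
 * telnet transcript above.
 */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Seconds the probe's connection is held before it is dropped; 0 for a plain
 * drop.  Each held probe ties up one httpd child, so keep this modest. */
#define HOLD_SECONDS 5

/* URI fragments that mark Code Red / Nimda probes: the same four names the
 * RedirectMatch in the thread listed.  Matched case-insensitively, like [NC]. */
static const char *const PROBE_MARKERS[] = {
    "root.exe", "cmd.exe", "default.ida", "Admin.dll"
};

/* Case-insensitive substring search; written out because strcasestr is not
 * portable. */
static int contains_nocase(const char *hay, const char *needle)
{
    size_t n = strlen(needle);
    for (; *hay != '\0'; hay++) {
        size_t i = 0;
        while (i < n && hay[i] != '\0' &&
               tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i]))
            i++;
        if (i == n)
            return 1;
    }
    return 0;
}

/* 1 if the request URI looks like a worm probe, else 0.  Mirrors the
 * RewriteRule so the script still behaves sensibly if the rule is looser
 * than intended or the script is requested directly. */
int is_worm_probe(const char *uri)
{
    size_t k;
    if (uri == NULL)
        return 0;
    for (k = 0; k < sizeof PROBE_MARKERS / sizeof PROBE_MARKERS[0]; k++)
        if (contains_nocase(uri, PROBE_MARKERS[k]))
            return 1;
    return 0;
}

/* For non-probe requests an nph- script must produce the whole response
 * itself: status line, headers, blank line.  Returns bytes written. */
int write_nph_not_found(FILE *out)
{
    return fprintf(out,
                   "HTTP/1.0 404 Not Found\r\n"
                   "Content-Type: text/plain\r\n"
                   "Connection: close\r\n"
                   "\r\n");
}

int main(int argc, char **argv)
{
    /* Apache exports the original (pre-rewrite) request line as REQUEST_URI.
     * An argv[1] override lets the binary be tried offline with a constructed
     * URI such as '/scripts/cmd.exe?/c+dir'. */
    const char *uri = argc > 1 ? argv[1] : getenv("REQUEST_URI");

    if (is_worm_probe(uri)) {
        if (HOLD_SECONDS > 0)
            sleep(HOLD_SECONDS);
        return 0;               /* exit with nothing on stdout: bare close */
    }
    write_nph_not_found(stdout);
    return 0;
}
```

Build with "cc -o nph-sink.cgi nph-sink.c", drop it into the ScriptAlias'd
cgi-bin, and repeat the telnet test from David's message; a GET for
/scripts/cmd.exe? should end in "Connection closed by foreign host" with no
headers, while a direct GET for /cgi-bin/nph-sink.cgi gets the hand-written 404.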
