WebmasterWorld, Apache Web Server Forum

that pesky regex stuff
creating the desired RewriteCond
wkitty42, msg:1518376, 2:28 am on May 20, 2003 (gmt 0)

i was reading some very good stuff on regex the other day when i was by... i'm not sure i have /the/ handle on it, yet but i do have hold of the handle...

on an apache server, i've the following but it doesn't seem to work as desired... why? the desired effect is to trap the request, alter the user agent for the log, and dump them to the cgi... however, it doesn't seem that either of these rules works at all :(


# this ruleset is to "stop" stupid attempts to use MS IIS exploits on us
# NIMDA
RewriteCond %{REQUEST_URI} (.*)/cmd\.exe [NC,OR]
RewriteCond %{REQUEST_URI} (.*)/root\.exe [NC,OR]
RewriteCond %{REQUEST_URI} (.*)/admin\.dll [NC,OR]
RewriteCond %{REQUEST_URI} (.*)/httpodbc\.dll [NC]
RewriteRule $ /cgi-bin/nonimda.cgi [L,PT,E=HTTP_USER_AGENT:NIMDA_EXPLOIT,T=application/x-httpd-cgi]

# CODERED
RewriteCond %{REQUEST_URI} /default\.ida [NC,OR]
RewriteCond %{REQUEST_URI} /default\.idq [NC,OR]
RewriteCond %{REQUEST_URI} /.*\.printer [NC]
RewriteRule $ /cgi-bin/nocode-r.cgi [L,PT,E=HTTP_USER_AGENT:CODERED_EXPLOIT,T=application/x-httpd-cgi]

advTHANKSance

 

jdMorgan, msg:1518377, 2:56 am on May 20, 2003 (gmt 0)

wkitty42,

Welcome to WebmasterWorld [webmasterworld.com]!

There is no need to use parentheses here, unless you intend to back-reference the enclosed pattern. So, for example:

RewriteCond %{REQUEST_URI} (.*)/cmd\.exe [NC,OR]

could just as well be written as

RewriteCond %{REQUEST_URI} .*/cmd\.exe [NC,OR]

But that leaves an unanchored pattern starting with ".*" - which is redundant, so it further reduces to:

RewriteCond %{REQUEST_URI} /cmd\.exe [NC,OR]

The filename always ends with ".exe", so you can and should end-anchor it to reduce processing:

RewriteCond %{REQUEST_URI} /cmd\.exe$ [NC,OR]

Now the RewriteRule looks a bit funny, too. I'm not familiar with Pass-Thru mode, and not sure that you need it. I'm also not sure you can change the HTTP_USER_AGENT variable (please let me know if you do get it working 'cause it might be a good way to shorten my log entries for that stupid "default/xxxxxxxx...xxxxxxx" exploit) but the rule needs a correction to its pattern at the least:

RewriteRule .* /cgi-bin/nonimda.cgi [L,PT,E=HTTP_USER_AGENT:NIMDA_EXPLOIT,T=application/x-httpd-cgi]

Alternatively, you can try the following, which works on my server:

Options +FollowSymLinks
RewriteEngine on
# IIS command-shell probes (cmd.exe, root.exe, shell.exe anywhere in the path)
RewriteRule /(cmd|root|shell)\.exe$ - [F]
# Code Red style Indexing Service (.ida) requests
RewriteRule \.ida - [F]
# FrontPage Server Extensions paths (_vti_bin and friends)
RewriteRule \_vti\_ - [F]
RewriteRule ^NULL - [NC,F]
RewriteRule bin/ - [NC,F]

This simply returns a 403 response - sort of a "get it over with quick" approach.

I don't know if any of the above will help with your problem - Hope so.
Jim

<added>Edit the "¦" characters and replace them with solid vertical pipes - the one on your keyboard. Posting on this board alters these characters.</added>

wkitty42, msg:1518378, 5:28 am on May 20, 2003 (gmt 0)

thanks, jdMorgan... you are probably correct that i don't really need the passthru mode with these since they're not aliased (currently) to something else...

i have taken your suggestions to heart and adjusted those plus another one... i believe that this is better but won't find out until they get hammered a bit...

here're my current results...

# this ruleset is to "stop" stupid attempts to use MS IIS exploits on us
# NIMDA
RewriteCond %{REQUEST_URI} /(cmd|root|shell)\.exe$ [NC,OR]
RewriteCond %{REQUEST_URI} /(admin|httpodbc)\.dll$ [NC]
RewriteRule .* /cgi-bin/nonimda.cgi [L,PT,E=HTTP_USER_AGENT:NIMDA_EXPLOIT,T=application/x-httpd-cgi]

# CODERED
RewriteCond %{REQUEST_URI} /default\.(ida|idq)$ [NC,OR]
RewriteCond %{REQUEST_URI} /.*\.printer$ [NC]
RewriteRule .* /cgi-bin/nocode-r.cgi [L,PT,E=HTTP_USER_AGENT:CODERED_EXPLOIT,T=application/x-httpd-cgi]

# this ruleset is for formmail script abusers...
RewriteCond %{REQUEST_URI} /formmail\.(pl|cgi)$ [NC,OR]
RewriteCond %{REQUEST_URI} /mailto\.(exe|cgi)$ [NC]
RewriteRule .* /cgi-bin/nofrmml.cgi [L,PT,E=HTTP_USER_AGENT:FORMMAIL_EXPLOIT,T=application/x-httpd-cgi]

i'm not sure that the user_agent rewrite will ever work as i hoped it would... i don't see a log entry for the pages that i am redirecting them to but that's kinda expected since these are internal rewrites... it's not that big a deal right now, for me... my main goal, at that time, was to put in a user_agent so that they wouldn't be getting trapped by my blank user_agent trap... i fixed that by putting that trap below the others... hummm... maybe the passthru is still letting them get to it? <scratching head> well, i'll find out with the formmail stuff as it's almost identical in many cases...

FWIW: the system is running Apache/2 on IBM's OS/2 operating system... i don't think that it has very many differences in operation than a *nix version but anything's possible :)

(aside: whoa! that was weird... i was writing this reply and when i submitted it, it came back and told me the thread was closed, hahahaha... glad i copied all the above to the clipboard for pasting here... i had a very good idea that the thread had been moved... just wasn't sure from the start where to post it but i knew that regex stuff had been covered over there in the perl/php forum)
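
The two rulesets above (jdMorgan's 403 set and wkitty42's revised RewriteCond chains), run as plain regex searches over a few constructed access-log lines. This is an added example in Python, not code from the thread or from Apache; it mirrors what mod_rewrite evaluates, an unanchored search (case-insensitive where [NC] is set) against the percent-decoded URL-path with the query string split off, and the log lines, client addresses and function names are constructed for illustration. Two things worth knowing that the posts leave open: mod_rewrite's E=HTTP_USER_AGENT:... flag sets an environment variable for the CGI, it does not rewrite the request's User-Agent header, so a LogFormat using %{User-agent}i keeps logging the original value; and the "bin/" rule in the 403 set also matches any request under /cgi-bin/, including the nonimda.cgi target the other ruleset rewrites to, which the scan below checks.

```python
"""Run the thread's mod_rewrite probe patterns over constructed access-log lines.

Added example; not code from the thread or from Apache. The regexes are
transcribed from the rulesets posted above; the log lines, client addresses
and function names here are constructed for illustration.
"""
import re
from urllib.parse import unquote, urlsplit

# wkitty42's final RewriteCond chains, in posted order. A RewriteCond is an
# unanchored search (like re.search) and [NC] makes it case-insensitive.
RULESETS = [
    ("NIMDA_EXPLOIT",    [r"/(cmd|root|shell)\.exe$", r"/(admin|httpodbc)\.dll$"]),
    ("CODERED_EXPLOIT",  [r"/default\.(ida|idq)$", r"/.*\.printer$"]),
    ("FORMMAIL_EXPLOIT", [r"/formmail\.(pl|cgi)$", r"/mailto\.(exe|cgi)$"]),
]
COMPILED = [(tag, [re.compile(p, re.IGNORECASE) for p in pats])
            for tag, pats in RULESETS]

# jdMorgan's 403 set. RewriteRule patterns are unanchored searches too; only
# "^NULL" is anchored, and only the last two carry [NC]. "\_" is just "_".
FORBID = [
    re.compile(r"/(cmd|root|shell)\.exe$"),
    re.compile(r"\.ida"),
    re.compile(r"_vti_"),
    re.compile(r"^NULL", re.IGNORECASE),
    re.compile(r"bin/", re.IGNORECASE),   # note: also matches /cgi-bin/...
]

# Combined Log Format: host ident user [time] "method target proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$')


def request_uri(target):
    """Approximate %{REQUEST_URI}: the URL-path only, percent-decoded once,
    with the query string removed (mod_rewrite exposes that separately as
    %{QUERY_STRING}). Assumption of this example: Apache has already decoded
    the path by the time the rewrite rules see it."""
    return unquote(urlsplit(target).path)


def classify(path):
    """Return the tag the first satisfied chain would put in E=HTTP_USER_AGENT,
    or None. Conditions inside a chain are OR'ed; chains are tried in order
    and [L] stops at the first hit, so later chains never see a matched path."""
    for tag, patterns in COMPILED:
        if any(p.search(path) for p in patterns):
            return tag
    return None


def forbidden(path):
    """True if any rule in jdMorgan's 403 set would refuse the path."""
    return any(p.search(path) for p in FORBID)


def scan(log_text):
    """Parse log lines and return (client, decoded path, classification)."""
    rows = []
    for line in log_text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # not CLF; skip rather than guess
        client, _method, target, _status, _agent = m.groups()
        path = request_uri(target)
        rows.append((client, path, classify(path)))
    return rows


def redundant_prefix_forms_agree(paths):
    """jdMorgan's simplification: in an unanchored search the patterns
    (.*)/cmd\\.exe, .*/cmd\\.exe and /cmd\\.exe accept exactly the same paths."""
    forms = [r"(.*)/cmd\.exe", r".*/cmd\.exe", r"/cmd\.exe"]
    verdicts = [[bool(re.search(f, p, re.IGNORECASE)) for p in paths] for f in forms]
    return all(v == verdicts[0] for v in verdicts)


# Constructed sample lines shaped like Nimda, Code Red and formmail probes.
SAMPLE_LOG = r'''
192.0.2.10 - - [20/May/2003:02:28:00 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 289 "-" "-"
192.0.2.10 - - [20/May/2003:02:28:01 +0000] "GET /scripts/..%255c../winnt/system32/CMD.EXE?/c+dir HTTP/1.0" 404 289 "-" "-"
192.0.2.11 - - [20/May/2003:02:28:02 +0000] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 289 "-" "-"
192.0.2.12 - - [20/May/2003:02:28:03 +0000] "POST /cgi-bin/FormMail.pl HTTP/1.1" 404 289 "-" "Mozilla/4.0"
192.0.2.13 - - [20/May/2003:02:28:04 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
'''

if __name__ == "__main__":
    for client, path, tag in scan(SAMPLE_LOG):
        print(f"{client:12} {tag or 'pass':17} {path}")
    # The 403 set's "bin/" rule would refuse the very CGI the other ruleset rewrites to:
    print("forbidden('/cgi-bin/nonimda.cgi') =", forbidden("/cgi-bin/nonimda.cgi"))
```

Running it classifies the first two lines as NIMDA_EXPLOIT (the second only because [NC] makes CMD.EXE match), the default.ida line as CODERED_EXPLOIT, the FormMail.pl POST as FORMMAIL_EXPLOIT, and leaves /index.html alone; forbidden('/cgi-bin/nonimda.cgi') comes back True, which is the reason not to drop the "bin/" rule into the same .htaccess as the rewrite-to-CGI rules.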

jdMorgan, msg:1518379, 5:42 am on May 20, 2003 (gmt 0)

wkitty42,

Well it looks good to me... It's really nice when someone studies-up on this stuff before posting like you did. It makes answering the questions a lot easier!

Let us know how it turns out,
Jim

wkitty42, msg:1518380, 5:48 am on May 20, 2003 (gmt 0)

will do, jdMorgan... i've been running my own server since '97 and have spent a lot of time with it... there's a huge amount of information available on the 'net about a lot of this stuff... i believe that i probably got some of it from this site over the years... what triggered me with this thread was some stuff about bot banning... i've ~170 or so bots listed in my list and i've gathered them from all over the web as well as from my log files...

i do try to get on top of things and help others as much as i can... hopefully i can make a difference in someone else's life... hopefully that difference will one of making something easier or understandable... been at this stuff for 20+ years... i ought to be halfway decent at something <<<GGG>>>

WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved