These requests have many variations of subdirectories, but the vast majority are for /cmd.exe and a few /root.exe files. To a lesser degree, requests for /nsiislog.dll are showing up as well. The subdirectories in the requests don't even exist on my server, so even if those files did exist, they are looking in the wrong place.
Is there a way to block requests for certain file types from many IPs? Or would I have to manually add each IP that does a request for one of those documents?
Welcome to WebmasterWorld!
You can use mod_rewrite to detect requests for those specific files, or for certain file types, and return a 403-Forbidden response if you so desire. Since the files don't exist on your server, though, the only possible benefits are that you can save some bandwidth if your custom 403 error page is smaller than your custom 404 error page, and the slight possibility that whatever programs are requesting those pages might be smart enough to drop your domain if they think they've been "found out" due to the 403 response.
Even with a 403-Forbidden response, your server still responds to their request, and you'll still see entries in your access log. So, you can "block" the requests if you like, but it doesn't really accomplish much.
Jim
Thank you for the welcome, and thanks for your reply. I'm glad I found WebmasterWorld; I have found a lot of interesting info here already.
The requests come from many IPs, several are from Russia, so I guess I'll just watch the logs closely to see if there is a pattern and act on it accordingly.
Thanks again, and I'm looking forward to learning a lot from this site.
Rick
This will keep the "SEARCH /\x90\x02\xb1..." from spamming the access log. It will still show up as a 414 but stops the 25+ lines of attempted buffer overflow.
LogFormat "%h %l %u %t \"%!414r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
The following will keep other attacks from showing up in the access log. Note however that they will show in your error log.
# Code Red
SetEnvIf Request_URI "^/default\.(ida|idq)(.*)$" nolog
# Nimda
SetEnvIf Request_URI "(cmd|root|shell)\.exe(.*)$" nolog
SetEnvIf Request_URI "(admin|httpodbc)\.dll(.*)$" nolog
# Windows Media Attack
SetEnvIf Request_URI "nsiislog\.dll(.*)$" nolog
# Proxy scan
SetEnvIf Request_URI "prxjdg\.cgi" nolog
Alternatively, if you wanted to log any of these to a separate log file you would just need to insert the name of the log before "nolog" as in:
# Proxy scan
SetEnvIf Request_URI "prxjdg\.cgi" proxy nolog
Once you've added the above lines to your httpd.conf file you'll need to tell Apache not to log the nolog lines in your chosen format (for me it is "combined"). To do that, add the following:
CustomLog logs/access.log combined env=!nolog
If you wish to log entries into specific log files, as in the proxy example above, add this before your access log "CustomLog" entry:
CustomLog logs/proxy.log combined env=proxy
This will keep your access log from getting filled with unsuccessful crack attempts aimed at IIS (Microsoft's Web server), which are of no real worry to you at all.
-ben
Anyway, I was reading about Code Red II, since I've been getting a tremendous amount of requests for default.ida lately, and came across an interesting idea. I wanted to see what others thought about it, so I'll ask it here first.
The article I read described how much bandwidth could be used by these attacks, and had a solution - or at least a partial solution - create a zero bit file with that name. The bandwidth would be reduced, and the offending server would be presented with a blank page.
Are there any drawbacks for this kind of "defense"? If not, would it be a good idea to create the most often requested files and do the same, as well as use Ben's suggestion?
I combine the techniques by internally rewriting requests for those files to a subdirectory. All access to that subdirectory is forbidden, except for the custom 403 error page in that subdirectory which is... zero bytes long. So, they get a 403 response status header and an empty content-body.
The zero-byte file is a fairly common technique. Some hosting companies do this as standard practice -- whether their hosted users want/know about it or not. I just added the 403 status trick.
Jim
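For readers who want to see Jim's combined technique (the mod_rewrite 403 from his first reply plus the forbidden subdirectory with a zero-byte 403 page from this one) spelled out, here is an added httpd.conf fragment. It is not code from the thread or from any of the posters; the directory name /deadend, the DocumentRoot /var/www/html, and the file name 403.html are assumptions, and the [E=nolog:1] flag reuses the "nolog" variable from ben's logging post so the same CustomLog env=!nolog line keeps these hits out of access.log.

```apache
# Added example, not from the thread. Assumed paths: DocumentRoot /var/www/html,
# dead-end directory /var/www/html/deadend, empty page /var/www/html/deadend/403.html.
# Create the empty page first (it must exist, or Apache falls back to its
# built-in 403 body):   : > /var/www/html/deadend/403.html

RewriteEngine On

# Requests for IIS-only worm targets that do not exist on this server are
# rewritten internally (no [R], so the client never sees a redirect) into the
# dead-end directory. [E=nolog:1] sets the same "nolog" variable ben's SetEnvIf
# lines use, so "CustomLog logs/access.log combined env=!nolog" drops these
# hits from access.log while they still appear in error.log.
RewriteRule (cmd|root|shell)\.exe$  /deadend/  [NC,E=nolog:1,L]
RewriteRule default\.id[aq]$        /deadend/  [NC,E=nolog:1,L]
RewriteRule nsiislog\.dll$          /deadend/  [NC,E=nolog:1,L]

<Directory "/var/www/html/deadend">
    # Everything in the dead-end directory is forbidden...
    Order deny,allow
    Deny from all

    # ...except the zero-byte error page, which Apache fetches through an
    # internal subrequest that is subject to the same access checks. Without
    # this exception the error page itself would be forbidden and Apache would
    # serve its default 403 body instead of the empty one.
    <Files "403.html">
        Order allow,deny
        Allow from all
    </Files>

    # Scoped to this directory so the rest of the site keeps its normal 403 page.
    ErrorDocument 403 /deadend/403.html
</Directory>
```

The rules belong in the server or virtual-host section of httpd.conf (not in a .htaccess file, where the matched path would lose its leading slash and the [E=] flag would still work but the <Directory> block would not be allowed). The result for a request such as GET /scripts/root.exe is a 403 status with an empty body, which is exactly what Jim describes. The Order/Deny/Allow directives are the Apache 1.3 and 2.0/2.2 syntax of this thread's era; on Apache 2.4 the equivalents are Require all denied inside <Directory> and Require all granted inside <Files>.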
I'm not sure what the correct syntax is for rewriting to a 403 page. I guess it shows my lack of knowledge on the subject...
Here is what I have, but it doesn't seem to work:
RewriteCond "%{QUERY_STRING}" "*.exe=([^=]*)"
RewriteCond "%{QUERY_STRING}" "*.dll=([^=]*)"
RewriteCond "%{QUERY_STRING}" "*.ida=([^=]*)"
RewriteRule "^/$" "/403.html" [R]
Where am I going wrong?
Also, is there a specific location in httpd.conf that this should go?
Jim
Maybe it would be a good idea to have the forum direct new users - such as myself - to the charter page before new posts can be made. I haven't seen that page before, but I realized that there are more resources than I originally thought by that one page alone.
I've posted to several other forums, but none have a charter page describing proper etiquette like WebmasterWorld has. It would make a lot of sense - as well as save a lot of time for the moderators - if new members were to read it before making posts.
Sorry to ask such a direct question and waste your time. I'll make sure that I research my problem more thoroughly before posting next time.
Rick