
that pesky regex stuff

creating the desired RewriteCond

   
2:28 am on May 20, 2003 (gmt 0)

10+ Year Member



i was reading some very good stuff on regex the other day when i was by... i'm not sure i have /the/ handle on it, yet but i do have hold of the handle...

on an apache server, i've the following but it doesn't seem to work as desired... why? the desired effect is to trap the request, alter the user agent for the log, and dump them to the cgi... however, it doesn't seem that either of these rules works at all :(


# this ruleset is to "stop" stupid attempts to use MS IIS exploits on us
# NIMDA
RewriteCond %{REQUEST_URI} (.*)/cmd\.exe [NC,OR]
RewriteCond %{REQUEST_URI} (.*)/root\.exe [NC,OR]
RewriteCond %{REQUEST_URI} (.*)/admin\.dll [NC,OR]
RewriteCond %{REQUEST_URI} (.*)/httpodbc\.dll [NC]
RewriteRule $ /cgi-bin/nonimda.cgi [L,PT,E=HTTP_USER_AGENT:NIMDA_EXPLOIT,T=application/x-httpd-cgi]

# CODERED
RewriteCond %{REQUEST_URI} /default\.ida [NC,OR]
RewriteCond %{REQUEST_URI} /default\.idq [NC,OR]
RewriteCond %{REQUEST_URI} /.*\.printer [NC]
RewriteRule $ /cgi-bin/nocode-r.cgi [L,PT,E=HTTP_USER_AGENT:CODERED_EXPLOIT,T=application/x-httpd-cgi]

advTHANKSance

2:56 am on May 20, 2003 (gmt 0)

WebmasterWorld Senior Member jdmorgan is a WebmasterWorld Top Contributor of All Time 10+ Year Member



wkitty42,

Welcome to WebmasterWorld [webmasterworld.com]!

There is no need to use parenthesis here, unless you intend to back-reference the enclosed pattern. So, for example:


RewriteCond %{REQUEST_URI} (.*)/cmd\.exe [NC,OR]

could just as well be written as

RewriteCond %{REQUEST_URI} .*/cmd\.exe [NC,OR]

But that leaves an unanchored pattern starting with ".*" - which is redundant, so it further reduces to:

RewriteCond %{REQUEST_URI} /cmd\.exe [NC,OR]

The filename always ends with ".exe", so you can and should end-anchor it to reduce processing:

RewriteCond %{REQUEST_URI} /cmd\.exe$ [NC,OR]

Now the RewriteRule looks a bit funny, too. I'm not familiar with Pass-Thru mode, and not sure that you need it. I'm also not sure you can change the HTTP_USER_AGENT variable (please let me know if you do get it working 'cause it might be a good way to shorten my log entries for that stupid "default/xxxxxxxx...xxxxxxx" exploit) but the rule needs a correction to its pattern at the least:


RewriteRule .* /cgi-bin/nonimda.cgi [L,PT,E=HTTP_USER_AGENT:NIMDA_EXPLOIT,T=application/x-httpd-cgi]

Alternatively, you can try the following, which works on my server:

Options +FollowSymLinks
RewriteEngine on
RewriteRule /(cmd|root|shell)\.exe$ - [F]
RewriteRule \.ida - [F]
RewriteRule \_vti\_ - [F]
RewriteRule ^NULL - [NC,F]
RewriteRule bin/ - [NC,F]

This simply returns a 403 response - sort of a "get it over with quick" approach.

I don't know if any of the above will help with your problem - Hope so.
Jim

5:28 am on May 20, 2003 (gmt 0)

10+ Year Member



thanks, jdMorgan... you are probably correct that i don't really need the passthru mode with these since they're not aliased (currently) to something else...

i have taken your suggestions to heart and adjusted those plus another one... i believe that this is better but won't find out until they get hammered a bit...

here're my current results...

# this ruleset is to "stop" stupid attempts to use MS IIS exploits on us
# NIMDA
RewriteCond %{REQUEST_URI} /(cmd|root|shell)\.exe$ [NC,OR]
RewriteCond %{REQUEST_URI} /(admin|httpodbc)\.dll$ [NC]
RewriteRule .* /cgi-bin/nonimda.cgi [L,PT,E=HTTP_USER_AGENT:NIMDA_EXPLOIT,T=application/x-httpd-cgi]

# CODERED
RewriteCond %{REQUEST_URI} /default\.(ida|idq)$ [NC,OR]
RewriteCond %{REQUEST_URI} /.*\.printer$ [NC]
RewriteRule .* /cgi-bin/nocode-r.cgi [L,PT,E=HTTP_USER_AGENT:CODERED_EXPLOIT,T=application/x-httpd-cgi]

# this ruleset is for formmail script abusers...
RewriteCond %{REQUEST_URI} /formmail\.(pl|cgi)$ [NC,OR]
RewriteCond %{REQUEST_URI} /mailto\.(exe|cgi)$ [NC]
RewriteRule .* /cgi-bin/nofrmml.cgi [L,PT,E=HTTP_USER_AGENT:FORMMAIL_EXPLOIT,T=application/x-httpd-cgi]

i'm not sure that the user_agent rewrite will ever work as i hoped it would... i don't see a log entry for the pages that i am redirecting them to but that's kinda expected since these are internal rewrites... it's not that big a deal right now, for me... my main goal, at that time, was to put in a user_agent so that they wouldn't be getting trapped by my blank user_agent trap... i fixed that by putting that trap below the others... hummm... maybe the passthru is still letting them get to it? <scratching head> well, i'll find out with the formmail stuff as it's almost identical in many cases...

FWIW: the system is running Apache/2 on IBM's OS/2 operating system... i don't think that it has very many differences in operation from a *nix version but anything's possible :)

(aside: whoa! that was weird... i was writing this reply and when i submitted it, it came back and told me the thread was closed, hahahaha... glad i copied all the above to the clipboard for pasting here... i had a very good idea that the thread had been moved... just wasn't sure from the start where to post it but i knew that regex stuff had been covered over there in the perl/php forum)
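Added example (not part of the thread, and not wkitty42's or jdmorgan's code): a small Python emulation of how mod_rewrite evaluates the ruleset just posted, so the two points made above can be checked without a live Apache. It covers jdmorgan's anchoring advice (the original `(.*)/cmd\.exe`, the reduced `/cmd\.exe` and the end-anchored `/cmd\.exe$` compared side by side) and the [OR] chaining plus [L] ordering of the final three rulesets. Assumptions: the sample request targets are constructed here, not taken from any log; `%{REQUEST_URI}` is modelled as the path without the query string, which is how Apache populates it; and Python's `re` stands in for Apache's PCRE, which is equivalent for patterns this simple.

```python
import re

# Constructed sample request targets (path plus optional query string).
# None of these are real log entries; they mimic the probe shapes discussed.
SAMPLE_TARGETS = [
    "/scripts/..%5c../winnt/system32/cmd.exe?/c+dir",
    "/MSADC/root.exe?/c+dir",
    "/scripts/Admin.dll",
    "/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858",
    "/NULL.printer",
    "/cgi-bin/FormMail.pl",
    "/cgi-bin/mailto.exe",
    "/index.html",
    "/docs/cmd.exe.txt",
]

# wkitty42's final rulesets as data: (label, internal target, conditions).
# Each condition is (pattern, NC flag, OR flag). Rulesets are tried in
# order and the first hit wins, which is what [L] does in the .htaccess.
RULESETS = [
    ("NIMDA", "/cgi-bin/nonimda.cgi", [
        (r"/(cmd|root|shell)\.exe$", True, True),
        (r"/(admin|httpodbc)\.dll$", True, False),
    ]),
    ("CODERED", "/cgi-bin/nocode-r.cgi", [
        (r"/default\.(ida|idq)$", True, True),
        (r"/.*\.printer$", True, False),
    ]),
    ("FORMMAIL", "/cgi-bin/nofrmml.cgi", [
        (r"/formmail\.(pl|cgi)$", True, True),
        (r"/mailto\.(exe|cgi)$", True, False),
    ]),
]


def request_uri(target: str) -> str:
    """%{REQUEST_URI} is the path only; Apache keeps the query string in
    %{QUERY_STRING}. That is why an end-anchored /default.ida pattern still
    fires on the Code Red probe even though it carries a long ?NNNN query."""
    return target.split("?", 1)[0]


def cond_matches(pattern: str, nc: bool, uri: str) -> bool:
    """A RewriteCond pattern is an unanchored search, so a leading '.*' adds
    nothing; [NC] maps to a case-insensitive match."""
    return re.search(pattern, uri, re.IGNORECASE if nc else 0) is not None


def conds_satisfied(conds, uri: str) -> bool:
    """Emulate mod_rewrite chaining: consecutive [OR] conditions form a group
    that passes if any member matches; the first condition without [OR]
    closes the group, and every group must pass (groups are ANDed)."""
    group_ok = False
    for pattern, nc, or_next in conds:
        if cond_matches(pattern, nc, uri):
            group_ok = True
        if not or_next:
            if not group_ok:
                return False
            group_ok = False
    if conds and conds[-1][2]:  # dangling [OR]: the open group must have passed
        return group_ok
    return True  # no conditions at all: a bare RewriteRule always applies


def dispatch(target: str):
    """Return (label, internal target) of the first ruleset whose conditions
    pass, or None when the request falls through to normal handling."""
    uri = request_uri(target)
    for label, dest, conds in RULESETS:
        if conds_satisfied(conds, uri):
            return label, dest
    return None


def anchoring_difference(uri: str):
    """What the end anchor buys: the original '(.*)/cmd\\.exe' and the reduced
    '/cmd\\.exe' match the same set, while '/cmd\\.exe$' refuses URIs where
    cmd.exe is not the final path component."""
    return (
        cond_matches(r"(.*)/cmd\.exe", True, uri),
        cond_matches(r"/cmd\.exe", True, uri),
        cond_matches(r"/cmd\.exe$", True, uri),
    )


if __name__ == "__main__":
    for t in SAMPLE_TARGETS:
        print(f"{t:58} -> {dispatch(t)}")
    print("anchoring on /docs/cmd.exe.txt:", anchoring_difference("/docs/cmd.exe.txt"))
    print("anchoring on /scripts/cmd.exe: ", anchoring_difference("/scripts/cmd.exe"))
```

Running it shows each probe landing on the ruleset it was written for, /index.html falling through, and /docs/cmd.exe.txt matched only by the unanchored forms, which is the behaviour the end anchor is meant to rule out.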

5:42 am on May 20, 2003 (gmt 0)

WebmasterWorld Senior Member jdmorgan is a WebmasterWorld Top Contributor of All Time 10+ Year Member



wkitty42,

Well it looks good to me... It's really nice when someone studies-up on this stuff before posting like you did. It makes answering the questions a lot easier!

Let us know how it turns out,
Jim

5:48 am on May 20, 2003 (gmt 0)

10+ Year Member



will do, jdMorgan... i've been running my own server since '97 and have spent a lot of time with it... there's a huge amount of information available on the 'net about a lot of this stuff... i believe that i probably got some of it from this site over the years... what triggered me with this thread was some stuff about bot banning... i've ~170 or so bots listed in my list and i've gathered them from all over the web as well as from my log files...

i do try to get on top of things and help others as much as i can... hopefully i can make a difference in someone else's life... hopefully that difference will be one of making something easier or understandable... been at this stuff for 20+ years... i ought to be halfway decent at something <<<GGG>>>
