httpd-users mailing list archives

From Mike <mike.li...@levrah.net>
Subject Re: [users@httpd] blocking one address
Date Fri, 29 Aug 2003 01:10:51 GMT
At 07:40 PM 8/28/2003, you wrote:
>How can I block requests from a certain ip in Apache?  There is some virus 
>(I think) bombarding me with requests for many different things.
>Some examples (cut times to avoid wrapping, but this group was all within 
>about 2 secs):
>
>68.52.102.47 "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir 
>HTTP/1.0" 404 -
>68.52.102.47 "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir 
>HTTP/1.0" 404 -
>68.52.102.47 "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir 
>HTTP/1.0" 404 -
>68.52.102.47 "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir 
>HTTP/1.0" 404 -
>68.52.102.47 "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir 
>HTTP/1.0" 400 226
>68.52.102.47 "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir 
>HTTP/1.0" 400 226
>68.52.102.47 "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir 
>HTTP/1.0" 404 -
>68.52.102.47 "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir 
>HTTP/1.0" 404 -
>
>
>Luckily I'm not running NT.  I suppose a better idea would be to block 
>this address from iptables.  Any hints on how to do either of these things?
>
>Another question:  I get the /default.ida (Code Red II virus) requests a 
>lot but from far too many different ips to make blocking the addresses a 
>solution.  I was returning my 404 page at about 250 bytes each time so I 
>just made a 0 length default.ida, now 0 bytes get returned.  However I 
>can't do that in this case, any way to tell apache to return 0 bytes when 
>something looks for, say, the /scripts dir (which I don't have/need).
>
>TIA
>Michael

Mike.

You're seeing Code Red and/or Nimda (from ages ago) hits from machines that 
are *still* infected.

To deal with these things, I have the following in my httpd.conf:

# Redirect Code Red, NIMDA and other inappropriate access attempts to
# invalid URL
Redirect /_mem_bin http://www.request.invalid
Redirect /_vti_bin http://www.request.invalid
Redirect /c http://www.request.invalid
Redirect /d http://www.request.invalid
Redirect /msadc http://www.request.invalid
Redirect /MSADC http://www.request.invalid
Redirect /scripts http://www.request.invalid
Redirect /sumthin http://www.request.invalid
# Any path ending in .dll or .ida
RedirectMatch ^.*\.(dll|ida)$ http://127.0.0.1/$1
# Any path ending in cmd.exe (the dot is escaped so it matches literally)
RedirectMatch (.*)cmd\.exe$ http://127.0.0.1/$1

Put those in your httpd.conf file (assuming you have access to your box and 
assuming the machine isn't a windoze web server) and then restart apache.

HTH.
-mike 


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
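
The probes in the quoted log are the same request in different encodings, so literal string matching misses variants. As an added example (not part of the original message), this Python sketch decodes each target and counts flagged requests per client address; the function names, the trimmed log format and the 192.0.2.10 / 198.51.100.7 sample lines are assumptions made for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote_to_bytes

# Trimmed format of the quoted log: ip "METHOD target PROTO" status bytes
LINE = re.compile(r'^(\S+) "\S+ (\S+) [^"]*" \d{3} \S+$')
TRAVERSAL = re.compile(rb"(?:^|/)\.\.(?:/|$)")
# 0xC0 and 0xC1 only occur in overlong (invalid) 2-byte UTF-8 forms of ASCII
OVERLONG = re.compile(rb"[\xc0\xc1].", re.S)

def _lenient(m):
    lead, cont = m.group(0)              # model a lax decoder: payload bits only
    return bytes([((lead & 0x1F) << 6) | (cont & 0x3F)])

def normalize(target, rounds=3):
    """Reduce a request target to the path a lax server might resolve."""
    path = target.split("?", 1)[0].encode("latin-1", "replace")
    for _ in range(rounds):              # undo %25-style double encoding
        path = unquote_to_bytes(path)
    path = OVERLONG.sub(_lenient, path)  # %c0%af -> "/", %c1%9c -> "\"
    return path.replace(b"\\", b"/").lower()

def classify(target):
    """Return probe tags for one request target (empty list if clean)."""
    path, tags = normalize(target), []
    if TRAVERSAL.search(path):
        tags.append("traversal")
        if not TRAVERSAL.search(target.encode("latin-1", "replace")):
            tags.append("obfuscated")    # only visible after decoding
    for name in ("cmd.exe", "default.ida"):
        if path.endswith(b"/" + name.encode()):
            tags.append(name)
    return tags

def probes_by_ip(lines):
    hits = Counter()                     # flagged requests per client address
    for line in lines:
        m = LINE.match(line.strip())
        if m and classify(m.group(2)):
            hits[m.group(1)] += 1
    return hits

SAMPLE = [  # 68.52.102.47 lines are from the quoted log; the rest are constructed
    '68.52.102.47 "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -',
    '68.52.102.47 "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 226',
    '198.51.100.7 "GET /default.ida?NNNN HTTP/1.0" 404 -',
    '192.0.2.10 "GET /docs/v1..2/notes.html HTTP/1.0" 200 1043',
]
print(probes_by_ip(SAMPLE))
```

Addresses with high counts are candidates for a per-address block; probes that arrive from many addresses, like the default.ida requests, are better handled by path rules such as the Redirect lines above.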

