httpd-users mailing list archives

From Mike <mike.li...@levrah.net>
Subject Re: [users@httpd] blocking one address
Date Fri, 29 Aug 2003 01:52:01 GMT
At 08:41 PM 8/28/2003, you wrote:
>At 08:10 PM 8.28.2003 -0500, Mike wrote:
> >At 07:40 PM 8/28/2003, you wrote:
> >>How can I block requests from a certain ip in Apache?  There is some virus
> >>(I think) bombarding me with requests for many different things.
> >>Some examples (cut times to avoid wrapping, but this group was all within
> >>about 2 secs):
> >>
> >>68.52.102.47 "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir
> >>HTTP/1.0" 404 -
> >>68.52.102.47 "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir
> >>HTTP/1.0" 404 -
> >>68.52.102.47 "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir
> >>HTTP/1.0" 404 -
> >>68.52.102.47 "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir
> >>HTTP/1.0" 404 -
> >>68.52.102.47 "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir
> >>HTTP/1.0" 400 226
> >>68.52.102.47 "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir
> >>HTTP/1.0" 400 226
> >>68.52.102.47 "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir
> >>HTTP/1.0" 404 -
> >>68.52.102.47 "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir
> >>HTTP/1.0" 404 -
> >>
> >>
> >>Luckily I'm not running NT.  I suppose a better idea would be to block
> >>this address from iptables.  Any hints on how to do either of these things?
> >>
> >>Another question:  I get the /default.ida (Code Red II virus) requests a
> >>lot but from far too many different ips to make blocking the addresses a
> >>solution.  I was returning my 404 page at about 250 bytes each time so I
> >>just made a 0 length default.ida, now 0 bytes get returned.  However I
> >>can't do that in this case, any way to tell Apache to return 0 bytes when
> >>something looks for, say, the /scripts dir (which I don't have/need).
> >>
> >>TIA
> >>Michael
> >
> >Mike.
> >
> >You're seeing Code Red and/or Nimda (from ages ago) hits from machines that
> >are *still* infected.
> >
> >To deal with these things, I have the following in my httpd.conf:
> >
> ># Redirect Code Red, NIMDA and other inappropriate access attempts to
> >invalid URL
> >Redirect /_mem_bin http://www.request.invalid
> >Redirect /_vti_bin http://www.request.invalid
> >Redirect /c http://www.request.invalid
> >Redirect /d http://www.request.invalid
> >Redirect /msadc http://www.request.invalid
> >Redirect /MSADC http://www.request.invalid
> >Redirect /scripts http://www.request.invalid
> >Redirect /sumthin http://www.request.invalid
> ># RedirectMatch takes a regex: anchor the extension and escape the dot
> >RedirectMatch ^.*\.(dll|ida)$ http://127.0.0.1/$1
> >RedirectMatch (.*)cmd\.exe$ http://127.0.0.1/$1
> >
> >Put those in your httpd.conf file (assuming you have access to your box and
> >assuming the machine isn't a windoze web server) and then restart apache.
> >
> >HTH.
> >-mike
> >
>
>Very interesting tip! Exactly where do you place those redirects in the
>httpd.conf, especially if there are vhosts in the httpd.conf...? Or, are
>they global...?
>
>I like the looks of this....
>
>Best regards,
>Jack L. Stone,
>Administrator

Jack.

I have vhosts defined in mine too. Those redirects are above the vhost 
definitions.

HTH
-mike 
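A triage script for the kind of log lines Michael quoted, added here as an example; it is not code posted by anyone in the thread. It decodes the request paths the way the targeted IIS servers would have (overlong UTF-8 such as %c0%af and %c1%1c, and double-encoding such as %252f and %%35%63), labels each request, counts probes per client, and emits the `Deny from` and iptables lines you would use to block that client. The log format, the 198.51.100.23 and 192.0.2.7 addresses and the default.ida line are constructed for the example; only the 68.52.102.47 lines mirror the thread.

```python
"""Triage IIS-worm probes in Apache access-log lines and list clients to block.

Added example for this thread, not code posted by any participant. Log lines
follow the cut-down format quoted above: client "request" status bytes.
"""
import re
from collections import Counter
from urllib.parse import unquote_to_bytes

# Constructed sample: the cmd.exe lines mirror those quoted in the thread, the
# default.ida line stands in for the Code Red II hits Michael mentions, and the
# 192.0.2.7 lines are ordinary traffic that must not be flagged.
SAMPLE_LOG = """\
68.52.102.47 "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
68.52.102.47 "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
68.52.102.47 "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
68.52.102.47 "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 226
68.52.102.47 "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
198.51.100.23 "GET /default.ida?NNNNNNNNNNNNNNNN%u9090%u6858 HTTP/1.0" 404 250
192.0.2.7 "GET /index.html HTTP/1.1" 200 1432
192.0.2.7 "GET /docs/setup.html HTTP/1.1" 200 8812
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) "(?P<method>\S+) (?P<target>\S+)(?: \S+)?" '
                    r'(?P<status>\d{3}) (?P<bytes>\S+)$')

# First path component of each directory Mike sinks with Redirect above.
WORM_DIRS = {'_mem_bin', '_vti_bin', 'msadc', 'scripts', 'sumthin', 'c', 'd'}


def _collapse_overlong(raw: bytes) -> bytes:
    """Fold 0xC0/0xC1-led two-byte sequences into one 7-bit byte.

    Valid UTF-8 never uses these lead bytes; the probes rely on a decoder that
    accepts them without checking the continuation bit, so %c0%af -> '/'
    and %c1%1c, %c1%9c -> '\\'.
    """
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i] in (0xC0, 0xC1) and i + 1 < len(raw):
            out.append(((raw[i] & 0x1F) << 6) | (raw[i + 1] & 0x3F))
            i += 2
        else:
            out.append(raw[i])
            i += 1
    return bytes(out)


def lenient_decode(target: str) -> str:
    """Percent-decode once, fold overlong UTF-8, decode again if the first
    pass exposed fresh %XX (%252f, %%35%63, %25%35%63). '\\' becomes '/'."""
    raw = _collapse_overlong(unquote_to_bytes(target))
    if re.search(rb'%[0-9A-Fa-f]{2}', raw):
        raw = _collapse_overlong(unquote_to_bytes(raw))
    return raw.decode('latin-1').replace('\\', '/').lower()


def classify(target: str):
    """Return a probe label for a request target, or None if it looks benign."""
    path = lenient_decode(target.split('?', 1)[0])
    if '/../' in path and path.endswith('cmd.exe'):
        return 'traversal'
    if re.search(r'\.(dll|ida)$', path):
        return 'ida-dll'
    first = path.split('/')[1] if '/' in path else ''
    return 'worm-dir' if first in WORM_DIRS else None


def summarize(log_text: str) -> dict:
    """Map each offending client address to a Counter of probe labels."""
    hits = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and (label := classify(m['target'])):
            hits.setdefault(m['ip'], Counter())[label] += 1
    return hits


def block_rules(hits: dict) -> list:
    """One mod_access Deny line and one iptables drop per offending client."""
    rules = []
    for ip in sorted(hits):
        rules.append(f'Deny from {ip}')
        rules.append(f'iptables -A INPUT -s {ip} -p tcp --dport 80 -j DROP')
    return rules


if __name__ == '__main__':
    for line in SAMPLE_LOG.splitlines():
        m = LOG_RE.match(line)
        print(f"{m['ip']:15} {classify(m['target']) or '-':10} "
              f"{lenient_decode(m['target'].split('?', 1)[0])}")
    print('\n'.join(block_rules(summarize(SAMPLE_LOG))))
```

The `Deny from` lines are mod_access syntax for the Apache 1.3/2.0 series discussed in this thread (inside a `<Directory>` or `<Location>` block with `Order allow,deny`); on Apache 2.4 the equivalent is `Require not ip`. Note that the decoding tricks only matter to the IIS boxes these worms target; Apache already answers 404 or 400, as the quoted log shows, so the point of the script is to identify the infected clients, not to protect Apache from the request itself.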


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org