httpd-users mailing list archives

From Daniel Wilson <dwil...@bayes1.com>
Subject Re: [users@httpd] blocking one address
Date Fri, 29 Aug 2003 13:58:57 GMT
Hello

When you say, "isn't a windoze web server", do you mean that I should not 
use this patch if I am using a, quote, windoze web server?  (Currently I 
have Win XP running Apache2 (2.0.47).)

Thanks
Dan

At 08:10 PM 8/28/2003 -0500, you wrote:
>At 07:40 PM 8/28/2003, you wrote:
>>How can I block requests from a certain ip in Apache?  There is some 
>>virus (I think) bombarding me with requests for many different things.
>>Some examples (cut times to avoid wrapping, but this group was all within 
>>about 2 secs):
>>
>>68.52.102.47 "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
>>68.52.102.47 "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
>>68.52.102.47 "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
>>68.52.102.47 "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
>>68.52.102.47 "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 226
>>68.52.102.47 "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 226
>>68.52.102.47 "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
>>68.52.102.47 "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
>>
>>
>>Luckily I'm not running NT.  I suppose a better idea would be to block 
>>this address from iptables.  Any hints on how to do either of these things?
>>
>>Another question:  I get the /default.ida (Code Red II virus) requests a 
>>lot, but from far too many different IPs to make blocking the addresses 
>>a solution.  I was returning my 404 page at about 250 bytes each time, so 
>>I just made a 0 length default.ida; now 0 bytes get returned.  However, I 
>>can't do that in this case. Any way to tell Apache to return 0 bytes when 
>>something looks for, say, the /scripts dir (which I don't have/need)?
>>
>>TIA
>>Michael
>
>Mike.
>
>You're seeing Code Red and/or Nimda (from ages ago) hits from machines 
>that are *still* infected.
>
>To deal with these things, I have the following in my httpd.conf:
>
># Redirect Code Red, NIMDA and other inappropriate access attempts to invalid URL
>Redirect /_mem_bin http://www.request.invalid
>Redirect /_vti_bin http://www.request.invalid
>Redirect /c http://www.request.invalid
>Redirect /d http://www.request.invalid
>Redirect /msadc http://www.request.invalid
>Redirect /MSADC http://www.request.invalid
>Redirect /scripts http://www.request.invalid
>Redirect /sumthin http://www.request.invalid
>RedirectMatch ^.*\.(dll|ida)*$ http://127.0.0.1/$1
>RedirectMatch (.*)cmd\.exe$ http://127.0.0.1/$1
>
>Put those in your httpd.conf file (assuming you have access to your box 
>and assuming the machine isn't a windoze web server) and then restart apache.
>
>HTH.
>-mike
>
>---------------------------------------------------------------------
>The official User-To-User support forum of the Apache HTTP Server Project.
>See <URL:http://httpd.apache.org/userslist.html> for more info.
>To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>   "   from the digest: users-digest-unsubscribe@httpd.apache.org
>For additional commands, e-mail: users-help@httpd.apache.org

Daniel Wilson
Bayesian Edge Technology & Solutions
17260 Gum Landing Road
St. Inigoes Maryland  20684
(301)-872-0230 Phone
(301)-872-0233 Fax
www.bayesianedge.com  
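
Added example (not part of the original thread): a Python sketch that scans log lines in the trimmed format quoted above, decodes each request path once, and counts per source address the requests showing the traits visible in those lines (0xC0/0xC1 overlong-UTF-8 lead bytes, a percent-escape that survives one decode, or a path taken from the Redirect list). The sample lines, the 192.0.2.x and 198.51.100.x addresses and the function names are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote_to_bytes

# Constructed sample in the trimmed format quoted in the thread
# (address, request line, status, size); addresses are documentation ranges.
SAMPLE_LOG = '''\
192.0.2.10 "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
192.0.2.10 "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
192.0.2.10 "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 226
198.51.100.7 "GET /default.ida?XXXX HTTP/1.0" 404 -
198.51.100.8 "GET /index.html HTTP/1.0" 200 1024
198.51.100.8 "GET /docs/100%25.html HTTP/1.0" 200 512
'''

LINE_RE = re.compile(r'^(\S+) "(\S+) (\S+)[^"]*" (\d{3}) (\S+)$')
STILL_ENCODED = re.compile(rb'%[0-9a-fA-F]{2}')
# Subset of the paths and suffixes named in the Redirect rules quoted above.
WORM_PATH = re.compile(
    rb'^/(scripts|msadc|_vti_bin|_mem_bin)(/|$)|cmd\.exe$|\.(ida|dll)$', re.I)

def classify(target):
    """Return the set of reasons a request target looks like a worm probe."""
    raw_path = target.split('?', 1)[0]
    path = unquote_to_bytes(raw_path)       # exactly one decoding pass
    reasons = set()
    if b'\xc0' in path or b'\xc1' in path:  # bytes that never occur in valid UTF-8
        reasons.add('overlong-utf8')
    if STILL_ENCODED.search(path):          # an escape hidden inside an escape
        reasons.add('double-encoded')
    if WORM_PATH.search(path):
        reasons.add('worm-path')
    return reasons

def probes_by_ip(log_text):
    """Count flagged requests per source address."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and classify(m.group(3)):
            hits[m.group(1)] += 1
    return hits

if __name__ == '__main__':
    for ip, count in probes_by_ip(SAMPLE_LOG).most_common():
        print(ip, count)
```

An address with a single hit on a path such as /default.ida is typical of the many-source traffic described in the thread, where per-address blocking does not scale; a burst of hits from one address is the case the original question asks about.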