httpd-users mailing list archives

From John <nave...@yahoo.com.sg>
Subject Re: [users@httpd] Sanity A worm and apache
Date Tue, 25 Jan 2005 17:38:12 GMT
I believe these bugs do not affect Windows, right?

>I run a few instances of phpBB under Apache 1.x, running as the default
>Apache install under OS X client 10.3.7
>
>Several of my forums are getting hit with this type of thing:
>forums.example.com 216.237.49.226 - - [24/Jan/2005:20:22:53 -0800] "GET
>/viewtopic.php?t=6852&highlight=%2527%252Esystem(chr(112)%252Echr(101)%252Ec
>hr(114)%252Echr(108)%252Echr(32)%252Echr(45)%252Echr(101)%252Echr(32)%252Ech
>r(34)%252Echr(112)%252Echr(114)%252Echr(105)%252Echr(110)%252Echr(116)%252Ec
>hr(32)%252Echr(113)%252Echr(40)%252Echr(106)%252Echr(83)%252Echr(86)%252Echr
>(111)%252Echr(119)%252Echr(77)%252Echr(115)%252Echr(100)%252Echr(41)%252Echr
>(34))%252E%2527 HTTP/1.0" 302 716 "-" "Mozilla/4.0"
>
>Someone on the phpBB forums came up with this for a .htaccess file:
>RewriteEngine On 
>
># prevent access from sanity webworm a-e
>RewriteCond %{QUERY_STRING} ^(.*)highlight=\%2527 [OR]
>RewriteCond %{QUERY_STRING} ^(.*)rush=\%65\%63\%68 [OR]
>RewriteCond %{QUERY_STRING} ^(.*)rush=echo [OR]
>RewriteCond %{QUERY_STRING} ^(.*)wget\%20
>RewriteRule ^.*$ http://127.0.0.1/ [R,L]
>
># prevent pre php 4.3.10 bug
>RewriteCond %{HTTP_COOKIE}% s:(.*):\%22test1\%22\%3b
>RewriteRule ^.*$ http://127.0.0.1/ [R,L]
>
># prevent perl user agent (most often used by santy)
>RewriteCond %{HTTP_USER_AGENT} ^lwp.* [NC]
>RewriteRule ^.*$ http://127.0.0.1/ [R,L]
>
>
>This is working, I no longer see 1000+ guest users on the forums, but I can
>not wonder if there is a better way. I think SetEnvIfNoCase is the better
>way, and I think I want it in the httpd.conf file so I need not worry about
>applying this new rule to all the sites, it can act on a global basis.
>
>The problem I have with the above is it still logs all those requests to my
>access_log, which is making a mess of things and the logs are growing much
>too fast, not to mention it is blowing out my stats on the logs as well and
>artificially inflating requests to one file.
>
>
>Is it possible to convert the above to SetEnvIfNoCase, and send those
>matches to a new log file so they do not muddy the main combined log I have
>in place.  Is it then possible to deny based on that new rule and send those
>deny logs to some other file as well?
>
>I am starting to think this can be done somewhat like this:
><directory />
>    order allow,deny
>    allow from all
>    deny from env=sanityworm
></directory>
>
>Then, I need my regex matching:
>SetEnvIfNoCase ??????? "regex here" sanityworm
>
>What I can not find out, what are all the options of the second part of
>SetEnvIfNoCase, is QUERY_STRING part of those option, as well as the others
>listed above?  I just don't know how to convert the rewrite rules above to
>fit into this new scenario, assuming it is the correct way to accomplish
>this. 
>
>Then there is the logging side of this, which I have no idea how to make
>happen.  Thanks for any and all help in this.
>
>
>  
>



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
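
An added example, not part of the original thread and not Apache or phpBB code: an offline triage of access-log lines that applies the same conditions as the quoted .htaccess rules after undoing the double URL-encoding, decodes the chr() chain, and splits matches away from the main log as the quoted post wants. The function names and the second (benign) log line are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample log: the request quoted in the post (rejoined onto one
# line) and one ordinary forum request made up for comparison.
WORM = ('forums.example.com 216.237.49.226 - - [24/Jan/2005:20:22:53 -0800] '
        '"GET /viewtopic.php?t=6852&highlight=%2527%252Esystem(chr(112)%252E'
        'chr(101)%252Echr(114)%252Echr(108)%252Echr(32)%252Echr(45)%252E'
        'chr(101)%252Echr(32)%252Echr(34)%252Echr(112)%252Echr(114)%252E'
        'chr(105)%252Echr(110)%252Echr(116)%252Echr(32)%252Echr(113)%252E'
        'chr(40)%252Echr(106)%252Echr(83)%252Echr(86)%252Echr(111)%252E'
        'chr(119)%252Echr(77)%252Echr(115)%252Echr(100)%252Echr(41)%252E'
        'chr(34))%252E%2527 HTTP/1.0" 302 716 "-" "Mozilla/4.0"')
CLEAN = ('forums.example.com 192.0.2.10 - - [24/Jan/2005:20:23:01 -0800] "GET '
         '/viewtopic.php?t=6852&highlight=apache HTTP/1.0" 200 5120 "-" "Mozilla/4.0"')

LINE_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) [^"]*" \d{3} \S+ "[^"]*" "([^"]*)"')
# Same conditions as the quoted RewriteCond lines, written against decoded text.
QUERY_RULES = [re.compile(p, re.I) for p in (r"highlight='", r"rush=ech", r"wget ")]

def full_decode(s, max_rounds=5):
    """Percent-decode until the string stops changing (%2527 -> %27 -> ')."""
    for _ in range(max_rounds):
        d = unquote(s)
        if d == s:
            break
        s = d
    return s

def chr_chain(s):
    """Turn chr(112).chr(101)... into the text it spells out."""
    return "".join(chr(int(n)) for n in re.findall(r"chr\((\d+)\)", s))

def triage(line):
    """Return (flagged, decoded_chr_payload) for one access-log line."""
    m = LINE_RE.search(line)
    if not m:
        return False, ""
    url, agent = m.groups()
    query = full_decode(url.partition("?")[2])
    hit = any(r.search(query) for r in QUERY_RULES) or agent.lower().startswith("lwp")
    return hit, chr_chain(query) if hit else ""

def split_log(lines):
    """Route lines into (main_log, worm_log) so stats see only the first list."""
    main, worm = [], []
    for ln in lines:
        (worm if triage(ln)[0] else main).append(ln)
    return main, worm
```

Matching on the fully decoded query string means a further layer of percent-encoding does not slip past the `highlight=` check.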

