httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Michael Streeter <mstreet...@gmail.com>
Subject Re: [users@httpd] RewriteCond help
Date Fri, 16 May 2014 15:57:03 GMT
On 5/12/2014 8:51 AM, Cabell, Jeff wrote:
>
> We’ve noticed attempted injection attacks on one of our servers and 
> even though the virus scanners are halting the execution of the 
> malicious code, there is still a level of penetration that we are 
> trying to stop.
>
> Can anyone give me an idea why this url is not triggering the Rewrite 
> rule below?
>
> The intent is to redirect any url containing references to cmd.exe, 
> ftp.exe <ftp://ftp.exe>, any .bat file, or anything with a SQL Query 
> embedded back to just pull up the site’s homepage.
>
> (Note : it is not the actual attack URL, but one that was modified to 
> generate a harmless file, but still mimic the attack method)
>
> https://*[IP* 
> <https://[IP>*redacted]*/appname/disabilityInfo.action?redirect:$%7b(new+java.lang.ProcessBuilder(new+java.lang.String%5b%5d%7b%27cmd.exe%27%2C%20%27%2Fd%20%2Fc%20md%20rewritetest%26cd%20rewritetest%26del%20*.*%20%2Ff%20%2Fs%20%2Fq%26echo%20bartsimpson.eat.my.shorts%20%3Ej%26echo%20homer%20%3E%3Ej%26echo%20mmmdoughnuts%20%3E%3Ej%26echo%20mget%20*.exe%20%3E%3Ej%26echo%20bye%20%3E%3Ej%26echo%20for%20%25%25i%20in%20(*.exe)%20do%20start%20%25%25i%20%3ED.bat%26echo%20for%20%25%25i%20in%20(*.exe)%20do%20%25%25i%20%3E%3ED.bat%26echo%20del%20%2Ff%20%2Fq%20%250%25%20%3E%3ED.bat%26D.bat%27%7D)).start()%7D
>
> RewriteCond %{QUERY_STRING} 
> .*(java\.lang|FTP\.exe|cmd\.exe|\.bat|\.exe|insert|delete|set|declare|drop|update).*

> [NC]
>
> RewriteRule ^(.*)$ https://*[IP* <https://[IP>*redacted]*/ [F,L]
>
> Any help would be greatly appreciated.
>
> *Jeff Cabell*
>
> *Applications Administrator*
>
As far as I can tell, your RewriteCond is triggering the RewriteRule as 
intended. But you mention that you'd like to redirect to the home page. 
If so, try something like this for the RewriteRule line:

RewriteRule ^(.*)$ https://*[IP* <https://[IP>*redacted]*/? [R,L]

The F flag was changed to an R to make it redirect rather than fail with 
a 403 error. A ? was added after the rewrite URL to get rid of the query 
string.

Hope that helps.

References:
http://rewritetester.com/ Tested your rules here (Full disclosure: This 
is my site)
http://stackoverflow.com/questions/3457022/mod-rewrite-remove-query-string-from-url
http://httpd.apache.org/docs/2.4/rewrite/flags.html#flag_f

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message