On Tue, 10 Aug 2004 23:22:47 -0500
Tom Marble <tmarble at info9.net> wrote:

<snip>

> RedirectMatch permanent ^/\x90 http://www.microsoft.com/

Does this one actually work?  I just got another one of these buggers in my logs.

With a tip from a TCPHP member I changed things to a more elegant:

SetEnvIf Request_URI "/system32" exploit=1
SetEnvIf Request_URI "(.*)\.dll(.*)" exploit=1
SetEnvIf Request_URI "/cmd\.exe" exploit=1
SetEnvIf Request_URI "/root\.exe" exploit=1
SetEnvIf Request_URI "/shell\.exe" exploit=1
SetEnvIf Request_URI "/default\.ida" exploit=1
SetEnvIf Request_URI "/c/winnt" exploit=1
SetEnvIf Request_URI "/d/winnt" exploit=1
SetEnvIf Request_URI "/msadc" exploit=1
SetEnvIf Request_URI "/MSADC" exploit=1
SetEnvIf Request_URI "/_vti_bin" exploit=1
SetEnvIf Request_URI "/_mem_bin" exploit=1
SetEnvIf Request_URI "/scripts" exploit=1
SetEnvIf Request_URI "^/\x90" exploit=1

CustomLog /var/log/apache/access_log combined env=!exploit
CustomLog /var/log/apache/ms_attack_log combined env=exploit

RewriteCond %{ENV:exploit} 1
RewriteRule .* http://support.microsoft.com/ [R=permanent]

Seems to catch everything except that huge \x90 thing, here's an excerpt:

24.203.61.31 - - [11/Aug/2004:13:48:04 -0500] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1.....

Is it because it comes in on SEARCH?  Or should the match be: "^/\\x90"

I also tried this from a google search:

SetEnvIfNoCase Request_URI "\/\x90\x02" exploit=1

But that doesn't seem to catch it either.

And yeah, I'll probably change that to something other than support.microsoft.com once I'm done testing.  :)

Josh
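The SetEnvIf rule set from the message above, replayed over a few constructed combined-format log lines, as an added example; this is Python written for this page, not code from Josh's post or from Apache. It assumes what the Apache docs state: SetEnvIf tests its regex against the raw request URI as received, and the access log writes non-printable bytes as `\xHH` escapes (which is why the excerpt shows `\x90` as text). The IPs (192.0.2.0/24), the log lines and the helper names (`unescape_logitem`, `is_exploit_uri`, `split_log`, `nop_prefix_matches`) are all constructed for the example.

```python
import re

# The patterns from the posted SetEnvIf lines, compiled as *bytes* regexes so that
# \x90 means the single byte 0x90, the way PCRE reads it inside Apache.
EXPLOIT_PATTERNS = [re.compile(p) for p in (
    rb"/system32", rb"(.*)\.dll(.*)", rb"/cmd\.exe", rb"/root\.exe",
    rb"/shell\.exe", rb"/default\.ida", rb"/c/winnt", rb"/d/winnt",
    rb"/msadc", rb"/MSADC", rb"/_vti_bin", rb"/_mem_bin", rb"/scripts",
    rb"^/\x90",
)]

# Combined log format: host ident user [time] "request" status size "referer" "agent".
# The request field may contain \" escapes, so it is read as (non-quote | backslash+any)*.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Apache's log escaping: \xHH for non-printable bytes plus the C-style escapes below.
_ESC_RE = re.compile(r'\\(x[0-9a-fA-F]{2}|[\\"nrtbfv])')
_SIMPLE = {'\\': b'\\', '"': b'"', 'n': b'\n', 'r': b'\r',
           't': b'\t', 'b': b'\b', 'f': b'\f', 'v': b'\v'}

# Constructed sample lines (documentation IP range); the SEARCH line mimics the
# shape of the excerpt in the post, the others hit rules further down the list.
SAMPLE_LOG = [
    r'192.0.2.10 - - [11/Aug/2004:13:48:04 -0500] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1 HTTP/1.1" 400 0 "-" "-"',
    r'192.0.2.11 - - [11/Aug/2004:13:49:12 -0500] "GET /scripts/root.exe HTTP/1.0" 404 276 "-" "-"',
    r'192.0.2.12 - - [11/Aug/2004:13:50:30 -0500] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    r'192.0.2.13 - - [11/Aug/2004:13:51:01 -0500] "GET /default.ida?NNNN HTTP/1.0" 404 276 "-" "-"',
]


def unescape_logitem(field: str) -> bytes:
    # Turn a logged field back into the raw bytes Apache saw on the wire.
    out = bytearray()
    pos = 0
    for m in _ESC_RE.finditer(field):
        out += field[pos:m.start()].encode('latin-1')
        esc = m.group(1)
        if esc[0] == 'x':
            out.append(int(esc[1:], 16))      # \xHH -> one raw byte
        else:
            out += _SIMPLE[esc]               # \\ \" \n ... -> the literal character
        pos = m.end()
    out += field[pos:].encode('latin-1')
    return bytes(out)


def is_exploit_uri(raw_uri: bytes) -> bool:
    # Mirror of the SetEnvIf rules: any pattern found anywhere in the URI sets exploit=1.
    return any(p.search(raw_uri) for p in EXPLOIT_PATTERNS)


def split_log(lines):
    # Return (clean, attack) lists, like the env=!exploit and env=exploit CustomLogs.
    clean, attack = [], []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                                  # not a parseable combined-format line
        parts = m.group('request').split(' ', 2)      # METHOD URI PROTOCOL
        raw_uri = unescape_logitem(parts[1]) if len(parts) > 1 else b''
        (attack if is_exploit_uri(raw_uri) else clean).append(line)
    return clean, attack


def nop_prefix_matches(logged_field: str):
    # The two forms from the question in the post: ^/\x90 is tested against the raw
    # bytes (what SetEnvIf sees); ^/\\x90 is what matches the escaped text in the log file.
    raw_hit = re.search(rb'^/\x90', unescape_logitem(logged_field)) is not None
    logged_hit = re.search(r'^/\\x90', logged_field) is not None
    return raw_hit, logged_hit


if __name__ == '__main__':
    clean, attack = split_log(SAMPLE_LOG)
    print(f"access_log: {len(clean)} line(s), ms_attack_log: {len(attack)} line(s)")
    for line in attack:
        print("  attack:", line.split(' ', 1)[0], line.split('"')[1][:40])
    print("raw/logged match for '/\\x90\\x02':", nop_prefix_matches(r'/\x90\x02'))
```

Running it sorts the four constructed lines into the same two buckets the two CustomLog directives would (one clean, three flagged). `nop_prefix_matches` separates the two things the post conflates: `^/\x90` is the form for matching the raw byte that SetEnvIf is given, while the `\\x90` spelling is only needed when grepping the already-escaped text of the log file itself.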



_______________________________________________
TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
Help beta test TCLUG's potential new home: http://plone.mn-linux.org
Got pictures for TCLUG? Beta test http://plone.mn-linux.org/gallery
tclug-list at mn-linux.org
https://mailman.real-time.com/mailman/listinfo/tclug-list