On Tue, 10 Aug 2004 23:22:47 -0500 Tom Marble <tmarble at info9.net> wrote:
<snip>
> RedirectMatch permanent ^/\x90 http://www.microsoft.com/

Does this one actually work? I just got another one of these buggers in my logs.

With a tip from a TCPHP member I changed things to something more elegant:

SetEnvIf Request_URI "/system32" exploit=1
SetEnvIf Request_URI "(.*)\.dll(.*)" exploit=1
SetEnvIf Request_URI "/cmd\.exe" exploit=1
SetEnvIf Request_URI "/root\.exe" exploit=1
SetEnvIf Request_URI "/shell\.exe" exploit=1
SetEnvIf Request_URI "/default\.ida" exploit=1
SetEnvIf Request_URI "/c/winnt" exploit=1
SetEnvIf Request_URI "/d/winnt" exploit=1
SetEnvIf Request_URI "/msadc" exploit=1
SetEnvIf Request_URI "/MSADC" exploit=1
SetEnvIf Request_URI "/_vti_bin" exploit=1
SetEnvIf Request_URI "/_mem_bin" exploit=1
SetEnvIf Request_URI "/scripts" exploit=1
SetEnvIf Request_URI "^/\x90" exploit=1

CustomLog /var/log/apache/access_log combined env=!exploit
CustomLog /var/log/apache/ms_attack_log combined env=exploit

RewriteCond %{ENV:exploit} 1
RewriteRule .* http://support.microsoft.com/ [R=permanent]

It seems to catch everything except that huge \x90 thing; here's an excerpt:

24.203.61.31 - - [11/Aug/2004:13:48:04 -0500] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1.....

Is it because it comes in on SEARCH? Or should the match be: "^/\\x90"

I also tried this from a Google search:

SetEnvIfNoCase Request_URI "\/\x90\x02" exploit=1

But that doesn't seem to catch it either.

And yeah, I'll probably change that to something other than support.microsoft.com once I'm done testing. :)

Josh
_______________________________________________
TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
Help beta test TCLUG's potential new home: http://plone.mn-linux.org
Got pictures for TCLUG? Beta test http://plone.mn-linux.org/gallery
tclug-list at mn-linux.org
https://mailman.real-time.com/mailman/listinfo/tclug-list
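The following is an added example, not part of Josh's post or anything else in the TCLUG thread. It is a small Python scanner that applies the same rule set as the SetEnvIf list above to combined-format log lines offline, so the split into a clean log and an attack log can be checked without touching the Apache config. The sample log lines are constructed (documentation addresses, made-up sizes and status codes) and are not from the poster's server. The one point the example is built around: the `\x90` in the log file is Apache's escaped rendering of a raw 0x90 byte in the request, so a scanner that reads the log text has to undo that escaping before a pattern containing the byte itself (`^/\x90`) can match, while a grep-style check against the raw log text needs the backslash doubled (`^/\\x90`). This only tells you what ended up in the log; it does not show whether the SetEnvIf directives ran for a given request.

```python
import re

# Rules adapted from the SetEnvIf list in the post, applied to the decoded
# request path (bytes, since the probe contains non-ASCII bytes).
# Only the first matching label is reported.
EXPLOIT_PATTERNS = [
    ("system32",    re.compile(rb"/system32")),
    ("dll",         re.compile(rb"\.dll")),
    ("cmd.exe",     re.compile(rb"/cmd\.exe")),
    ("root.exe",    re.compile(rb"/root\.exe")),
    ("shell.exe",   re.compile(rb"/shell\.exe")),
    ("default.ida", re.compile(rb"/default\.ida")),
    ("winnt",       re.compile(rb"/[cd]/winnt")),
    ("msadc",       re.compile(rb"/msadc", re.IGNORECASE)),
    ("vti_bin",     re.compile(rb"/_vti_bin")),
    ("mem_bin",     re.compile(rb"/_mem_bin")),
    ("scripts",     re.compile(rb"/scripts")),
    # Raw NOP-sled byte 0x90 directly after the leading slash. In a bytes
    # regex \x90 is the byte itself, which is why the log text must be
    # unescaped before this rule can match.
    ("nop-sled",    re.compile(rb"^/\x90")),
]

# Combined log format: host ident user [time] "request" ... ; the request
# field may contain escaped quotes, hence the (?:[^"\\]|\\.)* group.
LOG_LINE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>(?:[^"\\]|\\.)*)"'
)

_ESCAPE = re.compile(r'\\x([0-9a-fA-F]{2})|\\([\\"nrtv])')


def unescape_logitem(text: str) -> bytes:
    """Reverse Apache's log escaping: \\xHH becomes the byte HH and
    \\" \\\\ \\n \\r \\t \\v become the corresponding characters."""
    simple = {"\\": b"\\", '"': b'"', "n": b"\n", "r": b"\r", "t": b"\t", "v": b"\v"}
    out = bytearray()
    pos = 0
    for m in _ESCAPE.finditer(text):
        out += text[pos:m.start()].encode("latin-1")
        if m.group(1):
            out.append(int(m.group(1), 16))
        else:
            out += simple[m.group(2)]
        pos = m.end()
    out += text[pos:].encode("latin-1")
    return bytes(out)


def classify_line(line: str):
    """Return (method, label); label is the matched rule name or None."""
    m = LOG_LINE.match(line)
    if not m:
        return None, None
    request = unescape_logitem(m.group("request"))
    parts = request.split(b" ", 2)          # METHOD SP URI SP HTTP/x.y
    if len(parts) < 2:
        return None, None
    method, uri = parts[0].decode("latin-1"), parts[1]
    for label, pat in EXPLOIT_PATTERNS:
        if pat.search(uri):
            return method, label
    return method, None


def split_log(lines):
    """Mimic the two CustomLog directives: (access_log, ms_attack_log)."""
    clean, attacks = [], []
    for line in lines:
        _, label = classify_line(line)
        (attacks if label else clean).append(line)
    return clean, attacks


# Against the log *text* rather than the decoded request, the byte is the
# literal four characters "\x90", so the backslash itself must be escaped.
LOG_TEXT_NOP = re.compile(r'"[A-Z]+ /\\x90')


def nop_sled_in_log_text(line: str) -> bool:
    return LOG_TEXT_NOP.search(line) is not None


# Constructed sample lines (hypothetical hosts, sizes and status codes).
SAMPLE_LOG = [
    '192.0.2.10 - - [11/Aug/2004:13:40:01 -0500] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [11/Aug/2004:13:42:17 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 287 "-" "-"',
    '192.0.2.12 - - [11/Aug/2004:13:48:04 -0500] "SEARCH /\\x90\\x02\\xb1\\x02\\xb1\\x02\\xb1 HTTP/1.1" 414 320 "-" "-"',
    '192.0.2.13 - - [11/Aug/2004:13:50:33 -0500] "GET /default.ida?XXXX HTTP/1.0" 404 287 "-" "-"',
]

if __name__ == "__main__":
    clean, attacks = split_log(SAMPLE_LOG)
    for line in attacks:
        print(classify_line(line), line[:70])
```

Running the script prints one line per flagged request with its method and the rule that caught it; the SEARCH probe is matched by the nop-sled rule only because the `\x90` text was turned back into the byte first.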