[TCLUG] [OT] Apache rewrite for MS BS

Fri Aug 13 10:17:39 CDT 2004

I ran one of the exploits to see the results. :)

Jeff Rasmussen

-----Original Message-----
From: Josh Trutwin [mailto:josh at trutwins.homeip.net]
Sent: Friday, August 13, 2004 10:07 AM
To: TCLUG Mailing List
Subject: Re: [TCLUG] [OT] Apache rewrite for MS BS

On Fri, 13 Aug 2004 09:16:02 -0500
Chad Walstrom <chewie at wookimus.net> wrote:

> Cute PHP script.  You know, this isn't exactly OT. ;-)  Anyway,
> since putting in log filtering, I've only seen 10 attempts on our
> machine. :-/ Not really exciting. ;-)

I'm waiting for another x90, seems more common in the evening hours.  If
that one gets caught too then I'm gonna move this onto a couple other boxes.
I'm sure none of these "LUS3R5" will ever see the results of that script,
but it's kinda funny anyway.  From this exercise I currently am testing the
following set of rules (apologies for any line breaks):

SetEnvIf Request_URI "(.*)command.com(.*)$" exploit=1 nolog
SetEnvIf Request_URI "(.*)COMMAND.COM(.*)$" exploit=1 nolog
SetEnvIf Request_URI "(.*)command.exe(.*)$" exploit=1 nolog
SetEnvIf Request_URI "(.*)COMMAND.EXE(.*)$" exploit=1 nolog
SetEnvIf Request_URI "(.*)default.ida(.*)$" exploit=1 nolog
SetEnvIf Request_URI "(.*)DEFAULT.IDA(.*)$" exploit=1 nolog
SetEnvIf Request_URI "(.*)cmd.exe(.*)$" exploit=1 nolog
SetEnvIf Request_URI "(.*)CMD.EXE(.*)$" exploit=1 nolog
SetEnvIf Request_URI "(.*)root.exe(.*)$" exploit=1 nolog
SetEnvIf Request_URI "(.*)ROOT.EXE(.*)$" exploit=1 nolog
SetEnvIf Request_URI "(.*)shell.exe(.*)$" exploit=1 nolog
SetEnvIf Request_URI "(.*)SHELL.EXE(.*)$" exploit=1 nolog
SetEnvIf Request_URI "(.*)[\\|\/]_vti_bin[\\|\/](.*)$" exploit=1 nolog
SetEnvIf Request_URI "(.*)[\\|\/]_VTI_BIN[\\|\/](.*)$" exploit=1 nolog
SetEnvIf Request_URI "(.*)[\\|\/]winnt[\\|\/](.*)$" exploit=1 nolog
SetEnvIf Request_URI "(.*)[\\|\/]WINNT[\\|\/](.*)$" exploit=1 nolog
SetEnvIf Request_URI "(.*)[\\|\/]scripts[\\|\/]\.\.(.*)$ " exploit=1 nolog
SetEnvIf Request_URI "(.*)[\\|\/]SCRIPTS[\\|\/]\.\.(.*)$" exploit=1 nolog
SetEnvIf Request_URI "(.*)[\\|\/]_mem_bin[\\|\/](.*)$" exploit=1 nolog
SetEnvIf Request_URI "(.*)[\\|\/]_MEM_BIN[\\|\/](.*)$" exploit=1 nolog
SetEnvIf Request_URI "(.*)[\\|\/]msadc[\\|\/](.*)$" exploit=1 nolog
SetEnvIf Request_URI "(.*)[\\|\/]MSADC[\\|\/](.*)$" exploit=1 nolog
SetEnvIf Request_URI "(.*)[\\|\/]x90[\\|\/](.*)$" exploit=1 nolog
SetEnvIf Request_URI "(.*)[\\|\/]X90[\\|\/](.*)$" exploit=1 nolog
SetEnvIf Request_URI "(.*).dll(.*)$" exploit=1 nolog
SetEnvIf Request_URI "(.*).DLL(.*)$" exploit=1 nolog
SetEnvIf Request_URI "(.*)system32(.*)$" exploit=1 nolog
SetEnvIf Request_URI "(.*)SYSTEM32(.*)$" exploit=1 nolog

RedirectMatch permanent (.*)command.com(.*)$
"http://trutwins.homeip.net/goaway.php?cmd=command.com"
RedirectMatch permanent (.*)COMMAND.COM(.*)$
"http://trutwins.homeip.net/goaway.php?cmd=command.com"
RedirectMatch permanent (.*)command.exe(.*)$
"http://trutwins.homeip.net/goaway.php?cmd=command.exe"
RedirectMatch permanent (.*)COMMAND.EXE(.*)$
"http://trutwins.homeip.net/goaway.php?cmd=command.exe"
RedirectMatch permanent (.*)default.ida(.*)$
"http://trutwins.homeip.net/goaway.php?cmd=default.ida"
RedirectMatch permanent (.*)DEFAULT.IDA(.*)$
"http://trutwins.homeip.net/goaway.php?cmd=default.ida"
RedirectMatch permanent (.*)cmd.exe(.*)$
"http://trutwins.homeip.net/goaway.php?cmd=cmd.exe"
RedirectMatch permanent (.*)CMD.EXE(.*)$
"http://trutwins.homeip.net/goaway.php?cmd=cmd.exe"
RedirectMatch permanent (.*)root.exe(.*)$
"http://trutwins.homeip.net/goaway.php?cmd=root.exe"
RedirectMatch permanent (.*)ROOT.EXE(.*)$
"http://trutwins.homeip.net/goaway.php?cmd=root.exe"
RedirectMatch permanent (.*)shell.exe(.*)$
"http://trutwins.homeip.net/goaway.php?cmd=shell.exe"
RedirectMatch permanent (.*)SHELL.EXE(.*)$
"http://trutwins.homeip.net/goaway.php?cmd=shell.exe"
RedirectMatch permanent (.*)[\\|\/]_vti_bin[\\|\/](.*)$
"http://trutwins.homeip.net/goaway.php?cmd=vtibin"
RedirectMatch permanent (.*)[\\|\/]_VTI_BIN[\\|\/](.*)$
"http://trutwins.homeip.net/goaway.php?cmd=vtibin"
RedirectMatch permanent (.*)[\\|\/]winnt[\\|\/](.*)$
"http://trutwins.homeip.net/goaway.php?cmd=winnt"
RedirectMatch permanent (.*)[\\|\/]WINNT[\\|\/](.*)$
"http://trutwins.homeip.net/goaway.php?cmd=winnt"
RedirectMatch permanent (.*)[\\|\/]scripts[\\|\/]\.\.(.*)$
"http://trutwins.homeip.net/goaway.php?cmd=scripts"
RedirectMatch permanent (.*)[\\|\/]SCRIPTS[\\|\/]\.\.(.*)$
"http://trutwins.homeip.net/goaway.php?cmd=scripts"
RedirectMatch permanent (.*)[\\|\/]_mem_bin[\\|\/](.*)$
"http://trutwins.homeip.net/goaway.php?cmd=membin"
RedirectMatch permanent (.*)[\\|\/]_MEM_BIN[\\|\/](.*)$
"http://trutwins.homeip.net/goaway.php?cmd=membin"
RedirectMatch permanent (.*)[\\|\/]msadc[\\|\/](.*)$
"http://trutwins.homeip.net/goaway.php?cmd=msadc"
RedirectMatch permanent (.*)[\\|\/]MSADC[\\|\/](.*)$
"http://trutwins.homeip.net/goaway.php?cmd=msadc"
RedirectMatch permanent (.*)[\\|\/]x90[\\|\/](.*)$
"http://trutwins.homeip.net/goaway.php?cmd=webdav+attack"
RedirectMatch permanent (.*)[\\|\/]X90[\\|\/](.*)$
"http://trutwins.homeip.net/goaway.php?cmd=webdav+attack"
RedirectMatch permanent (.*).dll(.*)$
"http://trutwins.homeip.net/goaway.php?cmd=some+dll"
RedirectMatch permanent (.*).DLL(.*)$
"http://trutwins.homeip.net/goaway.php?cmd=some+dll"
RedirectMatch permanent (.*)system32(.*)$
"http://trutwins.homeip.net/goaway.php?cmd=some+system32"
RedirectMatch permanent (.*)SYSTEM32(.*)$
"http://trutwins.homeip.net/goaway.php?cmd=some+system32"

SetEnvIf Remote_Addr ^(127\.0\.0\.1|192\.168\.0\.) localreq nolog

CustomLog  /var/log/apache/trutwins.homeip.net/access_log combined
env=!nolog
CustomLog  /var/log/apache/trutwins.homeip.net/attack_log combined
env=exploit
CustomLog  /var/log/apache/trutwins.homeip.net/local_access_log combined
env=localreq

Josh

_______________________________________________
TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
Help beta test TCLUG's potential new home: http://plone.mn-linux.org
Got pictures for TCLUG? Beta test http://plone.mn-linux.org/gallery
tclug-list at mn-linux.org
https://mailman.real-time.com/mailman/listinfo/tclug-list