Denying Hackers


Post by Dave Koch » Wed Aug 14, 2002 7:51 pm


Viewing my log files, I see a LOT of hacking attempts. Wimpy attempts, to be sure, but like a lot of you, it is a pi**-off.

So I started messing around, and came up with this. Thought I'd bounce it off you guys, and see what you think!

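RewriteEngine on
# "-" leaves the URL untouched; [F] answers 403 Forbidden; [NC] ignores case.
# IIS-only directories that the probes ask for
RewriteRule ^/(scripts|MSADC|_vti_bin|cgi-bin|MSOffice)/(.+)$ - [NC,F]
# Anything reaching into a system32 directory
RewriteRule ^(.*)/system32/(.*)$ - [NC,F]
# .ida requests
RewriteRule \.(ida)(.*)$ - [NC,F]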

I just looked at a bunch of the different accesses, found common denominators, and just tried to match those as best as possible.

Please, make changes, let me know!

Dave Koch

Denying hackers

Post by Jonas_E_SE » Wed May 28, 2003 4:06 am

Personally I use the stuff below, in a reverse-proxy server. It works well and stops a majority of the exploits I've seen. Takes load off the actual web servers as well, as it's in the proxy.

RewriteEngine On
RewriteOptions inherit
RewriteLog logs/rewrite_log

# Each condition tests "path?query"; [OR] chains them, [NC] ignores case.
# Windows system directories and IIS executables/DLLs
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)/winnt/system32/(.*) [NC,OR]
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)/winnt/system/(.*) [NC,OR]
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)/windows/system32/(.*) [NC,OR]
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)/windows/system/(.*) [NC,OR]
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)/cmd\.exe($|\?(.*)) [NC,OR]
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)/scripts/root\.exe($|\?(.*)) [NC,OR]
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)/msadc/root\.exe($|\?(.*)) [NC,OR]
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)\\\.\.(.*) [NC,OR]
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)/admin\.dll($|\?(.*)) [NC,OR]
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)/msadcs\.dll($|\?(.*)) [NC,OR]
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)/ext\.dll($|\?(.*)) [NC,OR]
# Path segments that start with a dot
RewriteCond %{REQUEST_URI} (.*)/\.(.*) [NC,OR]
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)/php\.exe($|\?(.*)) [NC,OR]
# Shell and markup metacharacters
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)\<(.*) [OR]
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)\>(.*) [OR]
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)\|(.*) [OR]
# Oversized path or query string
RewriteCond %{REQUEST_URI} (.{255,}) [OR]
RewriteCond %{QUERY_STRING} (.{127,}) [OR]
# Control characters, DEL and 0xff
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} [\x00-\x1f]+ [OR]
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} [\x7f\xff]+
# Any match above: no rewrite ("-"), answer 403 Forbidden
RewriteRule (.*) - [NC,F]

As you can see it returns a forbidden answer for a whole bunch of stuff.

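An added example, not part of either post: a small Python harness that replays constructed requests against a condensed version of the conditions in the second post, and shows why a terminator written as the bracket expression `[$|\?(.*)]` behaves differently from the grouped `(\?|$)`. The function names, the condensed patterns and the sample requests are assumptions made for illustration, and Python's `re` stands in for Apache's regex engine.

```python
import re

NC = re.IGNORECASE
# (target, regex, flags); "both" stands for %{REQUEST_URI}?%{QUERY_STRING}.
# Condensed from the RewriteCond list in the second post (assumed grouping).
CONDS = [
    ("both", r"/(winnt|windows)/system(32)?/", NC),
    ("both", r"/(cmd|php)\.exe(\?|$)", NC),
    ("both", r"/(scripts|msadc)/root\.exe(\?|$)", NC),
    ("both", r"/(admin|msadcs|ext)\.dll(\?|$)", NC),
    ("both", r"\\\.\.", NC),
    ("uri", r"/\.", NC),
    ("both", r"[<>|]", 0),
    ("uri", r".{255,}", 0),
    ("qs", r".{127,}", 0),
    ("both", r"[\x00-\x1f\x7f\xff]", 0),
]

def blocked(uri, qs=""):
    """Return the regex of the first condition that fires, or None if allowed."""
    subject = {"uri": uri, "qs": qs, "both": f"{uri}?{qs}"}
    for target, pattern, flags in CONDS:
        if re.search(pattern, subject[target], flags):
            return pattern
    return None

# Bracket expression vs. grouped alternation as the "end or query" terminator.
CLASS_FORM = r"/cmd\.exe[$|\?(.*)]"  # one literal char out of: $ | ? ( . * )
GROUP_FORM = r"/cmd\.exe(\?|$)"      # "?" or end of the test string

def compare(uri, qs=""):
    """Return (class_form_matches, group_form_matches) for one request."""
    s = f"{uri}?{qs}"
    return (bool(re.search(CLASS_FORM, s, NC)), bool(re.search(GROUP_FORM, s, NC)))

# Constructed sample requests (path, query string), not taken from real logs.
SAMPLES = [
    ("/index.html", ""),
    ("/scripts/root.exe", "/c+dir"),
    ("/default.ida", "N" * 200),
    ("/docs/cmd.exe.txt", ""),
    ("/view", "file=/cmd.exe"),
]

if __name__ == "__main__":
    for uri, qs in SAMPLES:
        print(f"{uri}?{qs[:20]:<22} rule={blocked(uri, qs)!r} class/group={compare(uri, qs)}")
```

The bracket form blocks `/docs/cmd.exe.txt` because `.` is one of its listed characters, and it does not fire when `/cmd.exe` is the last thing in the test string, because `$` inside brackets is a literal dollar sign.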
