
mod_rewrite, mod_alias y mod_setenvif

~# cat /etc/apache/conf.d/redirect.conf
# Answer requests for well-known probe paths with a 301 pointing at an
# external site instead of serving them.
# RedirectMatch tests each regex against the URL-path only (not the query
# string); the match is unanchored and case-sensitive, so the leading (.*) and
# the trailing (.*)$ do not change what matches. The case sensitivity is why
# msadc/MSADC and phpmyadmin|phpMyAdmin are listed twice.
# NOTE(review): the dots in cmd.exe, root.exe, default.ida, c99., r57.,
# xmlrpc.php, main.php and cmd.php are unescaped and match any character;
# write \. where a literal dot is meant.
# NOTE(review): a 301 to a third party does not block the client, it only
# points it at an unrelated host. A non-3xx status with the URL omitted
# (e.g. "RedirectMatch 403 <pattern>") refuses the request locally; confirm
# the syntax against the mod_alias documentation for the Apache version in use.
<IfModule mod_alias.c>
# Windows/IIS-oriented paths; presumably probes from IIS worms and scanners,
# none of which should exist on this Apache host -- verify before relying on it.
RedirectMatch permanent (.*)cmd.exe(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)root.exe(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)default.ida(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/_vti_(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/MSOffice\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/scripts\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/_mem_bin\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/msadc\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/MSADC\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/c\/winnt\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/d\/winnt\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/x90\/(.*)$ http://www.microsoft.com
# Web-application paths: statistics and admin panels, payment scripts, the
# c99/r57 PHP web shell names, and similar.
# NOTE(review): awstats, payment, main.php and /chat/ are broad substrings; any
# legitimate URL on this server that contains one of them is redirected too.
RedirectMatch permanent (.*)awstats(.*)$ http://www.fbi.gov
RedirectMatch permanent (.*)(phpmyadmin|phpMyAdmin)(.*)$ http://www.fbi.gov
RedirectMatch permanent (.*)(amember|payment|linkpoint)(.*)$ http://www.fbi.gov
RedirectMatch permanent (.*)(c99.|r57.)(.*)$ http://www.fbi.gov
RedirectMatch permanent (.*)(xmlrpc.php|firmwarecfg)$ http://www.fbi.gov
# NOTE(review): "readdump.phpmain.php" looks like two names with a missing "|"
# between them; as written it only matches that run-together string -- confirm.
RedirectMatch permanent (.*)(main.php|readdump.phpmain.php|cmd.php)$ http://www.fbi.gov
# The only pattern anchored at the start of the path: /horde at the docroot.
RedirectMatch permanent ^/horde(.*)$ http://www.fbi.gov
RedirectMatch permanent (.*)mail\/\/README$ http://www.fbi.gov
RedirectMatch permanent (.*)\/chat\/(.*)$ http://www.fbi.gov

</IfModule>

# Tag matching requests with the environment variable "attack" (SetEnvIf sets
# it to 1 when no value is given). These directives only label the request for
# conditional logging; they do not block or redirect anything themselves.
# Request_URI is the requested path without the query string, so a signature
# that appears only in the query string is not tagged.
# NOTE(review): unlike the RedirectMatch list, these lines are not wrapped in
# an <IfModule>, so the configuration fails to load if mod_setenvif is absent.
# For a logging control that loud failure may be what you want; make the
# choice deliberately.
# NOTE(review): this list duplicates the RedirectMatch patterns by hand and
# has drifted: \/MSOffice\/ is redirected there but has no SetEnvIf line here,
# so those hits are not tagged "attack". Keep the two lists in sync.
# NOTE(review): unescaped dots (cmd.exe, c99., xmlrpc.php, ...) match any
# character; write \. where a literal dot is meant.
SetEnvIf Request_URI (.*)cmd.exe(.*)$ attack
SetEnvIf Request_URI (.*)root.exe(.*)$ attack
SetEnvIf Request_URI (.*)default.ida(.*)$ attack
SetEnvIf Request_URI (.*)\/_vti_(.*)$ attack
SetEnvIf Request_URI (.*)\/scripts\/(.*)$ attack
SetEnvIf Request_URI (.*)\/_mem_bin\/(.*)$ attack
SetEnvIf Request_URI (.*)\/msadc\/(.*)$ attack
SetEnvIf Request_URI (.*)\/MSADC\/(.*)$ attack
SetEnvIf Request_URI (.*)\/c\/winnt\/(.*)$ attack
SetEnvIf Request_URI (.*)\/d\/winnt\/(.*)$ attack
SetEnvIf Request_URI (.*)\/x90\/(.*)$ attack
SetEnvIf Request_URI (.*)awstats(.*)$ attack
SetEnvIf Request_URI (.*)(phpmyadmin|phpMyAdmin)(.*)$ attack
SetEnvIf Request_URI (.*)(amember|payment|linkpoint)(.*)$ attack
SetEnvIf Request_URI (.*)(c99.|r57.)(.*)$ attack
SetEnvIf Request_URI (.*)(xmlrpc.php|firmwarecfg)$ attack
SetEnvIf Request_URI (.*)(main.php|readdump.phpmain.php|cmd.php)$ attack
SetEnvIf Request_URI ^/horde(.*)$ attack
SetEnvIf Request_URI (.*)mail\/\/README$ attack
SetEnvIf Request_URI (.*)\/chat\/(.*)$ attack
# The User-Agent header is chosen by the client. This catches tools that
# announce themselves and nothing else, and it also tags legitimate scripts
# built on curl or libwww-perl. The match is case-sensitive here (SetEnvIf,
# not SetEnvIfNoCase), whereas the vhost RewriteCond for the same list uses [NC].
SetEnvIf User-Agent (.*)(libwww-perl|libwwwperl|curl|nikto|morfeus|pxyscand)(.*)$ attack
# NOTE(review): HEAD and OPTIONS are routine (monitoring, link checkers, CORS
# preflight); tagging them as "attack" inflates the attack log with benign
# traffic and, with the env=!attack CustomLog, hides them from access.log.
SetEnvIf Request_Method "(TRACE|DELETE|HEAD|SEARCH|CONNECT|OPTIONS)" attack


Y en cada vhost (las líneas CustomLog usan la variable `attack` definida arriba con SetEnvIf):
...
# Per-vhost part: redirect requests from listed User-Agents or with listed
# methods, and split logging on the "attack" variable set by the SetEnvIf
# rules in conf.d/redirect.conf.
RewriteEngine on
# The two conditions are joined by [OR]; [NC] makes both case-insensitive.
# The User-Agent list repeats the SetEnvIf one and must be kept in sync by hand.
# NOTE(review): User-Agent is client-controlled, so this stops only tools that
# identify themselves; it is noise reduction, not access control.
RewriteCond %{HTTP_USER_AGENT} ^(.*)(libwww-perl|libwwwperl|curl|nikto|morfeus|pxyscand)(.*) [NC,OR]
# NOTE(review): redirecting HEAD and OPTIONS breaks uptime checks, link
# checkers and CORS preflight. For TRACE, "TraceEnable off" (Apache 1.3.34 /
# 2.0.55 and later) disables the method itself; other unwanted methods are
# better refused with a 403/405 than redirected.
RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|HEAD|SEARCH|CONNECT|OPTIONS) [NC]
# External 301 for every path once either condition holds; [L] stops further
# rewriting. NOTE(review): this sends the client to a third-party host rather
# than refusing locally; the [F] flag would return 403 instead.
RewriteRule .* http://www.fbi.gov [L,R=301]
ErrorLog /var/log/apache/error.log
# Requests tagged "attack" go only to attacks.log; everything else goes only to
# access.log. NOTE(review): with the timeline split across two files, incident
# response has to merge them to see one client's full session; consider keeping
# access.log complete and treating attacks.log as an additional filtered copy.
CustomLog /var/log/apache/access.log combined env=!attack
CustomLog /var/log/apache/attacks.log combined env=attack



Aule 7:16 PM el 17 de Febrero 2008 |