Apache question.. Rejecting hackers more vehemently?

Post by Damon Ra » Mon, 09 Dec 2002 00:03:47



Hi there,
  I'm tired of hackers filling my logs with stupid messages..

80.32.144.43 - - [04/Dec/2002:18:46:46 +0000] "HEAD
/_vti_bin/../../../../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 -

So I added a default virtual host.. Only name-based requests with
valid host headers now reach a legitimate virtual host..

<VirtualHost *>
    # Unassigned hosts are rejected..
    RedirectMatch 404 (.*)
</VirtualHost>

But this is still returning too much information for my liking..

HTTP/1.1 404 Not Found
Date: Sat, 07 Dec 2002 14:57:36 GMT
Server: Apache/2.0.43 (Win32) DAV/2 SVN/0.15.0 (r3687)
Content-Length: 283
Connection: close
Content-Type: text/html; charset=iso-8859-1

How do I suppress the 'Server' header, or better yet drop these
requests altogether??

Regards,
Damon.

 
 
 

Post by André Mal » Mon, 09 Dec 2002 00:27:08



>   I'm tired of hackers filling my logs with stupid messages..

You may use the capabilities of CustomLog...

> HTTP/1.1 404 Not Found
> Date: Sat, 07 Dec 2002 14:57:36 GMT
> Server: Apache/2.0.43 (Win32) DAV/2 SVN/0.15.0 (r3687)
> Content-Length: 283
> Connection: close
> Content-Type: text/html; charset=iso-8859-1

> How do I suppress the 'Server' header,

You can't (without running a proxy or patching the server).
You may reduce the information using the ServerTokens directive.

> or better yet drop these
> requests altogether??

You can't, since you are not issuing the requests.

nd
--
$_=q?tvc!uif)%*|#Bopuifs!A`#~tvc!Xibu)%*|qsjou#Kvtu!A`#~tvc!KBQI!)*|~

$_)-1)}split//=>$_[0]).$_[1];s s.*s$_see;  #  http://www.perlig.de/ ;
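
The two directives named in the reply above, CustomLog and ServerTokens, put together as an added configuration sketch that is not part of the original post. The environment variable name `probe` and the log file names are assumptions chosen for illustration.

```apache
# Added example: the variable name "probe" and the log file names
# are assumptions, not values from the thread.

# Reduce the Server header to "Server: Apache" and drop the version
# footer from server-generated error pages. ServerTokens is only valid
# in the main server configuration, not inside a <VirtualHost>.
ServerTokens Prod
ServerSignature Off

# Tag requests whose path looks like the probes discussed in this thread.
# SetEnvIfNoCase (mod_setenvif) matches the regex against the request
# path without the query string.
SetEnvIfNoCase Request_URI "/cmd\.exe$"      probe
SetEnvIfNoCase Request_URI "/root\.exe$"     probe
SetEnvIfNoCase Request_URI "/default\.ida$"  probe
SetEnvIfNoCase Request_URI "^/_vti_bin/"     probe

LogFormat "%h %l %u %t \"%r\" %>s %b" common

# Main access log: every request that was NOT tagged as a probe.
CustomLog logs/access.log common env=!probe

# Tagged probes go to their own file, so they stay available for
# review without cluttering the main log.
CustomLog logs/probes.log common env=probe
```

Conditional logging only affects the access log written by CustomLog; entries the server writes to ErrorLog are not filtered by `env=`.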

 
 
 

Post by <sebasti.. » Mon, 09 Dec 2002 06:41:38


Have it redirect to 127.0.0.1 instead; this also avoids getting your error
log filled up with these requests.

This is what I use in my server config for those types of attacks

# Redirect the probe paths to the client's own loopback address.
RedirectMatch (.*)/cmd\.exe$ http://127.0.0.1
RedirectMatch (.*)/root\.exe$ http://127.0.0.1
RedirectMatch (.*)/default\.ida$ http://127.0.0.1
RedirectMatch (.*)\.asp$ http://127.0.0.1
RedirectMatch (.*)\.dll$ http://127.0.0.1

Seb


> Hi there,
>   I'm tired of hackers filling my logs with stupid messages..

> 80.32.144.43 - - [04/Dec/2002:18:46:46 +0000] "HEAD
> /_vti_bin/../../../../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 -

> So I added a default virtual host.. Only name-based requests with
> valid host headers now reach a legitimate virtual host..

> <VirtualHost *>
>     # Unassigned hosts are rejected..
>     RedirectMatch 404 (.*)
> </VirtualHost>

> But this is still returning too much information for my liking..

> HTTP/1.1 404 Not Found
> Date: Sat, 07 Dec 2002 14:57:36 GMT
> Server: Apache/2.0.43 (Win32) DAV/2 SVN/0.15.0 (r3687)
> Content-Length: 283
> Connection: close
> Content-Type: text/html; charset=iso-8859-1

> How do I suppress the 'Server' header, or better yet drop these
> requests altogether??

> Regards,
> Damon.

 
 
 

Post by John Oliv » Mon, 09 Dec 2002 09:23:15



> Have it redirect to 127.0.0.1 instead; this also avoids getting your error
> log filled up with these requests.

> This is what I use in my server config for those types of attacks

> RedirectMatch (.*)/cmd\.exe$ http://127.0.0.1
> RedirectMatch (.*)/root\.exe$ http://127.0.0.1
> RedirectMatch (.*)/default\.ida$ http://127.0.0.1
> RedirectMatch (.*)\.asp$ http://127.0.0.1
> RedirectMatch (.*)\.dll$ http://127.0.0.1

Better still, use Jay Dyson's Early Bird so that these lame scripted
attempts will be automagically LARTed... :-)

--
John Oliver, CCNA                            http://www.john-oliver.net/
Linux/UNIX/network consulting         http://www.john-oliver.net/resume/
***               sendmail, Apache, ftp, DNS, spam filtering         ***
****                Colocation, T1s, web/email/ftp hosting          ****

 
 
 
