On 12/19/05, Ed Sawicki <ed@xxxxxxxxxxxx> wrote:
> I'm administering an Apache server that runs PHP-based
> Webapps that I have not written and cannot change. These
> Webapps are being successfully attacked. Here's an
> example from the log:
>
> 66.57.121.127 - - [19/Dec/2005:19:50:46 -0800] "GET
> /phplive/image_tracker.php?l=Bob&x=1&deptid=0&page=
> http%3A//www.pcbpro.com/pcb-quote.php%3FWT.mc_id%3D
> psepi00003%26referrer%3Dhttp%253a%252f%252fz-quest.com
> %252fgo.php%253fidUser%253d36%2526z%253dasaphczzhihd
> %2526idXmlFeed%253d37%2526idKeyword%253d145%2526
> idSearchStatus%253d2%2526st%253d%2526url%253duggc
> %253a%252f%252fgkpyvpx.rcvybg.pbz%252fpyvpx.nfck
> %2540aoavhy%2540x%253dryrpgebavpf%2540aoaphy%2540o
> %253d700%2540aoaphy%2540c%253drcvybg%2540aoaphy
> %2540f%253dmdhrfgz%2540aoaphy%2540cbf%253d1%2540aoaphy
> %2540g%253d24%2540aoaphy%2540xvq%253dQP8N5Q43-Q517-40O0-
> 87Q9-P281S6QN0458%2540aoaphy%2540rc%253d255%2540aoaphy
> %2540fvq%253d815O3P57-3PS6-41S0-80S9-N79084865R39%2540
> aoaphy%2540y%253duggc%253a%2540aoamhy%25402S%2540aoamhy
> %25402Sjjj.cpoceb.pbz%2540aoamhy%25402Scpo-dhbgr.cuc
> %2540aoamhy%25403SJG.zp_vq%253dcfrcv00003%2526ts
> %253danaihxzszxhdzahczmzh%2526rb%253daaaphfhpzf
> %2526is%253d66%25252E57%25252E121%25252E127%2526
> idDomain%253d0&unique=1135050643687 HTTP/1.1" 200 43
>
> In this example, I'd like to detect the string "go.php"
> and redirect the request elsewhere. I've tried to
> use RedirectMatch but nothing I've tried works.
> Here's just one example of the many, many statements
> I've tried:
>
> RedirectMatch 301 (.*)go\.php http://127.0.0.1
>
> This is Apache 2.0.46 with mod_alias loaded.

Ouch. Very old apache version with very vulnerable php apps. You
seem to be in a very bad situation.

Anyway, the mod_alias directives cannot act on the query string (the
part after the ?). If you need that, you can do something like

    RewriteEngine On
    RewriteCond %{QUERY_STRING} go\.php
    RewriteRule .* - [F]

You can also look at mod_security (external module).

Joshua.
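
An added example, not part of the original message: a Python sketch that models why a path-only match (what mod_alias sees) misses "go.php" in this request while a match on the raw query string (what `RewriteCond %{QUERY_STRING}` sees) finds it. The log line is a constructed, shortened version of the one quoted above, and all function names are hypothetical.

```python
import re
from urllib.parse import unquote

# Constructed sample: a shortened request modelled on the quoted log entry.
SAMPLE = ('66.57.121.127 - - [19/Dec/2005:19:50:46 -0800] "GET '
          '/phplive/image_tracker.php?l=Bob&x=1&page=http%3A//www.pcbpro.com/'
          'pcb-quote.php%3Freferrer%3Dhttp%253a%252f%252fz-quest.com%252fgo.php'
          '%253fidUser%253d36 HTTP/1.1" 200 43')

REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')
PATTERN = re.compile(r'go\.php')  # same expression as in the RewriteCond


def split_target(log_line):
    """Return (path, raw_query) from a combined-format log line, or None."""
    m = REQUEST_RE.search(log_line)
    if m is None:
        return None
    path, _, query = m.group(1).partition('?')
    return path, query


def decode_layers(value, max_rounds=5):
    """Percent-decode repeatedly; return every layer, raw string first."""
    layers = [value]
    for _ in range(max_rounds):
        decoded = unquote(layers[-1])
        if decoded == layers[-1]:
            break
        layers.append(decoded)
    return layers


def analyse(log_line):
    target = split_target(log_line)
    if target is None:
        return None
    path, query = target
    layers = decode_layers(query)
    return {
        'path': path,
        'path_match': bool(PATTERN.search(path)),    # URL path only (mod_alias view)
        'query_match': bool(PATTERN.search(query)),  # raw, undecoded query string
        'decode_rounds': len(layers) - 1,            # nesting depth of the embedded URL
        'final': layers[-1],
    }


if __name__ == '__main__':
    for key, value in analyse(SAMPLE).items():
        print(f'{key}: {value}')
```

The raw query matches here only because "." and the letters of "go.php" are not percent-encoded in the request; the decoded layers show the nested referrer URL the parameter carries.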