Hi,

mod_security is interesting, it definitely looks like the right idea for this guy's situation, but it is kind of funny in a way, if you need mod_security you are already somewhat screwed, but it is nice to have around.. :)

Eric

At 07:32 AM 12/20/2005, Joshua Slive wrote:
On 12/19/05, Ed Sawicki <ed@xxxxxxxxxxxx> wrote:
> I'm administering an Apache server that runs PHP-based
> Webapps that I have not written and cannot change. These
> Webapps are being successfully attacked. Here's an
> example from the log:
>
> 66.57.121.127 - - [19/Dec/2005:19:50:46 -0800] "GET
> /phplive/image_tracker.php?l=Bob&x=1&deptid=0&page=
> http%3A//www.pcbpro.com/pcb-quote.php%3FWT.mc_id%3D
> psepi00003%26referrer%3Dhttp%253a%252f%252fz-quest.com
> %252fgo.php%253fidUser%253d36%2526z%253dasaphczzhihd
> %2526idXmlFeed%253d37%2526idKeyword%253d145%2526
> idSearchStatus%253d2%2526st%253d%2526url%253duggc
> %253a%252f%252fgkpyvpx.rcvybg.pbz%252fpyvpx.nfck
> %2540aoavhy%2540x%253dryrpgebavpf%2540aoaphy%2540o
> %253d700%2540aoaphy%2540c%253drcvybg%2540aoaphy
> %2540f%253dmdhrfgz%2540aoaphy%2540cbf%253d1%2540aoaphy
> %2540g%253d24%2540aoaphy%2540xvq%253dQP8N5Q43-Q517-40O0-
> 87Q9-P281S6QN0458%2540aoaphy%2540rc%253d255%2540aoaphy
> %2540fvq%253d815O3P57-3PS6-41S0-80S9-N79084865R39%2540
> aoaphy%2540y%253duggc%253a%2540aoamhy%25402S%2540aoamhy
> %25402Sjjj.cpoceb.pbz%2540aoamhy%25402Scpo-dhbgr.cuc
> %2540aoamhy%25403SJG.zp_vq%253dcfrcv00003%2526ts
> %253danaihxzszxhdzahczmzh%2526rb%253daaaphfhpzf
> %2526is%253d66%25252E57%25252E121%25252E127%2526
> idDomain%253d0&unique=1135050643687 HTTP/1.1" 200 43
>
> In this example, I'd like to detect the string "go.php"
> and redirect the request elsewhere. I've tried to
> use RedirectMatch but nothing I've tried works.
> Here's just one example of the many, many statements
> I've tried:
>
> RedirectMatch 301 (.*)go\.php http://127.0.0.1
>
> This is Apache 2.0.46 with mod_alias loaded.

Ouch. Very old apache version with very vulnerable php apps. You
seem to be in a very bad situation.

Anyway, the mod_alias directives cannot act on the query string (the
part after the ?). If you need that, you can do something like

    RewriteEngine On
    RewriteCond %{QUERY_STRING} go\.php
    RewriteRule .* - [F]

You can also look at mod_security (external module).

Joshua.

Eric Frazier
CTO
DM Contact Management
611-201 Discovery St.
Victoria BC Canada
office (250) 383-8267 ext 229
cell (250) 514-2889
eric@xxxxxxxxxxxxx

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
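
The distinction Joshua describes above (mod_alias sees only the URL-path, while a RewriteCond on %{QUERY_STRING} sees the part after the ?), as an added example that is not part of the original thread: a Python triage script run over constructed log lines. Hosts, addresses and function names are assumptions; it also percent-decodes the query repeatedly, because the logged request nests several encoding layers (%3A, %253a, %25252E).

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (hosts and addresses are placeholders, not from the thread).
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Dec/2005:19:50:46 -0800] "GET /phplive/image_tracker.php?'
    'l=Bob&page=http%3A//a.example/q.php%3Freferrer%3Dhttp%253a%252f%252f'
    'b.example%252fgo.php%253fid%253d36 HTTP/1.1" 200 43',
    '192.0.2.11 - - [19/Dec/2005:19:51:02 -0800] "GET /index.php?page=home HTTP/1.1" 200 512',
    '192.0.2.12 - - [19/Dec/2005:19:52:10 -0800] "GET /go.php?id=1 HTTP/1.1" 404 210',
]

REQUEST = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
PATTERN = re.compile(r"go\.php")  # same expression as in the thread


def decode_layers(value, max_rounds=5):
    """Percent-decode until the value stops changing; return (decoded, rounds)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds


def classify(line):
    """Show where PATTERN matches: the URL-path or the raw query string."""
    m = REQUEST.search(line)
    if m is None:
        return None
    # The URL-path is everything before the first '?'; the rest is the query string.
    path, _, query = m.group("target").partition("?")
    decoded, rounds = decode_layers(query)
    return {
        "path_match": bool(PATTERN.search(path)),    # what RedirectMatch can see
        "query_match": bool(PATTERN.search(query)),  # what %{QUERY_STRING} holds
        "encoding_layers": rounds,
        "decoded_query": decoded,
    }


if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(classify(entry))
```

The first sample line matches only in the query string, which is why a path-only directive never fires on it; the decoded query makes the nested URLs readable when reviewing such entries.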