Redirect Matching Question

Redirect Matching Question

Jack Stone
Hello,

I have this in my httpd.conf (apache-ver-1.3x on FBSD)
RedirectMatch ^.*\.(dll|ida)*$ http://127.0.0.1/$1

I have been using the redirect above, but I've noticed it doesn't catch the
numerous annoying requests below:

"GET
/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
HTTP/1.0" 302 639 "-" "-"

How may I modify my Redirect to catch the above? I know it's just a matter
of better regex, but I need to exercise care out of my ignorance.

Thanks for any tips!


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [hidden email]
   "   from the digest: [hidden email]
For additional commands, e-mail: [hidden email]

Re: Redirect Matching Question

Mike-2
Use Rewrite rule:

RewriteEngine on
RewriteRule .*cmd.exe.* http://to_where_you-want


Mike



Jack Stone said the following on 29-04-2005 14:05:

> Hello,
>
> I have this in my httpd.conf (apache-ver-1.3x on FBSD)
> RedirectMatch ^.*\.(dll|ida)*$ http://127.0.0.1/$1
>
> I have been using the redirect above, but I've noticed it doesn't catch the
> numerous annoying requests below:
>
> "GET
> /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
> HTTP/1.0" 302 639 "-" "-"
>
> How may I modify my Redirect to catch the above? I know it's just a matter
> of better regex, but I need to exercise care out of my ignorance.
>
> Thanks for any tips!
>

Re: Redirect Matching Question

linux4michelle
On 2005-04-29 14:09:26, Mike wrote:
> Use Rewrite rule:
>
> RewriteEngine on
> RewriteRule .*cmd.exe.* http://to_where_you-want

RewriteRule .*cmd.exe.* http://www.microsoft.com

:-P

> Mike

Bisous
Michelle

--
Linux-User #280138 with the Linux Counter, http://counter.li.org/ 
Michelle Konzack   Apt. 917                  ICQ #294147850
                   50, rue de Soultz         MSM MichelleAC
0033/3/88452356    67100 Strasbourg/France   IRC #Marrakech (irc.icq.com)

Re: Redirect Matching Question

Joshua Slive
In reply to this post by Jack Stone
On 4/29/05, Jack Stone <[hidden email]> wrote:

> Hello,
>
> I have this in my httpd.conf (apache-ver-1.3x on FBSD)
> RedirectMatch ^.*\.(dll|ida)*$ http://127.0.0.1/$1
>
> I have been using the redirect above, but I've noticed it doesn't catch the
> numerous annoying requests below:
>
> "GET
> /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
> HTTP/1.0" 302 639 "-" "-"
>
> How may I modify my Redirect to catch the above? I know it's just a matter
> of better regex, but I need to exercise care out of my ignorance.

In fact, it does seem to be catching the request.  Notice the "302"
status code which indicates a redirect.

Overall, you're wasting your time.  Worms *do not* follow redirects.
The best a redirect could do is keep this request out of your error
log.  But good admins want to see this information in their error log.

Joshua.


Re: Redirect Matching Question

linux4michelle
On 2005-04-29 13:39:46, Joshua Slive wrote:
> On 4/29/05, Jack Stone <[hidden email]> wrote:

> In fact, it does seem to be catching the request.  Notice the "302"
> status code which indicates a redirect.
>
> Overall, you're wasting your time.  Worms *do not* follow redirects.
> The best a redirect could do is keep this request out of your error
> log.  But good admins want to see this information in their error log.

But because I have several 1000 daily which let my logs explode, I have
created a file in the Web-Root "default.ida" because this is not a WORM,
it is a FileSharing-Tool.

Now the request does not produce 600 bytes anymore but only 150 bytes.

> Joshua.

Bisous
Michelle

--
Linux-User #280138 with the Linux Counter, http://counter.li.org/ 
Michelle Konzack   Apt. 917                  ICQ #294147850
                   50, rue de Soultz         MSM MichelleAC
0033/3/88452356    67100 Strasbourg/France   IRC #Marrakech (irc.icq.com)


RE: Re: Redirect Matching Question

Jack Stone
>From: Michelle Konzack <[hidden email]>
>Reply-To: [hidden email]
>To: [hidden email]
>Subject: [users@httpd] Re: Redirect Matching Question
>Date: Fri, 29 Apr 2005 19:59:49 +0200
>
>On 2005-04-29 13:39:46, Joshua Slive wrote:
> > On 4/29/05, Jack Stone <[hidden email]> wrote:
>
> > In fact, it does seem to be catching the request.  Notice the "302"
> > status code which indicates a redirect.
> >
> > Overall, you're wasting your time.  Worms *do not* follow redirects.
> > The best a redirect could do is keep this request out of your error
> > log.  But good admins want to see this information in their error log.
>
>But because I have several 1000 daily which let my logs explode, I have
>created a file in the Web-Root "default.ida" because this is not a WORM,
>it is a FileSharing-Tool.
>
>Now the request does not produce 600 bytes anymore but only 150 bytes.
>
>
>Bisous
>Michelle
>

Now THAT sounds like a good idea..... thanks!


Re: Re: Redirect Matching Question

Kevin O'Neil

----- Original Message -----
From: "Jack Stone" <[hidden email]>
To: <[hidden email]>
Sent: Friday, April 29, 2005 2:25 PM
Subject: RE: [users@httpd] Re: Redirect Matching Question


> >From: Michelle Konzack <[hidden email]>
>>Reply-To: [hidden email]
>>To: [hidden email]
>>Subject: [users@httpd] Re: Redirect Matching Question
>>Date: Fri, 29 Apr 2005 19:59:49 +0200
>>
>>On 2005-04-29 13:39:46, Joshua Slive wrote:
>> > On 4/29/05, Jack Stone <[hidden email]> wrote:
>>
>> > In fact, it does seem to be catching the request.  Notice the "302"
>> > status code which indicates a redirect.
>> >
>> > Overall, you're wasting your time.  Worms *do not* follow redirects.
>> > The best a redirect could do is keep this request out of your error
>> > log.  But good admins want to see this information in their error log.
>>
>>But because I have several 1000 daily which let my logs explode, I have
>>created a file in the Web-Root "default.ida" because this is not a WORM,
>>it is a FileSharing-Tool.
>>
>>Now the request does not produce 600 bytes anymore but only 150 bytes.
>>
>>
>>Bisous
>>Michelle
>>
>
> Now THAT sounds like a good idea..... thanks!
>

I also created a file default.ida and my logs aren't as hectic. I also
created blank files for most frontpage files for the worms that search for
those. It did stop most of the 302 and 404 errors produced by the worms. If
this is incorrect and should be changed, please let me know.
Thanks,
Kevin




Re: Re: Redirect Matching Question

Jack Stone
>From: "Kevin O'Neil" <[hidden email]>
>Reply-To: "Kevin O'Neil" <[hidden email]>
>To: <[hidden email]>
>Subject: Re: [users@httpd] Re: Redirect Matching Question
>Date: Fri, 29 Apr 2005 14:36:17 -0400
>
>
>----- Original Message ----- From: "Jack Stone" <[hidden email]>
>To: <[hidden email]>
>Sent: Friday, April 29, 2005 2:25 PM
>Subject: RE: [users@httpd] Re: Redirect Matching Question
>
>
>> >From: Michelle Konzack <[hidden email]>
>>>Reply-To: [hidden email]
>>>To: [hidden email]
>>>Subject: [users@httpd] Re: Redirect Matching Question
>>>Date: Fri, 29 Apr 2005 19:59:49 +0200
>>>
>>>On 2005-04-29 13:39:46, Joshua Slive wrote:
>>> > On 4/29/05, Jack Stone <[hidden email]> wrote:
>>>
>>> > In fact, it does seem to be catching the request.  Notice the "302"
>>> > status code which indicates a redirect.
>>> >
>>> > Overall, you're wasting your time.  Worms *do not* follow redirects.
>>> > The best a redirect could do is keep this request out of your error
>>> > log.  But good admins want to see this information in their error log.
>>>
>>>But because I have several 1000 daily which let my logs explode, I have
>>>created a file in the Web-Root "default.ida" because this is not a WORM,
>>>it is a FileSharing-Tool.
>>>
>>>Now the request does not produce 600 bytes anymore but only 150 bytes.
>>>
>>>
>>>Bisous
>>>Michelle
>>>
>>
>>Now THAT sounds like a good idea..... thanks!
>>
>
>I also created a file default.ida and my logs aren't as hectic. I also
>created blank files for most frontpage files for the worms that search for
>those. It did stop most of the 302 and 404 errors produced by the worms. If
>this is incorrect and should be changed, please let me know.
>Thanks,
>Kevin
>

Yes, I use an almost blank page and now the request is only 26 bytes...
Best.
Jack


RE: Re: Redirect Matching Question

Jack Stone
In reply to this post by Jack Stone


>From: "Jack Stone" <[hidden email]>
>Reply-To: [hidden email]
>To: [hidden email]
>Subject: RE: [users@httpd] Re: Redirect Matching Question
>Date: Fri, 29 Apr 2005 13:25:36 -0500
>
>>From: Michelle Konzack <[hidden email]>
>>Reply-To: [hidden email]
>>To: [hidden email]
>>Subject: [users@httpd] Re: Redirect Matching Question
>>Date: Fri, 29 Apr 2005 19:59:49 +0200
>>
>>On 2005-04-29 13:39:46, Joshua Slive wrote:
>> > On 4/29/05, Jack Stone <[hidden email]> wrote:
>>
>> > In fact, it does seem to be catching the request.  Notice the "302"
>> > status code which indicates a redirect.
>> >
>> > Overall, you're wasting your time.  Worms *do not* follow redirects.
>> > The best a redirect could do is keep this request out of your error
>> > log.  But good admins want to see this information in their error log.
>>

I'm now wondering if we did see a "worm" attempt, what would we do about it?
I do run stats and never see any useful info about worms. I agree that we
need to know things that are real threats -- and if we can do anything (yes,
it's what you don't know that can hurt you) --  but these annoying ones that
just fill up logs are just a waste all around IMHO.

FBSD-4.11/Apache1.3.33
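
Added example, not part of the original thread: Joshua's point that the 302 shows the RedirectMatch already matched, and the response sizes compared in the later replies, can both be checked by tallying `.ida` probes in an access log by status code and bytes sent. The log lines are constructed (documentation IP addresses, shortened padding; 639 and 26 are the sizes quoted in the thread, 280 is made up), and `classify` and `summarize` are names chosen here.

```python
import re
from collections import defaultdict

# Common/combined log format: host ident user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)
# Request whose path ends in .ida, optionally followed by a query string.
IDA_RE = re.compile(r'^[A-Z]+ (?P<path>/[^? ]*\.ida)(?:\?(?P<query>\S*))?', re.I)
PADDING_RE = re.compile(r'(.)\1{31,}')  # 32 or more repeats of one character

def classify(request):
    """Return 'ida-overflow-probe', 'ida-request' or None for a request line."""
    m = IDA_RE.match(request)
    if not m:
        return None
    query = m.group('query') or ''
    # Long single-character padding or IIS-style %uXXXX escapes mark the probe.
    if PADDING_RE.search(query) or '%u' in query.lower():
        return 'ida-overflow-probe'
    return 'ida-request'

def summarize(lines):
    """Tally overflow probes: ({status: [count, bytes_sent]}, sorted sources)."""
    totals = defaultdict(lambda: [0, 0])
    sources = set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or classify(m.group('request')) != 'ida-overflow-probe':
            continue
        sent = 0 if m.group('bytes') == '-' else int(m.group('bytes'))
        totals[m.group('status')][0] += 1
        totals[m.group('status')][1] += sent
        sources.add(m.group('host'))
    return dict(totals), sorted(sources)

# Constructed sample log lines, not taken from a real server.
PAD = 'X' * 64
SAMPLE = [
    f'192.0.2.10 - - [29/Apr/2005:13:00:01 -0500] "GET /default.ida?{PAD}%u9090=a HTTP/1.0" 302 639 "-" "-"',
    f'192.0.2.11 - - [29/Apr/2005:13:00:07 -0500] "GET /default.ida?{PAD}%u9090=a HTTP/1.0" 200 26 "-" "-"',
    f'192.0.2.10 - - [29/Apr/2005:13:01:15 -0500] "GET /default.ida?{PAD}%u9090=a HTTP/1.0" 404 280 "-" "-"',
    '198.51.100.5 - - [29/Apr/2005:13:02:00 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    by_status, hosts = summarize(SAMPLE)
    for status, (count, sent) in sorted(by_status.items()):
        print(f'{status}: {count} probe(s), {sent} bytes sent')
    print('sources:', ', '.join(hosts))
```

A 302 count here means the redirect rule matched; a 200 count with a small byte total corresponds to the placeholder-file approach, and the source list is what remains available for follow-up either way.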

