Odd (alarming) http log exerpt
Duo
duo at digitalarcadia.net
Fri Jan 14 08:19:38 PST 2005
On Fri, 14 Jan 2005, Colin J. Raven wrote:
> I noticed something extremely odd this morning in my http access log.
> There's the usual activity, then suddenly this (about a hundred lines
> are snipped)
Yeah, someone is trying a M$ DAV exploit. I get these alot, along with
nimda attempts.
>
> Is there anything within...say httpd.conf..that I could do to prevent
> this..or curtail it before it grows to such an enormous size.
Why, yes there is! For the low low price of FREE, here is something you
can do for fun and giggles.
<IfModule mod_rewrite.c>
RedirectMatch permanent (.*)cmd.exe(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)root.exe(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/_vti_bin\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/scripts\/\.\.(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/_mem_bin\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/msadc\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/MSADC\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/c\/winnt\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/d\/winnt\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/x90\/(.*)$ http://www.microsoft.com
</IfModule>
This will redirect these lovely attacks back to Microsoft, the bearers of
these fine gifts in the first place. It's my fun way of giving back to
them, for all they have given to me...
Wasted diskspace from engorged logfiles, filled with this crap. =)
--
Duo
More information about the freebsd-questions
mailing list