how to prevent from hacker?


I have "Apache 1.3.20" running on a W2K Professional (with the latest updates and patches). There also is a firewall with only port 80 open.

For some days I recognice some hacking-attempts in the Apache-logfiles. They look like that:

[07/Mar/2002:05:42:56 +0100] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0"
[07/Mar/2002:05:43:00 +0100] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0"
[07/Mar/2002:05:43:06 +0100] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0"
[07/Mar/2002:05:43:10 +0100] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0"

or like that:

[09/Mar/2002:00:50:31 +0100] "HEAD%00 /%20HTTP/1.0%0D%0A%0D%0AAccept%3A%20iwtrdhdadvfywmscucw/../../index.html%3fmrsxhilfr...(very long url)
[09/Mar/2002:00:50:31 +0100] "HEAD%00 /%20HTTP/1.0%0D%0A%0D%0AAccept%3A%20xphpmlcsnnuwdujjuu/../../index.html%3fehejlygttu...(very long url)
[09/Mar/2002:00:50:32 +0100] "HEAD%00 /%20HTTP/1.0%0D%0A%0D%0AAccept%3A%20goybttoeilhqsmcd/../../index.html%3fsnvllphwrlwi...(very long url)
[09/Mar/2002:00:50:34 +0100] "HEAD%00 /%20HTTP/1.0%0D%0A%0D%0AAccept%3A%20xeifqclittjisuajdfg/../../index.html%3ftppyjwryf...(very long url)
[09/Mar/2002:00:50:35 +0100] "HEAD%00 /%20HTTP/1.0%0D%0A%0D%0AAccept%3A%20pwvrmurzqtf/../../index.html%3fvvjpeixwvq=/../is...(very long url)

It seems like a tool (regarding the short timeintervals).
I know, that Apache 1.3.20 is resistant against these kinds of "hacking", but it really nerves (floods my logs)!

What could I do?

Is it usefull to redirekt such requests? Could I block a user making such requests for - lets say - 1 hour?

I'm thankful for every advice!

Thanks in advance, Panther
Who is Participating?
samriConnect With a Mentor Commented:
One possibility to block such request is to use <Location> Directive.  Decide on where to apply the Directive (global or virtualhost), and add the following code;

<Location /*exe>
  Deny from all

Infact,  if you look in httpd.conf, you might find this config segment.  You can tailor to your need.

# There have been reports of people trying to abuse an old bug from pre-1.1
# days.  This bug involved a CGI script distributed as a part of Apache.
# By uncommenting these lines you can redirect these attacks to a logging
# script on  Or, you can record them yourself, using the script
# support/phf_abuse_log.cgi.
#<Location /cgi-bin/phf*>
#    Deny from all
#    ErrorDocument 403

pantherchenAuthor Commented:
I think, thats what i need; I'll try (could take some days :)!

Could I use the % in this directive too?
Or combine it in that way:

<Location /*(%|exe)*>
 Deny from all

I could not confirm that, I think *.exe should be sufficient since /*.exe already took care of %.   I think the directive should be able to accept regex format (regular expression).

Test it out first, and you can further refine the regex.
pantherchenAuthor Commented:
ok, played a bit with it, and it works :)
All Courses

From novice to tech pro — start learning today.