Improve company productivity with a Business Account.Sign Up

x
?
Solved

how to prevent from hacker?

Posted on 2002-03-09
4
Medium Priority
?
314 Views
Last Modified: 2010-03-04
Hi!

I have "Apache 1.3.20" running on a W2K Professional (with the latest updates and patches). There also is a firewall with only port 80 open.

For some days I recognice some hacking-attempts in the Apache-logfiles. They look like that:

[07/Mar/2002:05:42:56 +0100] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0"
[07/Mar/2002:05:43:00 +0100] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0"
[07/Mar/2002:05:43:06 +0100] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0"
[07/Mar/2002:05:43:10 +0100] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0"

or like that:

[09/Mar/2002:00:50:31 +0100] "HEAD%00 /%20HTTP/1.0%0D%0A%0D%0AAccept%3A%20iwtrdhdadvfywmscucw/../../index.html%3fmrsxhilfr...(very long url)
[09/Mar/2002:00:50:31 +0100] "HEAD%00 /%20HTTP/1.0%0D%0A%0D%0AAccept%3A%20xphpmlcsnnuwdujjuu/../../index.html%3fehejlygttu...(very long url)
[09/Mar/2002:00:50:32 +0100] "HEAD%00 /%20HTTP/1.0%0D%0A%0D%0AAccept%3A%20goybttoeilhqsmcd/../../index.html%3fsnvllphwrlwi...(very long url)
[09/Mar/2002:00:50:34 +0100] "HEAD%00 /%20HTTP/1.0%0D%0A%0D%0AAccept%3A%20xeifqclittjisuajdfg/../../index.html%3ftppyjwryf...(very long url)
[09/Mar/2002:00:50:35 +0100] "HEAD%00 /%20HTTP/1.0%0D%0A%0D%0AAccept%3A%20pwvrmurzqtf/../../index.html%3fvvjpeixwvq=/../is...(very long url)


It seems like a tool (regarding the short timeintervals).
I know, that Apache 1.3.20 is resistant against these kinds of "hacking", but it really nerves (floods my logs)!

What could I do?

Is it usefull to redirekt such requests? Could I block a user making such requests for - lets say - 1 hour?

I'm thankful for every advice!

Thanks in advance, Panther
0
Comment
Question by:pantherchen
  • 2
  • 2
4 Comments
 
LVL 15

Accepted Solution

by:
samri earned 900 total points
ID: 6854242
One possibility to block such request is to use <Location> Directive.  Decide on where to apply the Directive (global or virtualhost), and add the following code;

<Location /*exe>
  Deny from all
</Location>

Infact,  if you look in httpd.conf, you might find this config segment.  You can tailor to your need.

# There have been reports of people trying to abuse an old bug from pre-1.1
# days.  This bug involved a CGI script distributed as a part of Apache.
# By uncommenting these lines you can redirect these attacks to a logging
# script on phf.apache.org.  Or, you can record them yourself, using the script
# support/phf_abuse_log.cgi.
#
#<Location /cgi-bin/phf*>
#    Deny from all
#    ErrorDocument 403 http://phf.apache.org/phf_abuse_log.cgi
#</Location>

0
 
LVL 1

Author Comment

by:pantherchen
ID: 6854569
I think, thats what i need; I'll try (could take some days :)!

Could I use the % in this directive too?
Or combine it in that way:

<Location /*(%|exe)*>
 Deny from all
</Location>


THX
0
 
LVL 15

Expert Comment

by:samri
ID: 6854626
I could not confirm that, I think *.exe should be sufficient since /*.exe already took care of %.   I think the directive should be able to accept regex format (regular expression).

Test it out first, and you can further refine the regex.
0
 
LVL 1

Author Comment

by:pantherchen
ID: 6860038
ok, played a bit with it, and it works :)
thanks!
0

Featured Post

Upgrade your Question Security!

Your question, your audience. Choose who sees your identity—and your question—with question security.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

If your site has a few sections that need to be secure when data is transmitted between the server and local computer, such as a /order/ section for ordering or /customer/ which contains customer data, etc it would of course be recommended to secure…
Introduction This article is intended for those who are new to PHP error handling (https://www.experts-exchange.com/articles/11769/And-by-the-way-I-am-New-to-PHP.html).  It addresses one of the most common problems that plague beginning PHP develop…
Hi, this video explains a free download that you can incorporate into your Access databases, or use stand-alone for contact management. Contacts -- Names, Addresses, Phone Numbers, eMail Addresses, Websites, Lists, Projects, Notes, Attachments…
The video will let you know the exact process to import OST/PST files to the cloud based Office 365 mailboxes. Using Kernel Import PST to Office 365 tool, one can quickly import numerous OST/PST files to Office 365. Besides this, the tool also comes…

607 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question