Solved

how to prevent from hacker?

Posted on 2002-03-09
4
295 Views
Last Modified: 2010-03-04
Hi!

I have "Apache 1.3.20" running on a W2K Professional (with the latest updates and patches). There also is a firewall with only port 80 open.

For some days I recognice some hacking-attempts in the Apache-logfiles. They look like that:

[07/Mar/2002:05:42:56 +0100] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0"
[07/Mar/2002:05:43:00 +0100] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0"
[07/Mar/2002:05:43:06 +0100] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0"
[07/Mar/2002:05:43:10 +0100] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0"

or like that:

[09/Mar/2002:00:50:31 +0100] "HEAD%00 /%20HTTP/1.0%0D%0A%0D%0AAccept%3A%20iwtrdhdadvfywmscucw/../../index.html%3fmrsxhilfr...(very long url)
[09/Mar/2002:00:50:31 +0100] "HEAD%00 /%20HTTP/1.0%0D%0A%0D%0AAccept%3A%20xphpmlcsnnuwdujjuu/../../index.html%3fehejlygttu...(very long url)
[09/Mar/2002:00:50:32 +0100] "HEAD%00 /%20HTTP/1.0%0D%0A%0D%0AAccept%3A%20goybttoeilhqsmcd/../../index.html%3fsnvllphwrlwi...(very long url)
[09/Mar/2002:00:50:34 +0100] "HEAD%00 /%20HTTP/1.0%0D%0A%0D%0AAccept%3A%20xeifqclittjisuajdfg/../../index.html%3ftppyjwryf...(very long url)
[09/Mar/2002:00:50:35 +0100] "HEAD%00 /%20HTTP/1.0%0D%0A%0D%0AAccept%3A%20pwvrmurzqtf/../../index.html%3fvvjpeixwvq=/../is...(very long url)


It seems like a tool (regarding the short timeintervals).
I know, that Apache 1.3.20 is resistant against these kinds of "hacking", but it really nerves (floods my logs)!

What could I do?

Is it usefull to redirekt such requests? Could I block a user making such requests for - lets say - 1 hour?

I'm thankful for every advice!

Thanks in advance, Panther
0
Comment
Question by:pantherchen
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 15

Accepted Solution

by:
samri earned 300 total points
ID: 6854242
One possibility to block such request is to use <Location> Directive.  Decide on where to apply the Directive (global or virtualhost), and add the following code;

<Location /*exe>
  Deny from all
</Location>

Infact,  if you look in httpd.conf, you might find this config segment.  You can tailor to your need.

# There have been reports of people trying to abuse an old bug from pre-1.1
# days.  This bug involved a CGI script distributed as a part of Apache.
# By uncommenting these lines you can redirect these attacks to a logging
# script on phf.apache.org.  Or, you can record them yourself, using the script
# support/phf_abuse_log.cgi.
#
#<Location /cgi-bin/phf*>
#    Deny from all
#    ErrorDocument 403 http://phf.apache.org/phf_abuse_log.cgi
#</Location>

0
 
LVL 1

Author Comment

by:pantherchen
ID: 6854569
I think, thats what i need; I'll try (could take some days :)!

Could I use the % in this directive too?
Or combine it in that way:

<Location /*(%|exe)*>
 Deny from all
</Location>


THX
0
 
LVL 15

Expert Comment

by:samri
ID: 6854626
I could not confirm that, I think *.exe should be sufficient since /*.exe already took care of %.   I think the directive should be able to accept regex format (regular expression).

Test it out first, and you can further refine the regex.
0
 
LVL 1

Author Comment

by:pantherchen
ID: 6860038
ok, played a bit with it, and it works :)
thanks!
0

Featured Post

Use Case: Protecting a Hybrid Cloud Infrastructure

Microsoft Azure is rapidly becoming the norm in dynamic IT environments. This document describes the challenges that organizations face when protecting data in a hybrid cloud IT environment and presents a use case to demonstrate how Acronis Backup protects all data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Introduction As you’re probably aware the HTTP protocol offers basic / weak authentication, which in combination with the relevant configuration on your web server, provides the ability to password protect all or part of your host.  If you were not…
In Solr 4.0 it is possible to atomically (or partially) update individual fields in a document. This article will show the operations possible for atomic updating as well as setting up your Solr instance to be able to perform the actions. One major …
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…
Finds all prime numbers in a range requested and places them in a public primes() array. I've demostrated a template size of 30 (2 * 3 * 5) but larger templates can be built such 210  (2 * 3 * 5 * 7) or 2310  (2 * 3 * 5 * 7 * 11). The larger templa…

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question