Welcome to the JaguarPC Community

This is a discussion on .htaccess codered nimda in the Open Discussion & Chit-chat forum

  1. #1
    JPC Senior Member stevenha's Avatar
    Join Date
    Jul 2003
    Location
    Edmonton
    Posts
    71

    .htaccess codered nimda

    I found some examples of .htaccess files on other forums.

    I was interested in these snippets, which apparently deal with codered, nimda, and formmail exploits. I've pasted the snippet below, followed by a question for folks who really understand this stuff.

    ------

    # this ruleset is to "stop" stupid attempts to use MS IIS exploits on us
    # NIMDA
    RewriteCond %{REQUEST_URI} /(cmd|root|shell)\.exe$ [NC,OR]
    RewriteCond %{REQUEST_URI} /(admin|httpodbc)\.dll$ [NC]
    RewriteRule .* /cgi-bin/nonimda.cmd [L,E=HTTP_USER_AGENT:NIMDA_EXPLOIT,T=application/x-httpd-cgi]

    # CODERED
    RewriteCond %{REQUEST_URI} /default\.(ida|idq)$ [NC,OR]
    RewriteCond %{REQUEST_URI} /.*\.printer$ [NC]
    RewriteRule .* /cgi-bin/nocode-r.cmd [L,E=HTTP_USER_AGENT:CODERED_EXPLOIT,T=application/x-httpd-cgi]

    # this ruleset is for formmail script abusers...
    RewriteCond %{REQUEST_URI} formmail\.(pl|cgi)$ [NC,OR]
    RewriteCond %{REQUEST_URI} mailto\.(exe|cgi)$ [NC]
    RewriteRule .* /cgi-bin/nofrmml.cmd [L,E=HTTP_USER_AGENT:FORMMAIL_EXPLOIT,T=application/x-httpd-cgi]

    ------

    My questions: since I don't have the actual RewriteRule "files" (nocode-r.cmd, nonimda.cmd, nofrmml.cmd) that the rules refer to, is there an alternative, like replying with a regular tiny HTML file instead? And if it is OK to send back a tiny HTML file, how should the flags be edited (the [L,E=*,T=*] stuff)?

    My goal by the way, is to get these things out of my error logs, to make it easier to spot real errors.

  2. #2
    Yeah, I know a LOT! Vin DSL's Avatar
    Join Date
    Mar 2003
    Location
    Arizona Uplands
    Posts
    10,775
    Um... think you need to add this to the top:
    Code:
    Options +FollowSymLinks
    RewriteEngine on
    RewriteBase /
    DISCLAIMER Any resemblance between the views expressed above and those of the owners and operators of this system is purely coincidental. Any resemblance between these views and my own are non-deterministic. The existence of Vin DSL is questionable. The existence of views in the absence of anyone to hold them is problematic. The existence of the reader is left as an exercise in the second-order coefficient.

    No Guts, No Story! VinDSL © 2010

  3. #3
    JPC Senior Member stevenha's Avatar
    Join Date
    Jul 2003
    Location
    Edmonton
    Posts
    71
    Vin DSL, you are impressively active on this forum. Thanks for jumping in. Well, yup, I was just showing a partial snippet from a long series of RewriteConds and RewriteRules, but you are on the ball to point out that the snippet won't work at all without the preliminary stuff you listed. It shows that you're thinking about others, making sure I (and others) don't have misadventures with pasted snippets (I think).

  4. #4
    Community Leader jason's Avatar
    Join Date
    Sep 2001
    Location
    Rochester, NY
    Posts
    6,003
    It looks like the author of those rules had some kind of CGI script running to catch Nimda and CodeRed "attacks." Your guess as to what it does is as good as mine, but it probably did something like log where the request was coming from and maybe sent some kind of message to the user.

    If you wanted to redirect these requests to an HTML file, you should change the [] block of the RewriteRule to [L,T=text/html] (or just simply [L] should work, too). The L (last) tells mod_rewrite to stop applying rules to the URL once it gets to this point. The E (environment) redefines the HTTP_USER_AGENT environment variable, but since you are just displaying an HTML page there's not much point in doing this. The T (type) tells the server how to treat the page you're being redirected to; the example says that it is a CGI script and should be executed as such. I believe that text/html is the default, so you shouldn't need to specify a T value for plain HTML.

    --Jason
    Jason Pitoniak
    Interbrite Communications
    www.interbrite.com www.kodiakskorner.com
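    As an added example (not code from the thread or from JaguarPC), the following Python script applies the same six URI patterns from the first post to Apache error-log lines and separates the worm and formmail probes from genuine errors, which is the goal stevenha stated; Jason's point that the E= label is the only thing the original rules preserve is mirrored by keeping NIMDA/CODERED/FORMMAIL as the classification labels. The error-log format and the sample lines are constructed assumptions.

```python
import re

# Same URI patterns as the RewriteCond lines in the first post, grouped by the
# label the original rules put into HTTP_USER_AGENT. [NC] becomes IGNORECASE
# and an unanchored RewriteCond becomes re.search.
PROBE_PATTERNS = {
    "NIMDA": [r"/(cmd|root|shell)\.exe$", r"/(admin|httpodbc)\.dll$"],
    "CODERED": [r"/default\.(ida|idq)$", r"/.*\.printer$"],
    "FORMMAIL": [r"formmail\.(pl|cgi)$", r"mailto\.(exe|cgi)$"],
}
COMPILED = [(label, re.compile(p, re.IGNORECASE))
            for label, pats in PROBE_PATTERNS.items() for p in pats]

def classify_uri(path):
    """Return the probe family a request path belongs to, or None."""
    for label, rx in COMPILED:
        if rx.search(path):
            return label
    return None

# Assumed Apache 1.3/2.0 style "File does not exist" error-log line.
ERR_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] "
                    r"File does not exist: (?P<path>\S+)")

def triage(lines):
    """Split error-log lines into (real_errors, probe counts by family)."""
    real, counts = [], {}
    for line in lines:
        m = ERR_RE.match(line)
        label = classify_uri(m.group("path")) if m else None
        if label is None:
            real.append(line)          # anything we cannot attribute to a probe
        else:
            counts[label] = counts.get(label, 0) + 1
    return real, counts

# Constructed sample lines, not taken from a real server.
SAMPLE_LOG = [
    "[Sun Oct 10 12:00:01 2004] [error] [client 192.0.2.10] File does not exist: /home/site/htdocs/scripts/root.exe",
    "[Sun Oct 10 12:00:02 2004] [error] [client 192.0.2.10] File does not exist: /home/site/htdocs/default.ida",
    "[Sun Oct 10 12:00:03 2004] [error] [client 192.0.2.11] File does not exist: /home/site/htdocs/cgi-bin/FormMail.pl",
    "[Sun Oct 10 12:00:04 2004] [error] [client 198.51.100.7] File does not exist: /home/site/htdocs/images/logo.gif",
    "[Sun Oct 10 12:00:05 2004] [error] [client 198.51.100.7] Premature end of script headers: counter.cgi",
]

if __name__ == "__main__":
    real, counts = triage(SAMPLE_LOG)
    print(counts)           # {'NIMDA': 1, 'CODERED': 1, 'FORMMAIL': 1}
    print("\n".join(real))  # only the two genuine errors remain
```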

  5. #5
    JPC Guru Zhen-Xjell's Avatar
    Join Date
    Jan 2002
    Posts
    432
    You can also remove the use of mod_rewrite and make use of mod_require_host and mod_security in your Apache build to prevent things like this from showing up. Make it server wide instead of per directory, for instance.
    Microsoft MVP Windows-Security 2005
    CastleCops | Cuddles 'n Kisses | Just a little poke | Zhen-Xjell

  6. #6
    JPC Senior Member stevenha's Avatar
    Join Date
    Jul 2003
    Location
    Edmonton
    Posts
    71
    Thanks for the reply. Can you elaborate on mod_require_host and mod_security? Are these currently part of JaguarPC's Apache setup? Can you give me a few hints or examples of suitable syntax instead of RewriteCond and RewriteRules?

  7. #7
    Old Hillbilly Connie's Avatar
    Join Date
    Sep 2001
    Location
    Hills of Missouri
    Posts
    2,646
    I would be interested in seeing some examples. Also I have had a situation come up in regard to .htaccess files that I need some input on.

    When using .htaccess to protect files from hot linking, some browsers will not display your images. A lady recently e-mailed me that she could not see the images on our web site. I e-mailed back and asked if it were certain images or all. She replied that she could not see any image. For some reason I connected to the Internet on my laptop, and guess what? I could not see any images until I removed the hot link reference from my .htaccess files.

    I would like to have input on this issue.

    Forum Moderators - Jag Staff

    Spam Whackers Blog - Dedicated to fighting Spam and providing General SEO Tips
    Organize your Kitchen or purchase Kitchen Accessories at Condells
    Ihelpyou Forum - Dedicated to "Best Practices" SEO

  8. #8
    JPC Guru Zhen-Xjell's Avatar
    Join Date
    Jan 2002
    Posts
    432
    Hi, for mod_require_host there are no filters required. It simply picks up errors and past a user-defined threshold bans the IP altogether.
