On Fri, 13 Aug 2004 09:16:02 -0500
Chad Walstrom <chewie at wookimus.net> wrote:

> Cute PHP script.  You know, this isn't exactly OT. ;-)  Anyway,
> since putting in log filtering, I've only seen 10 attempts on our
> machine. :-/ Not really exciting. ;-)

I'm waiting for another x90; they seem more common in the evening hours.  If that one gets caught too, then I'm gonna move this onto a couple other boxes.  I'm sure none of these "LUS3R5" will ever see the results of that script, but it's kinda funny anyway.  From this exercise, I am currently testing the following set of rules (apologies for any line breaks):

SetEnvIf Request_URI "(.*)command.com(.*)$" exploit=1 nolog
SetEnvIf Request_URI "(.*)COMMAND.COM(.*)$" exploit=1 nolog
SetEnvIf Request_URI "(.*)command.exe(.*)$" exploit=1 nolog
SetEnvIf Request_URI "(.*)COMMAND.EXE(.*)$" exploit=1 nolog
SetEnvIf Request_URI "(.*)default.ida(.*)$" exploit=1 nolog
SetEnvIf Request_URI "(.*)DEFAULT.IDA(.*)$" exploit=1 nolog
SetEnvIf Request_URI "(.*)cmd.exe(.*)$" exploit=1 nolog
SetEnvIf Request_URI "(.*)CMD.EXE(.*)$" exploit=1 nolog
SetEnvIf Request_URI "(.*)root.exe(.*)$" exploit=1 nolog
SetEnvIf Request_URI "(.*)ROOT.EXE(.*)$" exploit=1 nolog
SetEnvIf Request_URI "(.*)shell.exe(.*)$" exploit=1 nolog
SetEnvIf Request_URI "(.*)SHELL.EXE(.*)$" exploit=1 nolog
SetEnvIf Request_URI "(.*)[\\|\/]_vti_bin[\\|\/](.*)$" exploit=1 nolog
SetEnvIf Request_URI "(.*)[\\|\/]_VTI_BIN[\\|\/](.*)$" exploit=1 nolog
SetEnvIf Request_URI "(.*)[\\|\/]winnt[\\|\/](.*)$" exploit=1 nolog
SetEnvIf Request_URI "(.*)[\\|\/]WINNT[\\|\/](.*)$" exploit=1 nolog
SetEnvIf Request_URI "(.*)[\\|\/]scripts[\\|\/]\.\.(.*)$" exploit=1 nolog
SetEnvIf Request_URI "(.*)[\\|\/]SCRIPTS[\\|\/]\.\.(.*)$" exploit=1 nolog
SetEnvIf Request_URI "(.*)[\\|\/]_mem_bin[\\|\/](.*)$" exploit=1 nolog
SetEnvIf Request_URI "(.*)[\\|\/]_MEM_BIN[\\|\/](.*)$" exploit=1 nolog
SetEnvIf Request_URI "(.*)[\\|\/]msadc[\\|\/](.*)$" exploit=1 nolog
SetEnvIf Request_URI "(.*)[\\|\/]MSADC[\\|\/](.*)$" exploit=1 nolog
SetEnvIf Request_URI "(.*)[\\|\/]x90[\\|\/](.*)$" exploit=1 nolog
SetEnvIf Request_URI "(.*)[\\|\/]X90[\\|\/](.*)$" exploit=1 nolog
SetEnvIf Request_URI "(.*).dll(.*)$" exploit=1 nolog
SetEnvIf Request_URI "(.*).DLL(.*)$" exploit=1 nolog
SetEnvIf Request_URI "(.*)system32(.*)$" exploit=1 nolog
SetEnvIf Request_URI "(.*)SYSTEM32(.*)$" exploit=1 nolog

RedirectMatch permanent (.*)command.com(.*)$ "http://trutwins.homeip.net/goaway.php?cmd=command.com"
RedirectMatch permanent (.*)COMMAND.COM(.*)$ "http://trutwins.homeip.net/goaway.php?cmd=command.com"
RedirectMatch permanent (.*)command.exe(.*)$ "http://trutwins.homeip.net/goaway.php?cmd=command.exe"
RedirectMatch permanent (.*)COMMAND.EXE(.*)$ "http://trutwins.homeip.net/goaway.php?cmd=command.exe"
RedirectMatch permanent (.*)default.ida(.*)$ "http://trutwins.homeip.net/goaway.php?cmd=default.ida"
RedirectMatch permanent (.*)DEFAULT.IDA(.*)$ "http://trutwins.homeip.net/goaway.php?cmd=default.ida"
RedirectMatch permanent (.*)cmd.exe(.*)$ "http://trutwins.homeip.net/goaway.php?cmd=cmd.exe"
RedirectMatch permanent (.*)CMD.EXE(.*)$ "http://trutwins.homeip.net/goaway.php?cmd=cmd.exe"
RedirectMatch permanent (.*)root.exe(.*)$ "http://trutwins.homeip.net/goaway.php?cmd=root.exe"
RedirectMatch permanent (.*)ROOT.EXE(.*)$ "http://trutwins.homeip.net/goaway.php?cmd=root.exe"
RedirectMatch permanent (.*)shell.exe(.*)$ "http://trutwins.homeip.net/goaway.php?cmd=shell.exe"
RedirectMatch permanent (.*)SHELL.EXE(.*)$ "http://trutwins.homeip.net/goaway.php?cmd=shell.exe"
RedirectMatch permanent (.*)[\\|\/]_vti_bin[\\|\/](.*)$ "http://trutwins.homeip.net/goaway.php?cmd=vtibin"
RedirectMatch permanent (.*)[\\|\/]_VTI_BIN[\\|\/](.*)$ "http://trutwins.homeip.net/goaway.php?cmd=vtibin"
RedirectMatch permanent (.*)[\\|\/]winnt[\\|\/](.*)$ "http://trutwins.homeip.net/goaway.php?cmd=winnt"
RedirectMatch permanent (.*)[\\|\/]WINNT[\\|\/](.*)$ "http://trutwins.homeip.net/goaway.php?cmd=winnt"
RedirectMatch permanent (.*)[\\|\/]scripts[\\|\/]\.\.(.*)$ "http://trutwins.homeip.net/goaway.php?cmd=scripts"
RedirectMatch permanent (.*)[\\|\/]SCRIPTS[\\|\/]\.\.(.*)$ "http://trutwins.homeip.net/goaway.php?cmd=scripts"
RedirectMatch permanent (.*)[\\|\/]_mem_bin[\\|\/](.*)$ "http://trutwins.homeip.net/goaway.php?cmd=membin"
RedirectMatch permanent (.*)[\\|\/]_MEM_BIN[\\|\/](.*)$ "http://trutwins.homeip.net/goaway.php?cmd=membin"
RedirectMatch permanent (.*)[\\|\/]msadc[\\|\/](.*)$ "http://trutwins.homeip.net/goaway.php?cmd=msadc"
RedirectMatch permanent (.*)[\\|\/]MSADC[\\|\/](.*)$ "http://trutwins.homeip.net/goaway.php?cmd=msadc"
RedirectMatch permanent (.*)[\\|\/]x90[\\|\/](.*)$ "http://trutwins.homeip.net/goaway.php?cmd=webdav+attack"
RedirectMatch permanent (.*)[\\|\/]X90[\\|\/](.*)$ "http://trutwins.homeip.net/goaway.php?cmd=webdav+attack"
RedirectMatch permanent (.*).dll(.*)$ "http://trutwins.homeip.net/goaway.php?cmd=some+dll"
RedirectMatch permanent (.*).DLL(.*)$ "http://trutwins.homeip.net/goaway.php?cmd=some+dll"
RedirectMatch permanent (.*)system32(.*)$ "http://trutwins.homeip.net/goaway.php?cmd=some+system32"
RedirectMatch permanent (.*)SYSTEM32(.*)$ "http://trutwins.homeip.net/goaway.php?cmd=some+system32"

SetEnvIf Remote_Addr ^(127\.0\.0\.1|192\.168\.0\.) localreq nolog

CustomLog  /var/log/apache/trutwins.homeip.net/access_log combined env=!nolog
CustomLog  /var/log/apache/trutwins.homeip.net/attack_log combined env=exploit
CustomLog  /var/log/apache/trutwins.homeip.net/local_access_log combined env=localreq

Josh



_______________________________________________
TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
Help beta test TCLUG's potential new home: http://plone.mn-linux.org
Got pictures for TCLUG? Beta test http://plone.mn-linux.org/gallery
tclug-list at mn-linux.org
https://mailman.real-time.com/mailman/listinfo/tclug-list