Slow Site
Posted: Mon Jun 19, 2006 12:26 am
by ray
Sorry for the slow site this weekend. Worm-infected machines have been sending an insane amount of requests to the site, which is essentially resulting in a denial of service attack.
I'm working at locating a script to prevent the web server from processing these requests.
Posted: Mon Jun 19, 2006 12:59 am
by ray
I think I fixed it. I added the following to .htaccess:
# Redirect any request whose raw query string or cookie matches a worm signature.
RewriteEngine ON
RewriteCond %{QUERY_STRING} ^(.*)wget\%20 [OR]
RewriteCond %{QUERY_STRING} ^(.*)echr(.*) [OR]
RewriteCond %{QUERY_STRING} ^(.*)Echr(.*) [OR]
RewriteCond %{QUERY_STRING} ^(.*)esystem(.*) [OR]
RewriteCond %{QUERY_STRING} ^(.*)highlight=\%2527 [OR]
RewriteCond %{HTTP_COOKIE} s:(.*):\%22test1\%22\%3b
# Matching requests get a 301 to the client's own loopback address.
RewriteRule ^.*$ http://127.0.0.1/ [L,R=301]
This should block the following traffic:
64.27.4.160 - - [18/Jun/2006:20:58:07 -0400] "GET /viewtopic.php?t=3492&highlight=%2527%252Esystem(chr(112)%252Echr(101)%252Echr(114)%252Echr(108)%252Echr(32)%252Echr(45)%252Echr(101)%252Echr(32)%252Echr(34)%252Echr(112)%252Echr(114)%252Echr(105)%252Echr(110)%252Echr(116)%252Echr(32)%252Echr(113)%252Echr(40)%252Echr(106)%252Echr(83)%252Echr(86)%252Echr(111)%252Echr(119)%252Echr(77)%252Echr(115)%252Echr(100)%252Echr(41)%252Echr(34))%252E%2527 HTTP/1.0" 301 759 "-" "Mozilla/4.0"
Posted: Mon Jun 19, 2006 11:49 am
by wirednut
That's sweet. I didn't know they were using smilies in shell scripts these days.
Posted: Mon Jun 19, 2006 11:50 am
by dhoyne
Anyone else see that and hear the wa-wa-wa-wa sound of adults talking in a Peanuts cartoon?
mod_security
Posted: Mon Jun 19, 2006 2:02 pm
by nrvale0
Posted: Mon Jun 19, 2006 2:13 pm
by SCIN
Very nice. Thanks.
Posted: Mon Jun 19, 2006 3:44 pm
by Mike Jones
Beat me to it, Nathan. Additionally Ray, do you have snort on or out in front of your web server?
Posted: Mon Jun 19, 2006 3:55 pm
by SCIN
I'd rather not do snort flexible response (inline). I'm not a big fan of session sniping unless you want to buy Sourcefire's 3D system for me.
Posted: Wed Jul 12, 2006 3:33 pm
by Mike Jones
I know this thread is about a month old, but I came across a decent mod_security overview and thought you might enjoy --
http://www.howtoforge.com/apache_mod_security_p2