Friday, 19 May 2006

TECH_ Redirecting hacked servers searching for exploits

When the error log of my Apache httpd started growing, filled mostly with requests from compromised web servers probing for software with known exploits, I started thinking about how to stop that.

I came up with the idea of redirecting these servers to their own localhost, 127.0.0.1: the request then no longer shows up in my log files, and no 404 error page has to be generated and sent to these annoying servers.

At first I used a separate redirect for every single exploit, but that quickly became unwieldy. So I came up with one regular expression that I added to the main configuration file. I will try to keep it updated. Here it is:
# Anchored at the start of the request path: an optional scheme, one or two
# leading slashes, then one of the names below, optionally followed by a sub-path
# (a bare "^http://|" would make the rest an unanchored alternative).
RedirectMatch permanent ^(http://)?//?(\
\
\
admin|\
a1b2c3d4e5f6g7h8i9|\
[aA]ds(erver)?|\
a(f|oe|q20_2)|\
awstats.pl|\
b(dh|wl)|\
b2(evo)?|\
blitzkrieger|\
blog(s?|test)|\
([Ww]eb)?[cC]al(endar)?|\
cgi(-?bin)?|\
community|\
coop|\
db(admin)?|\
(aq40|eq?|fairy|mc(_|ony-)?|neq|ony|set_|ttm|wow|zg(class)?|zul)?dkp(_?[1-3]0?|-1.[2-3].0|_?aq1?|-klasse|klein|mc|_new|old|set|-?zg)?|\
DKPAQ20|\
dr(p|upal)|\
e(lp|vent)|\
forum|\
gmc|\
[hH]orde.*|\
hosted_sites|\
includes|\
(articles/|cvs/)?(mambo/)?index2\.php|\
level|\
m(are|c(1|p)?|y(sql-?)?(admin)?)|\
module|\
OveR|\
pages|\
phi|\
phpgroupware|\
php([Aa]ds([nN]ew)?|BB2|[mM]y[aA]dmin-?2(\.\d\.\d)?)|\
(|(php/)?([pP]hp([mM]y(-(\d\.?)+)?)?)?[cC]hat(s|room)/|forum/)/?chat/messagesL\.php3|\
PMA|\
prx1\.php|\
pub/downloads|\
punkte(stand)?|\
raid(bwl|planung)?|\
README|\
rps|\
(bbs/|(z(ero)?)?board/(bbs/)?)?skin/zero_vote/error\.php|\
(web)?statu?s|\
sumthin|\
sys|\
thisdoesnotexistahaha.php|\
_?vti_bin|\
web(17)?|\
wordpress|\
wow|\
(ad)?xml(rpc|srv)(\.php)?|\
zorn|\
zul\
\
\
)(/.*)?$ http://127.0.0.1/bugMeNot

You should carefully check that none of the paths of your own site are affected, especially if you are running one of the software packages these exploits target!
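One way to do that check before reloading Apache, as an added example that is not part of the original post: it runs a representative subset of the alternatives above against constructed sample paths and compares the anchored form with an easy mistake, a top-level `|` in front of the leading slash, which silently turns the rule into an unanchored search. Python's re stands in for Apache's regex engine here; the probe and site paths are constructed.

```python
import re

# Representative subset of the alternatives from the RedirectMatch above
# (the full list is too long to repeat); the structure is the same.
NAMES = (
    r"admin|cgi(-?bin)?|"
    r"php([Aa]ds([nN]ew)?|BB2|[mM]y[aA]dmin-?2(\.\d\.\d)?)|"
    r"(articles/|cvs/)?(mambo/)?index2\.php|"
    r"(ad)?xml(rpc|srv)(\.php)?"
)

# Intended reading: optional scheme, one or two leading slashes, one of the
# names, optionally followed by a sub-path; anchored at the path start.
ANCHORED = re.compile(r"^(http://)?//?(" + NAMES + r")(/.*)?$")

# A top-level "|" instead of the optional group: "^http://" becomes one
# alternative and everything else a second, unanchored one, so a name is
# found anywhere in the path, not only at its start.
UNANCHORED = re.compile(r"^http://|//?(" + NAMES + r")(/.*)?$")

# Constructed sample paths: probes that must be redirected, and hypothetical
# legitimate paths of one's own site that must not be.
SCANNER_PROBES = [
    "/admin", "//cgi-bin", "/phpMyAdmin-2.5.4/main.php",
    "/articles/mambo/index2.php", "/xmlrpc.php", "/cgi-bin/test",
]
OWN_PATHS = [
    "/", "/index.html", "/docs/admin-guide.html", "/blog/2006/admin",
    "/static/cgi-bin-howto.txt", "/photos/xmlsrv/",
]


def check(pattern):
    """Return (missed probes, own paths that would be redirected).

    re.search mirrors RedirectMatch: the pattern may match anywhere in the
    path unless it is pinned down with ^.
    """
    missed = [p for p in SCANNER_PROBES if not pattern.search(p)]
    collateral = [p for p in OWN_PATHS if pattern.search(p)]
    return missed, collateral


if __name__ == "__main__":
    for name, pat in ("anchored", ANCHORED), ("unanchored", UNANCHORED):
        missed, collateral = check(pat)
        print(f"{name}: missed={missed} redirected_own_paths={collateral}")
```

Both forms catch every probe, but only the anchored one leaves nested paths such as /blog/2006/admin alone.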

The regular expression will match at least the following URIs:
/a1b2c3d4e5f6g7h8i9
/admin
/ads
/Ads
/adserver
/af
/aoe
/aq20_2
/aq40dkp
/articles/index2.php
/articles/mambo/index2.php
/b2
/b2evo
/bbs/skin/zero_vote/error.php
/bdh
/blitzkrieger
/blog
/blogs
/blogtest
/board/skin/zero_vote/error.php
/bwl
/cal
/calendar
/Calendar
/chat//chat/messagesL.php3
//chat/messagesL.php3
/chatroom//chat/messagesL.php3
/chats//chat/messagesL.php3
/community
/coop
/cvs/index2.php
/cvs/mambo/index2.php
/db
/dbadmin
/dkp
/dkp1
/dkp_1
/dkp2
/dkp_2
/dkp20
/dkp3
/dkpaq
/DKPAQ20
/dkp-klasse
/dkpklein
/dkpmc
/dkp_new
/dkpold
/dkpset
/dkpzg
/dkp-zg
/drp
/drupal
/edkp
/edkp20
/elp
/eqdkp
/eqdkp-1.2.0
/eqdkp-1.3.0
/eqdkp_2
/eqdkp_aq1
/eqdkp-zg
/event
/fairydkp
/forum
/forum//chat/messagesL.php3
/gmc
/hosted_sites
/includes
/index2.php
/level
/mambo/index2.php
/mare
/mc
/mc1
/mcdkp
/mc_dkp
/mcony-dkp
/mcp
/module
/my
/myadmin
/mysql
/mysqladmin
/mysql-admin
/neqdkp
/onydkp
/OveR
/pages
/phi
/php/phpmychat//chat/messagesL.php3
/phpgroupware
/phpads
/phpadsnew
/phpAdsNew
/phpBB2
/phpmyadmin2
/phpMyAdmin-2.2.3
/phpMyAdmin-2.2.6
/phpMyAdmin-2.5.1
/phpMyAdmin-2.5.4
/phpMyAdmin-2.5.6
/phpMyChat//chat/messagesL.php3
/phpMyChat-0.14.2//chat/messagesL.php3
/phpMyChat-0.14.5//chat/messagesL.php3
/PMA
/prx1.php
/pub/downloads
/punkte
/punktestand
/raid
/raidbwl
/raidplanung
/README
/rps
/set_dkp
/sumthin
/sys
/ttmdkp
/_vti_bin
/web
/web17
/webcalendar
/webCalendar
/WebCalendar
/Webcalendar
/wordpress
/wow
/wowdkp
/xmlrpc
/xmlsrv
/zboard/skin/zero_vote/error.php
/zeroboard/bbs/skin/zero_vote/error.php
/zgclassdkp
/zgdkp
/zorn
/zul
/zuldkp

Updates
2006-06-12
  • Added PhpMyChat exploit.
  • Added Zeroboard exploit.

2006-06-08
  • Made RegEx more readable by spanning over multiple lines.
  • Added /prx1.php (more precisely the GET http://www.theleadads.com/prx1.php HTTP/1.0 request) to matched URIs.
  • Added Mambo exploit with URIs /index2.php, /articles/index2.php, /articles/mambo/index2.php, /cvs/index2.php, /cvs/mambo/index2.php and /mambo/index2.php.
  • Added /phpgroupware to URIs.
  • Added /cal, /calendar and /webcalendar to matched URIs.

2006-06-05
  • Added possible leading double slash.

2006-05-22
  • Added /sumthin to matched URIs.

Reflog

IT howtos, hints and oddities
