Web Hosting Talk

Server under 'attack' - grr


ck
12-26-2001, 10:55 AM
My Apache install is reporting a series of 404 error attempts such as the following every minute. Is there any way to totally block out such attempts? Somebody is hitting hard on this FreeBSD server with all those hits... :angry:


[Wed Dec 26 21:48:20 2001] [error] [client 65.193.77.134] File does not exist: /usr/local/psa/home/vhosts/default/htdocs/msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe
[Wed Dec 26 21:48:21 2001] [error] [client 65.193.77.134] File does not exist: /usr/local/psa/home/vhosts/default/htdocs/scripts/..Á../winnt/system32/cmd.exe
[Wed Dec 26 21:48:26 2001] [error] [client 65.193.77.134] File does not exist: /usr/local/psa/home/vhosts/default/htdocs/scripts/..À¯../winnt/system32/cmd.exe
[Wed Dec 26 21:48:30 2001] [error] [client 65.193.77.134] File does not exist: /usr/local/psa/home/vhosts/default/htdocs/scripts/..Áœ../winnt/system32/cmd.exe
[Wed Dec 26 21:48:37 2001] [error] [client 65.193.77.134] File does not exist: /usr/local/psa/home/vhosts/default/htdocs/scripts/..%5c../winnt/system32/cmd.exe
[Wed Dec 26 21:48:38 2001] [error] [client 65.193.77.134] File does not exist: /usr/local/psa/home/vhosts/default/htdocs/scripts/..%2f../winnt/system32/cmd.exe

RutRow
12-26-2001, 11:16 AM
It really isn't "hurting" you, other than filling up your log files with useless garbage. It is a winblows exploit.

You can use your firewall to block port 80 access from that IP, or better yet, contact the people who use the IP and let them know their server has been compromised:

From ARIN:

Lightning Wireless (NETBLK-UU-65-193-76)
2180 Immokalee Rd. Suite 216
Naples, FL 34110
US

Netname: UU-65-193-76
Netblock: 65.193.76.0 - 65.193.79.255

Coordinator:
Rosenthal, Loren (LR281-ARIN) loren@lightningwireless.net
941-598-2129

Record last updated on 18-Dec-2000.
Database last updated on 25-Dec-2001 19:55:00 EDT.

ck
12-26-2001, 11:37 AM
Thanks for the reply RutRow, but those file requests are coming from multiple hosts, not only 65.194.77.134. I did a quick count on how many times the server has been hit by Nimda alone and the grand total stands at 1761032 hits :eek: just in this week alone.

It may not be a lot in the short term, but nevertheless it's not very good for server load, especially when it happens this often. I was actually looking for a way to prevent Apache from accepting such connections totally, i.e. when a request comes in for a URL matching that syntax/format, it immediately sends the request to /dev/null.

anybody ? :)

zupanm
12-26-2001, 01:32 PM
Here ya go.. add this to your httpd.conf and restart Apache.

# Flag requests for URIs containing known strings from
# Nimda-like worms (including Code Red, sadmind/IIS)
# Note that the patterns below are regexes; escape your dots!

SetEnvIf Request_URI "/winnt/system32/cmd\.exe" nimda
SetEnvIf Request_URI "/scripts/root\.exe" nimda
SetEnvIf Request_URI "/MSADC/root\.exe" nimda
SetEnvIf Request_URI "/\.\." nimda
SetEnvIf Request_URI "\.\./" nimda

# Block attackers who send the patterns above (and get a 400 or 404 response)
# via the routing table. It's more efficient to firewall (the command
# will vary depending upon the firewall in use) or use SSH to add rules to
# an upstream firewall to block the attacker. If several commands must
# be executed, it may be best to invoke a script rather than doing
# all the work from within httpd.conf.

CustomLog "|exec sh" "route -nq add -host %400,404a 127.0.0.1 -blackhole" env=nimda
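
The script that the comment above suggests invoking instead of doing the work inside httpd.conf, as an added example that is not code from the thread. It also carries a `count` mode that reproduces ck's per-client tally from the error_log using the same patterns as the SetEnvIf lines. The script name, the install path in the CustomLog line and the `DRYRUN` switch are my assumptions; the sample log lines in the usage below are constructed after the ones ck posted.

```sh
#!/bin/sh
# nimda_guard.sh: companion script for the SetEnvIf/CustomLog rules above.
# Added example, not code from the thread; script name and install path
# are assumptions. Two modes:
#   count  read an Apache 1.3 error_log on stdin, print hits per client
#          address for requests matching the same patterns as the rules
#   pipe   act as the CustomLog reader; Apache writes one client address
#          (%a) per flagged request, or "-" when the status was not 400/404
# httpd.conf line for pipe mode (assumed path):
#   CustomLog "|/usr/local/sbin/nimda_guard.sh pipe" "%400,404a" env=nimda

# The SetEnvIf expressions joined into one alternation. grep -i below gives
# the SetEnvIfNoCase behaviour: IIS paths are case-insensitive and the logs
# in the thread show /msadc/ in lowercase, which a case-sensitive
# /MSADC/root\.exe would not match.
NIMDA_RE='/winnt/system32/cmd\.exe|/scripts/root\.exe|/MSADC/root\.exe|/\.\.|\.\./'

# Hits per client, most active first. LC_ALL=C stops grep from treating the
# raw 0xC0/0xC1 bytes of the overlong-UTF-8 probes as binary input. The sed
# expression assumes the "[client a.b.c.d]" field of the 1.3 error_log format.
count_hits() {
  LC_ALL=C grep -Ei "$NIMDA_RE" \
    | LC_ALL=C sed -n 's/.*\[client \([0-9.]*\)\].*/\1/p' \
    | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Return 0 only for a dotted-quad IPv4 address with octets 0-255. In pipe
# mode nothing reaches route(8) unless it passes this check; the bare
# "|exec sh" form runs whatever text lands in the log line.
is_ipv4() {
  case "$1" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  rest=$1
  n=0
  while [ -n "$rest" ]; do
    octet=${rest%%.*}
    [ "$octet" -le 255 ] || return 1
    n=$((n + 1))
    case "$rest" in
      *.*) rest=${rest#*.} ;;
      *)   rest='' ;;
    esac
  done
  [ "$n" -eq 4 ]
}

# The block command for one address. The attacker's address is the route's
# destination; 127.0.0.1 is only the gateway argument, so loopback itself
# is not affected.
block_cmd() {
  printf 'route -nq add -host %s 127.0.0.1 -blackhole\n' "$1"
}

# CustomLog reader: skip "-" entries, reject anything that is not an IPv4
# address, block each address once per httpd lifetime. With DRYRUN=1 the
# commands are printed instead of executed, so the logic can be exercised
# without root.
pipe_reader() {
  seen=' '
  while IFS= read -r addr; do
    case "$addr" in '-') continue ;; esac
    if ! is_ipv4 "$addr"; then
      printf 'nimda_guard: ignoring malformed entry: %s\n' "$addr" >&2
      continue
    fi
    case "$seen" in *" $addr "*) continue ;; esac
    seen="$seen$addr "
    if [ "${DRYRUN:-0}" = 1 ]; then
      block_cmd "$addr"
    else
      route -nq add -host "$addr" 127.0.0.1 -blackhole
    fi
  done
  return 0
}

case "${1:-}" in
  count) count_hits ;;
  pipe)  pipe_reader ;;
esac
```

Usage: `sh nimda_guard.sh count < /var/log/httpd-error.log` prints one "hits address" line per probing client, and `DRYRUN=1 sh nimda_guard.sh pipe` fed a few addresses on stdin shows the route commands that pipe mode would run. Restart Apache after changing the CustomLog line, since piped loggers are started by the parent httpd process. Blackhole routes are the thread's own choice; a firewall rule (ipfw on FreeBSD) does the same job and is easier to list and expire later, and the `-blackhole` route only stops replies, so the probe still costs an accept and a log line on the way in.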

ck
12-26-2001, 02:20 PM
CustomLog "|exec sh" "route -nq add -host %400,404a 127.0.0.1 -blackhole" env=nimda

Is it OK to paste this code into httpd.conf directly? Won't it block out 127.0.0.1 this way?

zupanm
12-26-2001, 03:20 PM
You can use that. Looking back on my post, I wouldn't add a route; I'd send it to /dev/null or such. But yes, you can just copy and paste that right in.

ck
12-27-2001, 12:10 AM
Aah, OK, thanks zupanm, I'll give it a shot and see how it goes. :)