Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

Looking for mod_security rule against IIS WebDAV exploit.

Discussion in 'Security' started by jols, Oct 21, 2005.

  1. jols

    jols Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,110
    Likes Received:
    3
    Trophy Points:
    168
    Our servers are being hit with DoS via IIS WebDAV exploit. It runs up the CPU to about 40 until my hogkiller stops apache, etc.

    This is the kind of stuff I see in the apache access_log:


    "SEARCH /\x90\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\" 414 271


    SEARCH /\x90\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\

    etc. etc. etc.

    I am thinking there must be a mod_security ruleset I can apply against this?
     
    #1 jols, Oct 21, 2005
  2. jols

    jols Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,110
    Likes Received:
    3
    Trophy Points:
    168
    Okay, I am reading that mod_security will not catch this early enough. So now I am thinking there must be a way to alter the BFD script so that the attacking IP is dropped into the firewall.

    Thoughts/solutions anyone?
     
    #2 jols, Oct 21, 2005
  3. jols

    jols Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,110
    Likes Received:
    3
    Trophy Points:
    168
    Okay, here apparently is at least one solution (using a redirect) from - http://aplawrence.com/Blog/B1234.html

    Here's the part I just added to httpd.conf, then restarted apache and am hoping for the best:

    # Send MS IIS Exploits to the company who makes them all possible!
    <IfModule mod_rewrite.c>
    RedirectMatch permanent (.*)cmd.exe(.*)$ http://www.microsoft.com
    RedirectMatch permanent (.*)root.exe(.*)$ http://www.microsoft.com
    RedirectMatch permanent (.*)\/_vti_bin\/(.*)$ http://www.microsoft.com
    RedirectMatch permanent (.*)\/scripts\/\.\.(.*)$ http://www.microsoft.com
    RedirectMatch permanent (.*)\/_mem_bin\/(.*)$ http://www.microsoft.com
    RedirectMatch permanent (.*)\/msadc\/(.*)$ http://www.microsoft.com
    RedirectMatch permanent (.*)\/MSADC\/(.*)$ http://www.microsoft.com
    RedirectMatch permanent (.*)\/c\/winnt\/(.*)$ http://www.microsoft.com
    RedirectMatch permanent (.*)\/d\/winnt\/(.*)$ http://www.microsoft.com
    RedirectMatch permanent (.*)\/x90\/(.*)$ http://www.microsoft.com
    RedirectMatch permanent (.*)\/xc9\/(.*)$ http://www.microsoft.com
    RedirectMatch permanent (.*)\/x04H\/(.*)$ http://www.microsoft.com
    </IfModule>
     
    #3 jols, Oct 21, 2005
  4. jackie46

    jackie46 BANNED

    Joined:
    Jul 25, 2005
    Messages:
    537
    Likes Received:
    0
    Trophy Points:
    166
    Im seeing these too except just before the log entry i see

    @
    @
    @
    @
    @
    @
    @
    @
    @
    @
    @
    @
    "SEARCH /\x90\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\x c9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9 \xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\x c9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9 \xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\x c9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9 \xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\x c9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9 \xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\x c9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9 \xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\x c9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9 \xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\\x90\ x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x9 0\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\ x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x9 0\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\ x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x9 0\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\ x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x9 0\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\ x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x9 0\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\ x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x9 0\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\ x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x9 0\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\ x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x9 0\" 414 271
     
    #4 jackie46, Oct 21, 2005
  5. jols

    jols Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,110
    Likes Received:
    3
    Trophy Points:
    168

    Just to follow up. This did not work. Any idea where I could insert the above redirects (other than in httpd.conf) to where they would work?
     
    #5 jols, Nov 6, 2005
(You must log in or sign up to post here.)
Loading...
Similar Threads - Looking mod_security rule
  1. Stipfy

    Sorry, the page you were looking for does not exist or is not available

    Stipfy, May 12, 2019, in forum: General Discussion
    Replies:
    3
    Views:
    184
    Infopro
    May 12, 2019
  2. rorymckinley

    Looking for a better way to track forwards

    rorymckinley, Apr 15, 2019, in forum: cPanel Developers
    Replies:
    5
    Views:
    230
    cPanelMichael
    Apr 26, 2019
  3. Remitur

    Looking for an exploited site

    Remitur, Mar 26, 2019, in forum: Security
    Replies:
    2
    Views:
    212
    cPanelMichael
    Mar 27, 2019
  4. MyRooT

    Looking for Apache Global Configuration and PHP-FPM Pool Options Suggestions

    MyRooT, Nov 22, 2018, in forum: Workarounds and Optimization
    Replies:
    1
    Views:
    632
    cPanelMichael
    Nov 27, 2018
  5. handsome09

    Looking For Lost Email Issue

    handsome09, Jun 4, 2018, in forum: E-mail Discussion
    Replies:
    1
    Views:
    247
    cPanelLauren
    Jun 5, 2018

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...
    Dismiss Notice