Vulnerability Development mailing list archives

RE: Anyone????? FW: Concept Virus(CV) V.5 - Quick analysis update


From: John Coke <jcoke () ibeam com>
Date: Wed, 19 Sep 2001 17:17:39 -0700

Distributing the 404/403 error takes connections and bandwidth.  Adding the
following configuration to Apache will reduce the impact on the servers.  I
have been doing this for some time on the production servers that I manage.

# Anything under /scripts/ (the cmd.exe probes) gets the zero-length file.
AliasMatch ^/scripts(.*) "/www/bogus/index.html"
# Same for requests whose path ends in one of the probed IIS extensions.
# The dot is escaped and the pattern anchored so that a legitimate path such
# as /florida/index.html is not caught by the bare "ida" alternative.
AliasMatch ^/.*\.(ida|htr|idc|htw)$ "/www/bogus/index.html"

Replace the second argument with the path to a zero-length index file (e.g.
touch /www/bogus/index.html). 

Just to give you an idea of the savings:

With the "mitigation" configuration:
172.16.89.153 - - [19/Sep/2001:17:36:17 +0600] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.1" 200 0
So, it transfers 0 bytes.

Now without the "mitigation" config:
172.16.89.153 - - [19/Sep/2001:17:38:06 +0600] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.1" 404 321
It transfers 321 bytes.

The above was tested with the standard Apache "404" error.

Now, on 15 production Apache servers there are 6100 entries on average per
server, 91500 entries in total.  With a 908 byte custom error document on our
production servers, that's 83MB of data.  The starting sample date is
Sunday.  Note that this is with 1 IP address per server.  The usage should
increase linearly as you add virtual IPs.  Now, I am not taking into
account the additional packet overhead, which in accounting terms is a fixed
cost and would likewise apply to the "mitigation" configuration.

John Coke
PGP fingerprint: A8D1 4CBD 88CF 1B37 8008 2F79 3081 2108 8F45 E846
PGP key ID 0x8F45E846 (pgp.mit.edu)

-----Original Message-----
From: George Milliken [mailto:gmilliken () farm9 com]
Sent: Wednesday, September 19, 2001 8:59 AM
To: Incidents () Securityfocus Com
Subject: RE: Anyone????? FW: Concept Virus(CV) V.5 - Quick analysis update


Maybe something like a rewrite rule

RewriteEngine On
# "-" means no substitution; F answers 403 Forbidden, L stops rewrite processing.
# Flags are comma-separated, and the dot in the filename is escaped.
RewriteRule   ^.*/cmd\.exe.*   -   [F,L]
RewriteRule   ^.*/root\.exe.*  -   [F,L]

This will send "forbidden" to systems trying those URLs and will stop
rewrite processing.
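The savings figures above come from counting log entries by hand. As an added example that is not part of either post, the Python below does that count over Apache common-log lines: it picks out the probe requests that the AliasMatch and RewriteRule lines in the thread are aimed at (anything under /scripts/, cmd.exe, root.exe, and the .ida/.htr/.idc/.htw extensions), totals the bytes those responses cost, and projects the per-server arithmetic used above. The log lines, the IP addresses and the file sizes are constructed for the example; only the two cmd.exe lines mirror the ones quoted in the post. It also shows why the bare `(ida|htr|idc|htw)` alternative needs an escaped dot and an end anchor: without them, an ordinary path such as /florida/index.html is redirected to the bogus file too.

```python
import re
from collections import Counter

# Constructed sample log (not from the original post). The "200 0" line is
# what the zero-length AliasMatch target produces; the 404 lines are the
# default handler's 321-byte error page; the last two are legitimate hits.
SAMPLE_LOG = """\
172.16.89.153 - - [19/Sep/2001:17:36:17 +0600] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.1" 200 0
172.16.89.153 - - [19/Sep/2001:17:38:06 +0600] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.1" 404 321
172.16.89.154 - - [19/Sep/2001:17:38:09 +0600] "GET /default.ida?XXXXXXXXXXXX HTTP/1.0" 404 321
172.16.89.154 - - [19/Sep/2001:17:38:10 +0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 321
172.16.89.154 - - [19/Sep/2001:17:38:11 +0600] "GET /msadc/..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 321
10.0.0.7 - - [19/Sep/2001:17:39:00 +0600] "GET /florida/index.html HTTP/1.1" 200 4523
10.0.0.7 - - [19/Sep/2001:17:39:01 +0600] "GET /index.html HTTP/1.1" 200 908
"""

# Apache common log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>\S+))?" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)$'
)

# Paths the thread's AliasMatch / RewriteRule lines are meant to catch.
# The extension alternative is anchored: a literal dot, then end of path
# or the start of a query string.
PROBE_RE = re.compile(
    r'(?:^/scripts/|/cmd\.exe|/root\.exe|\.(?:ida|htr|idc|htw)(?:\?|$))',
    re.IGNORECASE,
)

# The unanchored form as posted, kept only to demonstrate the false positive.
LOOSE_RE = re.compile(r'^/.*(ida|htr|idc|htw)')


def parse_line(line):
    """Return a dict for one common-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    rec['bytes'] = 0 if rec['bytes'] == '-' else int(rec['bytes'])
    return rec


def is_probe(path):
    """True if the request path matches one of the worm probe patterns."""
    return PROBE_RE.search(path) is not None


def loose_match(path):
    """True if the unanchored (ida|htr|idc|htw) pattern would match the path."""
    return LOOSE_RE.match(path) is not None


def summarize(log_text):
    """Count probe requests, the bytes their responses cost, and status mix.

    'bytes' is exactly what a zero-length response would have saved, since
    the alternative is transferring 0 bytes per probe.
    """
    probes, probe_bytes, by_status = 0, 0, Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_probe(rec['path']):
            continue
        probes += 1
        probe_bytes += rec['bytes']
        by_status[rec['status']] += 1
    return {'probes': probes, 'bytes': probe_bytes, 'by_status': dict(by_status)}


def projected_bytes(entries_per_server, servers, error_doc_bytes):
    """Bytes spent on error pages across a fleet (the 15 x 6100 x 908 figure)."""
    return entries_per_server * servers * error_doc_bytes


if __name__ == '__main__':
    print(summarize(SAMPLE_LOG))
    print('fleet projection:', projected_bytes(6100, 15, 908), 'bytes')
    print('/florida/index.html caught by loose pattern:',
          loose_match('/florida/index.html'))
```

Run against a real access_log by replacing SAMPLE_LOG with the file contents; the 'bytes' total is the bandwidth the zero-length file would have saved, and the status breakdown shows how many probes are already hitting the mitigation (200/0) versus the error handler.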

