Re: Blocking Nimda and kin

[Brett Glass <brett () lariat org>]

You have a good point. How would you guard against this sort of
spoofing? Require several rapid fire hits before blocking, 
perhaps?

Also, it turns out that the "%400,404a" is erroneous. This was
a mistake on my part that stemmed from misunderstanding of the
Apache documentation. It's better just to use %a there, since 
adding the "400,404" in the middle can create a malformed
command in certain unusual circumstances. (No harm will be done, 
though.)

By the way, Apache runs its master process as root and demotes 
all the others it spawns to a uid of your choosing. The master
process opens the log files, so yes, the command is run as root.
Note that no user input is used in the command, so it's not
possible to execute a command of your choosing via this mechanism.

--Brett

At 03:46 PM 11/8/2001, Peter W wrote:

> This is very cool stuff. So I can get someone to view an HTML page|email
> with code like <IMG alt="" height="0" width="0" hspace="0" vspace="0"
> src="http://brettglass.example.com/winnt/system32/cmd.exe";>, I can easily
> prevent them, or anyone else coming from the same space, from reaching your
> Web server. Get some AOL users to read the messages and bye-bye to all the
> AOL proxy server traffic. Get lots of usenet "victims", and even if they
> don't care about your Web site, man, your routing table suddenly looks bad.
>
> Very (un)cool.
>
> -Peter
>
> P.S. If that exec sh route thing actually works, does that mean your httpd 
> is running as root?