I once saw a piece of a config script that redirected attackers back to themselves.
Something like checking for a request for /MSADC/root.exe?/c+dir then redirecting to 127.0.0.1. Has anyone seen this?
Re: Redirect attackers back on themselves
Thu, June 17, 2004 - 2:29 PM
No, I'm not familiar with that tactic. It looks fun though.
I have been using tarpit in iptables.
iptables -A INPUT -p tcp -m tcp --dport 137 -j TARPIT
Are you going to try it (the redirect) out?
If you do, please post your findings.
Re: Redirect attackers back on themselves
Thu, June 17, 2004 - 3:17 PM
/MSADC
I've been looking at the Apache docs. This is close, but I haven't tried it yet:
RedirectMatch permanent */MSADC* http://127.0.0.1
... and so forth
The idea being that the attacker will get a response (if he's running a web server) and will log his own machine as an exploitable target.
Re: Redirect attackers back on themselves
Thu, June 17, 2004 - 4:39 PM
> RedirectMatch permanent .*/scripts/root.exe.* http://127.0.0.1
> RedirectMatch permanent .*/MSADC/root.exe.* http://127.0.0.1
> RedirectMatch permanent .*system32/cmd.exe.* http://127.0.0.1
> RedirectMatch permanent .*MSOffice/cltreq.asp.* http://127.0.0.1
> RedirectMatch permanent .*_vti_bin/owssvr.dll.* http://127.0.0.1
> RedirectMatch permanent .*_vti_bin/shtml.exe/_vti_rpc.* http://127.0.0.1
> RedirectMatch permanent .*_vti_inf.html.* http://127.0.0.1
All the documentation was in Spanish, but if you speak Spanish,
listas.hispalinux.es/piperma...440.html
Interesting.
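One way to confirm from the access log that rules like those quoted above are firing (an added example, not code from the thread). It approximates Apache's matching with Python's `re`, and the log lines and IP addresses are constructed samples.

```python
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# RedirectMatch rules as quoted in the thread above.
RULES = """\
RedirectMatch permanent .*/scripts/root.exe.* http://127.0.0.1
RedirectMatch permanent .*/MSADC/root.exe.* http://127.0.0.1
RedirectMatch permanent .*system32/cmd.exe.* http://127.0.0.1
RedirectMatch permanent .*MSOffice/cltreq.asp.* http://127.0.0.1
RedirectMatch permanent .*_vti_bin/owssvr.dll.* http://127.0.0.1
RedirectMatch permanent .*_vti_bin/shtml.exe/_vti_rpc.* http://127.0.0.1
RedirectMatch permanent .*_vti_inf.html.* http://127.0.0.1
"""

# Constructed access-log lines (Common Log Format) using documentation IP ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [23/Jun/2004:08:40:01 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 301 229
192.0.2.10 - - [23/Jun/2004:08:40:02 -0700] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 301 229
198.51.100.7 - - [23/Jun/2004:08:41:15 -0700] "GET /_vti_bin/owssvr.dll?UL=1&ACT=4 HTTP/1.1" 404 290
203.0.113.5 - - [23/Jun/2004:08:42:30 -0700] "GET /index.html HTTP/1.1" 200 5120
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def load_rules(text):
    """Compile the regex field of each 'RedirectMatch <status> <regex> <url>' line."""
    fields = (line.split() for line in text.splitlines())
    return [re.compile(f[2]) for f in fields if len(f) == 4 and f[0] == "RedirectMatch"]

def audit(log_text, rules):
    """Return (redirected probes per client IP, matching probes not answered with 301)."""
    redirected, missed = Counter(), []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _method, target, status = m.groups()
        # RedirectMatch is applied to the decoded URL-path, not the query string.
        path = unquote(urlsplit(target).path)
        if any(rule.search(path) for rule in rules):
            if status == "301":
                redirected[ip] += 1
            else:
                missed.append(line)
    return redirected, missed

if __name__ == "__main__":
    print(audit(SAMPLE_LOG, load_rules(RULES)))
```

Any line in the second list is a probe that matched a rule but was not answered with a 301, which usually means the rule is missing from the virtual host that served the request.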
Re: Redirect attackers back on themselves
Thu, June 17, 2004 - 4:44 PM
Google will translate this page.
lists.linux.it/pipermail/...006143.html
I used,
RedirectMatch permanent */MSADC* http://127.0.0.1
as a search query.
One page of results. You will see the link toward the bottom.
[bglug] Attacco a server win - [ Translate this page ]
Hope it's helpful.
Re: Redirect attackers back on themselves
Wed, June 23, 2004 - 8:52 AM
Thanks!! I've updated my httpd.conf, restarted and tested it and it works perfectly.
Re: Redirect attackers back on themselves
Wed, June 23, 2004 - 8:59 AM
Nice. I'll have to try it one of these days.
