netsecurity database

Was ist die Boomerang-config für mod-rewrite?

So, 10/12/2008 - 01:06 | alladin

THIS IS A VERY OLD VERSION - current version available in user->files section.

# Various rewrite rules.
--IfModule mod_rewrite.c--
RewriteEngine on

# B O O M E R A N G - Config
# powered by www.netsecdb.de
# service@netsecdb.de
# with additions from phishmail.de

# Today's Hackers
# - do not read documentation
# - like attacking themselves
# - for hours - for days - for weeks - over and over
# Have fun with 302-messages from your logfile

# Rewrite URLs of the form 'x' to the form 'index.php?q=x'.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !=/favicon.ico
RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]
RewriteCond %{QUERY_STRING} (spaw_root|sIncPath|prefix|cmd|view|base_folder|_ENV\[asicms\]\[path\]|cfg\[path\]\[contenid
o\]|custompluginfile|vsDragonRootPath|dir|cfgProgDir|string|path|lang_settings\[0\]\[1\]|fromTemplate|ar|new_exbb\[home_pa
th\]|com_extcalendar|component|htmlclass_path|commonpath|dir|path_escape|path\[docroot\]|jamroom\[jm_dir\]|rootdir|jamroom
[jm_dir]|path%5Bdocroot%5D|a|where_framework|_CONF[path]|phpbb_root_path|appserv_root|CONFIG_EXT\[ADMIN_PATH\]|dirDepth|cu
stompluginfile\[\]|adresa|mosConfig_absolute_path|_zb_path|config\[root_dir\]|config\[root_dir\]|error|vwar_root|shop_this
_skin_path|DOCUMENT_ROOT|PHPFFL_FILE_ROOT)=(.*)

RewriteCond %{HTTP_USER_AGENT} ^.*libwww-perl.*$ [OR]
#RewriteRule ^(.*)$ http://www.bka.de/selbstanzeige/
#RewriteRule ^(.*)$ http://www.dasendedesinternet.de/
#RewriteRule ^(.*)$ http://www.cybercrime.gov/
#RewriteRule ^(.*)$ http://www.ic3.gov/
#RewriteRule ^(.*)$ http://127.0.0.1/
#
#Finally decided for public IP of source - that hacks tor exit node/proxy that submitted this waste
# in addition it's the easiest way to scan for tor-exit nodes from inside tor-net
# i checked tor and jap sources - no chance for regex filtering out attack-URL's - so let's return package to sender
#
#RewriteRule ^(.*)$ http://%{REMOTE_ADDR}/
#
# Kontrolle muss sein :)
RewriteRule ^(.*)$ http://daten-speicherung.de/kontrolle_muss_sein.mp3

RewriteCond %{HTTP_USER_AGENT} ^.*libwww-perl.*$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*Java/1.6.0_04.*$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*WinHttpRequest.*$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*avantbrowser.*$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*Indy.*$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*LinkLint.*$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*WebCapture.*$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*Baiduspider.*$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
# RewriteRule ^(.*)$ http://%{REMOTE_ADDR}/
# Kontrolle muss sein
RewriteRule ^(.*)$ http://daten-speicherung.de/kontrolle_muss_sein.mp3

RewriteCond %{REMOTE_HOST} ^(.*)\.perfect-privacy\.com [NC]
# RewriteRule ^(.*)$ http://%{REMOTE_ADDR}/
# Kontrolle muss sein :)
RewriteRule ^(.*)$ http://daten-speicherung.de/kontrolle_muss_sein.mp3

RewriteCond %{REQUEST_URI} ^.*ftp.*$
# RewriteRule ^(.*)$ http://%{REMOTE_ADDR}/
# Kontrolle mus sein :)
RewriteRule ^(.*)$ http://daten-speicherung.de/kontrolle_muss_sein.mp3
--/IfModule--

So wird ein Aufruf z.B. auf eine mp3-Datei eines anderen vhosts umgeleitet. Alle Server leiten dahin um und ein zentrales script kann später die Angriffe auswerten und die Netze automatisiert nach den verschiedensten Kriterien in der Datenbank als gesperrt markieren, da die Angriffsparameter an den mp3-Aufruf übergeben werden:

llf531196.crawl.yahoo.net - - [04/Dec/2008:02:43:19 +0100] "GET /index.php?error=justscanning HTTP/1.0" 302 344 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)"

redirected:

74.6.18.228 - - [04/Dec/2008:02:43:32 +0100] "GET /assets/media/loosingyouraimsjingle.mp3?error=justscanning HTTP/1.0" 200 327899 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)"

|

Tags: hacking