I got tired of seeing various entries in my server logs (people trying to run cmd.exe, exploit webdav vulnerabilities, etc.) so I wrote a bit of code that lets them know that I know what they're doing ...
When a would-be hacker (it's always a guy) tries to gain access, the Apache redirect rules below send him to a special page that does the following:
I'm currently running suse, so this file lives in my /etc/apache2/conf.d directory.

# author: tom hudson
# email: tomhudson411@yahoo.com
# my rewrite rules to kill off probes
# original idea from tenor at macosxhints forum
# replace "REPLACE_WITH_YOUR_SERVERS_IP" with either your server's
# ip, or if you don't have a (semi)static ip,
# a dns alias from one of the free dns services
# (no-ip.com, afraid.org, dyndns.org)
RewriteEngine on
RedirectMatch permanent (.*)command.com(.*)$ "http://REPLACE_WITH_YOUR_SERVERS_IP/goaway.php?cmd=command.com"
RedirectMatch permanent (.*)COMMAND.COM(.*)$ "http://REPLACE_WITH_YOUR_SERVERS_IP/goaway.php?cmd=command.com"
RedirectMatch permanent (.*)command.exe(.*)$ "http://REPLACE_WITH_YOUR_SERVERS_IP/goaway.php?cmd=command.exe"
RedirectMatch permanent (.*)COMMAND.EXE(.*)$ "http://REPLACE_WITH_YOUR_SERVERS_IP/goaway.php?cmd=command.exe"
RedirectMatch permanent (.*)cmd.exe(.*)$ "http://REPLACE_WITH_YOUR_SERVERS_IP/goaway.php?cmd=cmd.exe"
RedirectMatch permanent (.*)CMD.EXE(.*)$ "http://REPLACE_WITH_YOUR_SERVERS_IP/goaway.php?cmd=cmd.exe"
RedirectMatch permanent (.*)root.exe(.*)$ "http://REPLACE_WITH_YOUR_SERVERS_IP/goaway.php?cmd=root.exe"
RedirectMatch permanent (.*)ROOT.EXE(.*)$ "http://REPLACE_WITH_YOUR_SERVERS_IP/goaway.php?cmd=root.exe"
RedirectMatch permanent (.*)[\\|\/]_vti_bin[\\|\/](.*)$ "http://REPLACE_WITH_YOUR_SERVERS_IP/goaway.php?cmd=vtibin"
RedirectMatch permanent (.*)[\\|\/]_VTI_BIN[\\|\/](.*)$ "http://REPLACE_WITH_YOUR_SERVERS_IP/goaway.php?cmd=vtibin"
RedirectMatch permanent (.*)[\\|\/]winnt[\\|\/](.*)$ "http://REPLACE_WITH_YOUR_SERVERS_IP/goaway.php?cmd=winnt"
RedirectMatch permanent (.*)[\\|\/]WINNT[\\|\/](.*)$ "http://REPLACE_WITH_YOUR_SERVERS_IP/goaway.php?cmd=winnt"
RedirectMatch permanent (.*)[\\|\/]scripts[\\|\/]\.\.(.*)$ "http://REPLACE_WITH_YOUR_SERVERS_IP/goaway.php?cmd=scripts"
RedirectMatch permanent (.*)[\\|\/]SCRIPTS[\\|\/]\.\.(.*)$ "http://REPLACE_WITH_YOUR_SERVERS_IP/goaway.php?cmd=scripts"
RedirectMatch permanent (.*)[\\|\/]_mem_bin[\\|\/](.*)$ "http://REPLACE_WITH_YOUR_SERVERS_IP/goaway.php?cmd=membin"
RedirectMatch permanent (.*)[\\|\/]_MEM_BIN[\\|\/](.*)$ "http://REPLACE_WITH_YOUR_SERVERS_IP/goaway.php?cmd=membin"
RedirectMatch permanent (.*)[\\|\/]msadc[\\|\/](.*)$ "http://REPLACE_WITH_YOUR_SERVERS_IP/goaway.php?cmd=msadc"
RedirectMatch permanent (.*)[\\|\/]MSADC[\\|\/](.*)$ "http://REPLACE_WITH_YOUR_SERVERS_IP/goaway.php?cmd=msadc"
RedirectMatch permanent (.*)[\\|\/]x90[\\|\/](.*)$ "http://REPLACE_WITH_YOUR_SERVERS_IP/goaway.php?cmd=webdav+attack"
RedirectMatch permanent (.*)[\\|\/]X90[\\|\/](.*)$ "http://REPLACE_WITH_YOUR_SERVERS_IP/goaway.php?cmd=webdav+attack"
Note: You will have to add mod_rewrite to your loaded modules list if it's not already loaded, since "RewriteEngine on" fails without it; the RedirectMatch lines themselves are mod_alias directives, which is normally loaded by default. Check your httpd.conf file :-)
Currently, this file catches the following probes (upper or lower case): command.com, command.exe, cmd.exe, root.exe, _vti_bin, winnt, scripts/.., _mem_bin, msadc and x90 (WebDAV attack) in the requested path.
Here's the file I use to log the break-in attempts (if you download it, rename it to goaway.php so the name matches the URL in the redirect rules above):
<html>
<head>
<!-- author: tom hudson -->
<!-- email: tomhudson411@yahoo.com -->
<?php
// Everything from the request is attacker-controlled. Strip CR/LF so one hit
// stays one log line, and escape the values before they go into HTML: the
// html log is shown back to the visitor and included by the viewer page, so
// unescaped values would be a stored cross-site scripting hole.
// Note that /srv/www/htdocs/log is inside the document root, so these files
// are readable over the web as well.
$remote_addr = $_SERVER['REMOTE_ADDR'];
$user_agent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
$query = isset($_GET['cmd']) ? $_GET['cmd'] : '';
$user_agent = preg_replace('/[\r\n]+/', ' ', $user_agent);
$query = preg_replace('/[\r\n]+/', ' ', $query);
$date = date('Y-m-d H:i:s');
$log = "$date:$remote_addr:$user_agent:$query\n";
$h_user_agent = htmlspecialchars($user_agent, ENT_QUOTES);
$h_query = htmlspecialchars($query, ENT_QUOTES);
$html_log = "<tr><td>$date</td><td>$remote_addr</td><td>$h_user_agent</td><td>$h_query</td></tr>\n";
$fh = fopen("/srv/www/htdocs/log/hack_attempts.log", "a+");
if ($fh) { fwrite($fh, $log); fclose($fh); }
$fh = fopen("/srv/www/htdocs/log/hack_attempts.html", "a+");
if ($fh) { fwrite($fh, $html_log); fclose($fh); }
?>
<title>GO AWAY LUS3R</title>
</head>
<body>
<h1>GO AWAY LUS3R</h1>
<h2>Get a life</h2>
Your IP address, along with the date and time, have been logged, LUS3R!
<hr>
Some moron running <?php print $h_user_agent; ?>
<br>at <?php print $remote_addr; ?>
<br>tried to run this command:
<br><?php print $h_query; ?>
<br>at <?php print $date; ?>
<hr>
What a loser! You are invited to join the ranks of these other n00bs:
<table border=2>
<tr bgcolor=silver><td><b>D4T3</b></td>
<td><b>LU$3R</b></td>
<td><b>UZ3D</b></td>
<td><b>F41L3D IT</b></td></tr>
<?php include "/srv/www/htdocs/log/hack_attempts.html"; ?>
</table>
<h2>YFI, PFY.</h2>
</body>
</html>

I'm not too polite with them, but they don't deserve any better.
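As an added example (not part of the original page), here is a small Python script that reads the hack_attempts.log lines goaway.php writes (date:ip:user-agent:cmd) and tallies probes per source address and per probed command. Both the date and the user agent can contain colons, so a plain split on ":" breaks; the parser anchors on the fixed-width date on the left and splits the cmd field off from the right, and any line that does not fit the format (for instance a line forged by a cmd value carrying a newline) is counted as malformed instead of parsed. The sample log lines are constructed.

```python
import re
from collections import Counter

# Constructed sample in the format goaway.php writes: "<date>:<ip>:<user agent>:<cmd>".
# The third line has a colon inside the user agent; the last line is not a log entry.
SAMPLE_LOG = """\
2004-03-01 12:00:01:192.0.2.10:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1):cmd.exe
2004-03-01 12:00:02:192.0.2.10:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1):root.exe
2004-03-01 12:05:44:198.51.100.7:Mozilla/5.0 (compatible; bot/1.0; +http://example.invalid/bot):webdav attack
2004-03-01 12:06:00:203.0.113.9:-:vtibin
this line is not a log entry
"""

# date is fixed width (Y-m-d H:i:s), ip is IPv4 (REMOTE_ADDR on the page's setup),
# the user agent is greedy and may contain colons, cmd is the last colon-free field.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}):"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):"
    r"(?P<ua>.*):"
    r"(?P<cmd>[^:]*)$"
)


def parse_line(line):
    """Return a dict (date, ip, ua, cmd) for a well-formed line, or None if malformed."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    return m.groupdict() if m else None


def summarize(log_text):
    """Count probes per source IP and per probed command; keep a malformed-line count."""
    by_ip, by_cmd, malformed = Counter(), Counter(), 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            malformed += 1  # forged or truncated line: count it, do not trust its fields
            continue
        by_ip[rec["ip"]] += 1
        by_cmd[rec["cmd"]] += 1
    return {"by_ip": by_ip, "by_cmd": by_cmd, "malformed": malformed}


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for ip, n in summary["by_ip"].most_common():
        print(f"{ip:16} {n} probe(s)")
    for cmd, n in summary["by_cmd"].most_common():
        print(f"{cmd:16} {n} hit(s)")
    print("malformed lines:", summary["malformed"])
```

To run it against the real file, replace SAMPLE_LOG with the contents of /srv/www/htdocs/log/hack_attempts.log.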
NOTE: If you're running php in secure mode (and you should be), then you have to do the following to be able to write to files:
The last thing is a web page to check who's tried to break in. Here it is: (if you download it, rename it to view_hacker_attempts.php)
<html>
<head>
<!-- author: tom hudson -->
<!-- email: tomhudson411@yahoo.com -->
<title>View Hacker Attempts</title>
</head>
<body>
<h1>View Hacker Attempts</h1>
<table border=2>
<tr bgcolor=silver>
<td><b>Date and Time</b></td>
<td><b>IP Address</b></td>
<td><b>User Agent</b></td>
<td><b>Attempted to Run</b></td></tr>
<?php include "/srv/www/htdocs/log/hack_attempts.html"; ?>
</table>
</body>
</html>