There is no way for mod_perl or CGI to prevent those requests from reaching the server - by the time they are recognised as being attacks, they have already reached the server.
You could write a simple module that would throw away the requests before Apache logged them. But that would just be hiding, not solving the problem.
You could use iptables or similar built-in firewall to block any requests from the "attacking" IP - but with time that could mean you will have to administer a growing list of IPs that were blocked due to various attacks.
Your best bet is to use the whois information to get the contact info for the system's caretaker (or their provider) and write to them, asking them to take appropriate steps to stop the scanning.
Totally off the topic of Perl but..
Use iptables if on Linux; you need the string filtering module, e.g.
# $IPT is the path to the iptables binary, e.g. /sbin/iptables.
# --algo bm is required by the string match in current iptables (older versions had no such option).
$IPT -A INPUT -p tcp --destination-port 80 -m string --algo bm --string "SEARCH" \
    -j REJECT --reject-with tcp-reset
and the same rule beforehand with a LOG target..
Matching a length with iptables failed for me - I couldn't figure out the real length. I think the reason is that what shows up in your logs is not what's on the wire, which is hex; as I read it, you can use the hex-string module for iptables, but you have to build this by hand and recompile your kernel..
What you can do with perl :^P is to parse your log files to see how successful you've been in blocking it.
Also turn off icmp with iptables. IIRC that exploit begins after a good ping. I've eliminated them totally using the above..
-harold
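Parsing the log to see how much of the scanning gets through, as harold suggests, and getting per-IP figures for the abuse report the first reply recommends, can be done with one short script. This is an added example, not code from the thread: the sample log lines are constructed, the probe patterns (the SEARCH method, the escaped "\x90" padding as Apache writes it, and the cmd.exe/root.exe/default.ida worm probes) are taken from the thread, and the function names are mine.

```perl
#!/usr/bin/perl
# Added example (not from the thread): tally probe requests in an Apache
# access_log per source IP and per day, so you can see whether a firewall
# rule is working and have numbers for an abuse report.
use strict;
use warnings;

# Constructed sample lines in Apache "combined" format; a real run reads
# the file named on the command line instead (see the bottom).
my @sample_lines = (
    '10.0.0.7 - - [10/Mar/2003:11:02:13 +0000] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1 HTTP/1.1" 414 0 "-" "-"',
    '10.0.0.7 - - [10/Mar/2003:11:02:14 +0000] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1 HTTP/1.1" 414 0 "-" "-"',
    '10.0.0.9 - - [10/Mar/2003:12:45:01 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276 "-" "-"',
    '192.0.2.5 - - [11/Mar/2003:08:00:00 +0000] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [11/Mar/2003:09:30:22 +0000] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1 HTTP/1.1" 414 0 "-" "-"',
);

# Apache escapes the 0x90 byte as the four characters "\x90" in the log,
# so the regex matches a literal backslash followed by x90.  Checking the
# method first avoids flagging an innocent URL that happens to contain "x90".
my $PROBE_URI = qr/\\x90|cmd\.exe|root\.exe|default\.ida/;

# Split one combined-format line into the fields we need.
# Returns undef for lines that do not parse.
sub parse_line {
    my ($line) = @_;
    return unless $line =~ m{^(\S+) \S+ \S+ \[(\d\d/\w{3}/\d{4}):[^\]]*\] "(\S+) (\S+)(?: [^"]*)?" (\d{3})};
    return +{ ip => $1, day => $2, method => $3, uri => $4, status => $5 };
}

# A request counts as a probe if it uses the SEARCH method or its URI
# carries one of the known probe signatures.
sub is_probe {
    my ($req) = @_;
    return 1 if $req->{method} eq 'SEARCH';
    return 1 if $req->{uri} =~ $PROBE_URI;
    return 0;
}

# Count probe hits per IP and per (IP, day).
sub tally {
    my @lines = @_;
    my (%per_ip, %per_ip_day);
    my ($total, $unparsed) = (0, 0);
    for my $line (@lines) {
        my $req = parse_line($line);
        if (!$req) { $unparsed++; next }
        next unless is_probe($req);
        $total++;
        $per_ip{ $req->{ip} }++;
        $per_ip_day{ $req->{ip} }{ $req->{day} }++;
    }
    return (\%per_ip, \%per_ip_day, $total, $unparsed);
}

# Print the busiest sources first; days are sorted lexically, which is
# fine within one month.
sub report {
    my ($per_ip, $per_ip_day, $total, $unparsed) = @_;
    printf "%d probe requests (%d unparsable lines skipped)\n", $total, $unparsed;
    for my $ip (sort { $per_ip->{$b} <=> $per_ip->{$a} } keys %$per_ip) {
        printf "%-15s %4d total", $ip, $per_ip->{$ip};
        for my $day (sort keys %{ $per_ip_day->{$ip} }) {
            printf "  %s:%d", $day, $per_ip_day->{$ip}{$day};
        }
        print "\n";
    }
}

# Use the constructed sample unless a log file is given on the command line.
my @input = @sample_lines;
if (@ARGV) { @input = <>; chomp @input; }
report(tally(@input));
```

On the sample this reports 4 probe requests: three from 10.0.0.7 (two on 10/Mar, one on 11/Mar) and one root.exe probe from 10.0.0.9. Run it against yesterday's and today's access_log after adding the firewall rule: a source whose count drops to zero while others continue is being blocked; one that keeps showing up is getting past the rule.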
perl -ne '/SEARCH \\x90\\x02\\xb1/ or print' access_log | less
Just say no to log file obsession. :)
+++++++++ In theory, theory describes reality, but in reality it doesn't.
Have you tried getting the user to fix his broken machine? Contacting the admin is another solution. If you have done the due diligence, firewall them off.
If you're not using DAV, you should try something like this in your apache config. I have not tested this.
<Limit SEARCH>
Order Deny,Allow
Deny from all
</Limit>
From the Apache docs for the <Limit> Directive:
The method names listed can be one or more of: GET, POST, PUT, DELETE, CONNECT, OPTIONS, PATCH, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, and UNLOCK. The method name is case-sensitive. If GET is used it will also restrict HEAD requests. The TRACE method cannot be limited.
-Nitrox
Ban the IP at your firewall or write a custom loghandler that suppresses writing this error message to your logs.
-sam
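The "suppress it in the logs" idea from this and the first reply, and the Limit idea from above, can both be done in the Apache config alone, with no mod_perl handler. This is an added example, not from the thread: it uses mod_setenvif to tag the probe requests and conditional CustomLog to route them to their own file (so the evidence for an abuse report is kept rather than hidden), and uses LimitExcept instead of Limit, which sidesteps the question raised above of whether SEARCH is an accepted method name for Limit. The log paths and the environment variable name "probe" are my choices; the access-control syntax is the Order/Deny form of Apache 1.3/2.0/2.2.

```apache
# Added example (not from the thread): keep the SEARCH probes out of the
# main access_log without throwing the evidence away.

# Tag requests whose method is SEARCH, which is what the probe uses.
SetEnvIf Request_Method "^SEARCH$" probe

# Also tag the classic IIS worm probes named in the thread.
SetEnvIf Request_URI "(cmd\.exe|root\.exe|default\.ida)" probe

# Main log: everything that is not tagged.
CustomLog logs/access_log combined env=!probe

# Tagged requests go to their own file, ready for the whois contact.
CustomLog logs/probe_log combined env=probe

# If you serve no WebDAV at all, refuse every method except the ones you
# actually use.  The request still reaches Apache, but gets a 403 instead
# of being handled.
<Location />
    <LimitExcept GET POST HEAD>
        Order Deny,Allow
        Deny from all
    </LimitExcept>
</Location>
```

Widen the LimitExcept list if your site relies on other methods (OPTIONS, PUT for DAV, and so on); on Apache 2.4 the two Order/Deny lines become a single "Require all denied". Run "apachectl configtest" before reloading, since a typo in a SetEnvIf regex stops the server from starting.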
The easiest way is to run a cron job to clean up the log file every night.
Here is the script I use.
#!/usr/bin/perl -w
# remove annoying x90 probe
use strict;
my $log = "access_log";
open my $in,  '<', $log      or die "open $log: $!";
open my $out, '>', "tmp.log" or die "open tmp.log: $!";
while (<$in>) {
    # drop lines that look like the SEARCH/x90 probe or the old IIS worm probes
    print $out $_ unless /(x90|cmd\.exe|root\.exe|default\.ida)/;
}
close $in;
close $out or die "close tmp.log: $!";
rename "tmp.log", $log or die "rename tmp.log -> $log: $!";
# Apache still has the old (now unlinked) file open and keeps writing to it,
# so follow this with "apachectl graceful" to make it reopen the new log.