Attempting to trap the exploit hunters

I am trying to trap exploit hunters who make HTTP requests on IP address only, with requests for the likes of thisdoesnotexistahaha.php, etc.

I always thought that the first listed Apache virtual host would pick up all the waifs and strays, and when I was using a straight redirect, this seemed to be the case.

However, I am now trying to redirect to a bit of Perl that will read in the requested URI (as query string), do PTR and WHOIS lookups, record in a database, phone the Pentagon, etc. (See: http://www.smiffysplace.com/files/mwahahahaha)

It isn't working, and I can't figure out why. When I try to make an illegal access, I just get:

Forbidden

You don't have permission to access /thisdoesnotexistahaha.php on this server.

…which would tend to indicate that the re-write simply isn't happening.

Relevant parts of Apache config:

NameVirtualHost *

#
# Catch and log stuff that shouldn't happen.
#
 <virtualhost *="">ServerName lostsouls.xxxxxxx.xxxxxxx
        ServerAdmin admin@xxxxxxx.xxxxxxx
        ScriptAlias /lostsouls/ "/usr/www/lostsouls/"
        RewriteEngine On
        RewriteRule . /lostsouls/mwahahahaha$1 [L]</virtualhost> 

 <directory usr="" www="" lostsouls="">Order deny,allow
        Allow from all</directory> 

1 Reply

I'm not sure if I understand the problem exactly, but you could try using a custom 404 document. That way, if a file isn't found the request gets passed to your custom 404, which is a CGI script. I believe your CGI script can then determine if there was a hostname header and, if not, log stuff and return a page telling people they might need to upgrade their browser. If there was, and it's a valid hostname for your host, give the user a sane 404.

Just a thought.

--James
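One way to build the custom-404 CGI James describes, as an added example that is not code from the thread. It assumes a Python CGI reached via `ErrorDocument 404`, a hypothetical log path, and constructed hostnames; Apache exposes the originally requested path to the error handler as REDIRECT_URL and the Host header as HTTP_HOST (empty for HTTP/1.0 scanners that hit the bare IP).

```python
#!/usr/bin/env python3
# Custom 404 handler (added example). Assumed Apache config, hypothetical paths:
#     ScriptAlias /lostsouls/ "/usr/www/lostsouls/"
#     ErrorDocument 404 /lostsouls/notfound.py
import datetime
import os
import sys

# Hostnames this server legitimately answers to (constructed example values).
VALID_HOSTS = {"www.example.invalid", "example.invalid"}

def classify(environ, valid_hosts=VALID_HOSTS):
    """Return (category, host): 'no-host', 'bad-host' (IP literal or foreign name) or 'valid'."""
    raw = environ.get("HTTP_HOST", "").strip().lower()
    # Strip an optional :port; keep IPv6 literals ("[::1]:80") intact.
    host = raw[1:raw.find("]")] if raw.startswith("[") and "]" in raw else raw.split(":", 1)[0]
    if not host:
        return "no-host", host
    if host not in valid_hosts:
        return "bad-host", host
    return "valid", host

def log_line(environ, category):
    """One tab-separated record for the stray-request log (tabs in UA are flattened)."""
    return "\t".join([
        datetime.datetime.now(datetime.timezone.utc).isoformat(timespec="seconds"),
        category,
        environ.get("REMOTE_ADDR", "-"),
        environ.get("HTTP_HOST", "-"),
        environ.get("REDIRECT_URL", "-"),
        environ.get("HTTP_USER_AGENT", "-").replace("\t", " "),
    ])

def respond(environ, log_path="/var/log/apache2/lostsouls.log"):  # hypothetical path
    category, _ = classify(environ)
    if category != "valid":
        # Record now; PTR/WHOIS enrichment belongs in an offline job, not in the request path.
        with open(log_path, "a") as fh:
            fh.write(log_line(environ, category) + "\n")
    # Keep the 404 status in every case so the response tells a scanner nothing new.
    sys.stdout.write("Status: 404 Not Found\r\nContent-Type: text/plain\r\n\r\n")
    sys.stdout.write("Not found.\n" if category == "valid"
                     else "This server is reached by name; check your browser configuration.\n")

if __name__ == "__main__":
    respond(os.environ)
```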
