Hier ist ein Skript, das ich "früher" (also vor Jahren und Jahren) erstellt habe, um lästige 404-Werte aus dem Apache-Fehlerprotokoll zu entfernen.
#!/usr/bin/perl -w
# ===========================================================================
# Author: David Tonhofer
# Rights: Public Domain
#
# Script kiddies and worms often try URLs behind which one can find
# specific vulnerabilities. This script writes a file to stdout that can then
# be included by httpd.conf so that known probed URLS result in 410s.
#
# See also: http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html:
#
# 10.4.11 410 Gone
#
# The requested resource is no longer available at the server and no
# forwarding address is known. This condition is expected to be
# considered permanent. Clients with link editing capabilities SHOULD
# delete references to the Request-URI after user approval. If the
# server does not know, or has no facility to determine, whether or
# not the condition is permanent, the status code 404 (Not Found) SHOULD
# be used instead. This response is cacheable unless indicated otherwise.
#
# The 410 response is primarily intended to assist the task of web
# maintenance by notifying the recipient that the resource is intentionally
# unavailable and that the server owners desire that remote links to that
# resource be removed. Such an event is common for limited-time, promotional
# services and for resources belonging to individuals no longer working at
# the server's site. It is not necessary to mark all permanently unavailable
# resources as "gone" or to keep the mark for any length of time -- that is
# left to the discretion of the server owner.
#
# WHY IS THIS INTERESTING
# -----------------------
#
# This setup removes the requests from the Apache httpd error log (the
# requests no longer generate 'file not found' errors)
#
# This is is a good thing insofar as that list then becomes smaller (good
# for maintenance) and someone trying out more 'refined' vulnerabilities
# becomes visible (good for ringing the warning bell). It also tells
# script kiddies to go look elsewhere. On the other hand, a notable
# increase in probing might go unnoticed.
#
# If the website is configured to redirect requests for unknown URLs to the
# homepage, having this script saves on bandwidth for sure.
#
# Notes
# -----
#
# Probes for errors in HTTP protocol handling (bad headers etc) will still
# show up in the log.
#
# -> analog webanalysis: The files still appear in the analog "failure
# request" log except if you set "STATUSEXCLUDE 410"
#
# -> You want to allow some URLs which are being probed as you really
# might have the corresponding application installed (patched and
# secured beforehand of course). Sometimes, adding further path elements
# might be a solution to discriminate legit requests from probes.
#
# -> Performance impact? I have no idea.
#
# What matches
# ------------
#
# The "gone" URLs are just the start of URLs, so anything with an extension
# will also match. There generally is no need to put the values into goneMatch.
# If you list "/forum3" as "gone", then the following will be marked "gone":
#
# /forum3
# //forum3 (which reduces to /forum3)
# /forum3/x
# /forum3//
#
# but not
#
# /forum3alpha
#
# If the website is configured to redirect requests for unknown URLs to the
# homepage, having this script saves both on bandwidth and noise in the web
# statistics.
# ===========================================================================
use List::MoreUtils qw(uniq); # dnf install perl-List-MoreUtils
# Direct matching
# ---------------
@gone = makeGoneArray();
# Simply print the "gone" array; used when this script is reviewed
# for my $x (@gone) { print "$x\n" }; exit 1;
# Special matching ANYWHERE WITHIN AN URL
# ---------------------------------------
# Lines terminated with a "$" will only match at the URL's end
# (so "/data.tar" and "/data.tar?x=2" will match, but "/data.tar/foo" will not)
# Probes may check many versions of "phpMyAdmin" (like "/phpMyAdmin-2.6.0a" etc),
# so, that URL is in the "goneMatch" list
# 2014-07: Found a bot actually scanning for backup files in the root; added!
# 2014-08: Various scans for "login.php" added.
@goneMatch = qw(
/(categories\.php|file_manager\.php|banner_manager\.php)/login\.php
/(site|data|pack|archive|zip|arch|all|export|exported|old|new|db|database|tgz|dump|backup|bckp|bak)\.(tar|tar\.gz|tgz|zip|rar|bz7)?$
/\.ht
/\.svn$
/\.svn/
/\.git$
/\.git/
^/_vti_
/wp-admin
^/phpMyAdmin
^/mysqldump
^/msd\d
etc\/passwd
jud\.cgi
nsiislog\.dll
proc\/self\/environ
w00tw00t
xmlrpc
xmlrpc\.php
xmlsrv
^/([a-z])([a-z])\1\2/\1\2\1/\1\2\.php
^/\d\d\d$
fqa3snue\....$
);
# PRINT RESULTS.
# --------------
# The result is supposed to be installed by another script. The installer
# checks whether the script currently in use has different content than
# the new one, installs it of yes and then runs a graceful restart of Apache
# httpd. It also replaces %COPYMARK% with a tag indicating the installation
# operation datetime.
# TODO: One should suppress "sub-URLs" which are are subsumed by shorter
# ones but keep them in the list in case one would like to be more precise
# and remove the subsuming URL in the future.
print "# --------------------------------------------------------------------------\n";
print "# Use the perl script 'kiddie_be_gone.pl' to generate the contents below,\n";
print "# which are included by httpd.conf\n";
print "# Even easier, use ~qq/httpd/kiddie_be_gone/install_kiddie_be_gone.sh\n";
print "# \%COPYMARK%\n";
print "# --------------------------------------------------------------------------\n";
#
# Some URLs in scan attacks are actually used by us! We allow them here.
#
# @allowed = ( '/administrator', '/main.php' );
@allowed = ();
%allowed = map { $_, 1 } @allowed;
{
my $earlier = "";
foreach my $entry (sort @gone) {
# Eliminate duplicates, which is easy as the list is sorted
if ($earlier eq $entry) {
print STDERR "Duplicate 'gone' entry '$entry'; skipping it\n";
}
else {
$earlier = $entry;
if ($entry =~ /^(.*)\/$/) {
print STDERR "Terminating slash in '$entry'; removed slash\n";
$entry = $1;
}
if ($allowed{$entry}) {
#
# Some URLS in scan attacks are actually used by us! Filter them out
#
}
else {
#
# Return a "410" - redirect gone
#
# See "http://httpd.apache.org/docs/2.2/mod/mod_alias.html#redirect" redirect instruction
# Access to URLs yields error 410 - "Resource gone, no forwarding address"
#
# It would be cool to return a custom error code "444" - probe URL for example, but that
# does not seem to be possible.
#
print "Redirect gone $entry\n";
}
}
}
}
#
# Once again, for "RedirectMatch"
#
{
my $earlier = "";
foreach my $entry (sort @goneMatch) {
if ($earlier eq $entry) {
print STDERR "Duplicate 'goneMatch' entry $entry\n";
}
else {
$earlier = $entry;
print "RedirectMatch gone $entry\n";
}
}
}
#######################################################################################
# Function to set up the URLs to which one responds "gone".
#
# "/\.ht" matches URLS which contain "/.ht", e.g. "/.htaccess"
# "/\.svn/" matches URLS which contain "/.svn/", i.e. anything requesting stuff under .svn
# "/\.svn$ matches URLs which terminate in "/.svn", i.e. the request for the dir itself
# (What about requests for "encoded" URLs? like "/.s%76n/"? They seem to be caught, too)
#
# This list is at the end of the script for easier editing and subsequent appending
# using the usual Unix text processing tools.
#
# Use "sort --unique" on the array to manually recreate the list.
#######################################################################################
sub makeGoneArray {
my @series1 = qw(
.ftpconfig
.remote-sync.json
.vscode/ftp-sync.json
/%c0%ae/WEB-INF/web.xml
/*
/..
/..%5c..%5cwinnt
/...
/../../../../../../../../../../etc/passwd%00
/.env
/.ftpconfig
/.git/config
/.idea/workspace.xml
/.remote-sync.json
/.vscode/ftp-sync.json
/10/Classes/Language.php
/2phpmyadmin
/3rdparty
/404.php
/;jsessionid
/AZ.php
/Afaria/Account/Login.aspx
/BB
/BBS1
/BBS2
/BE_config.php
/BFormMail.pl
/Blog
/CFIDE
/CHANGELOG.txt
/Cdma-cat.html
/Count-cat.html
/FastHTTPAuthScanner200test
/Forms/access_cwmp_1
/Forum
/Forums
/HNAP1
/Horde
/Http/DataLayCfg.xml
/IDC.php
/JS/jquery.uploadify-v2.1.0/uploadify.css
/Joomla
/M83A
/MSADC
/MSOffice
/MSOffice/cltreq.asp
/MyAdmin
/MySQLAdmin
/MySQLDumper
/NULL.IDA
/NULL.ida
/NULL.idq
/NULL.printer
/Net_work.xml
/OA_HTML/OA.jsp
/OPAC-kpwinSQL
/PBServer
/PHPMYADMIN
/PHPmyadmin
/PMA
/PMA2005
/PMA2011
/PMA2012
/Public/uploadify/uploadify.css
/README
/RemoteControl.html
/Ringing.at.your.dorbell!
/Robots.txt
/Rpc
/SQL
/SQLite
/SQLiteManager
/SQLiteManager-1.2.4
/SQlite
/SSLMySQLAdmin
/Security/users
/SiteMap.xml
/SugarCRM
/Support.aspx
/UD/act
/UlisseREST/api/actions/RequestActionsToExecute
/User/UserZone/School/Download.aspx
/UserSecurityController.do
/WEB-INF/web.xml
/WS_FTP.LOG
/Wordpress
/\x85\x04\bsoapCaller.bs
/_admin
/_asterisk
/_mem_bin
/_mmServerScripts/MMHTTPDB.php
/_phpMyAdmin
/_phpmyadmin
/a.asp
/a2billing
/a2billing/admin/Public/modules
/a2billing/customer/javascript/misc.js
/achievo
/addons/uploadify/uploadify.css
/adm
/admin
/admin.cgi
/admin/config/config.inc.php
/admin/includes/general.js
/admin/phpmyadmin2/index.php
/admin/scripts/setup.php
/admin_modules
/admindump
/administrator
/administrator.cgi
/adminsql
/admm
/admn
/adsamples
/agSearch
/agenda.php3
/agenda2.php3
/apache-default
/apc-aa
/api/soap/mantisconnect.php
/app/Mage.php
/appConf.htm
/apps
/appserv/main.php
/assets
/aws
/awstats
/awstats-cgibin
/awstats.pl
/awstatstotals
/awstatstotals.php
/axis2
/axis2/axis2-admin
/azenv.php
/b2b/admin/includes/stylesheet.css
/backup
/backups
/backuptool
/bak
/bb
/bbs
/bck
/bin/msgimport
/bk
/bkup
/blog
/blogs
/board
/boards
/bocadmin/j/custom.js
/bug/login_page.php
/bugtracker/login_page.php
/bulletinboard
/bulletinboards
/butik
/c
/c99.php
/c:%5c
/cache
/cacti/graph_view.php
/cacti/plugins/weathermap/editor.php
/cart
/cas/login.action
/catalog/admin/includes/stylesheet.css
/caucho-status
/cc
/centreon
/cgi
/cgi-bin
/cgi-bin-sdb
/cgi-bin/..
/cgi-bin/azenv.pl
/cgi-bin/cgiip.exe/WService=wsbroker1/webutil/ping.p
/cgi-bin/check.bat
/cgi-bin/image.php
/cgi-bin/ip1.cgi
/cgi-bin/judge.cgi
/cgi-bin/php3
/cgi-bin/prxjdg.cgi
/cgi-bin/sendtemp.pl
/cgi-bin/vhost.php
/cgi-bin/wsasp.dll/WService=wsbroker1/webutil/ping.p
/cgi-bin/wsisa.dll/WService=wsbroker1/webutil/ping.p
/cgi-bin/wsnsa.dll/WService=wsbroker1/webutil/ping.p
/cgi-bin2
/cgi-local
/cgi_wrapper
/chat
/chat1
/chat2
/chat3
/chi-bin
/class
/cmd.php
/cms
/cnet/dynamic/presentation/net_1/downloaddelegate.down
/command.php
/common
/community
/components
/components/com_roundcube/CHANGELOG
/computer
/config
/configuration_administrator
/console/login/LoginForm.jsp
/content
/cpadmin
/cpadmindb
/cpanelmysql
/cpanelphpmyadmin
/cpanelsql
/cpdbadmin
/cpphpmyadmin
/createemails.inc.php
/crm
/css/uploadify.css
/ctc/servlet/ConfigServlet
/cube
/cube/bin/msgimport
/current_config/Account1
/currentsetting.htm
/cvs
/d
/data/plugin/uploadify/uploadify.css
/data_dump
/database
/databaseadmin
/db
/db/js/keyhandler.js
/db/mysql/main.php
/db/pma/main.php
/db/scripts/setup.php
/db/sql/main.php
/db9
/dbadmin
/dbadmin/config/config.inc.php
/dbdumper
/dbsich
/dbtw-wpd
/default.ida
/deployment-config.json
/deploymentmanager/index.jsp
/discussion
/dmp
/dmpr
/dns
/doLogin.do
/docs
/domains
/download.ashx
/downloader/index.php
/downloads
/drupal
/dump
/dumper
/ecommerce/admin/includes/stylesheet.css
/ehcp
/email/README
/enpadmin/ValidateUser.jsp
/eshop/admin/includes/stylesheet.css
/estadisticas
/etc/lib/pChart2/examples/imageMap/index.php
/examples/jsp/cal/cal2.jsp
/examples/servlets/servlet/SessionExample
/exchange
/exec_raw.php
/ezformml.cgi
/fastenv
/favicon.ico
/feed
/flash_upload.php
/fmail.pl
/formmail.cgi
/foros
/forum
/forum2
/forum3
/forums
/fqa3snue.cfc
/freepbx
/galaxy_
/gallery
/gb
/getip.php
/global
/globals.php3
/guestbook/guestbook.html
/him.php
/hndUnblock.cgi
/home.action
/home.do
/horde
/horde-3.0.5
/horde-3.0.6
/horde-3.0.7
/horde-3.0.8
/horde-3.0.9
/horde2
/horde3
/htdocs
/html/languages/es_es/main.js
/httdocs
/http
/hudson
/if%20youve%20had%20a%20dose%20of%20a%20freaky%20ghost
/iisadmpwd
/inc/jquery/uploadify/uploadify.css
/include/lib/js/uploadify/uploadify.css
/index.action
/index.cgiupgrade_album.ph
/index.do
/index.login.action
/index.php
/index.phtml
/index;jsessionid
/info.php
/intl
/invoker
/invoker/JMXInvokerServlet
/ip.cgi
/ip.php
/ip1.cgi
/issue/login_page.php
/issuetracker/login_page.php
/jcms/jcms_files/jcms1/web1/site/module/comment/opr_readfile.jsp
/jcms/m_5_1/que_chooseusers.jsp
/jcms/m_5_b/selmulti_column.jsp
/jcms/m_5_e/module/voting/opr_voting_modal.jsp
/jenkins/login
/jenkins/script
/jmx-console
/joke
/joomla
/jos.php
/js
/judge.php
/judge112233.php
/language/Swedish
/lib
/lib_gor
/libs
/local-bin/php
/local-bin/php5
/login
/login!check.do
/login.action
/login.cgi
/login.do
/login.html
/login.lua
/login_anon.php
/loginback.jpg
/magmi
/mail
/mail/bin/msgimport
/mail2
/mails/README
/mailz/README
/main.action
/main.do
/main.php
/mambo
/mambots
/manager
/mantis/login_page.php
/mantisbt/login_page.php
/map.xml
/members
/menuBcm.js
/moadmin.php
/mod_cbsms_messages.php
/modules
/msadc
/msd
/msdac
/msdadmin
/msdump
/msdump0
/msgboard
/mss
/mss2
/mss2/bin/msgimport
/mt-comments.cgi
/muieblackcat
/my
/my-sql
/myAdmin/config/config.inc.php
/myAdmin/scripts/setup.php
/mySqlDumper
/myadmin
/myadmin/config/config.inc.php
/myadmin/scripts/setup.php
/mysql
/mysql-admin
/mysql/config/config.inc.php
/mysql/scripts/setup.php
/mysqladmin
/mysqladmin/scripts/setup.php
/mysqladminconfig
/mysqld
/mysqldadmin
/mysqldmp
/mysqlmanager
/nagiosxi/login.php
/nar
/negozio/admin/includes/stylesheet.css
/new-visitor.inc.php
/newboard
/newboards
/newmail
/nice%20ports%2C/Tri%6Eity.txt%2ebak
/ok
/openwebmail
/p
/p/m/a/config/config.inc.php
/pHpMy
/pHpMyAdMiN
/pMA
/padmin
/panel/phpmoadmin/moadmin.php
/php
/php-my-admin
/php-my-admin/config/config.inc.php
/php-myadmin
/php-ofc-library/ofc_upload_image.php
/phpAlbum
/phpBB
/phpBB2
/phpLDAPadmin
/phpMoAdmin/moadmin.php
/phpMyA
/phpMyAdmi
/phpMyAds
/phpMyChat
/phpMyadmin
/phpTest
/phpTest/zologize/axa.php
/phpThumb
/phpThumb.php
/phpadmin
/phpadmin/js/keyhandler.js
/phpadmin/scripts/setup.php
/phpalbum
/phpbb
/phpdb
/phpgroupware
/phpldapadmin
/phpm
/phpma/scripts/setup.php
/phpmanager
/phpmoadmin/moadmin.php
/phpmy
/phpmy-admin
/phpmyAdmin
/phpmya
/phpmyad
/phpmyad-sys
/phpmyadmin
/phpmyadmin1
/phpmyadmin2
/phpmyadmin3
/phpmyadmin4
/phppath/php
/phppath/php5
/phppgadmin
/phppma
/plugins/weathermap/editor.php
/plus/ajax_street.php
/pma
/pma/scripts/setup.php
/pma2005
/pma2011
/pma2012
/pmadmin
/pmwiki
/pmwiki.php
/pmwiki2
/portal
/pp
/ppmwiki
/pr.php
/presse
/profilemanager
/prog/get_composer_att.php
/program
/projects/login_page.php
/proxy
/proxy-1.php
/proxyheader.php
/public/js/uploadify/uploadify.css
/qql
/r
/r57.php
/rc
/readme.html
/recordings
/redirect.aspx
/redirect.php
/reports/rwservlet/showenv
/resin-doc
/resin-doc/examples/ioc-periodictask/viewfile
/resin-doc/examples/quercus-hello/viewfile
/resin-doc/resource/tutorial/jndi-appconfig/test
/resin-doc/viewfile
/rms
/robots.txt
/rom-0
/root
/round
/round/bin
/roundcube
/roundcube-0.1
/roundcube-0.2
/roundcubemail
/roundcubemail-0.1
/roundcubemail-0.2
/s-cgi
/samples
/sap/hana/xs/wdisp/admin
/scgi
/scgi-bin
/scoreboard
/script
/scripts
/scripts/..
/scripts/ideabox/include.php
/scripts/image.php
/scripts/include/sql.php
/scripts/ncbook/ncbook.cgi
/scripts/newsdesk.cgi
/scripts/sendtemp.pl
/scripts/vhost.php
/seeyon/management/status.jsp
/send_emails.inc.php
/server-status
/sftp-config.json
/shopdb
/shownews.action
/shownews.do
/sicherung
/siemens
/sitemap.xml
/skin/adminhtml
/skin/frontend/default/default/css/styles.css
/sl2
/soapCaller.bs
/solr/admin/file
/sphpblog/config/password.txt
/sql
/sqladmin
/sqldumper
/sqlite
/sqlitemanager
/sqlmanager
/sqlweb
/sqlweb/config/config.inc.php
/squirrelmail/CHANGELOG
/ssa
/stat
/staticfiles
/stats
/stoma.php
/struts/webconsole.html
/stssys.htm
/stuff
/sugar
/sugarcrm
/suitecrm
/sumthin
/templets/default/style/dedecms.css
/test
/textenv.pl
/themes/elastixneo/ie.css
/thisdoesnotexistahaha.php
/thumb
/tikiwiki/vendor_extra/elfinder/elfinder.html
/tmUnblock.cgi
/tmp
/toindex.action
/toindex.do
/track
/tracker/login_page.php
/translators.html
/trix/soapCaller.bs
/trixbox/soapCaller.bs
/twiki/bin/view/Main/WebSearch
/twiki/vendor_extra/elfinder/elfinder.html
/typo3
/ugboard
/ugboards
/unAuthorizedAccess.action
/undergraduate
/underground
/uploadify.css
/uploadify/scripts/uploadify.css
/uploadify/uploadify.css
/usage
/user/login
/user/soapCaller.bs
/user/templates/footer.tpl
/util_gw.js
/vc/vc/columncount/tem/downfile.jsp
/vegadns
/vendor_extra/elfinder/elfinder.html
/vhcs2
/vhcs2/domain_default_page/index.html
/vhcs2/soapCaller.bs
/vhosts
/vtigercrm
/w
/wbb2
/web
/web-console
/web-console/ServerInfo.jsp
/webadmin
/webdav
/webdb
/webmai
/webmail
/webmail2
/websql
/webstats
/wiki
/wikipedia
/wikka.php
/wm
/wordpress
/workflow-activities.php
/wp
/wp-content
/wp-login.php
/wp-phpmyadmin
/www
/wwwroot
/xampp
/xxgk/m_6_1/opr_modal.jsp
/xxxxxxxxxxxxx.action
/zabbix
/zadmin
/|~.aspx
/~
/~root
deployment-config.json
http://testp3.pospr.waw.pl/testproxy.php
sftp-config.json
wls-wsat/CoordinatorPortType);
# This one cannot be put into a qw list:
@extras = ('/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz');
return uniq sort(@series1, @extras)
}