From b867fff3b1fc8de6e2d84230433c73e5aa25470d Mon Sep 17 00:00:00 2001
From: Art Cancro
Date: Thu, 8 Jan 2009 17:34:36 +0000
Subject: [PATCH] * Updated is_bogus() with an exploit I happen to be seeing a lot of today.
---
 webcit/context_loop.c | 16 +++++++---------
 1 file changed, 7 insertions(+), 9 deletions(-)
diff --git a/webcit/context_loop.c b/webcit/context_loop.c
index dab22a9de..0248c384f 100644
--- a/webcit/context_loop.c
+++ b/webcit/context_loop.c
@@ -205,28 +205,26 @@ int lingering_close(int fd)
-/**
- * \brief sanity requests
- * Check for bogus requests coming from brain-dead Windows boxes.
- *
- * \param http_cmd The HTTP request to check
+/*
+ * Look for commonly-found probes of malware such as worms, viruses, trojans, and Microsoft Office.
+ * Short-circuit these requests so we don't have to send them through the full processing loop.
 */
 int is_bogus(StrBuf *http_cmd) {
 const char *url;
 int i, max;
 const char *bogus_prefixes[] = {
- "/scripts/root.exe", /**< Worms and trojans and viruses, oh my! */
+ "/scripts/root.exe", /* Worms and trojans and viruses, oh my! */
 "/c/winnt",
 "/MSADC/",
- "/_vti", /**< Broken Microsoft DAV implementation */
- "/MSOffice" /**< Stoopid MSOffice thinks everyone is IIS */
+ "/_vti", /* Broken Microsoft DAV implementation */
+ "/MSOffice", /* Stoopid MSOffice thinks everyone is IIS */
+ "/nonexistenshit" /* Exploit found in the wild January 2009 */
 };
 url = ChrPtr(http_cmd);
 if (IsEmptyStr(url)) return(1);
 ++url;
- max = sizeof(bogus_prefixes) / sizeof(char *); for (i=0; i