Home / server / Questions / 364498
In Process
Josh
Asked: 2012-02-29 06:55:57 +0800 CST

Block certain filetypes and values found in the url in IIS

  • 772

I have someone who is not supposed to be scanning my site attempting to exploit some php vulnerabilities. I have started blocknig their IP's but more than one person is doing it, and each request causes a server error, which triggers an error report into my inbox. Over the last 3 days, I have had almost 2000 emails every night.

We are a .net shop and do not have any php in the site they are attacking. I want to block all requests for .cgi, .php, and .ini filetypes. This is easy enought in File Name Extensions inside of Request Filtering in IIS. That handles requests like this one:

http://mydomain.com/bin/script/cat_for_gen.php?ad=1&ad_direct=../&m_for_racine=%3C/option%3E%3C/SELECT%3E%3C?phpinfo();?%3E

My problem is an exploit they are trying to use around an error page:

http://mydomain.com/Error/NotFound?404;https://portal.ftnirdc.com:443/bin/webspirs.cgi?sp.nextform=../../../../../../../../../etc/passwd

So for this one, I just want to look in the url and if .cgi is found, block the request. How would I do this? I may also want to block requests that have ../ in them.

security iis-7.5 request-filtering

1 Answers

  1. Looks like you could do something like this:

    <configuration>
 <system.webServer>
  <security>
   <requestFiltering>
    <denyUrlSequences>

      <add sequence=".."/>

    </denyUrlSequences>
   </requestFiltering>
  </security>
 </system.webServer>
</configuration>

    Which should filter anything with ".." in the request.

    Ref: http://learn.iis.net/page.aspx/143/use-request-filtering/

    It is a game of whack a mole, so try not to go too nuts making tons of filters :).

    • 0