Thanks to Jonas Eckerman (http://www.truls.org/) for answering my request in a recent column for rules that make the Apache mod_rewrite module work roughly like Microsoft's UrlScan. Eckerman isn't familiar with UrlScan, but says these rules “stop a majority of worms and attacks against web servers.”
These rules cause Apache to return an HTTP 403 (“forbidden”) response for any URL that matches (for example, “http://www.truls.org/testing/cmd.exe?whatever”). It's not perfect or complete, but it does stop a lot.
```apache
RewriteEngine On
RewriteOptions inherit
# RewriteLog exists in Apache 2.2 and earlier; Apache 2.4 replaced it with
# "LogLevel rewrite:traceN".
RewriteLog logs/rewrite_log

# Windows system directories, executables and DLLs.
# Literal dots are escaped. The test string always has "?" after the path,
# so (\?|$) anchors the end of the file name.
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)/winnt/system32/(.*) [NC,OR]
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)/winnt/system/(.*) [NC,OR]
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)/windows/system32/(.*) [NC,OR]
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)/windows/system/(.*) [NC,OR]
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)/cmd\.exe(\?|$) [NC,OR]
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)/scripts/root\.exe(\?|$) [NC,OR]
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)/msadc/root\.exe(\?|$) [NC,OR]
# Two consecutive dots anywhere in the path or query string.
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)\.\.(.*) [NC,OR]
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)/admin\.dll(\?|$) [NC,OR]
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)/msadcs\.dll(\?|$) [NC,OR]
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)/ext\.dll(\?|$) [NC,OR]
# Any path segment that starts with a dot.
RewriteCond %{REQUEST_URI} (.*)/\.(.*) [NC,OR]
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)/php\.exe(\?|$) [NC,OR]
# Angle brackets and the pipe character (escaped so it is not read as alternation).
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)<(.*) [OR]
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)>(.*) [OR]
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)\|(.*) [OR]
# Overlong paths and query strings.
RewriteCond %{REQUEST_URI} (.{255,}) [OR]
RewriteCond %{QUERY_STRING} (.{127,}) [OR]
# Control characters and the bytes 0x7f and 0xff.
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} [\x00-\x1f]+ [OR]
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} [\x7f\xff]+
# [F] makes Apache answer 403 Forbidden, as described above.
RewriteRule (.*) http://monty.frukt.org/error/filtered.html [NC,F]
```
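A regression check for this rule set, as an added example that is not part of Eckerman's rules or the original column. It condenses the conditions above into equivalent patterns, uses Python's `re` as a stand-in for Apache's regex engine (an assumption), and runs them over constructed sample requests, including the `..` rule with its backslashes lost.

```python
import re

NC = re.IGNORECASE
# (test string, pattern, flags), condensed from the RewriteCond lines above.
# "both" is REQUEST_URI + "?" + QUERY_STRING, as in the conditions.
RULES = [
    ("both", r"/(winnt|windows)/system(32)?/", NC),
    ("both", r"/(cmd|scripts/root|msadc/root|php)\.exe(\?|$)", NC),
    ("both", r"/(admin|msadcs|ext)\.dll(\?|$)", NC),
    ("both", r"\.\.", NC),
    ("uri", r"/\.", NC),
    ("both", r"[<>|]", 0),
    ("uri", r".{255,}", 0),
    ("query", r".{127,}", 0),
    ("both", r"[\x00-\x1f\x7f\xff]", 0),
]
# The ".." rule with its backslashes lost: "." now means "any character".
UNESCAPED = [("both", r"(.*)..(.*)", NC)]

# Constructed sample requests: (uri, query, should_be_blocked)
SAMPLES = [
    ("/index.html", "", False),
    ("/search", "q=apache+mod_rewrite", False),
    ("/.well-known/security.txt", "", False),  # legitimate dot-directory
    ("/testing/cmd.exe", "whatever", True),
    ("/scripts/root.exe", "whatever", True),
    ("/a/../winnt/system32/x", "", True),
    ("/.htaccess", "", True),
    ("/page", "name=<b>", True),
    ("/form", "x" * 130, True),
]

def blocked_by(uri, query="", rules=RULES):
    """Return the first pattern that matches the request, or None if it passes."""
    subject = {"uri": uri, "query": query, "both": uri + "?" + query}
    for target, pattern, flags in rules:
        if re.search(pattern, subject[target], flags):
            return pattern
    return None

def audit(rules):
    """Return (missed, false_positives) as lists of URIs from SAMPLES."""
    missed, false_pos = [], []
    for uri, query, should_block in SAMPLES:
        hit = blocked_by(uri, query, rules) is not None
        if should_block and not hit:
            missed.append(uri)
        elif hit and not should_block:
            false_pos.append(uri)
    return missed, false_pos
```

With the escaped rules the only false positive is `/.well-known/security.txt`, caught by the dot-segment rule, so a site that serves `/.well-known/` paths needs an exception for them. The unescaped `..` pattern blocks every sample, benign ones included.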