Re: [mod-security-users] ad-on for mod_security
From: Jason E. <jed...@ca...> - 2006-01-04 14:01:06
On an interesting, but possibly relevant note: I've noticed that the number of web spam attempts on my server has dropped by 90% since Jan 2. I'm not sure if this is relevant or not. Just thought I would share.

Jason

dubai wrote:

> For your information, see:
> https://events.ccc.de/congress/2005/wiki/Gulliddos
> ----------
> Hi there,
>
> We now get step 2 of the DDoS! We get UDP floods to
> port 80. We currently have no router of our own in front,
> so we can't block the requests. Services on all
> websites (antispam, computerbetrug and antispam) down
> for 1-2 hours. Update: Our ISP is blocking the
> UDP flood for us.
>
> [1] is the biggest German "underground portal". We and
> 3 other German customer protection websites
> (dialerschutz.de, antispam.de and computerbetrug.de)
> are currently getting a big DDoS from an unknown attacker. We
> have collected a lot of information, and want to make
> it public here.
>
> It seems that the attacker built a botnet with about
> 5.000 zombies. We found a way to identify most of the
> affected hosts. Now we blacklist all those hosts with
> hi-pac (an iptables replacement), so the site is still
> up.
>
> Here is a list with all clients we currently block:
> https://events.ccc.de/congress/2005/mediawiki/images/a/a1/Ipliste.txt
>
> (anyone know how to upload some stuff with no
> "/images" in the URL? :) )
>
> Our current setup includes the following:
>
> mod_security is activated in Apache. Then we do the
> following match:
>
> SecFilterEngine On
> SecFilterSelective "FOOBAR" "uninteresting" "log,status:500,exec:/usr/local/bin/mod_security/wrapper"
>
> /usr/local/bin/mod_security/wrapper is a modified
> wrapper, which gets the IP of the attacker as an
> argument. Those IPs are added to our blacklist with
> iptables.
>
> Most of those hosts should be owned by some
> rootkit or trojan horse. So feel free to investigate.
> Maybe something interesting is there ;-)
>
> If you have some questions or information: contact
> deg...@ja... or ICQ 169800965 or mail:
> cd...@wa...
>
> Our new wrapper is available at
> http://download.wavecon.de - it's GPL, so use it! :)
>
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
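
The quoted message describes a wrapper that mod_security's exec action runs with the attacker's IP as an argument and that adds the address to an iptables blacklist. The script below is an added example of that step, not the wavecon.de wrapper and not part of either message: it validates the argument before it reaches iptables and refuses to block allowlisted hosts. The chain name BLACKLIST, the allowlist, the DRY_RUN switch and the sample addresses are assumptions.

```sh
#!/bin/sh
# Added example, not the wavecon.de wrapper. Assumptions: the address arrives as $1,
# the chain name and allowlist below are hypothetical, sample addresses are constructed.
CHAIN="${CHAIN:-BLACKLIST}"
IPTABLES="${IPTABLES:-iptables}"
ALLOWLIST="${ALLOWLIST:-127.0.0.1 192.0.2.10}"   # addresses that must never be blocked
DRY_RUN="${DRY_RUN:-1}"                          # 1 = print the rule instead of applying it

# Succeed only for a strict dotted-quad IPv4 address (four octets, each 0-255).
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;     # only digits and single dots allowed
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                                    # split on dots; input holds no glob chars
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in 0?*|????*) return 1 ;; esac   # no leading zeros, at most 3 digits
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Block one address: 0 = rule printed/applied, 2 = malformed input, 3 = allowlisted.
block_ip() {
    ip=$1
    if ! valid_ipv4 "$ip"; then
        echo "rejected: not an IPv4 address" >&2; return 2
    fi
    for ok in $ALLOWLIST; do
        if [ "$ip" = "$ok" ]; then
            echo "rejected: $ip is allowlisted" >&2; return 3
        fi
    done
    if [ "$DRY_RUN" = 1 ]; then
        echo "$IPTABLES -I $CHAIN -s $ip -j DROP"
        return 0
    fi
    # -C tests for an existing rule, so repeated hits from one host add it only once.
    "$IPTABLES" -C "$CHAIN" -s "$ip" -j DROP 2>/dev/null ||
        "$IPTABLES" -I "$CHAIN" -s "$ip" -j DROP
}

if [ "$#" -gt 0 ]; then block_ip "$1"; fi
```

With DRY_RUN left at its default of 1 the script only prints the rule it would insert; the leading-zero check is there because some address parsers read such octets as octal.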