[Dshield] A Couple of New Apache Hack Patterns

David Cary Hart DShield at TQMcube.com
Wed Dec 14 15:24:01 GMT 2005

. . . new for me anyway.

1. index2.php | index.php

302 290 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT5.1;)"
HTTP/1.1" 301 562 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT

2. POST directly to the form mail php processing page. In other words,
something like contact.php is passed to, and processed by
ContactProc.php. The would-be spammer-hacker-miscreant is trying to
forward mail by eliminating the form entry page.

The strategy I am using these days is to SWATCH the patterns -> rewrite
rule to hacker.php -> firewall rule. The purpose of the interim
hacker.php is to provide information just in case of a false positive.
Hacker.php then writes a unique line to access_log which swatch
recognizes to trigger the firewall rule.

