[Dshield] Another web server attack
jayjwa at atr2.ath.cx
Sat Nov 19 18:49:11 GMT 2005
On Thu, 17 Nov 2005, lucy at lucindrea.com wrote:
-> Ya, I've been seeing a lot of 404's in my server log for /blog... (several
-> combos of paths), now I know what it is.
-> > PHP code
-> > to existing script files that were group/world writable, which when executed
-> > would allow the web site to be used as an anonymizer for the purpose of
-> > accessing warez and other such undesirable stuff on a server in Russia (which
-> > apparently was a legit box, but had also been co-opted as a warez distribution
-> > point.)
It's probably a good time to mention this again, seems like it should be quite
effective against this sort of attack:
1.9 as of this writing is current.
curl -O -v \
The src archive contains both Apache & Apache2 code.
You can then filter for suspect requests, ex:
SecFilter "delete[[:space:]]+from" "deny,log,status:400"
SecFilter "insert[[:space:]]+into" "deny,log,status:400"
SecFilter "select.+from" "deny,log,status:400"
SecFilter "viewtopic.php" "deny,log,status:403"
SecFilter /etc/passwd "deny,log,status:403"
SecFilter /bin/bash "deny,log,status:403"
SecFilter /etc/shadow "deny,log,status:403"
Just be careful not to filter things that could appear in legit requests too.
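The SecFilter lines above are ModSecurity 1.x-style regex filters. As an added example (not from this post or from the mod_security project), here is a small offline checker that applies the same patterns to constructed Apache log lines, so you can see what each rule would have blocked before enabling it; the case-insensitive matching and the log-line format are assumptions of the example.

```python
import re
from urllib.parse import unquote

# The SecFilter patterns from the post, paired with the status each returns.
# ModSecurity 1.x accepts POSIX classes ([[:space:]]); Python's re needs \s.
SEC_FILTERS = [
    (r"delete[[:space:]]+from", 400),
    (r"insert[[:space:]]+into", 400),
    (r"select.+from", 400),
    (r"viewtopic.php", 403),
    (r"/etc/passwd", 403),
    (r"/bin/bash", 403),
    (r"/etc/shadow", 403),
]

def compile_filters(filters=SEC_FILTERS):
    # Case-insensitive matching is an assumption about the intended behaviour.
    return [(re.compile(p.replace("[[:space:]]", r"\s"), re.IGNORECASE), s)
            for p, s in filters]

# Request field of an Apache common/combined log line: "GET /path HTTP/1.x"
REQ_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/\d\.\d"')

def check_request(log_line, compiled):
    """Return (pattern, status) of the first filter hit, or None if clean."""
    m = REQ_RE.search(log_line)
    if not m:
        return None
    # Decode %xx escapes and '+' so encoding cannot hide a match; this mimics
    # the request normalisation mod_security performs before filtering.
    target = unquote(m.group(1).replace("+", " "))
    for rx, status in compiled:
        if rx.search(target):
            return rx.pattern, status
    return None

def scan(log_lines, filters=SEC_FILTERS):
    """Return [(line_index, (pattern, status)), ...] for every flagged line."""
    compiled = compile_filters(filters)
    hits = []
    for i, line in enumerate(log_lines):
        hit = check_request(line, compiled)
        if hit:
            hits.append((i, hit))
    return hits

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    '10.0.0.1 - - [19/Nov/2005:18:49:11 +0000] "GET /blog/index.php HTTP/1.1" 404 291',
    '10.0.0.2 - - [19/Nov/2005:18:50:02 +0000] "GET /blog/?p=1%27%20UNION%20SELECT%20x%20FROM%20t HTTP/1.1" 200 512',
    '10.0.0.3 - - [19/Nov/2005:18:51:30 +0000] "GET /cgi-bin/view.cgi?f=../../../../etc/passwd HTTP/1.0" 404 291',
    # A legitimate search that the loose "select.+from" filter blocks anyway:
    '10.0.0.4 - - [19/Nov/2005:18:52:45 +0000] "GET /search?q=select+a+colour+from+the+list HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for idx, (pattern, status) in scan(SAMPLE_LOG):
        print(f"line {idx}: matched {pattern!r} -> status {status}")
```

The fourth sample line is the false positive the post warns about: "select.+from" fires on an ordinary search string, so run any new filter against a day of real logs before turning on deny.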
IF you have to request that people contact you via a WEBFORM
because you've blocked off virtually all smtp-sent email from
your own MTA ...You just might be guilty of DNS-RBL abuse.