Standard User Lethe
(fountain of knowledge) Fri 31-Jan-14 13:14:10

httpd server and PHP scans etc.


 
For ages now, I have been seeing PHP scans on my httpd web server:

176.53.65.28 - - [31/Oct/2013:01:53:23 +0000] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 226
176.53.65.28 - - [31/Oct/2013:01:53:24 +0000] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 226
176.53.65.28 - - [31/Oct/2013:01:53:24 +0000] "GET /pma/scripts/setup.php HTTP/1.1" 404 219
176.53.65.28 - - [31/Oct/2013:01:53:24 +0000] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 223
176.53.65.28 - - [31/Oct/2013:01:53:24 +0000] "GET /MyAdmin/scripts/setup.php HTTP/1.1" 404 223


is typical, although from December there appeared a 'new' bot that tried hundreds of PHP (and other stuff) vulnerabilities and lasted over 5 minutes.

So I got fed up with this using my bandwidth, so I coded a short script using the excellent IPSET add-on for IPTABLES.

I tail the httpd access_log and as soon as one of these requests comes in, add the IP to the ipset group, which is dropped immediately :)

Now, something strange has happened. After running this for 3 days, these 'scans' have dropped from two to three every 2 hours, to almost ZERO in the last 24 hours... this leads me to believe the infected machines running these bots must report back to 'bot control centre' and flag the bot network to drop my IP as it is unresponsive and a waste of resource. Google doesn't reveal much on this issue.

Anyway, I wish I'd done this ages ago.

Nick
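The tail-the-log-and-add-to-ipset approach Nick describes, written out as an added example (this is not his script). It assumes ipset and iptables are installed, an Apache common/combined log format, a server that does not itself host phpMyAdmin, and placeholder values for the set name and log path; the sample log lines are constructed for a dry run.

```shell
#!/bin/sh
# Added example, not the thread author's script: drop hosts that probe for
# phpMyAdmin setup.php paths by adding them to an ipset matched by iptables.
# Assumes ipset/iptables installed, Apache common/combined log format, and a
# server that does not host phpMyAdmin. SET_NAME and ACCESS_LOG are placeholders.
SET_NAME="${SET_NAME:-scanners}"
ACCESS_LOG="${ACCESS_LOG:-/var/log/httpd/access_log}"
# Constructed sample lines, same format as the thread's extract, for a dry run.
SAMPLE_LOG='176.53.65.28 - - [31/Oct/2013:01:53:23 +0000] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 226
10.0.0.5 - - [31/Oct/2013:01:55:00 +0000] "GET /index.html HTTP/1.1" 200 1024
176.53.65.28 - - [31/Oct/2013:01:53:24 +0000] "GET /pma/scripts/setup.php HTTP/1.1" 404 219
203.0.113.9 - - [31/Oct/2013:02:00:00 +0000] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 223'

# Read log lines on stdin; print the client IP (field 1) of every line whose
# request path (field 7 in common/combined format) is a phpMyAdmin-style
# setup.php probe, each address once. Case-insensitive, so /pma and /MyAdmin
# variants all match.
scan_ips() {
    awk 'tolower($7) ~ /^\/(phpmyadmin|pma|myadmin)\/.*setup\.php/ { print $1 }' | sort -u
}

# One-time setup: create the set and put the DROP rule first in INPUT. -exist
# makes create idempotent; iptables -C avoids adding the rule twice on re-runs.
setup_firewall() {
    ipset create "$SET_NAME" hash:ip -exist
    iptables -C INPUT -m set --match-set "$SET_NAME" src -j DROP 2>/dev/null ||
        iptables -I INPUT -m set --match-set "$SET_NAME" src -j DROP
}

# Add one address to the set; -exist keeps repeated adds from failing.
block_ip() { ipset add "$SET_NAME" "$1" -exist; }

# Follow the live log and block each probing host as soon as its request lands.
watch_log() {
    tail -F "$ACCESS_LOG" | while read -r line; do
        for ip in $(printf '%s\n' "$line" | scan_ips); do block_ip "$ip"; done
    done
}

# Touch the firewall only as root with --watch; otherwise dry-run the sample.
if [ "${1:-}" = "--watch" ] && [ "$(id -u)" -eq 0 ]; then
    setup_firewall && watch_log
else
    printf '%s\n' "$SAMPLE_LOG" | scan_ips
fi
```

Run without arguments to see which sample addresses would be blocked; run as root with `--watch` to follow the real log and populate the set.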
Standard User caffn8me
(knowledge is power) Fri 31-Jan-14 17:09:41

Re: httpd server and PHP scans etc.


[re: Lethe]
 
I tend to put a redirect on this sort of thing back to 127.0.0.1 ;)

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs
Standard User Lethe
(fountain of knowledge) Fri 31-Jan-14 20:41:20

Re: httpd server and PHP scans etc.


[re: caffn8me]
 
That just redirects and costs CPU - ipset is FAST and drops in an instant without overheads.

No hits now for over 36 hours.

http://ipset.netfilter.org/index.html

http://daemonkeeper.net/781/mass-blocking-ip-address...

Nick
Standard User caffn8me
(knowledge is power) Fri 31-Jan-14 22:12:42

Re: httpd server and PHP scans etc.


[re: Lethe]
 
I can't say I've seen any performance hit and looking through my access log I've not had a single phpmyadmin hit since the log started in September 2012.

One of these days I'll set up Snort to detect rogue access attempts which the firewall (external hardware) can then block automatically.

The biggest number of unwanted hits comes from a company which has paid for Google AdWords but has mistakenly used my website address. 11.893 hits so far and rising.

I wonder how much that cost them :)

SMTP seems to attract much more 'rubbish' with 1800+ emails rejected at server level last week using Spamassassin and Mimedefang. The false positive rate is incredibly small as is the false negative rate.

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs
Standard User Lethe
(fountain of knowledge) Sat 01-Feb-14 13:50:54

Re: httpd server and PHP scans etc.


[re: caffn8me]
 
I am only really concerned with httpd scans - they are the ones that cost the most - and using ipset really has knocked them on the head (I also detect dodgy telnet requests too now).

I use postfix with blackhole lists/country IP ban lists, so the mail server is clever enough, and ssh is tied down so I get no attacks on that.

One thing I do find funny after analysing logs is that the PHP scan stuff drops off anyway over the weekend... and starts again early Monday morning through to Friday night - which leads me to believe a lot of people's work machines are infected, and it all starts when they get to work and boot up!

Nick