httpd server and PHP scans etc.

For ages now, I have been seeing PHP scans on my httpd web server:

Text

1 23 45

176.53.65.28 - - [31/Oct/2013:01:53:23 +0000] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 226 176.53.65.28 - - [31/Oct/2013:01:53:24 +0000] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 226176.53.65.28 - - [31/Oct/2013:01:53:24 +0000] "GET /pma/scripts/setup.php HTTP/1.1" 404 219 176.53.65.28 - - [31/Oct/2013:01:53:24 +0000] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 223176.53.65.28 - - [31/Oct/2013:01:53:24 +0000] "GET /MyAdmin/scripts/setup.php HTTP/1.1" 404 223

is typical. Although from December there appeared a 'new' bot that tried hundreds of PHP (and other stuff) vulnerabilities and lasted over 5 minutes.

So I got fed-up with this using my bandwidth, so coded a short script using the excellent IPSET add-on for IPTABLES.

I tail the httpd access_log and as soon as one of these requests come in, add the IP to the ipset group which is dropped immediately

Now, something strange has happened. After running this for 3 days, these 'scans' have dropped from two to three every 2 hours, to almost ZERO in the last 24 hours... this leads me to believe the infected machines running these bots must report back to 'bot control centre' and flag the bot network to drop my IP as it is unresponsive and a waste of resource. Google doesn't reveal much on this issue.

Anyway, I wish I done this ages ago.

Nick

I tend to put a redirect on this sort of thing back to 127.0.0.1

That just redirects and costs cpu - ipsets is FAST and drops in an instant without overheads.

No hits now for over 36 hours.

http://ipset.netfilter.org/index.html

http://daemonkeeper.net/781/mass-blocking-ip-address...

Nick

I can't say I've seen any performance hit and looking through my access log I've not had a single phpmyadmin hit since the log started in September 2012.

One of these days I'll set up Snort to detect rogue access attempts which the firewall (external hardware) can then block automatically.

The biggest number of unwanted hits comes from a company which has paid for Google AdWords but has mistakenly used my website address. 11.893 hits so far and rising

I wonder how much that cost them

SMTP seems to attract much more 'rubbish' with 1800+ emails rejected at server level last week using Spamassassin and Mimedefang. The false positive rate is incredibly small as is the false negative rate.

I am only really concerned with httpd scans really - they are the ones that cost the most - and using ipsets really has knocked them on the head (I also detect dodgy telnet requests too now).

I use postfix with blackhole lists/country IP ban lists, so mail server is clever enough, and shh is tied down so I get no attacks on that.

One thing I do find funny after analysing logs, is the PHP scan stuff drops off anyway over the weekend... and starts again early Monday morning through to Friday night - which leads me to believe a lot of peoples work machines are infected, and it all starts when they get to work and boot up!

Nick