
Hi all, I have these entries in my Apache log. Anyone have an idea what this is?

203.236.245.154 - - [18/Dec/2001:21:23:54 +0100] "GET/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 205

Thanks, Armin

Yes; Code Red. I wrote myself a little script to block all those hosts trying certain URLs. It's on http://antinimda.hafnet.com for download. It also shows the number of hosts blocked. It's amazing how many blocks I have already... ----- Original Message ----- From: <abaesche@worklab.de> To: <suse-security@suse.com> Sent: Friday, December 21, 2001 10:14 Subject: [suse-security] Entriy in apache log
"GET/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%uc bd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a

The script blocks the hosts by adding them to the ipchains IP filter. You'll have to have it installed in order for the script to work. ;-) When a host is blocked, it cannot surf to your box on port 80 anymore, so no more entries or hacking can be done on that port on your box. Rogier ----- Original Message ----- From: "Bob B" <n1uan@bridgenettn.com> To: "Rogier Maas" <icarus@hafnet.com> Cc: <suse-security@suse.com>; <abaesche@worklab.de> Sent: Friday, December 21, 2001 11:44 Subject: Re: [suse-security] Entriy in apache log

Well, if you have ipchains, the script can use it. There's no harm in trying! If you need any help setting it up (which is fairly easy) or anything else, just mail me; I'd be happy to help out where I can. Rogier ----- Original Message ----- From: "Bob B" <n1uan@bridgenettn.com> To: "Rogier Maas" <icarus@hafnet.com> Cc: <suse-security@suse.com>; <abaesche@worklab.de> Sent: Friday, December 21, 2001 11:54 Subject: Re: [suse-security] Entriy in apache log

(Sorry, wasn't able to reply earlier due to a nameserver being down) Yes, that is very true. In fact, it wouldn't make sense at all to block them, unless the 'attacker' (which is an automated script running on a winblows box; the user doesn't even know it's there) is -really- attacking you. He'll soon find out that you aren't running an IIS server and either stop hacking or switch to 'Linux-mode', trying the Apache bugs. That should take him at least 2 or 3 seconds, then he is done, since there are maybe 1 or 2 'bugs' in Apache. ;-)

I wrote this script to:
- Learn bash
- Learn ipchains
- Have an excuse to make another webpage
- Get those lame entries 'outta my accesslog'

A filter between Apache and the accesslog would do fine too. Just pipe the log to a filter (using grep -v to show all lines without the words you specify) and have the output written to the access_log. The advantage would be: no long listing of denied hosts, thus more speed, since ipchains has to go through all those entries only to find out it can let the packet through.

Kind Regards, Rogier Maas ----- Original Message ----- From: "Markus Gaugusch" <markus@gaugusch.at> To: "Bob B" <n1uan@bridgenettn.com> Cc: "Rogier Maas" <icarus@hafnet.com>; <suse-security@suse.com> Sent: Friday, December 21, 2001 12:03 Subject: Re: [suse-security] Entriy in apache log

Hi, * Bob B wrote on Fri, Dec 21, 2001 at 06:00 -0500:
OK, let me ask this first: can I just have ipchains on the box without changing any routing
"ipchains" is a tool for configuring firewall rules. You don't need to change the routing table nor the color of the screensaver :)
etc. that is set now, as I wouldn't want to make a major overhaul!
Please be really careful with automatic blocking firewall scripts. Did you test what happens when a proxy connects? Does the proxy get blocked? What about the other people behind that proxy? And so on. Nimda cannot infect Linux via Apache, so you may decide to ignore it silently :) [130 lines cut] Please don't full-quote the original mail. Write text under the text you are citing, and cite intelligently. Maybe you'll find some time to study the Netiquette a little. Thank you. oki, Steffen -- This message was generated by machine and therefore bears neither signature nor seal.
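As an added illustration of the two approaches discussed above (Rogier's idea of filtering the worm noise out of the access log instead of touching the firewall, and Steffen's caveat about blocking shared proxy addresses), here is a small Python filter that is not part of the thread or of the antinimda script. It parses Apache common-log lines, recognises the default.ida probe shape quoted by Armin, and reports hits per source host rather than blocking anything; the sample log lines, host addresses and timestamps are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample log lines (Apache common log format) modelled on the
# entry quoted in the thread; hosts and timestamps are made up for the example.
SAMPLE_LOG = [
    '203.0.113.7 - - [18/Dec/2001:21:23:54 +0100] "GET /default.ida?NNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u00=a HTTP/1.0" 404 205',
    '198.51.100.2 - - [18/Dec/2001:21:24:10 +0100] "GET /index.html HTTP/1.1" 200 1043',
    '203.0.113.7 - - [18/Dec/2001:21:25:01 +0100] "GET /default.ida?XXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u00=a HTTP/1.0" 404 205',
    '192.0.2.9 - - [18/Dec/2001:21:26:33 +0100] "GET /default.ida?NNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u00=a HTTP/1.0" 404 205',
]

# One access-log line: host, ident, user, [timestamp], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: \S+)?" (?P<status>\d{3}) (?P<size>\S+)'
)

# Shape of the probe in Armin's log: GET /default.ida?NNNN... (Code Red II used
# XXXX...) followed by %u-encoded words. The filler length varies, so match the shape.
CODE_RED_RE = re.compile(r'^/default\.ida\?[NX]{8,}(?:%u[0-9a-fA-F]{4})+')

def parse_line(line):
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_code_red(line):
    """True if the request path carries the Code Red default.ida signature."""
    rec = parse_line(line)
    return bool(rec and rec["method"] == "GET" and CODE_RED_RE.match(rec["path"]))

def split_log(lines):
    """Separate worm noise from real traffic (Rogier's log filter, no firewall
    changes). Returns (clean_lines, noise_lines)."""
    clean, noise = [], []
    for line in lines:
        (noise if is_code_red(line) else clean).append(line)
    return clean, noise

def probes_per_host(lines):
    """Count probes per source host for a report. Count, do not block: a hit
    from a shared proxy address would punish everyone behind it (Steffen's point)."""
    return Counter(parse_line(l)["host"] for l in lines if is_code_red(l))

if __name__ == "__main__":
    clean, noise = split_log(SAMPLE_LOG)
    print(f"{len(noise)} worm probes filtered, {len(clean)} lines kept")
    for host, n in probes_per_host(SAMPLE_LOG).most_common():
        print(f"{host}: {n}")
```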
participants (6)
- abaesche@worklab.de
- Bob B
- Markus Gaugusch
- Rogier Maas
- Simon Oliver
- Steffen Dettmer