On Thu, 2005-11-10 at 09:12 -0800, Daniel B. Thurman wrote:
> /awstats/awstats.pl?configdir=|echo;echo%2 ... cho%20YYY;echo|: 1 Time(s)
> /blog/xmlrpc.php: 1 Time(s)
> /blog/xmlsrv/xmlrpc.php: 1 Time(s)
> /blogs/xmlsrv/xmlrpc.php: 1 Time(s)
> /cgi-bin/awstats.pl?configdir=|echo;echo%2 ... cho%20YYY;echo|: 1 Time(s)
> /cgi-bin/awstats/awstats.pl?configdir=|ech ... cho%20YYY;echo|: 1 Time(s)
> /drupal/xmlrpc.php: 1 Time(s)
> /favicon.ico: 1 Time(s)
> /phpgroupware/xmlrpc.php: 1 Time(s)
> /wordpress/xmlrpc.php: 1 Time(s)
> /xmlrpc.php: 2 Time(s)
> /xmlrpc/xmlrpc.php: 1 Time(s)
> /xmlsrv/xmlrpc.php: 1 Time(s)
>

There's a script floating around. I have seen the same sequence repeatedly.

Favicon.ico is not a hack. It's looking for the default URL icon which you might want to create.

1. Modsecurity is a nifty tool but at the cost of memory, cycles and httpd response speed.

2. You can have swatch watch the logs and add rules to IPTables based on regular expressions. Swatch is a Perl script that is economical to use and does not interfere with HTTPD. Since many people have difficulty with swatch, I'll give you my command line:

   /usr/bin/swatch --use-cpan-file-tail \
       --config-file=/etc/swatch.conf --daemon \
       --awk-field-syntax --tail-file=/var/log/httpd/access_log

   Works for me - YMMV

3. If you are running awstats, make sure that you have the most recent version. Even then, I have it password protected via httpd.conf.

4. Snort is the best intrusion detector around. The default rules are a tad paranoid. Snort does have a rather large footprint.

5. The best GUI to iptables (IMO) is webmin.

6. If it makes you feel better, you can make permanent redirects of repeated hacks to your own "FBI" or "Law Enforcement" page. E.g.:

   Redirect permanent /blog /hack.htm

--
Our DNSRBL - Eliminate Spam: http://www.TQMcube.com/spam_trap.htm
RBLDNSD HowTo: http://www.TQMcube.com/rbldnsd.htm
Multi-RBL Check: http://www.TQMcube.com/rblcheck.htm
Tired of spam? Do YOUR part: http://www.BoulderPledge.org
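
The log-watching approach from point 2 of the message, sketched as an added example (not part of the original post and not a swatch configuration): it scans access-log lines for the two probe families in the quoted report and lists source addresses that cross a threshold, with the matching iptables rule. The Common Log Format layout, the threshold of 3, the sample lines and all function names are assumptions made for this illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample access_log lines; addresses are documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Nov/2005:03:11:01 -0800] "GET /awstats/awstats.pl?configdir=%7Cecho%20test%7C HTTP/1.0" 404 290
192.0.2.10 - - [10/Nov/2005:03:11:02 -0800] "GET /cgi-bin/awstats.pl?configdir=|echo;echo| HTTP/1.0" 404 290
192.0.2.10 - - [10/Nov/2005:03:11:03 -0800] "POST /blog/xmlrpc.php HTTP/1.0" 404 285
192.0.2.10 - - [10/Nov/2005:03:11:04 -0800] "POST /xmlrpc.php HTTP/1.0" 404 280
198.51.100.7 - - [10/Nov/2005:09:00:00 -0800] "GET /favicon.ico HTTP/1.1" 404 282
203.0.113.5 - - [10/Nov/2005:10:00:00 -0800] "POST /wordpress/xmlrpc.php HTTP/1.0" 404 285
"""

# Assumed layout: Common Log Format (client, ident, user, [time], "request", status, size).
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')
PROBES = {
    # Shell metacharacter inside the awstats configdir parameter (after URL-decoding).
    "awstats-configdir": re.compile(r"awstats\.pl\?.*configdir=[^&]*[|;`]", re.I),
    # Request for xmlrpc.php under any directory.
    "xmlrpc-probe": re.compile(r"/xmlrpc\.php(?:\?|$)", re.I),
}

def classify(url):
    decoded = unquote(url)  # so %7C is seen as '|'
    for name, pattern in PROBES.items():
        if pattern.search(decoded):
            return name
    return None

def scan(log_text, threshold=3):
    hits = Counter()
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m:
            continue
        ip, _method, url, status = m.groups()
        kind = classify(url)
        # xmlrpc.php only counts when the script does not exist here (404),
        # so a site that really serves it does not flag its own clients.
        if kind == "awstats-configdir" or (kind == "xmlrpc-probe" and status == "404"):
            hits[ip] += 1
    return sorted(ip for ip, n in hits.items() if n >= threshold)

def block_rules(ips):
    # Rules are returned as text for review, not executed.
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in ips]

if __name__ == "__main__":
    print("\n".join(block_rules(scan(SAMPLE_LOG))))
```

The lone favicon.ico request and the single xmlrpc.php hit stay below the threshold, so only the address that ran the whole sequence is listed.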