Hi, I have ISPConfig 3 running and I'm having trouble with a search box on a site running a Magento webshop. I get searches like

Code:
"arc welding rods/admin/s/password_forgotten.php?action='"
"arc welding rods/admin/sqlpatch.php/password_forgotten.php?action=execute/admin/categories.php/login.php?cPath="
"arc welding rods/admin/sqlpatch.php/password_forgotten.php?action=execute/admin/sqlpatch.php/password_forgotten.php?action=execu"
"arc welding rods/admin/sqlpatch.php/password_forgotten.php?action=execute/login.php"

And if I look in the site's logs I can see that they are trying to reach certain admin addresses (that I have moved).

Code:
79.169.141.105 - - [08/Sep/2011:09:17:39 +0200] "GET /en/catalogsearch/result/?q=arc+welding+rods%2Fadmin%2Fsqlpatch.php%2Fpassword_forgotten.php%3Faction%3Dexecute/admin/file_manager.php/login.php HTTP/1.1" 200 35271 "-" "Mozilla/5.0 (compatible;Baiduspider/2.0;+http://www.baidu.com/search/spider.html)"
79.169.141.105 - - [08/Sep/2011:09:17:43 +0200] "GET /admin/file_manager.php/login.php HTTP/1.1" 404 1806 "-" "Mozilla/5.0 (compatible;Baiduspider/2.0;+http://www.baidu.com/search/spider.html)"
79.169.141.105 - - [08/Sep/2011:09:17:43 +0200] "GET /en/catalogsearch/result/admin/file_manager.php/login.php HTTP/1.1" 404 13154 "-" "Mozilla/5.0 (compatible;Baiduspider/2.0;+http://www.baidu.com/search/spider.html)""
79.169.141.105 - - [08/Sep/2011:09:18:13 +0200] "GET /en/catalogsearch/result/?q=arc+welding+rods%2Fadmin%2Fsqlpatch.php%2Fpassword_forgotten.php%3Faction%3Dexecute/admin/banner_manager.php/login.php HTTP/1.1" 200 35379 "-" "Mozilla/5.0 (compatible;Baiduspider/2.0;+http://www.baidu.com/search/spider.html)"
79.169.141.105 - - [08/Sep/2011:09:18:15 +0200] "GET /admin/banner_manager.php/login.php HTTP/1.1" 404 1806 "-" "Mozilla/5.0 (compatible;Baiduspider/2.0;+http://www.baidu.com/search/spider.html)"
79.169.141.105 - - [08/Sep/2011:09:18:16 +0200] "GET /en/catalogsearch/result/admin/banner_manager.php/login.php HTTP/1.1" 404 13162 "-" "Mozilla/5.0 (compatible;Baiduspider/2.0;+http://www.baidu.com/search/spider.html)"
79.169.141.105 - - [08/Sep/2011:09:18:15 +0200] "GET /en/catalogsearch/result/?q=arc+welding+rods%2Fadmin%2Fsqlpatch.php%2Fpassword_forgotten.php%3Faction%3Dexecute/admin/categories.php/login.php HTTP/1.1" 200 35211 "-" "Mozilla/5.0 (compatible;Baiduspider/2.0;+http://www.baidu.com/search/spider.html)"
79.169.141.105 - - [08/Sep/2011:09:18:19 +0200] "GET /admin/categories.php/login.php HTTP/1.1" 404 1806 "-" "Mozilla/5.0 (compatible;Baiduspider/2.0;+http://www.baidu.com/search/spider.html)"
79.169.141.105 - - [08/Sep/2011:09:18:19 +0200] "GET /en/catalogsearch/result/admin/categories.php/login.php HTTP/1.1" 404 13146 "-" "Mozilla/5.0 (compatible;Baiduspider/2.0;+http://www.baidu.com/search/spider.html)"

Is there any way for me to stop this everyday attack? It has been going on for a month now. Can I block the IP somehow? Will Snort help? I know it says that it's Baidu but that is spoofed.
You can block the IP using iptables:

Code:
iptables -A INPUT -s 79.169.141.105 -j DROP

These attacks are common... I think that modsecurity is the solution; I am working on the ruleset in order to implement it in the near future for my sites.
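As an added example, not code from either post: a small Python script that joins the detection the question implies with the mitigation the answer gives. It parses combined-format access-log lines, flags clients whose Magento search query (the `q` parameter) or request path carries an encoded `/admin/` probe path, counts the resulting 404s, notes a claimed Baiduspider user agent, and renders the iptables DROP rule from the answer for each flagged client. The log lines it carries are constructed in the shape of the quoted excerpt, with TEST-NET addresses in place of the real client; the `threshold` of three probes is an assumed tuning value.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote, urlsplit

# Combined log format: ip ident user [time] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

# Constructed sample lines in the shape of the question's excerpt; TEST-NET addresses, not the real client.
SAMPLE_LOG = """\
203.0.113.5 - - [08/Sep/2011:09:17:39 +0200] "GET /en/catalogsearch/result/?q=arc+welding+rods%2Fadmin%2Fsqlpatch.php%2Fpassword_forgotten.php%3Faction%3Dexecute/admin/file_manager.php/login.php HTTP/1.1" 200 35271 "-" "Mozilla/5.0 (compatible;Baiduspider/2.0;+http://www.baidu.com/search/spider.html)"
203.0.113.5 - - [08/Sep/2011:09:17:43 +0200] "GET /admin/file_manager.php/login.php HTTP/1.1" 404 1806 "-" "Mozilla/5.0 (compatible;Baiduspider/2.0;+http://www.baidu.com/search/spider.html)"
203.0.113.5 - - [08/Sep/2011:09:17:43 +0200] "GET /en/catalogsearch/result/admin/file_manager.php/login.php HTTP/1.1" 404 13154 "-" "Mozilla/5.0 (compatible;Baiduspider/2.0;+http://www.baidu.com/search/spider.html)"
198.51.100.7 - - [08/Sep/2011:09:20:01 +0200] "GET /en/catalogsearch/result/?q=arc+welding+rods HTTP/1.1" 200 35100 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/6.0"
"""

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None  # None for lines that are not in combined format

def is_admin_probe(path):
    """True when the request hits an /admin/ path directly or smuggles one inside the search query."""
    parts = urlsplit(path)
    if "/admin/" in parts.path:
        return True
    q = parse_qs(parts.query).get("q", [""])[0]
    # parse_qs already decodes one layer; a second unquote also catches double-encoded %252F
    return "/admin/" in unquote(q)

def flag_scanners(log_text, threshold=3):
    """Map each client IP with at least `threshold` admin probes to its hit, 404 and UA stats."""
    stats = defaultdict(lambda: {"hits": 0, "not_found": 0, "claims_baidu": False})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not is_admin_probe(rec["path"]):
            continue
        s = stats[rec["ip"]]
        s["hits"] += 1
        s["not_found"] += rec["status"] == "404"
        # a crawler UA on probe traffic is only a claim; confirming it needs a reverse-DNS check, not done here
        s["claims_baidu"] = s["claims_baidu"] or "Baiduspider" in rec["ua"]
    return {ip: s for ip, s in stats.items() if s["hits"] >= threshold}

def iptables_rules(flagged):
    """Render the DROP rule from the answer for each flagged client."""
    return [f"iptables -A INPUT -s {ip} -j DROP" for ip in sorted(flagged)]

if __name__ == "__main__":
    print("\n".join(iptables_rules(flag_scanners(SAMPLE_LOG))))
```

Run against a real access log, the rules are meant to be reviewed before being applied, since a shared NAT address or a genuine crawler behind the threshold would be blocked along with the scanner.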