identifying threats and dealing with them appropriately

Discussion in 'Server Operation' started by blinky, Nov 11, 2012.

  1. blinky

    blinky Member

    I'm very new to Ubuntu, so installing my own home-based web, file and mail server has been a truly incredibly fascinating experience. I've been amazed at the sheer number of hits my web server gets and I haven't told a soul it's up and running. (Other than my domain name registrar.)

    Anyways, while having my tea after lunch today I happened to have a window open that was monitoring Apache's access.log as I've been trying to eliminate a variety of bots lately.

    Anyways, as I'm sitting there sipping my tea the screen is suddenly a flurry of activity and the following spews across the screen until I temporarily shut down the Apache server:
    Code:
    149.3.152.246 - - [11/Nov/2012:12:34:26 -0500] "GET /index.php HTTP/1.1" 404 392 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
    149.3.152.246 - - [11/Nov/2012:12:34:27 -0500] "GET /admin/index.php HTTP/1.1" 401 587 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
    149.3.152.246 - - [11/Nov/2012:12:34:27 -0500] "GET /admin/pma/index.php HTTP/1.1" 401 587 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
    149.3.152.246 - - [11/Nov/2012:12:34:27 -0500] "GET /admin/phpmyadmin/index.php HTTP/1.1" 401 587 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
    149.3.152.246 - - [11/Nov/2012:12:34:28 -0500] "GET /db/index.php HTTP/1.1" 404 394 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
    149.3.152.246 - - [11/Nov/2012:12:34:28 -0500] "GET /dbadmin/index.php HTTP/1.1" 404 398 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
    149.3.152.246 - - [11/Nov/2012:12:34:28 -0500] "GET /myadmin/index.php HTTP/1.1" 404 398 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
    149.3.152.246 - - [11/Nov/2012:12:34:29 -0500] "GET /mysql/index.php HTTP/1.1" 404 397 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
    149.3.152.246 - - [11/Nov/2012:12:34:29 -0500] "GET /mysqladmin/index.php HTTP/1.1" 404 400 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
    149.3.152.246 - - [11/Nov/2012:12:34:30 -0500] "GET /typo3/phpmyadmin/index.php HTTP/1.1" 404 404 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
    149.3.152.246 - - [11/Nov/2012:12:34:30 -0500] "GET /phpadmin/index.php HTTP/1.1" 404 397 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
    149.3.152.246 - - [11/Nov/2012:12:34:30 -0500] "GET /phpMyAdmin/index.php HTTP/1.1" 404 400 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
    149.3.152.246 - - [11/Nov/2012:12:34:31 -0500] "GET /phpmyadmin/index.php HTTP/1.1" 404 399 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
    149.3.152.246 - - [11/Nov/2012:12:34:31 -0500] "GET /phpmyadmin1/index.php HTTP/1.1" 404 400 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
    149.3.152.246 - - [11/Nov/2012:12:34:31 -0500] "GET /phpmyadmin2/index.php HTTP/1.1" 404 400 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
    149.3.152.246 - - [11/Nov/2012:12:34:32 -0500] "GET /pma/index.php HTTP/1.1" 404 395 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
    149.3.152.246 - - [11/Nov/2012:12:34:32 -0500] "GET /web/phpMyAdmin/index.php HTTP/1.1" 404 403 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
    149.3.152.246 - - [11/Nov/2012:12:34:32 -0500] "GET /xampp/phpmyadmin/index.php HTTP/1.1" 404 403 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
    149.3.152.246 - - [11/Nov/2012:12:34:33 -0500] "GET /web/index.php HTTP/1.1" 404 395 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
    149.3.152.246 - - [11/Nov/2012:12:34:33 -0500] "GET /php-my-admin/index.php HTTP/1.1" 404 400 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
    149.3.152.246 - - [11/Nov/2012:12:34:33 -0500] "GET /websql/index.php HTTP/1.1" 404 397 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
    149.3.152.246 - - [11/Nov/2012:12:34:34 -0500] "GET /phpmyadmin/index.php HTTP/1.1" 404 399 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
    149.3.152.246 - - [11/Nov/2012:12:34:34 -0500] "GET /phpMyAdmin/index.php HTTP/1.1" 404 400 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
    149.3.152.246 - - [11/Nov/2012:12:34:34 -0500] "GET /phpMyAdmin-2/index.php HTTP/1.1" 404 402 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
    149.3.152.246 - - [11/Nov/2012:12:34:35 -0500] "GET /php-my-admin/index.php HTTP/1.1" 404 400 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
    149.3.152.246 - - [11/Nov/2012:12:34:35 -0500] "GET /phpMyAdmin-2.2.3/index.php HTTP/1.1" 404 405 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
    149.3.152.246 - - [11/Nov/2012:12:34:35 -0500] "GET /phpMyAdmin-2.2.6/index.php HTTP/1.1" 404 406 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
    149.3.152.246 - - [11/Nov/2012:12:34:36 -0500] "GET /phpMyAdmin-2.5.1/index.php HTTP/1.1" 404 405 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
    149.3.152.246 - - [11/Nov/2012:12:34:36 -0500] "GET /phpMyAdmin-2.5.4/index.php HTTP/1.1" 404 405 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
    149.3.152.246 - - [11/Nov/2012:12:34:36 -0500] "GET /phpMyAdmin-2.5.5-rc1/index.php HTTP/1.1" 404 409 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
    149.3.152.246 - - [11/Nov/2012:12:34:37 -0500] "GET /phpMyAdmin-2.5.5-rc2/index.php HTTP/1.1" 404 409 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
    149.3.152.246 - - [11/Nov/2012:12:34:37 -0500] "GET /phpMyAdmin-2.5.5/index.php HTTP/1.1" 404 405 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
    149.3.152.246 - - [11/Nov/2012:12:34:37 -0500] "GET /phpMyAdmin-2.5.5-pl1/index.php HTTP/1.1" 404 409 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
    149.3.152.246 - - [11/Nov/2012:12:34:38 -0500] "GET /phpMyAdmin-2.5.6-rc1/index.php HTTP/1.1" 404 410 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
    149.3.152.246 - - [11/Nov/2012:12:34:38 -0500] "GET /phpMyAdmin-2.5.6-rc2/index.php HTTP/1.1" 404 409 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
    149.3.152.246 - - [11/Nov/2012:12:34:39 -0500] "GET /phpMyAdmin-2.5.6/index.php HTTP/1.1" 404 406 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
    149.3.152.246 - - [11/Nov/2012:12:34:39 -0500] "GET /phpMyAdmin-2.5.7/index.php HTTP/1.1" 404 406 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
    149.3.152.246 - - [11/Nov/2012:12:34:39 -0500] "GET /phpMyAdmin-2.5.7-pl1/index.php HTTP/1.1" 404 409 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
    149.3.152.246 - - [11/Nov/2012:12:34:40 -0500] "GET  HTTP/1.1" 400 226 "-" "-"
    
    Er... um... hello? WTF?

    As near as I can figure out, something at 149.3.152.246 is banging away at my server trying to access phpMyAdmin but my server is configured such that it's at least sending back a 404 error... if I'm reading this right.

    I can plop that IP address in a "Deny from" statement in an .htaccess file, I can block it on the router, but I would have thought something like fail2ban would have caught this.

    Hmmmm... the fact that someone would try to access this piddly system is more amusing than the fact that I feel compelled to actually do anything about it.

    What's the best way to deal with this sort of stuff?
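    The burst above has a simple signature: one client, a dozen requests inside a few seconds, every one of them either a database-admin-panel path or a 4xx answer. The following script is an added example (not code from the thread or from fail2ban) of that detection logic run over Apache combined-format lines. It assumes the list of admin-panel path names in ADMIN_PATH_RE, a 60-second window and a threshold of 10 suspicious requests, all chosen for illustration; the sample log is constructed from a dozen of the probe lines in the post (user-agent shortened), the trailing malformed request, and a few ordinary requests from an unrelated client at 192.0.2.10, an address from the documentation range.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" format: host ident authuser [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Path components that a database-admin-panel scanner probes for. Assumption:
# drawn from the paths in the log above plus the usual siblings; a site that
# really runs phpMyAdmin should keep it off these names or off the public vhost.
ADMIN_PATH_RE = re.compile(
    r'^/(?:[^/]+/)*(?:phpmyadmin[^/]*|pma|myadmin|mysql[^/]*|dbadmin|phpadmin|websql|php-my-admin)/',
    re.IGNORECASE,
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    d = m.groupdict()
    d["time"] = datetime.strptime(d["time"], "%d/%b/%Y:%H:%M:%S %z")
    d["status"] = int(d["status"])
    # A malformed request such as 'GET  HTTP/1.1' (the 400 at the end of the log
    # above) splits into ['GET', '', 'HTTP/1.1']; keep the empty path rather than crash.
    parts = d["request"].split(" ")
    d["method"] = parts[0] if parts else ""
    d["path"] = parts[1] if len(parts) > 1 else ""
    return d


def detect_scanners(lines, window=timedelta(seconds=60), threshold=10):
    """Return {ip: summary} for clients that look like admin-panel scanners.

    An event is "suspicious" when it hits an admin-panel path or gets a 4xx
    answer (404/401/400 is what a probe for absent software receives). A
    client is flagged when at least `threshold` suspicious events fall inside
    any sliding `window`, so one stray 404 from a real visitor is ignored.
    """
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            by_ip[ev["ip"]].append(ev)

    flagged = {}
    for ip, events in by_ip.items():
        suspicious = sorted(
            (e for e in events if e["status"] >= 400 or ADMIN_PATH_RE.match(e["path"])),
            key=lambda e: e["time"],
        )
        lo, peak = 0, 0
        for hi, ev in enumerate(suspicious):
            while ev["time"] - suspicious[lo]["time"] > window:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= threshold:
            flagged[ip] = {
                "requests": len(events),
                "suspicious": len(suspicious),
                "peak_in_window": peak,
                "statuses": sorted({e["status"] for e in suspicious}),
                "admin_paths": sorted({e["path"] for e in suspicious if ADMIN_PATH_RE.match(e["path"])}),
            }
    return flagged


def _line(ip, hms, request, status, size, agent="Mozilla/5.0 (Windows NT 6.1) Chrome/13.0.782.220"):
    return f'{ip} - - [11/Nov/2012:{hms} -0500] "{request}" {status} {size} "-" "{agent}"'


# Constructed sample: probe lines from the post (user-agent shortened), the
# malformed trailing request, and ordinary traffic from an unrelated client.
SCANNER = "149.3.152.246"
SAMPLE_LOG = [
    _line("192.0.2.10", "12:30:00", "GET / HTTP/1.1", 200, 1245),
    _line("192.0.2.10", "12:30:05", "GET /style.css HTTP/1.1", 200, 812),
    _line("192.0.2.10", "12:31:00", "GET /missing.png HTTP/1.1", 404, 395),
    _line(SCANNER, "12:34:26", "GET /index.php HTTP/1.1", 404, 392),
    _line(SCANNER, "12:34:27", "GET /admin/index.php HTTP/1.1", 401, 587),
    _line(SCANNER, "12:34:27", "GET /admin/pma/index.php HTTP/1.1", 401, 587),
    _line(SCANNER, "12:34:28", "GET /db/index.php HTTP/1.1", 404, 394),
    _line(SCANNER, "12:34:29", "GET /mysql/index.php HTTP/1.1", 404, 397),
    _line(SCANNER, "12:34:30", "GET /typo3/phpmyadmin/index.php HTTP/1.1", 404, 404),
    _line(SCANNER, "12:34:31", "GET /phpmyadmin/index.php HTTP/1.1", 404, 399),
    _line(SCANNER, "12:34:32", "GET /pma/index.php HTTP/1.1", 404, 395),
    _line(SCANNER, "12:34:33", "GET /php-my-admin/index.php HTTP/1.1", 404, 400),
    _line(SCANNER, "12:34:35", "GET /phpMyAdmin-2.2.3/index.php HTTP/1.1", 404, 405),
    _line(SCANNER, "12:34:39", "GET /phpMyAdmin-2.5.7/index.php HTTP/1.1", 404, 406),
    _line(SCANNER, "12:34:40", "GET  HTTP/1.1", 400, 226, agent="-"),
]

if __name__ == "__main__":
    for ip, summary in detect_scanners(SAMPLE_LOG).items():
        print(ip, summary)
```

    Run against the sample, only 149.3.152.246 is flagged: twelve suspicious requests in a fourteen-second window, statuses 400/401/404, eight of the paths matching the admin-panel pattern. The single 404 from 192.0.2.10 never reaches the threshold. The same idea is what a fail2ban jail would express as a failregex, but note that fail2ban only sees this traffic if a jail is pointed at access.log; the stock apache-auth and apache-noscript jails read the error log, which is why a scan of this kind can sail past a default install.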
     
  2. pititis

    pititis Member

    Hello,

    Yes, it's really annoying. Best way to deal with scan drones and crap with apache?... I must say modsecurity + crs (core rule set). ModSecurity is a web application layer firewall. ModSecurity has tons of rules; you will find the base rules, optional and experimental (there are many third party rules too).

    I'm using some rules from the base set. Now in ubuntu 12.04 you can install the module for apache and the core rule set with:

    Code:
    apt-get install modsecurity-crs
    Dealing with the configuration file can be hard, but you will find a recommended configuration file.

    Cheers!
     
    Last edited: Nov 12, 2012
