Apache vulnerability?

Patrick Lists fedora-list at puzzled.xs4all.nl
Tue Nov 1 21:28:24 UTC 2011


On 11/01/2011 10:06 PM, Alex wrote:
[snip]
> 222.186.24.108 - - [01/Nov/2011:16:56:46 -0400] "POST /index.php
> HTTP/1.1" 404 7169 "http://www.example.com/index.php" "Mozilla/5.0
> (Windows NT 6.1; rv:6.0.2) Gecko/20100101 Firefox/6.0.2" 85912 7610

Don't know if it's an exploit. They are probably scanning web hosts for 
certain behavior/software. The originating IP is from China Telecom. I 
see a lot of probing and hacking attempts coming from that region. Quick 
and dirty solution if the website(s) on that server do not serve the 
Asian market: just block the offending IP ranges in your firewall and be 
done with it. Harsh but effective. You can find the IP ranges at 
ipdeny.com. Alternatively you could install something like fail2ban and 
make it detect these attempts in Apache logs and block the originating IP.

Regards,
Patrick
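
An added example, not part of the original message and not fail2ban's own code: the Python below applies the fail2ban-style idea suggested above to Apache access-log lines shaped like the one quoted, flagging client IPs that send repeated POST requests answered with 404 inside a time window. The thresholds `max_retry` and `find_time`, the function name, and the sample log lines (documentation-range IPs) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache combined log format; anything after the status code (sizes, referer,
# user agent, the two extra numbers in the quoted line) is ignored.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_offenders(lines, max_retry=3, find_time=timedelta(minutes=10)):
    """Return IPs with >= max_retry POSTs answered 404 within find_time.

    max_retry and find_time are assumed thresholds, tune them per site.
    Lines are expected in chronological order, as in an access log.
    """
    recent = defaultdict(deque)  # ip -> timestamps of failures in the window
    offenders = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or m["status"] != "404":
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits = recent[m["ip"]]
        hits.append(ts)
        while ts - hits[0] > find_time:  # drop failures older than the window
            hits.popleft()
        if len(hits) >= max_retry and m["ip"] not in offenders:
            offenders.append(m["ip"])
    return offenders

# Constructed sample log lines (not real traffic).
_FMT = ('{ip} - - [01/Nov/2011:{t} -0400] "{req} HTTP/1.1" {st} 7169 '
        '"-" "Mozilla/5.0" 85912 7610')
SAMPLE = [_FMT.format(ip=i, t=t, req=r, st=s) for i, t, r, s in [
    ("192.0.2.10",   "16:56:46", "POST /index.php", 404),
    ("198.51.100.7", "16:56:50", "GET /index.php",  200),
    ("192.0.2.10",   "16:57:10", "POST /admin.php", 404),
    ("198.51.100.7", "16:57:30", "POST /index.php", 404),
    ("192.0.2.10",   "16:58:02", "POST /login.php", 404),
    ("203.0.113.5",  "17:00:00", "POST /index.php", 404),  # slow prober:
    ("203.0.113.5",  "17:15:00", "POST /index.php", 404),  # never 3 hits
    ("203.0.113.5",  "17:30:00", "POST /index.php", 404),  # inside 10 min
]]

if __name__ == "__main__":
    print(find_offenders(SAMPLE))
```

The slow prober in the sample stays under the threshold, which is the usual trade-off of a windowed counter: widening `find_time` catches it at the cost of more false positives from ordinary broken links.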

