Apache vulnerability?
Steven Stern
subscribed-lists at sterndata.com
Tue Nov 1 21:33:35 UTC 2011
On 11/01/2011 04:06 PM, Alex wrote:
> Hi,
>
> I thought someone might be familiar with apache and expected behavior
> to know whether the access_log entries below are attack attempts, or
> something less alarming. I'm seeing repeated entries like these from a
> handful of IP addresses at a time, all with 404 errors using "POST
> /index.php":
>
> 222.186.24.108 - - [01/Nov/2011:16:56:29 -0400] "POST /index.php
> HTTP/1.1" 404 7168 "http://www.example.com/index.php" "Mozilla/5.0
> (Windows NT 6.1; rv:6.0.2) Gecko/20100101 Firefox/6.0.2" 31508 7609
> 222.186.24.108 - - [01/Nov/2011:16:56:46 -0400] "POST /index.php
> HTTP/1.1" 404 7169 "http://www.example.com/index.php" "Mozilla/5.0
> (Windows NT 6.1; rv:6.0.2) Gecko/20100101 Firefox/6.0.2" 85912 7610
>
> Is this a known exploit attempt? The server has been responding
> slowly, and I believe this is partly the cause.
>
> How can I troubleshoot this further?
>
> Thanks,
> Alex
I've installed OSSEC and set a rule that drops an IP address for 30
minutes after 10 404s in a reasonably short time.
--
-- Steve
More information about the users
mailing list