Apache vulnerability?
Alex
mysqlstudent at gmail.com
Tue Nov 1 22:59:02 UTC 2011
Hi,
>> I thought someone might be familiar with apache and expected behavior
>> to know whether the access_log entries below are attack attempts, or
>> something less alarming. I'm seeing repeated entries like these from a
>> handful of IP addresses at a time, all with 404 errors using "POST
>> /index.php":
>>
>> 222.186.24.108 - - [01/Nov/2011:16:56:29 -0400] "POST /index.php
>> HTTP/1.1" 404 7168 "http://www.example.com/index.php" "Mozilla/5.0
>> (Windows NT 6.1; rv:6.0.2) Gecko/20100101 Firefox/6.0.2" 31508 7609
>> 222.186.24.108 - - [01/Nov/2011:16:56:46 -0400] "POST /index.php
>> HTTP/1.1" 404 7169 "http://www.example.com/index.php" "Mozilla/5.0
>> (Windows NT 6.1; rv:6.0.2) Gecko/20100101 Firefox/6.0.2" 85912 7610
>>
>> Is this a known exploit attempt? The server has been responding
>> slowly, and I believe this is partly the cause.
>
> I've installed OSSEC and set a rule that drops an IP address for 30
> minutes after 10 404s in a reasonably short time.
Yes, I've implemented iptables to drop the attempts. I was really just
curious if it was a specific attack with a known pattern so I could
investigate further. fail2ban is great for things like this.
Thanks,
Alex
More information about the users
mailing list