F19: Is this an httpd attack attempt?

Rick Stevens ricks at alldigital.com
Mon Mar 3 23:25:59 UTC 2014 

On 03/03/2014 02:06 PM, eoconnor25 at gmail.com issued this missive:
> What's the best way to avoid/prevent this from happening?...

Since the IP is part of a Turkish /24 network, odds are it's a hack
attempt. If you don't care about servicing Turkey, you could block that
IP space in your firewall. Pertinent information:

inetnum:        185.4.227.0 - 185.4.227.255
netname:        SAYFANET
descr:          Istanbul DC Customer
country:        TR
admin-c:        KSM20-RIPE
tech-c:         KSM20-RIPE
status:         ASSIGNED PA
mnt-by:         ER101-MNT
source:         RIPE # Filtered

("whois 185.4.227.194" will give you the gory details), so add that /24
to your filter list. In the old days:

	iptables -I INPUT [some-rulenumber] -s 185.4.227.0/24 -j DROP

It's difficult to weed out traffic selectively unless you have the
ability to do a deep packet inspection and look at the actual request.
Generally that equipment costs a good deal of $$$$.

> ----- Reply message -----
> From: "Mark Haney" <mhaney at practichem.com>
> To: <users at lists.fedoraproject.org>
> Subject: F19: Is this an httpd attack attempt?
> Date: Mon, Mar 3, 2014 11:59 am
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
>
> On 03/03/14 11:42, Dan Thurman wrote:
>  >
>  > It looks to me like a successful indirect connection?
>  >
>  > The following is taken from /var/log/httpd/access_log
>  >
>  > 185.4.227.194 - - [03/Mar/2014:07:27:49 -0800] "GET
>  > http://24x7-allrequestsallowed.com/?PHPSESSID=1rmsxtj500143TRMUTP_ODZZWA
>  >
>  >
> HTTP/1.1" 200 5264 "-" "-"
>  >
>
> It certainly looks that way.  I see several of those kinds of GETs a
> day on our web servers.  Not from that particular domain, but similar
> types of GETs.
>
> A quick google points to similar GET requests to that domain as far
> back as 2011, and the domain itself isn't live, just a placeholder for
> parked domain.
>
> - --
> Mark Haney
> Network/Systems Administrator
> Practichem
> W: (919) 714-8428
> Fedora release 20 (Heisenbug) 3.13.4-200.fc20.x86_64
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
> iQEcBAEBAgAGBQJTFLTbAAoJEM/YzwEAv6e7lMUH/20KyuLCbB9FeGV5fbe1OB8s
> AQUxwifz9XyyD+5x3EEs4Oeg062/cyySVAcE5KyFEoQvfeMXGJEpzcHS2fXWHkSk
> q7w25D78iQzIvZlD0Y1XDxxJ4X8td6rBKARGTNyL94mRhunEJGH/kiVhqEBnJLxW
> o1GQLjlLg2vNlpDDjjhko4cqATDFJOv8fBDh/CyY/PcfHC8XcPR0SGQ+Tz24PnGx
> VzpIvysV2iJiARQgscg8/gDQo772eqLDLIEmo/6Z1uVBCYa8MUCxge122JMvAvJ5
> hBiEIhc7s6VHGGImyQaUDxjZ/q47jBazmDp6SIu5fUyTlbl759JE33erOhkglIQ=
> =nqC7
> -----END PGP SIGNATURE-----
>
> --
> users mailing list
> users at lists.fedoraproject.org
> To unsubscribe or change subscription options:
> https://admin.fedoraproject.org/mailman/listinfo/users
> Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
> Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
> Have a question? Ask away: http://ask.fedoraproject.org
>
>


-- 
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer, AllDigital    ricks at alldigital.com -
- AIM/Skype: therps2        ICQ: 22643734            Yahoo: origrps2 -
-                                                                    -
- Millihelen (n): The amount of beauty required to launch one ship.  -
----------------------------------------------------------------------

More information about the users mailing list