F19: Is this an httpd attack attempt?
Dan Thurman
dant at cdkkt.com
Tue Mar 4 01:40:48 UTC 2014
On 03/03/2014 05:11 PM, Dan Thurman wrote:
> On 03/03/2014 03:25 PM, Rick Stevens wrote:
>> On 03/03/2014 02:06 PM, eoconnor25 at gmail.com issued this missive:
>>> What's the best way to avoid/prevent this from happening?...
>>
>> Since the IP is part of a Turkish /24 network, odds are it's a hack
>> attempt. If you don't care about servicing Turkey, you could block that
>> IP space in your firewall. Pertinent information:
>>
>> inetnum: 185.4.227.0 - 185.4.227.255
>> netname: SAYFANET
>> descr: Istanbul DC Customer
>> country: TR
>> admin-c: KSM20-RIPE
>> tech-c: KSM20-RIPE
>> status: ASSIGNED PA
>> mnt-by: ER101-MNT
>> source: RIPE # Filtered
>>
>> ("whois 185.4.227.194" will give you the gory details), so add that /24
>> to your filter list. In the old days:
>>
>> iptables -I INPUT [some-rulenumber] -s 185.4.227.0/24 -j DROP
>>
>> It's difficult to weed out traffic selectively unless you have the
>> ability to do a deep packet inspection and look at the actual request.
>> Generally that equipment costs a good deal of $$$$.
>>
>>> ----- Reply message -----
>>> From: "Mark Haney" <mhaney at practichem.com>
>>> To: <users at lists.fedoraproject.org>
>>> Subject: F19: Is this an httpd attack attempt?
>>> Date: Mon, Mar 3, 2014 11:59 am
>>>
>>>
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>>
>>>
>>> On 03/03/14 11:42, Dan Thurman wrote:
>>> >
>>> > It looks to me like a successful indirect connection?
>>> >
>>> > The following is taken from /var/log/httpd/access_log
>>> >
>>> > 185.4.227.194 - - [03/Mar/2014:07:27:49 -0800] "GET
>>> >
>>> http://24x7-allrequestsallowed.com/?PHPSESSID=1rmsxtj500143TRMUTP_ODZZWA
>>>
>>> >
>>> >
>>> HTTP/1.1" 200 5264 "-" "-"
>>> >
>>>
>>> It certainly looks that way. I see several of those kinds of GETs a
>>> day on our web servers. Not from that particular domain, but similar
>>> types of GETs.
>>>
>>> A quick google points to similar GET requests to that domain as far
>>> back as 2011, and the domain itself isn't live, just a placeholder for
>>> parked domain.
>>>
>>> - -- Mark Haney
>>> Network/Systems Administrator
>>> Practichem
>>> W: (919) 714-8428
>>> Fedora release 20 (Heisenbug) 3.13.4-200.fc20.x86_64
>>> -----BEGIN PGP SIGNATURE-----
>>> Version: GnuPG v1
>>> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>>>
>>> iQEcBAEBAgAGBQJTFLTbAAoJEM/YzwEAv6e7lMUH/20KyuLCbB9FeGV5fbe1OB8s
>>> AQUxwifz9XyyD+5x3EEs4Oeg062/cyySVAcE5KyFEoQvfeMXGJEpzcHS2fXWHkSk
>>> q7w25D78iQzIvZlD0Y1XDxxJ4X8td6rBKARGTNyL94mRhunEJGH/kiVhqEBnJLxW
>>> o1GQLjlLg2vNlpDDjjhko4cqATDFJOv8fBDh/CyY/PcfHC8XcPR0SGQ+Tz24PnGx
>>> VzpIvysV2iJiARQgscg8/gDQo772eqLDLIEmo/6Z1uVBCYa8MUCxge122JMvAvJ5
>>> hBiEIhc7s6VHGGImyQaUDxjZ/q47jBazmDp6SIu5fUyTlbl759JE33erOhkglIQ=
>>> =nqC7
>>> -----END PGP SIGNATURE-----
>>>
>>> --
>>> users mailing list
>>> users at lists.fedoraproject.org
>>> To unsubscribe or change subscription options:
>>> https://admin.fedoraproject.org/mailman/listinfo/users
>>> Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
>>> Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
>>> Have a question? Ask away: http://ask.fedoraproject.org
>>>
>>>
>
> Alternatively, one could add the following IPs to /etc/hosts.deny:
>
> ALL: 85.25.196.141
> ALL: 85.25.226.154
> ALL: 146.185.239.100
> ALL: 185.4.227.194
> ALL: 192.99.2.75
> [...]
>
> This works if the IPs are static but if IPs are from a pool, dynamic,
> or spoofed, then one is out of luck chasing a tiger's tail?
>
> FWIW
>
Ugh, Apache by default does not use the tcpwrappers
unless recompiled. Another alternative is to append
the following to /etc/httpd/conf/httpd.conf:
# Blacklist
<Location />
<Limit GET POST PUT>
order allow,deny
allow from all
deny from 85.25.196.141
deny from 85.25.226.154
deny from 146.185.239.100
deny from 185.4.227.194
deny from 192.99.2.75
</Limit>
</Location>
More information about the users
mailing list