jammy3
Joined: 17 Aug 2005, Posts: 10
Posted: Tue May 02, 2006 4:50 am  Post subject: restrict access?
I often get "hits" from DIFFERENT IP addresses for the same bogus files/paths.
One frequent example is:
/a1b2c3d4e5f6g7h8i9/nonexistentfile.php
I'd like to BAN anyone that requests this path/file as it's always the first in a series of requests, but haven't figured out how.
I already have a setting to ban after N requests, but I'd rather have a separate rule for specific file access.
TIA.
aprelium
Joined: 22 Mar 2002, Posts: 6800
Posted: Tue May 02, 2006 9:56 am  Post subject: Re: restrict access?
jammy3,
Activate the anti-hacking feature. It will automatically ban IPs which send more than a given number of bogus requests in a certain amount of time.
_________________
Support Team
Aprelium - http://www.aprelium.com
jammy3
Joined: 17 Aug 2005, Posts: 10
Posted: Tue May 02, 2006 1:04 pm  Post subject: Re: restrict access?
aprelium wrote:
    jammy3,
    Activate the anti-hacking feature. It will automatically ban IPs which send more than a given number of bogus requests in a certain amount of time.
Thanks. Already did that and set it at 10 in 60 sec. The problem is that they seem to use an anonymizer as the IP address is always different, but the same set of commands is always used:
64.33.120.64 - - [17/Apr/2006:07:44:58 -0500] "GET /a1b2c3d4e5f6g7h8i9/nonexistentfile.php HTTP/1.0" 404 234 "" ""
64.33.120.64 - - [17/Apr/2006:07:44:58 -0500] "GET /adxmlrpc.php HTTP/1.0" 404 234 "" ""
64.33.120.64 - - [17/Apr/2006:07:44:59 -0500] "GET /adserver/adxmlrpc.php HTTP/1.0" 404 234 "" ""
64.33.120.64 - - [17/Apr/2006:07:44:59 -0500] "GET /phpAdsNew/adxmlrpc.php HTTP/1.0" 404 234 "" ""
64.33.120.64 - - [17/Apr/2006:07:44:59 -0500] "GET /phpadsnew/adxmlrpc.php HTTP/1.0" 404 234 "" ""
64.33.120.64 - - [17/Apr/2006:07:44:59 -0500] "GET /phpads/adxmlrpc.php HTTP/1.0" 404 234 "" ""
64.33.120.64 - - [17/Apr/2006:07:44:59 -0500] "GET /Ads/adxmlrpc.php HTTP/1.0" 404 234 "" ""
64.33.120.64 - - [17/Apr/2006:07:44:59 -0500] "GET /ads/adxmlrpc.php HTTP/1.0" 404 234 "" ""
64.33.120.64 - - [17/Apr/2006:07:44:59 -0500] "GET /xmlrpc.php HTTP/1.0" 404 234 "" ""
64.33.120.64 - - [17/Apr/2006:07:44:59 -0500] "GET /xmlrpc/xmlrpc.php HTTP/1.0" 404 234 "" ""
64.33.120.64 - - [17/Apr/2006:07:44:59 -0500] "GET /xmlsrv/xmlrpc.php HTTP/1.0" 404 234 "" ""
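One way to get the separate per-path rule jammy3 is asking for, as an added example that is not part of this thread or of Abyss itself: a small Python log monitor in the spirit of the anti-hacking feature. It bans a client on its first request for a "tripwire" path (regardless of the status code returned) and, independently, applies the 10-in-60-seconds 404 rule. The tripwire set, the thresholds and the 10.0.0.5 sample lines are assumptions; the 64.33.120.64 lines are taken from the log quoted above.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Common log line: ip ident user [time] "method path proto" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

# Paths no legitimate visitor ever asks for (assumed set); one hit is enough to ban.
TRIPWIRE_PATHS = {"/a1b2c3d4e5f6g7h8i9/nonexistentfile.php"}
MAX_404, WINDOW_SEC = 10, 60  # the "10 in 60 sec" rate rule from the thread

def analyze(log_text, tripwires=TRIPWIRE_PATHS, max_404=MAX_404, window=WINDOW_SEC):
    """Return {ip: reason} for every client that trips either rule."""
    banned = {}
    recent_404 = defaultdict(deque)  # ip -> timestamps of its recent 404s
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # truncated or malformed line: ignore it
        ip, ts, _method, path, status = m.groups()
        if ip in banned:
            continue
        # Rule 1: a tripwire path bans on the first request, whatever the status.
        if path.split("?", 1)[0] in tripwires:
            banned[ip] = "tripwire " + path
            continue
        # Rule 2: at least max_404 bogus requests inside a sliding time window.
        if status == "404":
            t = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
            q = recent_404[ip]
            q.append(t)
            while (t - q[0]).total_seconds() > window:
                q.popleft()  # drop 404s that fell out of the window
            if len(q) >= max_404:
                banned[ip] = f"{len(q)} 404s within {window}s"
    return banned

# Constructed sample: the 64.33.120.64 lines come from the post above; the 10.0.0.5
# lines are made up to show an ordinary visitor that only causes a couple of 404s.
SAMPLE_LOG = """\
64.33.120.64 - - [17/Apr/2006:07:44:58 -0500] "GET /a1b2c3d4e5f6g7h8i9/nonexistentfile.php HTTP/1.0" 404 234 "" ""
64.33.120.64 - - [17/Apr/2006:07:44:58 -0500] "GET /adxmlrpc.php HTTP/1.0" 404 234 "" ""
64.33.120.64 - - [17/Apr/2006:07:44:59 -0500] "GET /xmlrpc.php HTTP/1.0" 404 234 "" ""
10.0.0.5 - - [17/Apr/2006:07:50:01 -0500] "GET /news.php HTTP/1.1" 200 12428 "" "Mozilla/5.0"
10.0.0.5 - - [17/Apr/2006:07:50:02 -0500] "GET /missing.png HTTP/1.1" 404 234 "" "Mozilla/5.0"
10.0.0.5 - - [17/Apr/2006:07:50:03 -0500] "GET /old.css HTTP/1.1" 404 234 "" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, why in analyze(SAMPLE_LOG).items():
        print(f"ban {ip}: {why}")
```

With the defaults only the scanner is banned, on its very first line, while the visitor with two stray 404s is left alone; the rate rule alone would need ten bogus requests before acting.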
AbyssUnderground
Joined: 31 Dec 2004, Posts: 3855
Posted: Tue May 02, 2006 1:29 pm
Unless you have any of those programs/scripts installed I don't think it will be much to worry about.
You could always ban the IP range of the anonymous IPs they are using.
_________________
Andy (AbyssUnderground) (previously The Inquisitor)
www.abyssunderground.co.uk
Clarke
Joined: 28 Jul 2006, Posts: 3
Posted: Tue Aug 01, 2006 4:37 pm
For real! What is this? I have been getting repeated requests for months now from different IPs looking for this too!
/a1b2c3d4e5f6g7h8i9/nonexistentfile.php
I did some googling on this and came across this thread. There are other sites talking about this.
I'm really curious as to what this is.
These are some other strange requests I get once in a while:
Quote:
219.239.94.252 - - [30/Jul/2006:19:58:12 -0700] "GET //README HTTP/1.1" 404 403 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
219.239.94.252 - - [30/Jul/2006:19:58:13 -0700] "GET /horde//README HTTP/1.1" 404 403 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
219.239.94.252 - - [30/Jul/2006:19:58:14 -0700] "GET /horde2//README HTTP/1.1" 404 403 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
219.239.94.252 - - [30/Jul/2006:19:58:15 -0700] "GET /horde3//README HTTP/1.1" 404 403 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
219.239.94.252 - - [30/Jul/2006:19:58:16 -0700] "GET /horde-3.0.9//README HTTP/1.1" 404 403 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
219.239.94.252 - - [30/Jul/2006:19:58:17 -0700] "GET /Horde//README HTTP/1.1" 404 403 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
211.233.36.87 - - [31/Jul/2006:11:29:52 -0700] "GET //README HTTP/1.1" 404 403 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
211.233.36.87 - - [31/Jul/2006:11:29:53 -0700] "GET /horde//README HTTP/1.1" 404 403 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
211.233.36.87 - - [31/Jul/2006:11:29:53 -0700] "GET /horde2//README HTTP/1.1" 404 403 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
211.233.36.87 - - [31/Jul/2006:11:29:54 -0700] "GET /horde3//README HTTP/1.1" 404 403 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
211.233.36.87 - - [31/Jul/2006:11:29:54 -0700] "GET /horde-3.0.5//README HTTP/1.1" 404 403 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
211.233.36.87 - - [31/Jul/2006:11:29:55 -0700] "GET /horde-3.0.6//README HTTP/1.1" 404 403 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
211.233.36.87 - - [31/Jul/2006:11:29:55 -0700] "GET /horde-3.0.7//README HTTP/1.1" 404 403 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
211.233.36.87 - - [31/Jul/2006:11:29:56 -0700] "GET /horde-3.0.8//README HTTP/1.1" 404 403 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
211.233.36.87 - - [31/Jul/2006:11:29:56 -0700] "GET /horde-3.0.9//README HTTP/1.1" 404 403 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
211.233.36.87 - - [31/Jul/2006:11:29:57 -0700] "GET /mail//README HTTP/1.1" 404 403 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
211.233.36.87 - - [31/Jul/2006:11:29:57 -0700] "GET /email//README HTTP/1.1" 404 403 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
211.233.36.87 - - [31/Jul/2006:11:29:58 -0700] "GET /webmail//README HTTP/1.1" 404 403 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
211.233.36.87 - - [31/Jul/2006:11:29:58 -0700] "GET /newmail//README HTTP/1.1" 404 403 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
211.233.36.87 - - [31/Jul/2006:11:29:59 -0700] "GET /mails//README HTTP/1.1" 404 403 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
211.233.36.87 - - [31/Jul/2006:11:29:59 -0700] "GET /mailz//README HTT
Quote:
66.70.158.66 - - [01/Aug/2006:03:24:03 -0700] "GET /a1b2c3d4e5f6g7h8i9/nonexistentfile.php HTTP/1.0" 200 34 "" ""
127.0.0.1 - - [01/Aug/2006:04:56:04 -0700] "GET / HTTP/1.1" 302 5 "" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.5) Gecko/20060719 Firefox/1.5.0.5"
127.0.0.1 - - [01/Aug/2006:04:56:14 -0700] "GET /news.php HTTP/1.1" 200 12428 "" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.5) Gecko/20060719 Firefox/1.5.0.5"
127.0.0.1 - - [01/Aug/2006:04:56:17 -0700] "GET /e107_files/sleight_js.php HTTP/1.1" 200 1382 "" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.5) Gecko/20060719 Firefox/1.5.0.5"
127.0.0.1 - - [01/Aug/2006:04:56:17 -0700] "GET /e107_themes/sebes/images/logo2.png HTTP/1.1" 304 0 "" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.5) Gecko/20060719 Firefox/1.5.0.5"
127.0.0.1 - - [01/Aug/2006:04:56:17 -0700] "GET /e107_themes/sebes/images/logo1.png HTTP/1.1" 304 0 "" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.5) Gecko/20060719 Firefox/1.5.0.5"
127.0.0.1 - - [01/Aug/2006:04:56:17 -0700] "GET /e107_images/button.png HTTP/1.1" 304 0 "" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.5) Gecko/20060719 Firefox/1.5.0.5"
(Windows; U; Windows NT 5.1; en-US; rv:1.8.0.5) Gecko/20060719 Firefox/1.5.0.5"
72.30.107.18 - - [01/Aug/2006:05:09:22 -0700] "GET /robots.txt HTTP/1.0" 200 155 "" "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)"
72.30.98.153 - - [01/Aug/2006:05:09:41 -0700] "GET / HTTP/1.0" 302 0 "" "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)"
72.30.98.153 - - [01/Aug/2006:05:16:21 -0700] "GET /news.php HTTP/1.0" 200 10715 "" "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)"
69.60.118.201 - - [01/Aug/2006:08:10:18 -0700] "GET /a1b2c3d4e5f6g7h8i9/nonexistentfile.php HTTP/1.0" 200 34 "" ""
(Windows; U; Windows NT 5.1; en-US; rv:1.8.0.5) Gecko/20060719 Firefox/1.5.0.5"
127.0.0.1 - - [01/Aug/2006:08:32:12 -0700] "GET /favicon.ico H
pkSML
Joined: 29 May 2006, Posts: 955, Location: Michigan, USA
Posted: Tue Aug 01, 2006 10:34 pm
I've seen this problem too. It is very annoying. I think it comes from IP scanners run by hackers. I have Abyss X2 and see this problem only on the default host. In other words, they found it by requesting http://24.145.130.71, not http://stephen.calvarybucyrus.org, which is hosted at this IP.
It seems like a hacker, and they probably share their codes. Hackers are often looking for exploitation possibilities. If they find a certain file, they know something about your system, and probably have a way to compromise its security. There are many of them running the same code, so this is my explanation for the multiple IPs seen in your log.
_________________
Stephen
Need a LitlURL?
http://CodeBin.yi.org
loloyd
Joined: 03 Mar 2006, Posts: 435, Location: Philippines
Posted: Thu Aug 03, 2006 6:40 am
It may not be actively from a hacker at all, but from a host of compromised, insecure PCs mostly running deficiently-patched Windows. My home-based server also suffers from this same problem (and more) and I think the bots doing this sure are smart. They actually circumvent abuse-detection systems (like what you can set in Abyss' Anti-Hacking Protection feature) by trying only a few possibly exploitable resources on your website at any given time. It really is a big nuisance, like spam.
At the moment, there appears to be nothing that's at least 75% effective (with zero false positives) in blocking these hack attempts.
_________________
http://home.loloyd.com/ is online if the logo graphic at left is showing.