Hobbs

msg:4171000 | 7:41 pm on Jul 15, 2010 (gmt 0) |
Yes 222.76.218.a
|
dstiles

msg:4171104 | 10:15 pm on Jul 15, 2010 (gmt 0) |
Can't say if I've received any hits with those credentials but I have the range 222.76.208.0-222.76.223.255 blocked as being a Chinese server farm "belonging" to Xiamen.
|
incrediBILL

msg:4171133 | 11:23 pm on Jul 15, 2010 (gmt 0) |
It's coming from more than China; I'm seeing a world-wide botnet attack.
|
enigma1

msg:4171756 | 7:05 pm on Jul 16, 2010 (gmt 0) |
Bill, do you have code in place recording the headers for each attempt, apart from the logs that list just a few items? The general pattern of multiple attempts that I see in the logs (although the GET request is identical) also makes me think they change the headers to resend cookies etc. It's a wild guess, but I am thinking the multiple attempts could be meant to force the server to initialize a cookie, send it back and receive it, in other words to be sure the server doesn't redirect or kick them out because of the headers or cookies.
|
incrediBILL

msg:4171759 | 7:09 pm on Jul 16, 2010 (gmt 0) |
Sorry, on the site being attacked no headers are captured.
|
dstiles

msg:4171810 | 8:48 pm on Jul 16, 2010 (gmt 0) |
Probably just another distributed attack similar to casper. Most of the "attacks" I'm seeing at the moment are from compromised server farms, with very few exceptions (which are probably servers on company/personal DSL).
|
Megaclinium

msg:4175626 | 12:31 am on Jul 24, 2010 (gmt 0) |
I'm getting multiple php attacks from a cloaked bot on a compromised server host in Dana Point, CA, all 5 hits in two seconds. It keeps attacking despite eating 403's. 208.71.173.xx:

"GET //phpMyAdmin/main.php HTTP/1.1" 403 307 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
"GET //phpmyadmin/main.php HTTP/1.1" 403 307 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
"GET //pma/main.php HTTP/1.1" 403 307 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
"GET //mysql/main.php HTTP/1.1" 403 307 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
"GET //php-my-admin/main.php HTTP/1.1" 403 307 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
"GET //myadmin/main.php HTTP/1.1" 403 307 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"

If it comes from a non-banned address range, it will eat really large files. Inspired by this forum, I set up the attack directory and put huge nonsense files under those names.
|
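The probe pattern above (several admin-panel path variants from one IP inside a couple of seconds) is easy to pick out of an access log mechanically, and the ranges named in this thread can be checked with the standard ipaddress module. The following is an added example, not code from any poster: it parses Apache combined-format lines, flags an IP once it sends at least five admin-panel probes inside a two-second window, applies tangor's "any .php in the URI" rule as a second classifier, and tests the flagged IP against the 208.71.168.0/21 and 222.76.208.0-222.76.223.255 ranges posted here. The log lines are constructed for the example; the poster masked the last octet, so 208.71.173.10 is an assumed address, and 198.51.100.7 is a documentation address standing in for an ordinary visitor. The function names and thresholds are my choices.

```python
import re
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample in Apache combined log format (not the poster's log).
# The poster masked the last octet, so 208.71.173.10 is an assumed value;
# 198.51.100.7 is a documentation address used as an innocent visitor.
SAMPLE_LOG = """\
208.71.173.10 - - [24/Jul/2010:00:30:01 +0000] "GET //phpMyAdmin/main.php HTTP/1.1" 403 307 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
208.71.173.10 - - [24/Jul/2010:00:30:01 +0000] "GET //phpmyadmin/main.php HTTP/1.1" 403 307 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
208.71.173.10 - - [24/Jul/2010:00:30:02 +0000] "GET //pma/main.php HTTP/1.1" 403 307 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
208.71.173.10 - - [24/Jul/2010:00:30:02 +0000] "GET //mysql/main.php HTTP/1.1" 403 307 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
208.71.173.10 - - [24/Jul/2010:00:30:02 +0000] "GET //php-my-admin/main.php HTTP/1.1" 403 307 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
208.71.173.10 - - [24/Jul/2010:00:30:02 +0000] "GET //myadmin/main.php HTTP/1.1" 403 307 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
198.51.100.7 - - [24/Jul/2010:00:31:10 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [24/Jul/2010:00:35:44 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 210 "-" "Mozilla/5.0"
"""

# Admin-panel directory names taken from the probes quoted in the post above.
ADMIN_DIRS = {"phpmyadmin", "pma", "mysql", "php-my-admin", "myadmin"}

# Ranges named in the thread: 208.71.168.0/21 (Megaclinium) and
# 222.76.208.0-222.76.223.255 (dstiles), which is 222.76.208.0/20.
BLOCKED_RANGES = [
    ipaddress.ip_network("208.71.168.0/21"),
    ipaddress.ip_network("222.76.208.0/20"),
]

# Apache "combined" LogFormat: host ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line; return None for lines that don't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def normalise_path(path):
    """Drop the query string, collapse repeated slashes (the bot sends //), lower-case."""
    return re.sub(r"/+", "/", path.split("?", 1)[0]).lower()


def is_admin_probe(path):
    """True when the first path component is a known admin-panel directory name."""
    parts = [p for p in normalise_path(path).split("/") if p]
    return bool(parts) and parts[0] in ADMIN_DIRS


def php_in_uri(path):
    """tangor's rule: the site serves no PHP at all, so any .php in the URI is a bot."""
    return ".php" in normalise_path(path)


def find_probe_bursts(log_text, threshold=5, window_seconds=2):
    """Return {ip: sorted probe paths} for every IP that sent at least
    `threshold` admin-panel probes inside some `window_seconds`-long window."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_admin_probe(rec["path"]):
            hits[rec["ip"]].append((rec["ts"], rec["path"]))
    flagged = {}
    for ip, events in hits.items():
        events.sort()
        j = 0  # left edge of the sliding time window
        for i in range(len(events)):
            while (events[i][0] - events[j][0]).total_seconds() > window_seconds:
                j += 1
            if i - j + 1 >= threshold:
                flagged[ip] = sorted({p for _, p in events})
                break
    return flagged


def is_blocked(ip):
    """True when `ip` falls inside one of the banned ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKED_RANGES)


if __name__ == "__main__":
    for ip, paths in find_probe_bursts(SAMPLE_LOG).items():
        print(ip, "already blocked" if is_blocked(ip) else "NOT blocked", paths)
```

The single 404 on /phpmyadmin/ from 198.51.100.7 is counted as a probe but never reaches the burst threshold, so a one-off hit (a curious human, or a crawler following a stale link) is not banned; only the rapid multi-variant scan is. Swap `threshold` and `window_seconds` for whatever your own logs show the bots doing.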
Megaclinium

msg:4175627 | 12:32 am on Jul 24, 2010 (gmt 0) |
Whoops, here's the whole range to deep-six: 208.71.168.0/21
|
blend27

msg:4175640 | 1:51 am on Jul 24, 2010 (gmt 0) |
ws.arin.net/whois/?queryinput=Network+Data+Center+Host%2C+Inc. while you at it.
|
Megaclinium

msg:4175641 | 1:58 am on Jul 24, 2010 (gmt 0) |
Neat - I was trying to figure out how to look up other ranges for banned hosts. Like leftovers, they seem to come back later, often from a different range, same host.
|
tangor

msg:4175659 | 3:02 am on Jul 24, 2010 (gmt 0) |
My solution to these particular attacks is not for everyone: I don't run php on my server so I 403 any php in the URI. Works a charm!
|
tangor

msg:4175660 | 3:08 am on Jul 24, 2010 (gmt 0) |
(edit... realized revealing what I 403 might give the bot ghods a clue end edit) have been 403'd for the last year. Take a look at your logs and see if there is ANY human behind those. Think it will surprise you. PM if you want my list of other things to 403...
|