
Bot looking for Exploits?

         

Bluestreak

4:32 am on Jun 15, 2002 (gmt 0)

10+ Year Member



Found some interesting activity in my logs...

There's a bot using a spoofed user_agent like this: "LZNKRVKZ"

It goes directly to one page on my site, which happens to display a short article on a security flaw in "Sudo". I'm wondering if there's any correlation; is it possible the bot is looking for keywords with Sudo to find security flaws on my site? It's weird that this seems to be the only page it grabs, and I've seen less than friendly activity from bots that have cryptic names like "LZNKRVKZ" for user agents. Hmmmmm....

littleman

5:37 am on Jun 15, 2002 (gmt 0)



I've seen bots do that too. From the pattern in my logs I think the ones I saw were scavengers/harvesters. I guess the logic is that you can't ban a bot that has a constantly changing UA and uses anonymous proxies.

Luke86

7:13 am on Jun 15, 2002 (gmt 0)

10+ Year Member



I used a security program a while back; it scanned your website (or any website) for security flaws and came back with a report. I remember an option to set the UA.

It's possible it could be one of these programs and that someone is checking for flaws in your site.

chris_f

9:25 am on Jun 15, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



There was a post here a couple of days ago. It was about AV using strings like that. I think it was them detecting for a custom 404 page.

Chris

Bluestreak

2:36 pm on Jun 15, 2002 (gmt 0)

10+ Year Member



Do you remember what the name of the security program was? Might be a good idea for me to try something like that too, make sure there are no gaping holes on my site just waiting to be exploited :D

Key_Master

3:27 pm on Jun 15, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Bluestreak,

Add this line to your .htaccess file and it will keep this bugger away.

SetEnvIf User-Agent "^([^\ ][A-Z]+)$" ban

This bans any user agent name that consists of only capital letters but doesn't contain a space in the name.

There's a way to block anything thanks to Apache. :)

Bluestreak

3:54 pm on Jun 15, 2002 (gmt 0)

10+ Year Member



You da man Key!

Kev

8:58 am on Jun 16, 2002 (gmt 0)



I use an 'upper case, single string' comparison to block this agent(s) on IIS 5, but did accidentally block a legitimate(?) search bot in the process (something like HOOVER/1.0)... oooops :)

idiotgirl

9:07 am on Jun 16, 2002 (gmt 0)

10+ Year Member Top Contributors Of The Month



Key_Master-

Is this for generic .htaccess or only if mod_rewrite is available?

Key_Master

4:49 pm on Jun 16, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



idiotgirl,

The following should work just as well. When I came up with the solution I mistakenly believed that [A-Z] would also ban spaces. Of course, it doesn't.

SetEnvIf User-Agent "^([A-Z]+)$" ban

It should work even if you don't have mod_rewrite privileges. You have to add this line in the appropriate space of your .htaccess file for it to work.

deny from env=ban

Example:

SetEnvIf User-Agent "^([A-Z]+)$" ban

<Limit GET POST>
order allow,deny
allow from all
deny from env=ban
</Limit>

This will not ban any user agent which contains numbers or special characters. Only upper case alphabetical characters (letters A-Z) will trigger the ban.
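Added example, not posted by anyone in the thread: a Python dry run of the two SetEnvIf patterns above against access-log lines, to see which user agents each would flag before the rule goes into .htaccess. It assumes Python's `re` treats these simple patterns the same way Apache does and that the log is in combined format; the log lines, IPs and paths are constructed.

```python
import re

# The two patterns from the thread: the first version and the corrected one.
FIRST = re.compile(r'^([^\ ][A-Z]+)$')
CORRECTED = re.compile(r'^([A-Z]+)$')

# Combined log format; the user agent is the last quoted field.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (documentation IP range, made-up paths).
SAMPLE = """\
192.0.2.10 - - [15/Jun/2002:04:32:10 +0000] "GET /articles/sudo.html HTTP/1.0" 200 5120 "-" "LZNKRVKZ"
192.0.2.11 - - [15/Jun/2002:04:33:02 +0000] "GET / HTTP/1.0" 200 2048 "-" "HOOVER/1.0"
192.0.2.12 - - [15/Jun/2002:04:34:40 +0000] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
192.0.2.13 - - [15/Jun/2002:04:35:07 +0000] "GET / HTTP/1.0" 200 2048 "-" "7QWERTY"
192.0.2.14 - - [15/Jun/2002:04:36:51 +0000] "GET / HTTP/1.0" 200 2048 "-" "-"
"""

def user_agents(log_text):
    """Yield the user agent of every line that parses as combined format."""
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            yield m.group("ua")

def banned(log_text, pattern):
    """Return, in log order, the user agents the pattern would mark 'ban'."""
    return [ua for ua in user_agents(log_text) if pattern.search(ua)]

def differences(log_text):
    """User agents flagged by exactly one of the two patterns."""
    first = set(banned(log_text, FIRST))
    corrected = set(banned(log_text, CORRECTED))
    return sorted(first ^ corrected)

if __name__ == "__main__":
    print("first pattern bans:    ", banned(SAMPLE, FIRST))
    print("corrected pattern bans:", banned(SAMPLE, CORRECTED))
    print("flagged by only one:   ", differences(SAMPLE))
```

The first pattern accepts any non-space first character, so it also flags "7QWERTY"; the corrected one flags only all-capital names, and neither touches "HOOVER/1.0".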