An abuse complaint increases exploit activity

webdav exploit and no help from the abuse contact

jrfoleyjr

6:21 am on May 29, 2011 (gmt 0)

10+ Year Member



Recently I noticed some strange (to me) activity in my Apache access.log, a couple dozen of these lines below...

188.138.109.100 - - [29/May/2011:01:04:44 -0400] "GET /webdav/uxampp.php&ip=IP&port=PORTHERE&time=120?act=phptools&ip=178.79.169.218&time=120&port=80 HTTP/1.1" 403 1168 "-" "-"

I googled the webdav exploit and I removed the webdav directory. I added a "deny from 188.138.109.100" to the .htaccess file which caused the 403 error code. But the hits in the access.log kept coming.

I did a whois on the IP and looked for the abuse address [abuse@plusserver.de]... After contacting the abuse address the hits increased. A second and third email did nothing. MANY more hits, all with 403 error code.

Am I missing something here?

wheel

2:07 pm on May 29, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I would just firewall the IP, or ask your webhosting company to do so. Then move on and forget about it. Trying to figure out the purpose of these idiots is futile.

lucy24

10:03 pm on May 29, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Locking robots out doesn't stop them from rattling the doorknob. It only stops them from getting in.
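An added example, not part of any post in this thread: a small Python check over Apache combined-format log lines that confirms every request from a denied IP was refused with 403 and counts probes of the /webdav/ path. The first sample line is the entry quoted above; the other lines, the documentation-range IPs, and the names `summarize`, `DENIED` and `SAMPLE` are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Apache combined log: host ident user [time] "request" status bytes ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

def summarize(lines, denied_ips, probe_prefix="/webdav/"):
    """Return (status counts per IP, probe hits per IP, leaks).

    A leak is a request from a denied IP answered with anything other
    than 403, meaning the deny rule did not apply to that request.
    """
    per_ip = defaultdict(Counter)
    probes = Counter()
    leaks = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format entry; skip it
        ip, status = m["ip"], int(m["status"])
        parts = m["request"].split(" ")
        path = parts[1] if len(parts) >= 2 else ""
        per_ip[ip][status] += 1
        if path.startswith(probe_prefix):
            probes[ip] += 1
        if ip in denied_ips and status != 403:
            leaks.append((ip, status, path))
    return per_ip, probes, leaks

# Assumption: the IPs listed in "deny from" rules; 203.0.113.5 is constructed.
DENIED = {"188.138.109.100", "203.0.113.5"}

SAMPLE = [
    # Entry quoted in the thread.
    '188.138.109.100 - - [29/May/2011:01:04:44 -0400] "GET /webdav/uxampp.php&ip=IP&port=PORTHERE&time=120?act=phptools&ip=178.79.169.218&time=120&port=80 HTTP/1.1" 403 1168 "-" "-"',
    # Constructed: a denied IP that is not actually being refused.
    '203.0.113.5 - - [29/May/2011:01:05:02 -0400] "GET /webdav/index.php HTTP/1.1" 404 512 "-" "-"',
    # Constructed: ordinary visitor traffic.
    '192.0.2.10 - - [29/May/2011:01:05:10 -0400] "GET /index.html HTTP/1.1" 200 4310 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    per_ip, probes, leaks = summarize(SAMPLE, DENIED)
    for ip, counts in per_ip.items():
        print(ip, dict(counts), "probes:", probes[ip])
    for ip, status, path in leaks:
        print("NOT BLOCKED:", ip, status, path)
```

An empty leak list with a growing 403 count is the "rattling the doorknob" case: the requests keep arriving, and each one is refused.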

jrfoleyjr

3:35 am on May 30, 2011 (gmt 0)

10+ Year Member



We need a way to shut down scumbag ISPs that seem to sponsor the operators of these bots.