So I've had the above twice in the last day (from different IPs) or so (each followed by a load of general requests for phpmyadmin and the like). My Windows 2003 machine running apache is up to date and I'm guessing that as none of the requests were successful (on account of phpmyadmin not being on the server) everything is fine. Right?
It has spooked me a bit though, do I have to basically live with it? Anyone else had experience with it?
Ta
http://isc.sans.org/diary.html?storyid=900
Are the ips the same each day? If so is simply blocking them at the firewall an option? Essentially it's someone scanning your server for vulns.
http://isc.sans.org/diary.html?storyid=900
It's a scanner tool. It doesn't execute vunerabilities in and of itself.
Originally Posted by Agent
Cheers you two, sorry I should have been more thorough, I knew it was a scanner thingy but wondered if there was anything I need worry about after that?
They were from different IP's so I've noted them, but not actually banned anything yet.
Naw, it's the application level equivilant of nmap'ing your boxes. If you don't like them doing it, ban 'em. Problem with this is, most of the dodgy kind of scans/attacks tunnel through the vast swaythes of compromised/proxy boxes out there.
I always wondered what these requests were for....I often see logs of this from my apache web server.
E6850@ 3700MHz / 6GB DDR2 / 500GB SATAII / nVidia 7800 GTX / Lian Li Plus7B
mayber just unplug your router for about 24 hours.. live without the web for a day. Bet they go away.
Static IP? If not, just reboot router to get new IP. See if it still occurs.
It isn't his computer/system that is being scanned specifically - his just happens to be in range. My server gets probed each and every day - some are malformed requests, some are requests for 'speculative' pages (like looking for phpmyadmin, others probe and try to log in through SSH (on one night I had 50,000 attempts. I also get malformed SMTP requests in an attempt to break my mailserver.
AFIK I'm not specifically targeted, but at some time there is a port scan of my IP addresses, the open ports are noted and that triggers some attacks. If i block the port for 5 minutes or so, they stop, but they return some hours or days later.
The solution is to keep OS and applications up to date, and to monitor logs for specific directed activity.
(\__/)
(='.'=)
(")_(")
Been helped or just 'Like' a post? Use the Thanks button!
My broadband speed - 750 Meganibbles/minute
Yup, you hit the nail squarely on the head here. My router flags a tonne of this crap. Half of it is from China or Russia, the other half of it is from compromised/proxy boxes, probably originating from China or Russia. Yet, nobody puts pressure on either countries to tackle it. All this vunrability canvasing and bot/worm/proxy/spam crap is a total waste of internet capacity. Also, <3 autoblacklisting features and honeypots.
Thanks everyone, there were a few scans from the same server but I will think nothing of it.
I'll keep an eye on logs and running processes just to be sure.
http://www.projecthoneypot.org/list_of_ips.php?ctry=RU
That might be useful if you want to block IPs / ranges.
If you don't use anything from Russia or China, I'd be tempted to block all the major ranges.
Spotted that entry in my webserver logs this morning. Lots of info on Google confirming that it is a probing attack - some info here
http://www.hostmyclass.net/kb/entry/17/ (one of many!)
(\__/)
(='.'=)
(")_(")
Been helped or just 'Like' a post? Use the Thanks button!
My broadband speed - 750 Meganibbles/minute
There are currently 1 users browsing this thread. (0 members and 1 guests)
Posting Permissions
LinkBack URL
About LinkBacks
Reply With Quote