On 13/12/2011 9:34 AM, Jeffrey Moncrieff wrote:
Hello
I am hosting a couple of virtual web servers at home. The sites are not that busy. But I am seeing a lot of 404 errors, and this morning I was checking my daily logwatch report and I spotted something weird in the logs:
A total of 2 sites probed the server
122.255.96.164
85.88.195.35
A total of 3 possible successful probes were detected (the following URLs
contain strings that match one or more of a listing of strings that
indicate a possible exploit):
/?file=../../../../../../proc/self/environ%00 HTTP Response 200
/?mod=../../../../../../proc/self/environ%00 HTTP Response 200
/?page=../../../../../../proc/self/environ%00 HTTP Response 200
I have since blocked those IPs with iptables. But now I want to know if there is a script that I can run that automatically blocks suspected malicious IPs, or do I just have to babysit the server and keep a closer eye on the logs?
Jeff
Jeffrey Dean Moncrieff
Moncrieff consulting IT
Vancouver/Ottawa
Cell (613)298-6493
jeffrey [ dot ] moncrieff [ at ] yahoo [ dot ] ca
_______________________________________________
Linux mailing list
Linux [ at ] lists [ dot ] oclug [ dot ] on [ dot ] ca
http://oclug.on.ca/mailman/listinfo/linux
May I recommend that instead of banning, you close the security hole?
Disable whatever is allowing content access via ?xxx=.
J-F
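
As an added example (not part of either message in this thread): a log scan that flags requests like the ones in the logwatch report above, percent-decoding the query string before matching and counting hits per client. The combined log format, the marker list, the threshold and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, unquote

# Assumed Apache/nginx "combined" format: client IP, request line, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

# Markers of the probe shown in the logwatch report, checked after decoding.
SUSPICIOUS = ("../", "..\\", "\x00", "/proc/self/")

def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so double-encoded input (%252e) is caught too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_probes(lines):
    """Return {ip: [(status, decoded_query), ...]} for traversal-style requests."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than guess
        ip, _method, target, status = m.groups()
        query = decode_fully(urlsplit(target).query)
        if any(marker in query for marker in SUSPICIOUS):
            hits[ip].append((int(status), query))
    return dict(hits)

def block_candidates(hits, threshold=2):
    """IPs with at least `threshold` probe requests, sorted for stable output."""
    return sorted(ip for ip, reqs in hits.items() if len(reqs) >= threshold)

# Constructed sample log lines (documentation-range addresses, not real data).
SAMPLE_LOG = [
    '192.0.2.10 - - [13/Dec/2011:03:12:01 -0500] "GET /?file=../../../../../../proc/self/environ%00 HTTP/1.1" 200 5120 "-" "-"',
    '192.0.2.10 - - [13/Dec/2011:03:12:02 -0500] "GET /?mod=%252e%252e%252fproc%252fself%252fenviron HTTP/1.1" 200 5120 "-" "-"',
    '198.51.100.7 - - [13/Dec/2011:03:15:40 -0500] "GET /?page=about HTTP/1.1" 200 2048 "-" "-"',
    '203.0.113.5 - - [13/Dec/2011:03:20:11 -0500] "GET /index.php?page=../../../../../../proc/self/environ%00 HTTP/1.1" 404 312 "-" "-"',
]

if __name__ == "__main__":
    found = find_probes(SAMPLE_LOG)
    for ip in block_candidates(found):
        print(ip, found[ip])
```

A 200 status in these results only means the server returned a page. Comparing the response size with a normal request for the same URL helps judge whether the parameter was actually honoured.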