HowtoForge Forums > ISPConfig 3 > General

  #1  
Old 8th September 2011, 16:35
rockan
Junior Member
 
Join Date: Mar 2008
Posts: 18
Thanks: 6
Thanked 1 Time in 1 Post
Block script attack hackers

Hi,

I have Ispconfig 3 running and I'm having troubles with a search box on a site running magento webshop.

I get searches like
Code:
"arc welding rods/admin/s/password_forgotten.php?action='"
"arc welding rods/admin/sqlpatch.php/password_forgotten.php?action=execute/admin/categories.php/login.php?cPath="
"arc welding rods/admin/sqlpatch.php/password_forgotten.php?action=execute/admin/sqlpatch.php/password_forgotten.php?action=execu"
"arc welding rods/admin/sqlpatch.php/password_forgotten.php?action=execute/login.php"
And if I look in the site's logs I can see that they are trying to reach certain admin addresses (that I have moved).
Code:
79.169.141.105 - - [08/Sep/2011:09:17:39 +0200] "GET /en/catalogsearch/result/?q=arc+welding+rods%2Fadmin%2Fsqlpatch.php%2Fpassword_forgotten.php%3Faction%3Dexecute/admin/file_manager.php/login.php HTTP/1.1" 200 35271 "-" "Mozilla/5.0 (compatible;Baiduspider/2.0;+http://www.baidu.com/search/spider.html)"
79.169.141.105 - - [08/Sep/2011:09:17:43 +0200] "GET /admin/file_manager.php/login.php HTTP/1.1" 404 1806 "-" "Mozilla/5.0 (compatible;Baiduspider/2.0;+http://www.baidu.com/search/spider.html)"
79.169.141.105 - - [08/Sep/2011:09:17:43 +0200] "GET /en/catalogsearch/result/admin/file_manager.php/login.php HTTP/1.1" 404 13154 "-" "Mozilla/5.0 (compatible;Baiduspider/2.0;+http://www.baidu.com/search/spider.html)""
79.169.141.105 - - [08/Sep/2011:09:18:13 +0200] "GET /en/catalogsearch/result/?q=arc+welding+rods%2Fadmin%2Fsqlpatch.php%2Fpassword_forgotten.php%3Faction%3Dexecute/admin/banner_manager.php/login.php HTTP/1.1" 200 35379 "-" "Mozilla/5.0 (compatible;Baiduspider/2.0;+http://www.baidu.com/search/spider.html)"
79.169.141.105 - - [08/Sep/2011:09:18:15 +0200] "GET /admin/banner_manager.php/login.php HTTP/1.1" 404 1806 "-" "Mozilla/5.0 (compatible;Baiduspider/2.0;+http://www.baidu.com/search/spider.html)"
79.169.141.105 - - [08/Sep/2011:09:18:16 +0200] "GET /en/catalogsearch/result/admin/banner_manager.php/login.php HTTP/1.1" 404 13162 "-" "Mozilla/5.0 (compatible;Baiduspider/2.0;+http://www.baidu.com/search/spider.html)"
79.169.141.105 - - [08/Sep/2011:09:18:15 +0200] "GET /en/catalogsearch/result/?q=arc+welding+rods%2Fadmin%2Fsqlpatch.php%2Fpassword_forgotten.php%3Faction%3Dexecute/admin/categories.php/login.php HTTP/1.1" 200 35211 "-" "Mozilla/5.0 (compatible;Baiduspider/2.0;+http://www.baidu.com/search/spider.html)"
79.169.141.105 - - [08/Sep/2011:09:18:19 +0200] "GET /admin/categories.php/login.php HTTP/1.1" 404 1806 "-" "Mozilla/5.0 (compatible;Baiduspider/2.0;+http://www.baidu.com/search/spider.html)"
79.169.141.105 - - [08/Sep/2011:09:18:19 +0200] "GET /en/catalogsearch/result/admin/categories.php/login.php HTTP/1.1" 404 13146 "-" "Mozilla/5.0 (compatible;Baiduspider/2.0;+http://www.baidu.com/search/spider.html)"
Is there any way for me to stop this everyday attack? It has been going on for a month now. Can I block the IP somehow? Will Snort help?

I know it says that it's Baidu but that is spoofed.
  #2  
Old 8th September 2011, 17:29
erosbk
Senior Member
 
Join Date: Mar 2011
Posts: 337
Thanks: 49
Thanked 36 Times in 30 Posts

You can block the IP using iptables:

iptables -A INPUT -s 79.169.141.105 -j DROP


These attacks are common... I think that modsecurity is the solution; I am working on the ruleset in order to implement it in the near future for my sites.
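A detection pass over the access-log pattern shown in the first post, as an added example (not code from either poster): it parses combined-format log lines, flags clients whose requests contain the "/admin/<script>.php/login.php" probe (directly or URL-encoded inside the catalogsearch q parameter), and emits the iptables DROP rule from the reply as text for review rather than executing it. The sample log lines are constructed from the excerpt above; the 198.51.100.7 benign request is invented for contrast.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Apache combined log format, matching the lines posted in the thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# The probe: an admin script with "/login.php" appended, requested directly
# or smuggled into the search box so the 200 search page hides it.
PROBE_RE = re.compile(r'/admin/[\w-]+\.php/login\.php', re.IGNORECASE)

# Constructed sample lines, shortened from the poster's log excerpt.
SAMPLE_LOG = """\
79.169.141.105 - - [08/Sep/2011:09:17:39 +0200] "GET /en/catalogsearch/result/?q=arc+welding+rods%2Fadmin%2Fsqlpatch.php%2Fpassword_forgotten.php%3Faction%3Dexecute/admin/file_manager.php/login.php HTTP/1.1" 200 35271 "-" "Mozilla/5.0 (compatible;Baiduspider/2.0;+http://www.baidu.com/search/spider.html)"
79.169.141.105 - - [08/Sep/2011:09:17:43 +0200] "GET /admin/file_manager.php/login.php HTTP/1.1" 404 1806 "-" "Mozilla/5.0 (compatible;Baiduspider/2.0;+http://www.baidu.com/search/spider.html)"
198.51.100.7 - - [08/Sep/2011:09:20:01 +0200] "GET /en/catalogsearch/result/?q=arc+welding+rods HTTP/1.1" 200 30000 "-" "Mozilla/5.0"
"""

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_probe(path):
    # Decode once so %2F-encoded probes inside the query string are caught too.
    return bool(PROBE_RE.search(unquote(path)))

def find_probing_clients(log_text, threshold=2):
    """Return {ip: hit_count} for clients with at least `threshold` probe requests."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_probe(rec["path"]):
            hits[rec["ip"]] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}

def block_commands(clients):
    # Same rule the reply suggests, returned as text for review, not executed.
    return [f"iptables -A INPUT -s {ip} -j DROP" for ip in sorted(clients)]

if __name__ == "__main__":
    offenders = find_probing_clients(SAMPLE_LOG)
    print(offenders)
    print("\n".join(block_commands(offenders)))
```

A single-IP DROP is cheap but short-lived once the scanner moves address; the path pattern is what carries over into a mod_security or fail2ban rule, and matching on the decoded path also catches the 200-status search requests that a plain 404 counter would miss.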