Possible hacker attempts.

Discussion in 'Installation/Configuration' started by fordwrench, Aug 30, 2010.

  1. fordwrench

    fordwrench Member HowtoForge Supporter

    I get a lot of the following in my /var/log/httpd/ispconfig_access_log


    www.domain.com||||1181||||76.181.99.134 - - [30/Aug/2010:03:13:08 -0500] "POST /.cod6xo/?action=fbgen&v=126&crc=669 HTTP/1.1" 404 1181 "-" "Mozilla/4.0 (compatible; MSIE 7.0; na; )"
    www.domain.com||||1181||||92.17.223.164 - - [30/Aug/2010:03:13:08 -0500] "POST /.cod6xo/?action=fbgen&v=126&crc=669 HTTP/1.1" 404 1181 "-" "Mozilla/4.0 (compatible; MSIE 7.0; na; )"
    www.domain.com||||1181||||69.19.14.33 - - [30/Aug/2010:03:13:12 -0500] "POST /.cod6xo/?action=fbgen&v=126&crc=669 HTTP/1.1" 404 1181 "-" "Mozilla/4.0 (compatible; MSIE 7.0; na; )"


    Also, I have a lot of attempts to send mail to unknown users on one particular domain. And only on that domain. No attempts tried on any other domains I host. Is there any way to stop this? The logs follow.

    Aug 30 03:18:05 srv1 postfix/smtpd[3702]: NOQUEUE: reject: RCPT from unknown[113.22.254.197]: 550 5.1.1 <[email protected]>: Recipient address rejected: User unknown in local recipient table; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<FLLUPLGT>
    Aug 30 03:18:06 srv1 postfix/smtpd[3702]: NOQUEUE: reject: RCPT from unknown[113.22.254.197]: 550 5.1.1 <[email protected]>: Recipient address rejected: User unknown in local recipient table; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<FLLUPLGT>


    Can you give me any insight on how to stop this action?


    Fordwrench


    PS: Both of these attempts are on the same domain. No other domains. I am about to take the domain down because of the traffic it generates.
     
    Last edited: Aug 30, 2010
  2. damir

    damir New Member

    404 attempts are error codes. Don't worry about it. You can keep an eye on it to see what kind of holes they are looking for.

    Postfix error is common when a user doesn't exist. You can always tweak your postfix with SPF and antispam tweaks.

    Try to search the forum or Google.
     
  3. Mark_NL

    Mark_NL New Member

    113.22.254.197 is on a lot of spam lists

    you could add some RBL checks in postfix .. to block those IPs right away (because if they hit an existing user, they'll get the mail)

    try adding these lines to your main.cf under "smtpd_recipient_restrictions"
    Code:
        reject_rbl_client virbl.dnsbl.bit.nl,
        reject_rbl_client cbl.abuseat.org,
        reject_rbl_client bl.spamcop.net,
        reject_rbl_client sbl-xbl.spamhaus.org
    and as damir already pointed out, those 404's aren't really something to worry about ..
     
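An added example, not code from the thread or from ISPConfig, that parses both log formats quoted above (the ISPConfig 2 access log with its `vhost||||bytes||||` prefix, and the Postfix `NOQUEUE: reject` lines) and counts probes per source IP, so a Fail2ban-style block rule can be reviewed before a whole domain is taken down. The log lines, addresses and mailbox names below are constructed samples, and the threshold of 2 is an assumption.

```python
import re
from collections import Counter

# Constructed sample lines (RFC 5737 addresses) in the two formats the thread shows.
ACCESS_LOG = """\
www.domain.com||||1181||||192.0.2.10 - - [30/Aug/2010:03:13:08 -0500] "POST /.cod6xo/?action=fbgen&v=126&crc=669 HTTP/1.1" 404 1181 "-" "Mozilla/4.0 (compatible; MSIE 7.0; na; )"
www.domain.com||||1181||||192.0.2.11 - - [30/Aug/2010:03:13:08 -0500] "POST /.cod6xo/?action=fbgen&v=126&crc=669 HTTP/1.1" 404 1181 "-" "Mozilla/4.0 (compatible; MSIE 7.0; na; )"
www.domain.com||||1181||||192.0.2.10 - - [30/Aug/2010:03:13:12 -0500] "POST /.cod6xo/?action=fbgen&v=126&crc=669 HTTP/1.1" 404 1181 "-" "Mozilla/4.0 (compatible; MSIE 7.0; na; )"
www.domain.com||||5120||||198.51.100.7 - - [30/Aug/2010:03:14:00 -0500] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""
MAIL_LOG = """\
Aug 30 03:18:05 srv1 postfix/smtpd[3702]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 550 5.1.1 <nobody@www.domain.com>: Recipient address rejected: User unknown in local recipient table; from=<x@example.net> to=<nobody@www.domain.com> proto=ESMTP helo=<FLLUPLGT>
Aug 30 03:18:06 srv1 postfix/smtpd[3702]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 550 5.1.1 <other@www.domain.com>: Recipient address rejected: User unknown in local recipient table; from=<x@example.net> to=<other@www.domain.com> proto=ESMTP helo=<FLLUPLGT>
Aug 30 03:18:07 srv1 postfix/smtpd[3702]: connect from unknown[203.0.113.9]
"""

# ISPConfig 2 prefixes each access line with 'vhost||||bytes||||' before the combined-log fields.
ACCESS_RE = re.compile(
    r'^(?P<vhost>[^|]+)\|\|\|\|\d+\|\|\|\|(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
REJECT_RE = re.compile(
    r'postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from \S+\[(?P<ip>[^\]]+)\]: (?P<code>\d{3}) ')


def parse_access(line):
    """Fields of one ispconfig_access_log line, or None if the line does not match."""
    m = ACCESS_RE.match(line)
    return dict(m.groupdict(), status=int(m.group("status"))) if m else None


def hidden_path_404s(lines):
    """Count, per client IP, 404 responses for paths under a dot-directory (e.g. /.cod6xo/)."""
    hits = Counter()
    for rec in filter(None, map(parse_access, lines)):
        if rec["status"] == 404 and rec["path"].startswith("/."):
            hits[rec["ip"]] += 1
    return hits


def mail_rejects(lines):
    """Count, per client IP, Postfix 5xx recipient rejects (the 'User unknown' lines)."""
    rejects = Counter()
    for line in lines:
        m = REJECT_RE.search(line)
        if m and m.group("code").startswith("5"):
            rejects[m.group("ip")] += 1
    return rejects


def blocklist_candidates(access_lines, mail_lines, threshold=2):
    """IPs whose combined probe count reaches the threshold; review before feeding to a firewall."""
    total = hidden_path_404s(access_lines) + mail_rejects(mail_lines)
    return sorted(ip for ip, n in total.items() if n >= threshold)
```

Pointing the two `*_LOG` strings at the real files and feeding the result to a jail or firewall rule is the manual equivalent of what Fail2ban does; the RBL lines in the post above stop the mail side at SMTP time, before these lines are even logged.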
  4. till

    till Super Moderator Staff Member ISPConfig Developer

  5. fordwrench

    fordwrench Member HowtoForge Supporter

    I guess I should tell what setup I have.
    Debian 4.0 with ISPConfig 2 (the latest)

    I asked in here because of that, and I have done a lot of searching of forums and Google. I just added an .htaccess file that blocks all IPs other than USA, and that has helped a lot. But now they are trying with proxied or spoofed IPs.

    I know that they are hacking attempts because they have succeeded before and put hidden folders in my web that have xml exploits.

    This is not just a few random hacking attempts; they are hitting this domain hard and it eats a lot of network bandwidth. I would like to set a bomb and have them download it and really fix them, but I would be satisfied with just thwarting their efforts to penetrate my system.


    Thanks for your help so far, I will try what you recommended and if you have any other suggestions please give them.


    Fordwrench
     
  6. Mark_NL

    Mark_NL New Member

    put up a honeypot and have some fun yourself
     
  7. fordwrench

    fordwrench Member HowtoForge Supporter

    that honeypot idea is just what I would like to figure out. :)
     
  8. Mark_NL

    Mark_NL New Member