Possible hacker attempts.

Discussion in 'Installation/Configuration' started by fordwrench, Aug 30, 2010.

  1. fordwrench

    fordwrench Member

    I get a lot of the following in my /var/log/httpd/ispconfig_access_log


    www.domain.com||||1181||||76.181.99.134 - - [30/Aug/2010:03:13:08 -0500] "POST /.cod6xo/?action=fbgen&v=126&crc=669 HTTP/1.1" 404 1181 "-" "Mozilla/4.0 (compatible; MSIE 7.0; na; )"
    www.domain.com||||1181||||92.17.223.164 - - [30/Aug/2010:03:13:08 -0500] "POST /.cod6xo/?action=fbgen&v=126&crc=669 HTTP/1.1" 404 1181 "-" "Mozilla/4.0 (compatible; MSIE 7.0; na; )"
    www.domain.com||||1181||||69.19.14.33 - - [30/Aug/2010:03:13:12 -0500] "POST /.cod6xo/?action=fbgen&v=126&crc=669 HTTP/1.1" 404 1181 "-" "Mozilla/4.0 (compatible; MSIE 7.0; na; )"


    Also, I have a lot of attempts to send mail to unknown users on one particular domain. And only on that domain. No attempts tried on any other domains I host. Is there any way to stop this? The logs follow.

    Aug 30 03:18:05 srv1 postfix/smtpd[3702]: NOQUEUE: reject: RCPT from unknown[113.22.254.197]: 550 5.1.1 <yntgbfisdjl@domain.com>: Recipient address rejected: User unknown in local recipient table; from=<hurlersghk@riviana.com> to=<yntgbfisdjl@domain.com> proto=ESMTP helo=<FLLUPLGT>
    Aug 30 03:18:06 srv1 postfix/smtpd[3702]: NOQUEUE: reject: RCPT from unknown[113.22.254.197]: 550 5.1.1 <yntgbfisdjl@domain.com>: Recipient address rejected: User unknown in local recipient table; from=<sirupsww3@resourcesoncall.com> to=<yntgbfisdjl@domain.com> proto=ESMTP helo=<FLLUPLGT>


    Can you give me any insight on how to stop this action?


    Fordwrench


    PS: both of these attempts are on the same domain. No other domains. I am about to take the domain down because of the traffic it generates.
     
    Last edited: Aug 30, 2010
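The two log formats quoted above, parsed and counted per source address so that repeat offenders can be picked out, as an added example that is not part of this thread or of ISPConfig. The access-log regex assumes ISPConfig's `vhost||||bytes||||` prefix exactly as it appears in the quoted lines; the sample input is constructed from the lines in the post plus a few made-up benign entries.

```python
import re
from collections import Counter

# Constructed sample lines, modelled on the two formats quoted in the post:
# ISPConfig's access log ("vhost||||bytes||||<combined log line>") and
# Postfix smtpd NOQUEUE rejects. Extra benign entries use documentation IPs.
ACCESS_LOG = """\
www.domain.com||||1181||||76.181.99.134 - - [30/Aug/2010:03:13:08 -0500] "POST /.cod6xo/?action=fbgen&v=126&crc=669 HTTP/1.1" 404 1181 "-" "Mozilla/4.0 (compatible; MSIE 7.0; na; )"
www.domain.com||||1181||||76.181.99.134 - - [30/Aug/2010:03:13:09 -0500] "POST /.cod6xo/?action=fbgen&v=126&crc=669 HTTP/1.1" 404 1181 "-" "Mozilla/4.0 (compatible; MSIE 7.0; na; )"
www.domain.com||||1181||||92.17.223.164 - - [30/Aug/2010:03:13:08 -0500] "POST /.cod6xo/?action=fbgen&v=126&crc=669 HTTP/1.1" 404 1181 "-" "Mozilla/4.0 (compatible; MSIE 7.0; na; )"
www.domain.com||||5120||||198.51.100.9 - - [30/Aug/2010:03:14:00 -0500] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
www.domain.com||||1181||||198.51.100.9 - - [30/Aug/2010:03:14:01 -0500] "GET /favicon.ico HTTP/1.1" 404 1181 "-" "Mozilla/5.0"
"""
MAIL_LOG = """\
Aug 30 03:18:05 srv1 postfix/smtpd[3702]: NOQUEUE: reject: RCPT from unknown[113.22.254.197]: 550 5.1.1 <yntgbfisdjl@domain.com>: Recipient address rejected: User unknown in local recipient table; from=<hurlersghk@riviana.com> to=<yntgbfisdjl@domain.com> proto=ESMTP helo=<FLLUPLGT>
Aug 30 03:18:06 srv1 postfix/smtpd[3702]: NOQUEUE: reject: RCPT from unknown[113.22.254.197]: 550 5.1.1 <yntgbfisdjl@domain.com>: Recipient address rejected: User unknown in local recipient table; from=<sirupsww3@resourcesoncall.com> to=<yntgbfisdjl@domain.com> proto=ESMTP helo=<FLLUPLGT>
Aug 30 03:18:07 srv1 postfix/smtpd[3702]: 4A1B2C3D4E: client=mail.example.net[198.51.100.9]
"""

ACCESS_RE = re.compile(
    r'^(?P<vhost>[^|]+)\|\|\|\|\d+\|\|\|\|(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
REJECT_RE = re.compile(
    r'NOQUEUE: reject: RCPT from \S+\[(?P<ip>[^\]]+)\]: 550 5\.1\.1 '
    r'<(?P<rcpt>[^>]+)>: Recipient address rejected: User unknown')

def hidden_dir_404s(log):
    """Count, per client IP, 404s whose first path segment is a dot-directory
    (the ".cod6xo" pattern in the post); ordinary 404s like /favicon.ico are skipped."""
    hits = Counter()
    for line in log.splitlines():
        m = ACCESS_RE.match(line)
        if m and m['status'] == '404' and m['path'].lstrip('/').startswith('.'):
            hits[m['ip']] += 1
    return hits

def unknown_user_rejects(log):
    """Count Postfix 'User unknown' RCPT rejects per client IP and per recipient domain."""
    per_ip, per_domain = Counter(), Counter()
    for line in log.splitlines():
        m = REJECT_RE.search(line)
        if m:
            per_ip[m['ip']] += 1
            per_domain[m['rcpt'].rsplit('@', 1)[1]] += 1
    return per_ip, per_domain

def block_candidates(access_log, mail_log, threshold=2):
    """IPs whose combined dot-dir 404 hits and unknown-user rejects reach the threshold."""
    total = hidden_dir_404s(access_log) + unknown_user_rejects(mail_log)[0]
    return sorted(ip for ip, n in total.items() if n >= threshold)
```

The per-domain counter from `unknown_user_rejects` confirms the "only on that domain" observation from the logs, and `block_candidates` yields a list that can be reviewed before being fed to a firewall or Postfix client access map.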
  2. damir

    damir New Member

    404 attempts are error codes. Don't worry about it. You can keep an eye on it to see what kind of holes they are looking for.

    Postfix error is common when a user doesn't exist. You can always tweak your postfix with spf and antispam tweaks.

    Try to search the forum or google.
     
  3. Mark_NL

    Mark_NL New Member

    113.22.254.197 is on a lot of spam lists.

    You could add some RBL checks in postfix .. to block those IPs right away (because if they hit an existing user, they'll get the mail).

    try adding these lines to your main.cf under "smtpd_recipient_restrictions"
    Code:
        reject_rbl_client virbl.dnsbl.bit.nl,
        reject_rbl_client cbl.abuseat.org,
        reject_rbl_client bl.spamcop.net,
        reject_rbl_client sbl-xbl.spamhaus.org
    And as damir already pointed out, those 404s aren't really something to worry about ..
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

  5. fordwrench

    fordwrench Member

    I guess I should tell what setup I have.
    Debian 4.0 with Ispconfig 2 (the latest)

    I asked in here because of that, and I have done a lot of searching of forums and google. I just added an .htaccess file that blocks all IPs other than the USA, and that has helped a lot. But now they are trying with proxied or spoofed IPs.

    I know that they are hacking attempts because they have succeeded before and put hidden folders in my web that have xml exploits.

    These are not just a few random hacking attempts; they are hitting this domain hard and it eats a lot of network bandwidth. I would like to set a bomb and have them download it and really fix them, but I would be satisfied with just thwarting their efforts to penetrate my system.


    Thanks for your help so far, I will try what you recommended and if you have any other suggestions please give them.


    Fordwrench
     
  6. Mark_NL

    Mark_NL New Member

    Put up a honeypot and have some fun yourself.
     
  7. fordwrench

    fordwrench Member

    That honeypot idea is just what I would like to figure out. :)
     
  8. Mark_NL

    Mark_NL New Member
