Date: Tue, 18 May 2010 11:43:07 +0100 From: Matthew Seaman <m.seaman@infracaninophile.co.uk> To: Aiza <aiza21@comclark.com> Cc: "questions@freebsd.org" <questions@freebsd.org> Subject: Re: Apache web server being attacked Message-ID: <4BF26F3B.6000203@infracaninophile.co.uk> In-Reply-To: <4BF26530.3080501@comclark.com> References: <4BF26530.3080501@comclark.com>
next in thread | previous in thread | raw e-mail | index | archive | help
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 18/05/2010 11:00:16, Aiza wrote: > I put apache13 in a jail and left inbound port 80 open in my firewall. > There is no domain name pointing to my web server. The content there is > a small apache web application that fools web > email address harvest programs into harvesting bogus email address from > web page. http://www.monkeys.com/wpoison This is what I am doing. > > Since setting this up I have not had any bots scan the site for email > address. But have had port 80 attacks that did not work. MY Apache > access and error logs follow. [lots of logfile traces elided] Yes. Unfortunately this sort of thing is the norm on the web nowadays. It's all automated: first they program their botnets to scan for a web server listening on port 80. Then they use them to attempt to compromise whatever they find -- in your case, most of what you're seeing is an attempt to gather information on what PHP capabilities your web server might have. What they are doing is trying in turn a lot of the popular locations for installing apps like phpmyadmin or phppgadmin. Yes, they are doing this in a particularly clueless fashion -- what exactly did you expect of the sort of people that think creating botnets is a good idea? They'll probably grow out of it when they hit puberty. In the mean time, as you don't have phpmyadmin or anything similar installed, this is just an annoyance for you -- it clutters up your log files but does nothing else. If you did want to install phpmyadmin on that server, you should take care to 1) Keep it up to date -- there haven't been any PMA security advisories for some months, but at one point they were coming out about one a week. PMA does have some very active developers though, and new versions appear every month or two. 2) Be sure to use access controls in your apache config to limit where PMA can be accessed from. Ideally, run it over HTTPS as well -- by its nature, you will tend to send DB passwords etc. to this application, and you want to avoid having them snooped. 3) If you use the on-line phpmyadmin configurator, be sure to clean up after yourself once you've generated a config file. To use the on-line configurator you have to create a directory /usr/local/www/phpMyAdmin/config which you make read/write by the user the webserver runs as. Once you've created the config.inc.php in that directory, you need to move it up one level in the directory heirarchy, and then delete the config directory you created. (That's what your attacker is so desperate to find -- because the directory is read-write by the webserver process, they can use it to upload malware to your system.) Cheers, Matthew - -- Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard Flat 3 PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate Kent, CT11 9PW -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.14 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEUEARECAAYFAkvybzsACgkQ8Mjk52CukIylCQCWJdEPLjihb2bSWUjUz5XcJ7eA eQCeLm59yL859kW9S9UkK7y1bjsZtTg= =tj/p -----END PGP SIGNATURE-----
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4BF26F3B.6000203>