From owner-freebsd-questions@FreeBSD.ORG  Tue May 18 11:01:21 2010
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id D204D106564A
	for <freebsd-questions@freebsd.org>;
	Tue, 18 May 2010 11:01:21 +0000 (UTC)
	(envelope-from freebsd-questions@m.gmane.org)
Received: from lo.gmane.org (lo.gmane.org [80.91.229.12])
	by mx1.freebsd.org (Postfix) with ESMTP id 5F1758FC0A
	for <freebsd-questions@freebsd.org>;
	Tue, 18 May 2010 11:01:21 +0000 (UTC)
Received: from list by lo.gmane.org with local (Exim 4.69)
	(envelope-from <freebsd-questions@m.gmane.org>) id 1OEKY3-0001TK-TA
	for freebsd-questions@freebsd.org; Tue, 18 May 2010 13:01:19 +0200
Received: from pool-70-21-10-109.res.east.verizon.net ([70.21.10.109])
	by main.gmane.org with esmtp (Gmexim 0.1 (Debian))
	id 1AlnuQ-0007hv-00
	for <freebsd-questions@freebsd.org>; Tue, 18 May 2010 13:01:19 +0200
Received: from nightrecon by pool-70-21-10-109.res.east.verizon.net with local
	(Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00
	for <freebsd-questions@freebsd.org>; Tue, 18 May 2010 13:01:19 +0200
X-Injected-Via-Gmane: http://gmane.org/
To: freebsd-questions@freebsd.org
connect(): No such file or directory
From: Michael Powell <nightrecon@hotmail.com>
Followup-To: gmane.os.freebsd.questions
Date: Tue, 18 May 2010 07:00:59 -0400
Lines: 82
Message-ID: <hsts1m$shj$1@dough.gmane.org>
References: <4BF26530.3080501@comclark.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7Bit
X-Complaints-To: usenet@dough.gmane.org
X-Gmane-NNTP-Posting-Host: pool-70-21-10-109.res.east.verizon.net
Subject: Re: Apache web server being attacked
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 18 May 2010 11:01:22 -0000

Aiza wrote:

> I put apache13 in a jail and left inbound port 80 open in my firewall.
> There is no domain name pointing to my web server. The content there is
> a small apache web application that fools web
> email address harvest programs into harvesting bogus email address from
> web page.  http://www.monkeys.com/wpoison This is what I am doing.
> 
> Since setting this up I have not had any bots scan the site for email
> address. But have had port 80 attacks that did not work. MY Apache
> access and error logs follow.
> 
[snip log content] 
> As you can see looks like a script kiddy is running something they dont
> understand. "/usr/local/www/data//phpmyadmin2/config.inc.php"
> there should only be a single / between data/phpmyadmin2.
> 
> But beside that looks like php config.inc.php file is a target and
> phpmyadmin also is a target. The apache return code 404 means not found
> so no effect to me.
> 
> Has anyone seen this junk hitting their apache web servers or have any
> different explanation of what this means?

Sorry to tell you this, but this kind of thing goes on all the time. You can 
fine tune mod_security for some control for SQL injection techniques, as 
well as many other generic forms of locking down the web server in general. 

Generally speaking, the bulk of this does nothing more than filling the logs 
- BUT - all it takes is for one app to let the attacker "leak" onto your 
hard drive and they're in. I see a lot of scans for roundcube and 
phpMyAdmin. Have also seen a lot of phpBB in the past. 

The attackers spew lots of requests but the needle in the haystack they are 
looking for is that one app that has a known vulnerability. In addition to 
securing the web server itself you should monitor any app running on it for 
reported security flaws and keep them updated to the latest "safe" versions.

You can also add to the hardening of your web server (if Apache) with 
various .htaccess + mod_rewrite tricks. Examples include:

# block all smarty templates (no reason to have these exposed)
RedirectMatch gone ^/.*\.tpl$

# block all .log (log files), .sql (sql dump/export) and .conf (config 
files) files in case some day these files move to another directory
RedirectMatch gone ^.*\.(sql|log|conf)$

# block access to the 'Smarty-*' directory
RedirectMatch gone ^.*Smarty.*$

# block common files present that you don't want served
RedirectMatch gone CHANGELOG.*
RedirectMatch gone COPYRIGHT.*
RedirectMatch gone INSTALL.*
RedirectMatch gone NEW.*
RedirectMatch gone README.*
RedirectMatch gone UPGRADE.*
RedirectMatch gone VERSION.*

# block access to directories
Redirect gone /upgrade
Redirect gone /tmp
Redirect gone /var
Redirect gone /sql

#Redirect pesky stuff based on referrer
Options -MultiViews -Indexes

RewriteEngine On
RewriteBase /

 RewriteCond %{HTTP_USER_AGENT} ^Twiceler [NC,OR]
 RewriteCond %{HTTP_USER_AGENT} ^Morfeus [NC,OR]
 RewriteCond %{HTTP_USER_AGENT} ^Toata [NC]
 RewriteRule .* - [F,L]

There is much and many more, just a couple of examples for ideas. :-)

-Mike