Date: Wed, 19 May 2010 11:00:13 +0800
From: Aiza <aiza21@comclark.com>
To: Michael Powell <nightrecon@hotmail.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: Apache web server being attacked
Message-ID: <4BF3543D.7070708@comclark.com>
In-Reply-To: <hsts1m$shj$1@dough.gmane.org>
References: <4BF26530.3080501@comclark.com> <hsts1m$shj$1@dough.gmane.org>
Michael Powell wrote:
> Aiza wrote:
>
>> I put apache13 in a jail and left inbound port 80 open in my firewall.
>> There is no domain name pointing to my web server. The content there is
>> a small apache web application that fools web
>> email address harvest programs into harvesting bogus email address from
>> web page. http://www.monkeys.com/wpoison This is what I am doing.
>>
>> Since setting this up I have not had any bots scan the site for email
>> address. But have had port 80 attacks that did not work. My Apache
>> access and error logs follow.
>>
> [snip log content]
>> As you can see looks like a script kiddy is running something they don't
>> understand. "/usr/local/www/data//phpmyadmin2/config.inc.php"
>> there should only be a single / between data/phpmyadmin2.
>>
>> But beside that looks like php config.inc.php file is a target and
>> phpmyadmin also is a target. The apache return code 404 means not found
>> so no effect to me.
>>
>> Has anyone seen this junk hitting their apache web servers or have any
>> different explanation of what this means?
>
> Sorry to tell you this, but this kind of thing goes on all the time. You can
> fine tune mod_security for some control for SQL injection techniques, as
> well as many other generic forms of locking down the web server in general.
>
> Generally speaking, the bulk of this does nothing more than filling the logs
> - BUT - all it takes is for one app to let the attacker "leak" onto your
> hard drive and they're in. I see a lot of scans for roundcube and
> phpMyAdmin. Have also seen a lot of phpBB in the past.
>
> The attackers spew lots of requests but the needle in the haystack they are
> looking for is that one app that has a known vulnerability. In addition to
> securing the web server itself you should monitor any app running on it for
> reported security flaws and keep them updated to the latest "safe" versions.
>
> You can also add to the hardening of your web server (if Apache) with
> various .htaccess + mod_rewrite tricks. Examples include:
>
> # block all smarty templates (no reason to have these exposed)
> RedirectMatch gone ^/.*\.tpl$
>
> # block all .log (log files), .sql (sql dump/export) and .conf (config
> files) files in case some day these files move to another directory
> RedirectMatch gone ^.*\.(sql|log|conf)$
>
> # block access to the 'Smarty-*' directory
> RedirectMatch gone ^.*Smarty.*$
>
> # block common files present that you don't want served
> RedirectMatch gone CHANGELOG.*
> RedirectMatch gone COPYRIGHT.*
> RedirectMatch gone INSTALL.*
> RedirectMatch gone NEW.*
> RedirectMatch gone README.*
> RedirectMatch gone UPGRADE.*
> RedirectMatch gone VERSION.*
>
> # block access to directories
> Redirect gone /upgrade
> Redirect gone /tmp
> Redirect gone /var
> Redirect gone /sql
>
> #Redirect pesky stuff based on referrer
> Options -MultiViews -Indexes
>
> RewriteEngine On
> RewriteBase /
>
> RewriteCond %{HTTP_USER_AGENT} ^Twiceler [NC,OR]
> RewriteCond %{HTTP_USER_AGENT} ^Morfeus [NC,OR]
> RewriteCond %{HTTP_USER_AGENT} ^Toata [NC]
> RewriteRule .* - [F,L]
>
> There is much and many more, just a couple of examples for ideas. :-)
>
> -Mike
>
Where do I find documentation on how to enable and use Apache's mod_rewrite and redirect?
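An added example (not from Mike's post or the thread) of the httpd.conf side that has to be in place before .htaccess rules like the ones quoted above take effect on an Apache 1.3 install: loading mod_rewrite, granting the right AllowOverride classes, and a rule set that stops the phpMyAdmin/config.inc.php probes from the log before Apache looks for the file. The module path and the rewrite log path are assumptions for the FreeBSD apache13 port; the DocumentRoot is the one from the posted log.

```apache
# --- httpd.conf ---------------------------------------------------------
# Load mod_rewrite. Redirect/RedirectMatch come from mod_alias, which is
# compiled into Apache 1.3 by default, so nothing extra is needed for them.
# (Path is an assumption for the FreeBSD apache13 port; check your install.)
LoadModule rewrite_module libexec/apache/mod_rewrite.so
AddModule  mod_rewrite.c

# .htaccess directives are ignored unless the matching override class is
# granted: Redirect*/Rewrite* need FileInfo, "Options -Indexes" needs Options.
# Keep it scoped to the document root rather than granting AllowOverride All.
<Directory "/usr/local/www/data">
    AllowOverride FileInfo Options
</Directory>

# While testing rules only: a rewrite trace shows which RewriteCond matched.
# Set the level back to 0 afterwards; higher levels are costly on a busy host.
RewriteLog      "/var/log/httpd-rewrite.log"
RewriteLogLevel 2

# --- /usr/local/www/data/.htaccess --------------------------------------
# Never serve a directory listing or content-negotiated variants.
Options -MultiViews -Indexes

RewriteEngine On
RewriteBase /

# Refuse (403) anything asking for phpMyAdmin or a config.inc.php, as seen in
# the error log. The "-" target means no substitution; F = Forbidden, L = stop.
# The request is answered by mod_rewrite and never reaches the filesystem.
RewriteCond %{REQUEST_URI} phpmyadmin       [NC,OR]
RewriteCond %{REQUEST_URI} config\.inc\.php [NC]
RewriteRule .* - [F,L]
```

The upstream documentation for these directives is the mod_rewrite, mod_alias and core (AllowOverride, Options) pages of the Apache 1.3 manual shipped with the port.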