I just want it to stop sucking my bandwidth and filling my access
logs, so I took a totally different approach in minimizing the
problem.
On just one of my machines, I have 5 hosts each on its own IP.
I added a 6th server that only listens to local connections. On
the 5 main servers, I have registered procs that catch all the
current exploit URLs. When a request comes in for that URL on
any of the main servers, I do an httpget to the hidden server
passing the IP address of the user. The 6th server then inserts
a REJECT rule into the input chain of ipchains. I flush the
chain once per hour to keep it at a respectable size. So now,
instead of 152 connects and log entries per hack attempt, I have
only 1.
The only thing special that I had to do was patch the aolserver
source so that the hidden server could run as root (for
ipchains).
Daniel P. Stasinski
http://www.disabilities-r-us.com
[EMAIL PROTECTED]
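Added example, not Daniel's code: the hidden-server side of the scheme above in Python, showing the two things a root-running service that takes an IP from an HTTP parameter must get right (validate the address before it goes anywhere near ipchains, and add only one rule per address per hour) plus the hourly flush. Command names are real ipchains syntax; the head-of-chain insert, the epoch-seconds `now` argument and the dry-run mode are my assumptions.

```python
import ipaddress
import subprocess

FLUSH_INTERVAL = 3600  # seconds; the post flushes the chain once per hour


class Blocker:
    """Hidden-server side: takes the client IP forwarded by a front-end
    server and turns it into a single ipchains REJECT rule.

    Assumptions (mine, not the poster's): rules are inserted at the head
    of the ``input`` chain, one per address per hour, and ``now`` is
    epoch seconds so the class is easy to test without a clock.
    """

    def __init__(self, dry_run=True):
        self.dry_run = dry_run      # True: record commands, do not execute
        self.blocked = set()        # addresses rejected since the last flush
        self.last_flush = None      # epoch seconds of the last flush
        self.log = []               # argv lists issued, in order

    def _run(self, argv):
        self.log.append(argv)
        if not self.dry_run:
            # argv list, never a shell string: the IP is attacker-influenced
            subprocess.run(argv, check=True)

    def request_block(self, ip_text, now):
        """Handle one forwarded request. Returns True if a rule was added."""
        try:
            ip = ipaddress.IPv4Address(ip_text.strip())  # ipchains is IPv4-only
        except ValueError:
            return False  # not an address literal: ignore, never pass it on
        if ip.is_loopback or ip.is_unspecified:
            return False  # never lock the box out of itself
        if self.last_flush is None:
            self.last_flush = now
        elif now - self.last_flush >= FLUSH_INTERVAL:
            self.flush(now)  # hourly flush keeps the chain a respectable size
        if str(ip) in self.blocked:
            return False  # already rejected this hour: no second rule, no log line
        self._run(["ipchains", "-I", "input", "-s", str(ip), "-j", "REJECT"])
        self.blocked.add(str(ip))
        return True

    def flush(self, now):
        """Drop every rule in the input chain and start a fresh hour."""
        self._run(["ipchains", "-F", "input"])
        self.blocked.clear()
        self.last_flush = now
```

Note that `ipchains -F input` clears every rule in that chain, not only the ones this script added, so any static rules must live elsewhere or be reloaded after the flush.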