On 13/12/2011 9:34 AM, Jeffrey Moncrieff wrote:
>
> Hello
>
> I host a couple of virtual web servers at home. The sites are not 
> that busy. But I am seeing a lot of 404 errors, and this morning I was 
> checking my daily logwatch report and I spotted something weird in the logs
>
>    A total of 2 sites probed the server
>      122.255.96.164
>      85.88.195.35
>
>   A total of 3 possible successful probes were detected (the following URLs
>   contain strings that match one or more of a listing of strings that
>   indicate a possible exploit):
>
>      /?file=../../../../../../proc/self/environ%00 HTTP Response 200
>      /?mod=../../../../../../proc/self/environ%00 HTTP Response 200
>      /?page=../../../../../../proc/self/environ%00 HTTP Response 200
>
> I have since blocked those IPs with iptables. But now I want to know if there 
> is a script that I can run that automatically blocks suspected malicious IPs, 
> or do I just have to babysit the server and keep a closer eye on the logs?
>
>
> Jeff
>   
> Jeffrey Dean Moncrieff
> Moncrieff consulting IT
> Vancouver/Ottawa
> Cell (613)298-6493
> [email protected]   
> _______________________________________________
> Linux mailing list
> [email protected]
> http://oclug.on.ca/mailman/listinfo/linux
>
May I recommend that instead of banning, you close the security hole? 
Disable whatever is allowing content access via ?xxx=.

J-F
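
A sketch of the kind of log check behind the logwatch report quoted above, as an added example that is not part of the original thread: it flags traversal probes in combined-format access-log lines and records whether each response has the same size as the normal page, which suggests the parameter was ignored rather than honored. The log lines, the addresses and the size-comparison heuristic are assumptions made for this example.

```python
import re
from urllib.parse import unquote

# Apache/nginx "combined" format: client ip, request line, status, response bytes.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) (\d+|-)')
# Directory traversal, /proc/self/environ, or a NUL byte in the decoded target.
PROBE_RE = re.compile(r'\.\./|\.\.\\|/proc/self/environ|\x00')

def decode(target, rounds=3):
    """Percent-decode repeatedly so double-encoded probes (%252f) still match."""
    for _ in range(rounds):
        new = unquote(target)
        if new == target:
            break
        target = new
    return target

def triage(lines):
    """Return one finding per probe, with a hint on whether its 200 means anything."""
    parsed = [m.groups() for m in map(LOG_RE.match, lines) if m]
    # Response sizes seen for each path when it is requested without a probe string.
    normal = {}
    for ip, method, target, status, size in parsed:
        if status == "200" and not PROBE_RE.search(decode(target)):
            normal.setdefault(target.split("?")[0], set()).add(size)
    findings = []
    for ip, method, target, status, size in parsed:
        if PROBE_RE.search(decode(target)):
            same = size in normal.get(target.split("?")[0], set())
            findings.append({"ip": ip, "target": target, "status": int(status),
                             "same_size_as_normal_page": same})
    return findings

# Constructed sample lines (documentation-range addresses, not taken from the report).
SAMPLE = [
    '192.0.2.10 - - [13/Dec/2011:06:25:01 -0500] "GET / HTTP/1.1" 200 1542 "-" "-"',
    '198.51.100.7 - - [13/Dec/2011:06:25:07 -0500] "GET /?file=../../../../../../proc/self/environ%00 HTTP/1.1" 200 1542 "-" "-"',
    '198.51.100.7 - - [13/Dec/2011:06:25:09 -0500] "GET /?page=..%252f..%252fproc/self/environ HTTP/1.1" 200 873 "-" "-"',
    '203.0.113.5 - - [13/Dec/2011:06:26:40 -0500] "GET /index.php?mod=../../proc/self/environ%00 HTTP/1.1" 404 209 "-" "-"',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

A probe that returns 200 with a size different from the normal page is the one to investigate first; a matching size is only a hint, so the application's handling of the parameter still needs to be checked.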