Re: Apache logs filled with remote exploit trials

Mon, 16 Jan 2006 07:26:26 -0800 

Hi,

Implemented these rewrite rules a while ago (think someone on this list 
suggested it):

<IfModule mod_rewrite.c>
  RewriteEngine on
#  RewriteLog "logs/rewrite.log"
#  RewriteLogLevel 1
  RedirectMatch permanent (.*)cmd.exe(.*)$ http://www.dhs.gov
  RedirectMatch permanent (.*)root.exe(.*)$ http://www.dhs.gov
  RedirectMatch permanent (.*)\/_vti_bin\/(.*)$ http://www.dhs.gov
  RedirectMatch permanent (.*)\/scripts\/\.\.(.*)$ http://www.dhs.gov
  RedirectMatch permanent (.*)\/_mem_bin\/(.*)$ http://www.dhs.gov
  RedirectMatch permanent (.*)\/msadc\/(.*)$ http://www.dhs.gov
  RedirectMatch permanent (.*)\/MSADC\/(.*)$ http://www.dhs.gov
  RedirectMatch permanent (.*)\/c\/winnt\/(.*)$ http://www.dhs.gov
  RedirectMatch permanent (.*)\/d\/winnt\/(.*)$ http://www.dhs.gov
  RedirectMatch permanent (.*)\/x90\/(.*)$ http://www.dhs.gov
  RedirectMatch permanent (.*)\/FormMail(.*)$ http://www.dhs.gov
  RedirectMatch permanent (.*)\/Formmail(.*)$ http://www.dhs.gov
  RedirectMatch permanent (.*)\/cgi-bin(.*)$ http://www.dhs.gov
  RedirectMatch permanent (.*)\/xmlrpc(.*)$ http://www.dhs.gov
</IfModule>

Takes care of almost all of the crap.. Now and then something new pops up, such 
as xmlrpc.

Cheers,
/jkm

* Didier Wiroth ([EMAIL PROTECTED]) wrote:
> Hello,
> 
> My apache logs are filled with these kind of attacks:
> [Sun Jan 15 20:53:19 2006] [error] [client 69.60.121.159] File does not
> exist: /htdocs/drupal/xmlrpc.php
> [Sun Jan 15 20:53:20 2006] [error] [client 69.60.121.159] File does not
> exist: /htdocs/phpgroupware/xmlrpc.php
> [Sun Jan 15 20:53:21 2006] [error] [client 69.60.121.159] File does not
> exist: /htdocs/wordpress/xmlrpc.php
> [Sun Jan 15 20:53:22 2006] [error] [client 69.60.121.159] File does not
> exist: /htdocs/xmlrpc.php
> [Sun Jan 15 20:53:23 2006] [error] [client 69.60.121.159] File does not
> exist: /htdocs/xmlrpc/xmlrpc.php
> [Sun Jan 15 20:53:24 2006] [error] [client 69.60.121.159] File does not
> exist: /htdocs/xmlsrv/xmlrpc.php
> 
> How do "you" handle these kind of attacks?
> 
> How or what do I have to use to dynamically block client Ips, that tries
> these type of attacks?
> 
> Thank you very much
> Didier

Reply via email to