1) Okay, you need to make your "report" - this is a complete forensics of all the IPs with a complete log example to send to their authoritative technical and abuse contacts.

2) You can use a script to drop all such exploits to the iptables deny file? It's going to look something like this (you are going to have to play with your logfile sed/awk statement to be sure that the field $7 is the seventh from the left and that the sed statement gets the full IP string correct before implementing). Season to taste (any of the unique statements from your logs will work):

#!/bin/bash
# Collect offending IPs from the logs and (re)load them as iptables DROP rules.
# Work files: tmp (raw hits), tmps (scratch), ttt (deduplicated IP list).
rm -f ttt
touch tmp

# Already-disabled IPs can be obtained from the saved ruleset in /etc/sysconfig/iptables.
# Pull the address that follows "-s" (drops any /32 suffix) rather than trusting a fixed field.
grep DROP /etc/sysconfig/iptables | sed -n 's/.*-s \([0-9.]*\).*/\1/p' > tmp

# ------------------------ DoS attacks rule -------------------------
# identity mismatch in secure ("Did not receive identification string from <ip>" -> field 12)
grep Did /var/log/secure | awk '{print $12}' >> tmp
# Invalid user ("Invalid user <name> from <ip>" -> field 10)
grep "Invalid user" /var/log/secure | awk '{print $10}' >> tmp
#  Maximum Login (the address sits inside [...] in that message)
grep "Maximum login" /var/log/secure | awk '{print $7}' | sed 's/.*\[\(.*\)\])/\1/g' >> tmp
#  humano: requests carrying the bogus redirect.  In Apache common/combined log
#  format the client IP is field $1 ($7 is the request URI), so use $1 here and
#  check the field number against your own log format.
grep "humano" /var/log/apache/access_log | awk '{print $1}' >> tmp

# ------------------ reduce redundant IPs from tmp file -------------
# Take the first line, remove every exact copy of it from tmp, keep one copy in ttt.
# (-F -x: fixed string, whole line, so the dots in an IP are not regex wildcards.)
size=`wc -l < tmp`
while test "$size" -gt 0
do
      us=`sed -n 1p tmp`
      grep -F -x -v "$us" tmp > tmps
      echo "$us" >> ttt
      cp -f tmps tmp
      size=`wc -l < tmp`
done
rm -f tmp tmps temp0 temp

## ------------------ activate detected IPs --------------------------
# NOTE: -F flushes every rule in the filter table, not only the DROPs added here;
# the previously saved DROP entries survive only because they were read into tmp above.
/sbin/iptables -F
while read -r ip
do
        test -n "$ip" && /sbin/iptables -A INPUT -s "$ip" -j DROP
done < ttt
# -----------------end of shell script test -------------------------
www.Obnosis.com | http://en.wiktionary.org/wiki/Citations:obnosis | http://www.urbandictionary.com/define.php?term=obnosis (503)754-4452

--- On Wed, 12/3/08, Lisa Kachold <[EMAIL PROTECTED]> wrote:

From: Lisa Kachold <[EMAIL PROTECTED]>
Subject: RE: OT: Website Exploits
To: [EMAIL PROTECTED], [EMAIL PROTECTED]
Date: Wednesday, December 3, 2008, 3:58 PM


It appears as though someone is attempting to access http://humano.ya.com via a redirect. It's probably not a "real" exploit but a miscrafted URL referral. Without more information related to the contents of your index.php, I can't tell you what exactly they are exploiting. However, since the page they are going to doesn't appear to be a google ad site or phishing site, I would just call this a mistaken URI fat fingered redirect from some place?

But here are the basic steps for "forensics" of any such problem (even the exploitive ones):

1) Where is it coming from? Your log should have a complete source IP? Cut and splice the complete log report example into your "forensics" report. Include your TIMEZONE for their edification. Include the date of the first attack using grep on your logs. Add frequency or whatever else is unique about it. If the issue or attack comes from multiple sources, indicating bots, include that information also.

2) Run a whois on the source IP and see who is the Swip'd IP block owner, domain name, and access that page for additional information. Cut and splice the technical contact for that block into your "report".

3) Go to the referral site (http://humano.ya.com) and find their email address to add to the "report".

4) Send a copy of the referring IP address to your firewall administrator to deny for port 80/443, or add to your server based IPTABLES deny via a one liner:

iptables -A INPUT -s $ipaddress -j DROP
/etc/init.d/iptables save

5) Include your name and address, contact information and statement of confidentiality.

Catch the January PLUG HackFest! Kristy Westphal, CSO for the Arizona Department of Economic Security will provide a one hour presentation on forensics.

Date: Wed, 3 Dec 2008 14:39:40 -0800
From: [EMAIL PROTECTED]
Subject: OT: Website Exploits
To: [EMAIL PROTECTED]

I am working on a website that gets a lot of exploit attempts. They mostly look like this:

/index.php?display=http://humano.ya.com/mysons/index.htm?

Our code is set to disregard any value that is not expected. I'm wondering if there is a clearing house for reporting this type of stuff. I have the IP address as reported.... if that is accurate.

Thanks in advance!
Keith
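As an added example that is not part of the thread, this Python script does the log side of step 1 in Lisa's reply (source IP, first and last attempt in the log's own timezone, frequency, and whether more than one source is involved) for requests whose query parameter carries an absolute URL, as in Keith's /index.php?display=http://... sample. The log lines, addresses and timestamps are constructed, and Apache common log format is assumed.

```python
"""Summarise remote-URL injection attempts (?display=http://...) per source IP."""
import re
from datetime import datetime
from urllib.parse import parse_qsl, urlsplit

# Constructed sample lines in Apache common log format (not from the thread).
SAMPLE_LOG = """\
203.0.113.7 - - [03/Dec/2008:14:02:11 -0800] "GET /index.php?display=http://humano.ya.com/mysons/index.htm? HTTP/1.1" 200 512
198.51.100.2 - - [03/Dec/2008:14:05:43 -0800] "GET /index.php?display=about HTTP/1.1" 200 4096
203.0.113.7 - - [03/Dec/2008:14:09:01 -0800] "GET /index.php?display=http://humano.ya.com/mysons/index.htm? HTTP/1.1" 200 512
192.0.2.9 - - [03/Dec/2008:15:31:27 -0800] "GET /index.php?display=https://humano.ya.com/other.txt HTTP/1.0" 404 210
"""

# client IP, [timestamp with UTC offset], request URI
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST|HEAD) (\S+)')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"   # keeps the log's own timezone, as the report should


def remote_url_params(request_uri):
    """Return (name, value) query parameters whose value is an absolute http(s) URL."""
    query = urlsplit(request_uri).query
    return [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
            if v.lower().startswith(("http://", "https://"))]


def summarise(log_text):
    """Per offending source IP: attempt count, first/last seen, hosts it tried to pull in."""
    report = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                     # unparsable line: skip rather than guess
        ip, stamp, uri = m.groups()
        hits = remote_url_params(uri)
        if not hits:
            continue                     # ordinary request, not an injection attempt
        seen = datetime.strptime(stamp, TIME_FMT)
        entry = report.setdefault(ip, {"count": 0, "first": seen, "last": seen, "hosts": set()})
        entry["count"] += 1
        entry["first"] = min(entry["first"], seen)
        entry["last"] = max(entry["last"], seen)
        entry["hosts"].update(h for h in (urlsplit(v).hostname for _, v in hits) if h)
    return report


def report_lines(report):
    """One line per source IP, busiest first, ready to paste into the abuse report."""
    return [f"{ip}: {e['count']} attempts, first {e['first'].isoformat()}, "
            f"last {e['last'].isoformat()}, referenced hosts: {', '.join(sorted(e['hosts']))}"
            for ip, e in sorted(report.items(), key=lambda kv: -kv[1]["count"])]


if __name__ == "__main__":
    print("\n".join(report_lines(summarise(SAMPLE_LOG))))
```

The per-IP lines, together with a whois lookup on each address, are the material steps 1 and 2 ask you to paste into the report.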

---------------------------------------------------
PLUG-discuss mailing list - [email protected]
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss