I'll be sure to keep you in the loop, Red-Tail Books. If I were to take a
guess, I'd guess that hex value is the key to fully understanding this.
Wish I knew more about exploits and stuff. I remember similar things like
that when I was a kid and used to play around with stuff like Metasploit. A
Wow Ken, thanks for the thorough research. I just did a whois and
figured it wasn't an attack.
But being a complete rookie (no experience with Linux or servers prior
to creating a droplet on DO 2 weeks ago),
I was curious not to see any request prefix (GET|POST|CONNECT...etc...)
and then I saw
Okay Red-Tail Books, I got more information for you! This is the latest
response I got:
"The malware is installed via a range of vulnerabilities including
social engineering. This scan is really testing for the malware's
rendezvous protocol for command and control. As a rule, we have been
I contacted one of the people involved with CESR and I have received a
response. This is what they say:
"Yes, this is a scan from our group. It is not in fact looking for
a vulnerability, but for a very specific infection. The scan is
harmless, but there is a very rare and stealthy piece of
Hi,
sorry that I posted it here. After some time I realised that the
reverse proxy is IHS (IBM HTTP Server) and not pure Apache httpd. Anyway,
I am posting my findings here: after switching from mem caching to disk
caching the issue disappeared.
E
-- Forwarded message --
From: Erik
I think I can shed a little light on this. I believe it has something to
do with exploits / vulnerabilities. I'm not sure what the hex values are,
but I'm guessing that's part of the exploit. I've tried searching for it
but couldn't find anything. Maybe the query is confusing the search
Saw this in my access.log this morning...
169.229.3.91 - - [08/Jul/2016:05:44:24 -0700] "^\x05A\xea\xa1\xfa\xbe\x15" 200 11434 "-" "-"
Can someone more knowledgeable explain what the "request" was and why it
was successful? And what 11k of data did apache serve?
Thanks
dave
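A note on how to read that request field, as an added example that is not from dave's post or from any of the replies: Apache passes the logged request line through its log escaping, so any byte that is not printable ASCII is written as \xHH. Decoding the field shows the server received eight raw bytes (5e 05 41 ea a1 fa be 15) with no method, no path and no HTTP version, which is why none of the usual GET/POST prefixes appear. The parser below decodes the quoted field back to bytes and flags request lines that are not well-formed HTTP; the sample log lines are constructed, with the first one copied from the entry above. Decoding tells you what arrived, not why this particular server answered 200 with a body; the thread does not settle that.

```python
import re

# Constructed sample access.log lines (combined log format). The first
# reproduces the request line dave reported; the other two are ordinary
# requests for comparison. None of these come from a real server.
SAMPLE_LOG = r'''169.229.3.91 - - [08/Jul/2016:05:44:24 -0700] "^\x05A\xea\xa1\xfa\xbe\x15" 200 11434 "-" "-"
203.0.113.7 - - [08/Jul/2016:05:45:01 -0700] "GET /index.html HTTP/1.1" 200 11434 "-" "curl/7.47.0"
198.51.100.2 - - [08/Jul/2016:05:46:12 -0700] "POST /login HTTP/1.0" 302 0 "-" "Mozilla/5.0"
'''

# Quoted fields may contain \" and \\, so a field is any run of
# non-quote/non-backslash characters or backslash escapes.
_QUOTED = r'(?:[^"\\]|\\.)*'
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>' + _QUOTED + r')" (?P<status>\d{3}) (?P<bytes>\d+|-)'
    r'(?: "(?P<referer>' + _QUOTED + r')" "(?P<ua>' + _QUOTED + r')")?$'
)

# Apache's log escaping writes these C-style escapes; every other
# non-printable byte becomes \xHH.
_SIMPLE_ESCAPES = {'n': b'\n', 'r': b'\r', 't': b'\t', 'b': b'\b',
                   'v': b'\v', '\\': b'\\', '"': b'"'}
_HEX2 = re.compile(r'[0-9a-fA-F]{2}')


def unescape_logitem(field: str) -> bytes:
    """Undo Apache's log escaping and return the raw bytes the server saw."""
    out = bytearray()
    i = 0
    while i < len(field):
        c = field[i]
        if c != '\\':
            out += c.encode('latin-1', errors='replace')
            i += 1
            continue
        nxt = field[i + 1:i + 2]
        if nxt == 'x' and _HEX2.fullmatch(field[i + 2:i + 4]):
            out.append(int(field[i + 2:i + 4], 16))
            i += 4
        elif nxt in _SIMPLE_ESCAPES:
            out += _SIMPLE_ESCAPES[nxt]
            i += 2
        else:
            out += b'\\'          # stray backslash: keep it literally
            i += 1
    return bytes(out)


# A well-formed request line: METHOD SP request-target SP HTTP/x.y
_REQUEST_LINE = re.compile(rb'^[A-Z]+ \S+ HTTP/\d\.\d$')
# HTTP/0.9 "simple request": GET SP request-target, no version
_SIMPLE_REQUEST = re.compile(rb'^GET \S+$')


def classify_request(raw: bytes) -> str:
    """Label a decoded request line as http, http/0.9, binary or malformed."""
    if _REQUEST_LINE.match(raw):
        return 'http'
    if _SIMPLE_REQUEST.match(raw):
        return 'http/0.9'
    if any(b < 0x20 or b > 0x7e for b in raw):
        return 'binary'      # control or high bytes: not an HTTP request line at all
    return 'malformed'


def parse_line(line: str):
    """Parse one access.log line; returns None if it is not in log format."""
    m = LOG_RE.match(line.rstrip('\r\n'))
    if not m:
        return None
    raw = unescape_logitem(m['request'])
    return {
        'host': m['host'],
        'time': m['time'],
        'status': int(m['status']),
        'bytes': 0 if m['bytes'] == '-' else int(m['bytes']),
        'request_raw': raw,
        'request_hex': raw.hex(),
        'kind': classify_request(raw),
    }


def suspicious_requests(log_text: str):
    """Entries whose request line is not a well-formed HTTP/1.x request."""
    entries = (parse_line(l) for l in log_text.splitlines())
    return [e for e in entries if e is not None and e['kind'] != 'http']


if __name__ == '__main__':
    for e in suspicious_requests(SAMPLE_LOG):
        print(f"{e['host']} {e['kind']:9} {len(e['request_raw'])} bytes "
              f"{e['request_hex']} -> {e['status']} {e['bytes']}B")
```

Run against your own access.log instead of SAMPLE_LOG to list every entry whose request line is not an HTTP request; the 'binary' class is the one that matches the entry above, and the hex column gives you a stable string to search for or to compare with other hosts' logs.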
Thanks Rich Bowen and Marat Khalili for the quick and usable reply.
On Fri, Jul 8, 2016 at 2:53 PM, Rich Bowen wrote:
> Well, yes, you could do it with mod_rewrite. You could also presumably use
> a proxypassmatch as part of your tomcat setup if the whitelist is simple
>
Well, yes, you could do it with mod_rewrite. You could also presumably use
a proxypassmatch as part of your tomcat setup if the whitelist is simple
enough to express it as one regex. I expect, though, that mod_security will
give you the biggest ! for your $ in a nontrivial scenario.
On Jul 8, 2016
You can do this with mod_rewrite:
RewriteCond %{REQUEST_URI} !^allowed_url_1$
RewriteCond %{REQUEST_URI} !^allowed_url_2$
...
RewriteCond %{REQUEST_URI} !^allowed_url_N$
RewriteRule .* - [F,L]
--
With Best Regards,
Marat Khalili
On 08/07/16 13:53, Joice Joseph wrote:
You're looking for mod_security
On Jul 8, 2016 06:54, "Joice Joseph" wrote:
> Hi All,
>
> Can someone help me configure Apache so that it blocks all requests
> by default and passes only the specified requests through to the
> Tomcat server.
>
> --
>
Hi All,
Can someone help me configure Apache so that it blocks all requests by
default and passes only the specified requests through to the Tomcat
server.
--
Cheers
*Joice Joseph*
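One way to do what the question above asks, as an added example that is not from the thread or from any of the repliers: make the default rule a deny, and grant (and proxy) only the listed paths, in the spirit of Rich's ProxyPass suggestion. It assumes Apache 2.4 authorization syntax, mod_proxy and mod_proxy_http loaded, Tomcat listening on 127.0.0.1:8080, and two hypothetical allowed paths, /app/login and /app/api/.

```apache
# Added example, not from the thread. Assumes Apache 2.4, mod_proxy and
# mod_proxy_http loaded, Tomcat on 127.0.0.1:8080, and two hypothetical
# allowed paths: /app/login and /app/api/.
<VirtualHost *:80>
    ServerName www.example.com

    # Never act as a forward proxy; only the explicit ProxyPass mappings
    # below are reachable.
    ProxyRequests Off
    ProxyPreserveHost On

    # Default deny: every path is refused with 403 unless a more specific
    # <Location> below grants it. The authorization check runs before
    # mod_proxy forwards anything, so denied requests never reach Tomcat.
    <Location "/">
        Require all denied
    </Location>

    # Allowed paths. <Location> is a prefix match, so "/app/login" also
    # admits "/app/login/anything"; if you need exact matches, put the
    # grant in <LocationMatch "^/app/login$"> or use the anchored
    # RewriteCond chain from Marat's reply.
    <Location "/app/login">
        Require all granted
        ProxyPass        "http://127.0.0.1:8080/app/login"
        ProxyPassReverse "http://127.0.0.1:8080/app/login"
    </Location>

    <Location "/app/api/">
        Require all granted
        ProxyPass        "http://127.0.0.1:8080/app/api/"
        ProxyPassReverse "http://127.0.0.1:8080/app/api/"
    </Location>
</VirtualHost>
```

Check it with `apachectl configtest` before reloading, then confirm the behaviour from outside: a request for a path not listed should come back 403 from Apache with nothing in Tomcat's access log, while the listed paths should appear in both.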