[AusNOG] Some pointers on dealing with a botnet targeting an application server

Shane MacPhillamy shane at blinkmobile.com.au
Fri Mar 2 08:30:28 EST 2012


Hi

We appear to have a botnet trying to target one of our application servers, by posting GETs referencing URI paths like:

../../../../../../../../../../../../../../../../etc/passwd
../../../../../../../../../../../../../../../../etc/passwd%00
../../../../../../../../../../../../../../../../proc/self/environ
../../../../../../../../../../../../../../../../proc/self/environ%00
../../../../../../../../../../../../../../../../proc/self/environ

The addresses that the requests have come from so far are listed at the end of the email. Is there any specific action we can take to stop the activity, or should we just put up with it? Blocking /24 IP address blocks wouldn't appear to be an effective strategy.

Thanks.

Cheers, Shane

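Added example (not part of the original post): because the probes arrive from many unrelated addresses, this Python code flags them by request content rather than by source, percent-decoding the request target repeatedly and checking for `..` path segments and NUL bytes. The access-log format, the sample lines (documentation addresses) and all function names are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines in common log format; the addresses are
# documentation ranges (RFC 5737), not taken from the post.
SAMPLE_LOG = """\
192.0.2.10 - - [02/Mar/2012:08:01:11 +1100] "GET /app/view?page=../../../../etc/passwd HTTP/1.1" 404 210
198.51.100.7 - - [02/Mar/2012:08:01:12 +1100] "GET /app/view?page=..%2F..%2F..%2Fproc%2Fself%2Fenviron%00 HTTP/1.1" 404 210
203.0.113.5 - - [02/Mar/2012:08:01:13 +1100] "GET /app/view?page=%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 210
192.0.2.44 - - [02/Mar/2012:08:01:14 +1100] "GET /docs/v1..2/release-notes.html HTTP/1.1" 200 5120
192.0.2.10 - - [02/Mar/2012:08:01:15 +1100] "GET /index.html HTTP/1.1" 200 1043
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
DOTDOT_SEGMENT = re.compile(r'(^|[/\\=&?])\.\.([/\\]|$)')

def fully_decode(target, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input (%252e) is seen."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def classify(target):
    """Return the set of reasons a request target looks like a traversal probe."""
    decoded = fully_decode(target)
    reasons = set()
    if DOTDOT_SEGMENT.search(decoded):
        reasons.add("dotdot-segment")
    if "\x00" in decoded:
        reasons.add("nul-byte")
    return reasons

def scan(log_text):
    """Return (hits, per_source): flagged requests and a count per client address."""
    hits, per_source = [], Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, _method, target, _status = m.groups()
        reasons = classify(target)
        if reasons:
            hits.append((src, target, sorted(reasons)))
            per_source[src] += 1
    return hits, per_source
```

On the sample, each flagged request comes from a different address with a count of one, so a per-address threshold would see nothing unusual while the content check catches all three.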

