[AusNOG] Some pointers on dealing with a botnet targeting an application server

Andrew Stoker astoker at westpac.com.au
Fri Mar 2 09:53:46 EST 2012


Hi Shane,

I've been getting the following from one of my sites since early Thursday 
morning. It's a WordPress site and I have various things in place along 
with mod_security and mod_evasive on Apache.

Seems to stop any damage from being caused.

doing_wp_cron = ../../../../../../../../../../../../../../../../proc/self/environ
s = ../../../../../../../../../../../../../../../../proc/self/environ


62.169.111.176
85.241.79.114
173.34.19.82
177.60.22.79
187.106.172.115
187.7.37.211
189.55.112.87
201.78.251.90

Regards,
Andrew Stoker

Andrew Stoker | Senior Associate, Senior Analyst Programmer | WIB Technology - Trade Project
Westpac Institutional Bank | 13, 55 Market Street, Sydney, NSW 2000
T +61 2 8254 (1)7673 | F +61 2 8254 (1)0570 | M +61 0438 879 578 | E astoker at westpac.com.au

Shane MacPhillamy <shane at blinkmobile.com.au>
Sent by: ausnog-bounces at lists.ausnog.net
02/03/2012 08:31 AM

To: ausnog at ausnog.net
cc:
Subject: [AusNOG] Some pointers on dealing with a botnet targeting an application server

Hi

We appear to have a botnet trying to target one of our application 
servers, by posting GETs referencing URI paths like:

../../../../../../../../../../../../../../../../etc/passwd
../../../../../../../../../../../../../../../../etc/passwd%00
../../../../../../../../../../../../../../../../proc/self/environ
../../../../../../../../../../../../../../../../proc/self/environ%00
../../../../../../../../../../../../../../../../proc/self/environ

The addresses that the requests have come from so far are listed at the 
end of the email. Is there any specific action we can take to stop the 
activity, or should we just put up with it? Blocking /24 IP address blocks 
wouldn't appear to be an effective strategy.

Thanks.

Cheers, Shane

_______________________________________________
AusNOG mailing list
AusNOG at lists.ausnog.net
http://lists.ausnog.net/mailman/listinfo/ausnog
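As an added illustration (not code from either poster), here is the kind of check that mod_security and mod_evasive are doing for Andrew, written out over Apache access-log lines: it percent-decodes the request target (a second time for double-encoded slashes), flags the "../" climb to /etc/passwd or /proc/self/environ and the trailing %00 null byte, and counts hits per source IP so that noisy sources can be rate-limited individually instead of blocking whole /24s. The log lines, IP addresses and threshold are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed Apache combined-log lines (sample data, not from the thread).
SAMPLE_LOG = """\
192.0.2.10 - - [02/Mar/2012:08:31:01 +1100] "GET /?doing_wp_cron=../../../../../../../../../../../../../../../../proc/self/environ HTTP/1.1" 200 512
192.0.2.10 - - [02/Mar/2012:08:31:02 +1100] "GET /index.php?s=..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd%00 HTTP/1.1" 404 221
192.0.2.10 - - [02/Mar/2012:08:31:03 +1100] "GET /?page=..%252F..%252Fproc%252Fself%252Fenviron HTTP/1.1" 404 221
198.51.100.7 - - [02/Mar/2012:08:31:04 +1100] "GET /wp-cron.php?doing_wp_cron=1330637464 HTTP/1.1" 200 0
198.51.100.7 - - [02/Mar/2012:08:31:05 +1100] "GET /about/ HTTP/1.1" 200 9031
"""

# Minimal combined-log parser: source IP, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Decoded shape of the traffic in the thread: repeated "../" climbing to a
# sensitive pseudo-file, optionally followed by a NUL to truncate an appended suffix.
TRAVERSAL_RE = re.compile(r'(?:\.\./){2,}(?:etc/passwd|proc/self/environ)')
NUL_RE = re.compile(r'\x00')

def decode_target(target, rounds=2):
    """Percent-decode up to `rounds` times so %252F (double-encoded '/') is caught."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def classify(line):
    """Return (ip, indicators) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = decode_target(m.group("target"))
    hits = []
    if TRAVERSAL_RE.search(target):
        hits.append("traversal")
    if NUL_RE.search(target):
        hits.append("nul_byte")
    return m.group("ip"), hits

def scan(log_text, threshold=2):
    """Count traversal hits per source IP and flag IPs at or above `threshold`."""
    per_ip = Counter()
    for line in log_text.splitlines():
        parsed = classify(line)
        if parsed and parsed[1]:
            per_ip[parsed[0]] += 1
    flagged = sorted(ip for ip, n in per_ip.items() if n >= threshold)
    return {"per_ip": dict(per_ip), "flagged": flagged}
```

The benign wp-cron request on 198.51.100.7 is not flagged, which is the point of matching the decoded path rather than the parameter name.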


