<p>mod_sec would be the tool of choice to stop this, followed by some glue to your favourite IPS. The question is: what HTTP code was returned by your web server?</p>
<p>Regards,</p>
<p>Peter Tiggerdine</p>
<p><blockquote type="cite">On 02/03/2012 7:30 AM, "Shane MacPhillamy" &lt;<a href="mailto:shane@blinkmobile.com.au">shane@blinkmobile.com.au</a>&gt; wrote:<br><br>Hi<br>
<br>
We appear to have a botnet trying to target one of our application servers, by posting GETs referencing URI paths like:<br>
<br>
../../../../../../../../../../../../../../../../etc/passwd<br>
../../../../../../../../../../../../../../../../etc/passwd%00<br>
../../../../../../../../../../../../../../../../proc/self/environ<br>
../../../../../../../../../../../../../../../../proc/self/environ%00<br>
../../../../../../../../../../../../../../../../proc/self/environ<br>
<br>
The addresses that the requests have come from so far are listed at the end of the email. Is there any specific action we can take to stop the activity, or should we just put up with it? Blocking /24 IP address blocks wouldn't appear to be an effective strategy.<br>

<br>
Thanks.<br>
<br>
Cheers, Shane<br>
<br>
_______________________________________________<br>
AusNOG mailing list<br>
<a href="mailto:AusNOG@lists.ausnog.net">AusNOG@lists.ausnog.net</a><br>
<a href="http://lists.ausnog.net/mailman/listinfo/ausnog" target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a><br>
</blockquote></p>
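<p>One way to answer the question about returned HTTP codes, as an added example that is not part of the original thread: the script below scans access-log lines for the traversal probes described above and tallies the status codes the server sent back, flagging any source that received a 2xx. It assumes Apache/nginx "combined" log format; the sample lines and their addresses are constructed.</p>

```python
import re
from collections import Counter
from urllib.parse import unquote

# Assumed "combined" log prefix: client ip, request line, status code.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')
SENSITIVE = ("/etc/passwd", "/proc/self/environ")  # files probed in the thread

def is_traversal(raw_path):
    """True if the path, after two rounds of percent-decoding, contains
    a ../ sequence, a NUL byte, or one of the probed files."""
    path = raw_path
    for _ in range(2):               # second pass catches %252e-style double encoding
        path = unquote(path)
    path = path.replace("\\", "/")
    return ("../" in path or "\x00" in path
            or any(s in path for s in SENSITIVE))

def triage(lines):
    """Return (Counter of status codes for probes, set of IPs answered with 2xx)."""
    statuses, served = Counter(), set()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not is_traversal(m.group(3)):
            continue
        ip, status = m.group(1), int(m.group(4))
        statuses[status] += 1
        if 200 <= status < 300:      # server returned content: investigate first
            served.add(ip)
    return statuses, served

# Constructed sample lines (documentation address ranges, not the thread's data).
SAMPLE = [
    '192.0.2.10 - - [02/Mar/2012:07:01:02 +1100] "GET /../../../../etc/passwd HTTP/1.1" 400 226 "-" "-"',
    '198.51.100.7 - - [02/Mar/2012:07:01:05 +1100] "GET /..%2f..%2f..%2fproc%2fself%2fenviron%00 HTTP/1.1" 200 1843 "-" "-"',
    '203.0.113.5 - - [02/Mar/2012:07:01:09 +1100] "GET /img/logo.png HTTP/1.1" 200 5120 "-" "-"',
    '192.0.2.44 - - [02/Mar/2012:07:01:11 +1100] "GET /%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 404 209 "-" "-"',
]

if __name__ == "__main__":
    statuses, served = triage(SAMPLE)
    print("status codes for traversal probes:", dict(statuses))
    print("sources that got a 2xx (check these first):", sorted(served))
```

<p>If every probe shows 400 or 404, the requests are noise that a mod_security rule can drop; any 2xx means the response body for that request needs to be reviewed.</p>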