<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">If your CMS sends cacheable headers then install something like Squid in front of it. <div><br></div><div>You could also write some apache rules to redirect URL's that match those filenames to <a href="http://localhost">http://localhost</a><br><div><br></div><div><br></div><div><br><div>
<span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; font-size: medium; "><div style="font-size: 0.9em; "><span style="font-size: 1em; font-family: Helvetica; color: rgb(55, 52, 102); font-weight: bold; ">Jacob Gardiner</span><br><span style="font-size: 0.9em; font-family: Helvetica; color: rgb(94, 94, 94); ">National Hosting Manager</span><br><span style="font-size: 0.9em; font-family: Helvetica; font-weight: bold; "><a href="http://www.squiz.com.au/" style="color: rgb(55, 52, 102); ">www.squiz.com.au</a></span><br><br><span style="font-size: 0.8em; font-family: Helvetica; color: rgb(94, 94, 94); ">435a Kent Street</span><br><span style="font-size: 0.8em; font-family: Helvetica; color: rgb(94, 94, 94); ">Sydney NSW 2000</span><br><br><span style="font-size: 0.8em; font-family: Helvetica; color: rgb(55, 53, 101); font-weight: bold; ">P</span>  <span class="Apple-converted-space"> </span><span style="font-size: 0.8em; font-family: Helvetica; color: rgb(94, 94, 94); ">+61 2 9045 2822</span>   <span class="Apple-converted-space"> </span><span style="font-size: 0.8em; font-family: Helvetica; color: rgb(55, 53, 101); font-weight: bold; ">M</span>  <span class="Apple-converted-space"> </span><span style="font-size: 0.8em; font-family: Helvetica; color: rgb(94, 94, 94); ">0424 609 192</span></div></span>
</div>
<br><div><div>On 02/03/2012, at 8:30 AM, Shane MacPhillamy wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div>Hi<br><br>We appear to have a botnet trying to target one of our application servers, by posting GETs referencing URI paths like:<br><br>../../../../../../../../../../../../../../../../etc/passwd<br>../../../../../../../../../../../../../../../../etc/passwd%00<br>../../../../../../../../../../../../../../../../proc/self/environ<br>../../../../../../../../../../../../../../../../proc/self/environ%00<br>../../../../../../../../../../../../../../../../proc/self/environ<br><br>The addresses that the requests have come from so far, are listed at the end of the email. Is there any specific action we can take to stop the activity, or should we just put up with it. Blocking /24 IP address blocks wouldn't appear to be an effective strategy.<br><br>Thanks.<br><br>Cheers, Shane<br><br>120.89.55.2<br>122.167.122.154<br>177.102.83.122<br>177.18.205.121<br>177.33.204.229<br>177.9.128.191<br>177.9.251.8<br>177.98.75.236<br>178.199.169.1<br>186.192.42.2<br>186.218.244.147<br>186.228.40.148<br>187.115.110.51<br>187.127.105.148<br>187.14.60.92<br>187.17.241.162<br>187.5.98.172<br>187.52.72.37<br>187.53.27.26<br>187.53.29.35<br>188.81.207.30<br>188.81.74.191<br>188.82.184.161<br>188.83.68.220<br>188.83.70.21<br>189.1.140.229<br>189.10.66.158<br>189.101.214.240<br>189.110.153.217<br>189.113.131.195<br>189.114.123.217<br>189.123.210.70<br>189.18.162.45<br>189.31.21.208<br>189.31.7.242<br>189.33.251.148<br>189.54.127.48<br>189.58.59.73<br>189.58.98.55<br>190.251.32.59<br>194.65.122.241<br>195.23.154.128<br>195.23.50.162<br>2.81.57.183<br>2.82.18.54<br>2.82.211.212<br>2.83.238.18<br>2.97.214.111<br>200.112.104.118<br>200.159.212.46<br>200.168.101.79<br>200.207.42.57<br>201.1.118.53<br>201.1.186.48<br>201.10.145.133<br>201.13.61.177<br>201.2.26.248<br>201.35.224.132<br>201.42.70.61<br>201.68.48.99<br>201.68.97.124<br>201.85.67.117<br>203.219.176.108<br>212.183.140.19<br>213.190.200.14<br>217.129.134.104<br>41.72.29.139<br>46.189.129.161<br>46.50.71.172<br>58.8.23.65<br>62.28.69.174<br>62.48.229.49<br>77.208.117.148<br>77.54.15.95<br>78.29.186.197<br>79.169.108.69<br>80.224.177.44<br>82.154.174.188<br>82.154.184.5<br>82.154.251.175<br>82.155.195.90<br>82.155.85.177<br>83.240.166.138<br>83.240.247.249<br>85.138.224.194<br>85.240.23.105<br>85.241.79.114<br>85.242.40.109<br>85.244.182.113<br>85.246.0.23<br>85.246.15.72<br>87.254.228.63<br>88.171.235.26<br>88.210.64.47<br>89.180.181.155<br>89.214.239.217<br>90.162.110.155<br>92.250.102.27<br>93.108.179.116<br>95.92.145.117<br>95.92.171.142<br>95.93.94.193<br>_______________________________________________<br>AusNOG mailing list<br><a href="mailto:AusNOG@lists.ausnog.net">AusNOG@lists.ausnog.net</a><br>http://lists.ausnog.net/mailman/listinfo/ausnog<br></div></blockquote></div><br></div></div></body></html>