<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">Hi Andrew<div><br></div><div>Thanks for your perspective. We have taken pretty much a similar strategy, plus putting additional measures in place.</div><div><br></div><div>Cheers, Shane<br><div><div>On 02/03/2012, at 9:53 AM, Andrew Stoker wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite">
<br><font size="2" face="sans-serif">Hi Shane,</font>
<br>
<br><font size="2" face="sans-serif">I've been getting the following from
one of my sites since early Thursday morning. It's a WordPress Site and
I have various things in place along with mod_security and mod-evasive
on Apache.</font>
<br>
<br><font size="2" face="sans-serif">Seems to stop any damage from being
caused.</font>
<br>
<br><font size="2" face="sans-serif">doing_wp_cron = ../../../../../../../../../../../../../../../../proc/self/environ</font>
<br><font size="2" face="sans-serif">s = ../../../../../../../../../../../../../../../../proc/self/environ</font>
<br><font size="2" face="sans-serif">doing_wp_cron = ../../../../../../../../../../../../../../../../proc/self/environ</font>
<br><font size="2" face="sans-serif">doing_wp_cron = ../../../../../../../../../../../../../../../../proc/self/environ</font>
<br><font size="2" face="sans-serif">doing_wp_cron = ../../../../../../../../../../../../../../../../proc/self/environ</font>
<br><font size="2" face="sans-serif">doing_wp_cron = ../../../../../../../../../../../../../../../../proc/self/environ</font>
<br><font size="2" face="sans-serif">doing_wp_cron = ../../../../../../../../../../../../../../../../proc/self/environ</font>
<br><font size="2" face="sans-serif">doing_wp_cron = ../../../../../../../../../../../../../../../../proc/self/environ</font>
<br>
<br>
<br><font size="2" face="sans-serif">62.169.111.176</font>
<br><font size="2" face="sans-serif">85.241.79.114</font>
<br><font size="2" face="sans-serif">173.34.19.82</font>
<br><font size="2" face="sans-serif">177.60.22.79</font>
<br><font size="2" face="sans-serif">187.106.172.115</font>
<br><font size="2" face="sans-serif">187.7.37.211</font>
<br><font size="2" face="sans-serif">189.55.112.87</font>
<br><font size="2" face="sans-serif">201.78.251.90<br>
</font>
<table>
<tbody><tr>
<td><font size="2" face="Default">Regards,<br>
Andrew Stoker</font><font size="1" color="#808080" face="Arial"><br>
<b><br>
Andrew Stoker</b> | Senior Associate,Senior Analyst Programmer | WIB Technology
- Trade Project<b><br>
Westpac Institutional Bank</b> | 13, 55 Market Street, Sydney, NSW 2000<b><br>
T</b> +61 2 8254 (1)7673 | <b>F</b> +61 2 8254 (1)0570 | <b>M</b> +61 0438
879 578 | <b>E</b> </font><a href="mailto:astoker@westpac.com.au"><font size="1" color="blue" face="Arial"><u>astoker@westpac.com.au</u></font></a>
</td><td>
</td><td>
</td></tr><tr>
<td>
</td><td>
</td><td><span><Mail Attachment.gif></span></td></tr></tbody></table>
<br>
<br>
<br>
<br>
<table width="100%">
<tbody><tr valign="top">
<td width="40%"><font size="1" face="sans-serif"><b>Shane MacPhillamy <<a href="mailto:shane@blinkmobile.com.au">shane@blinkmobile.com.au</a>></b>
</font>
<br><font size="1" face="sans-serif">Sent by: <a href="mailto:ausnog-bounces@lists.ausnog.net">ausnog-bounces@lists.ausnog.net</a></font><p><font size="1" face="sans-serif">02/03/2012 08:31 AM</font>
</p></td><td width="59%">
<table width="100%">
<tbody><tr valign="top">
<td>
<div align="right"><font size="1" face="sans-serif">To</font></div>
</td><td><font size="1" face="sans-serif"><a href="mailto:ausnog@ausnog.net">ausnog@ausnog.net</a></font>
</td></tr><tr valign="top">
<td>
<div align="right"><font size="1" face="sans-serif">cc</font></div>
</td><td>
</td></tr><tr valign="top">
<td>
<div align="right"><font size="1" face="sans-serif">Subject</font></div>
</td><td><font size="1" face="sans-serif">[AusNOG] Some pointers on dealing with
a botnet targeting an application server</font></td></tr></tbody></table>
<br>
<table>
<tbody><tr valign="top">
<td>
</td><td></td></tr></tbody></table>
<br></td></tr></tbody></table>
<br>
<br>
<br><tt><font size="2">Hi<br>
<br>
We appear to have a botnet trying to target one of our application servers,
by posting GETs referencing URI paths like:<br>
<br>
../../../../../../../../../../../../../../../../etc/passwd<br>
../../../../../../../../../../../../../../../../etc/passwd%00<br>
../../../../../../../../../../../../../../../../proc/self/environ<br>
../../../../../../../../../../../../../../../../proc/self/environ%00<br>
../../../../../../../../../../../../../../../../proc/self/environ<br>
<br>
The addresses that the requests have come from so far, are listed at the
end of the email. Is there any specific action we can take to stop the
activity, or should we just put up with it. Blocking /24 IP address blocks
wouldn't appear to be an effective strategy.<br>
<br>
Thanks.<br>
<br>
Cheers, Shane<br>
<br>
120.89.55.2<br>
122.167.122.154<br>
177.102.83.122<br>
177.18.205.121<br>
177.33.204.229<br>
177.9.128.191<br>
177.9.251.8<br>
177.98.75.236<br>
178.199.169.1<br>
186.192.42.2<br>
186.218.244.147<br>
186.228.40.148<br>
187.115.110.51<br>
187.127.105.148<br>
187.14.60.92<br>
187.17.241.162<br>
187.5.98.172<br>
187.52.72.37<br>
187.53.27.26<br>
187.53.29.35<br>
188.81.207.30<br>
188.81.74.191<br>
188.82.184.161<br>
188.83.68.220<br>
188.83.70.21<br>
189.1.140.229<br>
189.10.66.158<br>
189.101.214.240<br>
189.110.153.217<br>
189.113.131.195<br>
189.114.123.217<br>
189.123.210.70<br>
189.18.162.45<br>
189.31.21.208<br>
189.31.7.242<br>
189.33.251.148<br>
189.54.127.48<br>
189.58.59.73<br>
189.58.98.55<br>
190.251.32.59<br>
194.65.122.241<br>
195.23.154.128<br>
195.23.50.162<br>
2.81.57.183<br>
2.82.18.54<br>
2.82.211.212<br>
2.83.238.18<br>
2.97.214.111<br>
200.112.104.118<br>
200.159.212.46<br>
200.168.101.79<br>
200.207.42.57<br>
201.1.118.53<br>
201.1.186.48<br>
201.10.145.133<br>
201.13.61.177<br>
201.2.26.248<br>
201.35.224.132<br>
201.42.70.61<br>
201.68.48.99<br>
201.68.97.124<br>
201.85.67.117<br>
203.219.176.108<br>
212.183.140.19<br>
213.190.200.14<br>
217.129.134.104<br>
41.72.29.139<br>
46.189.129.161<br>
46.50.71.172<br>
58.8.23.65<br>
62.28.69.174<br>
62.48.229.49<br>
77.208.117.148<br>
77.54.15.95<br>
78.29.186.197<br>
79.169.108.69<br>
80.224.177.44<br>
82.154.174.188<br>
82.154.184.5<br>
82.154.251.175<br>
82.155.195.90<br>
82.155.85.177<br>
83.240.166.138<br>
83.240.247.249<br>
85.138.224.194<br>
85.240.23.105<br>
85.241.79.114<br>
85.242.40.109<br>
85.244.182.113<br>
85.246.0.23<br>
85.246.15.72<br>
87.254.228.63<br>
88.171.235.26<br>
88.210.64.47<br>
89.180.181.155<br>
89.214.239.217<br>
90.162.110.155<br>
92.250.102.27<br>
93.108.179.116<br>
95.92.145.117<br>
95.92.171.142<br>
95.93.94.193<br>
_______________________________________________<br>
AusNOG mailing list<br>
<a href="mailto:AusNOG@lists.ausnog.net">AusNOG@lists.ausnog.net</a><br>
<a href="http://lists.ausnog.net/mailman/listinfo/ausnog">http://lists.ausnog.net/mailman/listinfo/ausnog</a><br>
</font></tt>
<br>
<br clear="both">
Unless otherwise stated, this email is confidential. If received in error, please delete and inform the sender by return email. Unauthorised use, copying or distribution is prohibited. Westpac Banking Corporation (ABN 33 007 457 141) is not responsible for viruses, or for delays, errors or interception in transmission. Unless stated or apparent from its terms, any opinion is not the opinion of Westpac Banking Corporation. This message also includes information on Westpac Institutional Bank available at <a href="http://westpac.com.au/wibinfo">westpac.com.au/wibinfo</a><br>
_______________________________________________<br>AusNOG mailing list<br><a href="mailto:AusNOG@lists.ausnog.net">AusNOG@lists.ausnog.net</a><br>http://lists.ausnog.net/mailman/listinfo/ausnog<br></blockquote></div><br></div></body></html>