<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">Hi Andrew<div><br></div><div>Thanks for your perspective. We have taken pretty much a similar strategy, plus putting additional measures in place.</div><div><br></div><div>Cheers, Shane<br><div><div>On 02/03/2012, at 9:53 AM, Andrew Stoker wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite">
<br><font size="2" face="sans-serif">Hi Shane,</font>
<br>
<br><font size="2" face="sans-serif">I've been getting the following from
one of my sites since early Thursday morning. It's a WordPress site and
I have various things in place along with mod_security and mod_evasive
on Apache.</font>
<br>
<br><font size="2" face="sans-serif">Seems to stop any damage from being
caused.</font>
<br>
<br><font size="2" face="sans-serif">doing_wp_cron = ../../../../../../../../../../../../../../../../proc/self/environ</font>
<br><font size="2" face="sans-serif">s = ../../../../../../../../../../../../../../../../proc/self/environ</font>
<br><font size="2" face="sans-serif">doing_wp_cron = ../../../../../../../../../../../../../../../../proc/self/environ</font>
<br><font size="2" face="sans-serif">doing_wp_cron = ../../../../../../../../../../../../../../../../proc/self/environ</font>
<br><font size="2" face="sans-serif">doing_wp_cron = ../../../../../../../../../../../../../../../../proc/self/environ</font>
<br><font size="2" face="sans-serif">doing_wp_cron = ../../../../../../../../../../../../../../../../proc/self/environ</font>
<br><font size="2" face="sans-serif">doing_wp_cron = ../../../../../../../../../../../../../../../../proc/self/environ</font>
<br><font size="2" face="sans-serif">doing_wp_cron = ../../../../../../../../../../../../../../../../proc/self/environ</font>
<br>
<br>
<br><font size="2" face="sans-serif">62.169.111.176</font>
<br><font size="2" face="sans-serif">85.241.79.114</font>
<br><font size="2" face="sans-serif">173.34.19.82</font>
<br><font size="2" face="sans-serif">177.60.22.79</font>
<br><font size="2" face="sans-serif">187.106.172.115</font>
<br><font size="2" face="sans-serif">187.7.37.211</font>
<br><font size="2" face="sans-serif">189.55.112.87</font>
<br><font size="2" face="sans-serif">201.78.251.90<br>
</font>
<table>
<tbody><tr>
<td><font size="2" face="Default">Regards,<br>
Andrew Stoker</font><font size="1" color="#808080" face="Arial"><br>
<b><br>
Andrew Stoker</b> | Senior Associate, Senior Analyst Programmer | WIB Technology
- Trade Project<b><br>
Westpac Institutional Bank</b> | 13, 55 Market Street, Sydney, NSW 2000<b><br>
T</b> +61 2 8254 (1)7673 | <b>F</b> +61 2 8254 (1)0570 | <b>M</b> +61 0438
879 578 | <b>E</b> </font><a href="mailto:astoker@westpac.com.au"><font size="1" color="blue" face="Arial"><u>astoker@westpac.com.au</u></font></a>
</td><td>
</td><td>
</td></tr><tr>
<td>
</td><td>
</td><td></td></tr></tbody></table>
<br>
<br>
<br>
<br>
<table width="100%">
<tbody><tr valign="top">
<td width="40%"><font size="1" face="sans-serif"><b>Shane MacPhillamy <<a href="mailto:shane@blinkmobile.com.au">shane@blinkmobile.com.au</a>></b>
</font>
<br><font size="1" face="sans-serif">Sent by: <a href="mailto:ausnog-bounces@lists.ausnog.net">ausnog-bounces@lists.ausnog.net</a></font><p><font size="1" face="sans-serif">02/03/2012 08:31 AM</font>
</p></td><td width="59%">
<table width="100%">
<tbody><tr valign="top">
<td>
<div align="right"><font size="1" face="sans-serif">To</font></div>
</td><td><font size="1" face="sans-serif"><a href="mailto:ausnog@ausnog.net">ausnog@ausnog.net</a></font>
</td></tr><tr valign="top">
<td>
<div align="right"><font size="1" face="sans-serif">cc</font></div>
</td><td>
</td></tr><tr valign="top">
<td>
<div align="right"><font size="1" face="sans-serif">Subject</font></div>
</td><td><font size="1" face="sans-serif">[AusNOG] Some pointers on dealing with
a botnet targeting an application server</font></td></tr></tbody></table>
<br>
<table>
<tbody><tr valign="top">
<td>
</td><td></td></tr></tbody></table>
<br></td></tr></tbody></table>
<br>
<br>
<br><tt><font size="2">Hi<br>
<br>
We appear to have a botnet trying to target one of our application servers,
by posting GETs referencing URI paths like:<br>
<br>
../../../../../../../../../../../../../../../../etc/passwd<br>
../../../../../../../../../../../../../../../../etc/passwd%00<br>
../../../../../../../../../../../../../../../../proc/self/environ<br>
../../../../../../../../../../../../../../../../proc/self/environ%00<br>
../../../../../../../../../../../../../../../../proc/self/environ<br>
<br>
The addresses that the requests have come from so far are listed at the
end of the email. Is there any specific action we can take to stop the
activity, or should we just put up with it? Blocking /24 IP address blocks
wouldn't appear to be an effective strategy.<br>
<br>
Thanks.<br>
<br>
Cheers, Shane<br>
<br>
120.89.55.2<br>
122.167.122.154<br>
177.102.83.122<br>
177.18.205.121<br>
177.33.204.229<br>
177.9.128.191<br>
177.9.251.8<br>
177.98.75.236<br>
178.199.169.1<br>
186.192.42.2<br>
186.218.244.147<br>
186.228.40.148<br>
187.115.110.51<br>
187.127.105.148<br>
187.14.60.92<br>
187.17.241.162<br>
187.5.98.172<br>
187.52.72.37<br>
187.53.27.26<br>
187.53.29.35<br>
188.81.207.30<br>
188.81.74.191<br>
188.82.184.161<br>
188.83.68.220<br>
188.83.70.21<br>
189.1.140.229<br>
189.10.66.158<br>
189.101.214.240<br>
189.110.153.217<br>
189.113.131.195<br>
189.114.123.217<br>
189.123.210.70<br>
189.18.162.45<br>
189.31.21.208<br>
189.31.7.242<br>
189.33.251.148<br>
189.54.127.48<br>
189.58.59.73<br>
189.58.98.55<br>
190.251.32.59<br>
194.65.122.241<br>
195.23.154.128<br>
195.23.50.162<br>
2.81.57.183<br>
2.82.18.54<br>
2.82.211.212<br>
2.83.238.18<br>
2.97.214.111<br>
200.112.104.118<br>
200.159.212.46<br>
200.168.101.79<br>
200.207.42.57<br>
201.1.118.53<br>
201.1.186.48<br>
201.10.145.133<br>
201.13.61.177<br>
201.2.26.248<br>
201.35.224.132<br>
201.42.70.61<br>
201.68.48.99<br>
201.68.97.124<br>
201.85.67.117<br>
203.219.176.108<br>
212.183.140.19<br>
213.190.200.14<br>
217.129.134.104<br>
41.72.29.139<br>
46.189.129.161<br>
46.50.71.172<br>
58.8.23.65<br>
62.28.69.174<br>
62.48.229.49<br>
77.208.117.148<br>
77.54.15.95<br>
78.29.186.197<br>
79.169.108.69<br>
80.224.177.44<br>
82.154.174.188<br>
82.154.184.5<br>
82.154.251.175<br>
82.155.195.90<br>
82.155.85.177<br>
83.240.166.138<br>
83.240.247.249<br>
85.138.224.194<br>
85.240.23.105<br>
85.241.79.114<br>
85.242.40.109<br>
85.244.182.113<br>
85.246.0.23<br>
85.246.15.72<br>
87.254.228.63<br>
88.171.235.26<br>
88.210.64.47<br>
89.180.181.155<br>
89.214.239.217<br>
90.162.110.155<br>
92.250.102.27<br>
93.108.179.116<br>
95.92.145.117<br>
95.92.171.142<br>
95.93.94.193<br>
_______________________________________________<br>
AusNOG mailing list<br>
<a href="mailto:AusNOG@lists.ausnog.net">AusNOG@lists.ausnog.net</a><br>
<a href="http://lists.ausnog.net/mailman/listinfo/ausnog">http://lists.ausnog.net/mailman/listinfo/ausnog</a><br>
</font></tt>
<br>
<br clear="both">
</blockquote></div><br></div></body></html>
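<div>The requests quoted in this thread are directory-traversal / local-file-inclusion probes: if a script passes an attacker-controlled parameter such as <tt>doing_wp_cron</tt> or <tt>s</tt> to a file include, the traversal reaches <tt>/etc/passwd</tt> or <tt>/proc/self/environ</tt> (the latter contains the request's own headers, which is why it is a favourite target), and the trailing <tt>%00</tt> is the null-byte truncation trick against an appended file extension. Nothing in the thread says either site was actually vulnerable; both posters report the requests being blocked. The script below is an added example, not code from the thread or from either poster's setup: it scans Apache combined-format access-log lines for these probes (decoding <tt>%2F</tt>, <tt>%00</tt> and double-encoded variants before matching), lists the offending hosts, and, using the eight addresses Andrew reported, counts how many /24 prefixes a naive prefix block would need, which is the point behind Shane's remark that blocking /24s is not an effective strategy. The log lines are constructed for the example (probe paths and parameter names are the ones quoted above; timestamps, user agents and the benign requests are made up), and the function names <tt>scan</tt>, <tt>offenders</tt> and <tt>prefix_cost</tt> are the example's own.</div>

```python
"""Spot traversal / LFI probes of the kind quoted in the thread in Apache
access logs, tally them per source host, and measure the cost of a /24 block.
Added example; not code from the AusNOG thread or either poster's site."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network
from urllib.parse import unquote

# The eight source addresses Andrew listed in the thread (from the page).
REPORTED_SOURCES = [
    "62.169.111.176", "85.241.79.114", "173.34.19.82", "177.60.22.79",
    "187.106.172.115", "187.7.37.211", "189.55.112.87", "201.78.251.90",
]

# Constructed Apache "combined"-format lines. Probe paths and the
# doing_wp_cron / s parameter names mirror the thread; the probe sources are
# drawn from REPORTED_SOURCES; timestamps, user agents, the benign requests
# and the double-encoded variant on the last line are made up.
SAMPLE_LOG = """\
187.7.37.211 - - [02/Mar/2012:01:12:03 +1100] "GET /wp-cron.php?doing_wp_cron=../../../../../../../../../../../../../../../../proc/self/environ HTTP/1.1" 403 199 "-" "Mozilla/5.0"
85.241.79.114 - - [02/Mar/2012:01:12:09 +1100] "GET /index.php?s=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd%00 HTTP/1.1" 403 199 "-" "Mozilla/5.0"
189.55.112.87 - - [02/Mar/2012:01:13:44 +1100] "GET /?doing_wp_cron=../../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.0" 403 199 "-" "libwww-perl/5.805"
203.0.113.7 - - [02/Mar/2012:01:14:01 +1100] "GET /wp-cron.php?doing_wp_cron=1330603441.123 HTTP/1.1" 200 0 "-" "WordPress/3.3.1"
198.51.100.9 - - [02/Mar/2012:01:14:20 +1100] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
201.78.251.90 - - [02/Mar/2012:01:15:02 +1100] "GET /?doing_wp_cron=%252e%252e%252f%252e%252e%252fproc%252fself%252fenviron HTTP/1.1" 200 0 "-" "Mozilla/5.0"
"""

# host ident user [time] "METHOD target [proto]" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: \S+)?" (?P<status>\d{3}) '
)
TRAVERSAL = re.compile(r"\.\./")
# the interesting file, followed by a null byte, end of string or a delimiter
SENSITIVE = re.compile(r"(?:^|/)(?:etc/passwd|proc/self/environ)(?:\x00|$|[?&#])")


def normalize(target: str) -> str:
    """Percent-decode until stable (at most three rounds, which defeats the
    double-encoding trick) and fold backslashes into forward slashes."""
    cur = target
    for _ in range(3):
        nxt = unquote(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur.replace("\\", "/")


def is_lfi_probe(target: str) -> bool:
    """True when the decoded request target both traverses upward and names
    one of the files these scanners go after."""
    decoded = normalize(target)
    return bool(TRAVERSAL.search(decoded) and SENSITIVE.search(decoded))


def scan(log_text: str) -> list:
    """Return one record per probe request found in the log text."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_lfi_probe(m["target"]):
            continue
        decoded = normalize(m["target"])
        hits.append({
            "ip": m["ip"],
            "target": decoded.replace("\x00", "%00"),  # printable form
            "null_byte": "\x00" in decoded,
            "status": int(m["status"]),
        })
    return hits


def offenders(hits: list, threshold: int = 1) -> list:
    """Hosts that sent at least `threshold` probes, in address order."""
    counts = Counter(h["ip"] for h in hits)
    return sorted((ip for ip, n in counts.items() if n >= threshold), key=ip_address)


def prefix_cost(ips: list, prefix_len: int = 24) -> tuple:
    """(number of prefixes, addresses covered) for a naive /prefix_len block."""
    nets = {ip_network(f"{ip}/{prefix_len}", strict=False) for ip in ips}
    return len(nets), sum(n.num_addresses for n in nets)


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ip']:16} {h['status']} null_byte={h['null_byte']!s:5} {h['target']}")
    print("offending hosts:", offenders(hits))
    n, covered = prefix_cost(REPORTED_SOURCES)
    print(f"/24 blocks needed for {len(REPORTED_SOURCES)} reported hosts: {n} "
          f"(covering {covered} addresses to stop {len(REPORTED_SOURCES)})")
```

<div>The per-host list is what a fail2ban-style jail would act on; the /24 figure shows why Shane's instinct was right: the reported hosts each sit in a different /24, so a prefix block costs 256 addresses of collateral per bot and gains nothing over blocking the single address. The decode-until-stable step matters in practice: the last constructed line is double-encoded and would slip past a filter that decodes only once.</div>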