[AusNOG] Some pointers on dealing with a botnet targeting an application server

Peter Tiggerdine ptiggerdine at gmail.com
Fri Mar 2 08:37:54 EST 2012


mod_sec would be the tool of choice to stop this, followed by some glue to
your favourite IPS. The question is: what HTTP code was returned by your web
server?

Regards,

Peter Tiggerdine
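As an added example (not part of the thread), this is the check Peter's question implies: a Python script that scans Apache combined-format access-log lines for the traversal probes Shane quotes below, records which HTTP status each probe received, and counts how many distinct /24s the sources span. The log lines and RFC 5737 addresses are constructed for the example.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Constructed Apache combined-format lines (documentation addresses, not real sources).
SAMPLE_LOG = """\
192.0.2.10 - - [02/Mar/2012:07:01:12 +1100] "GET /index.php?page=../../../../../../../../../../../../../../../../etc/passwd HTTP/1.1" 404 210 "-" "Mozilla/4.0"
198.51.100.7 - - [02/Mar/2012:07:01:15 +1100] "GET /index.php?page=../../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 200 5120 "-" "libwww-perl/5.8"
192.0.2.44 - - [02/Mar/2012:07:02:01 +1100] "GET /app/login HTTP/1.1" 200 1832 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Mar/2012:07:02:40 +1100] "GET /..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 403 199 "-" "libwww-perl/5.8"
203.0.113.9 - - [02/Mar/2012:07:03:05 +1100] "GET /cgi/%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 404 210 "-" "Mozilla/4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
SENSITIVE = ("/etc/passwd", "/proc/self/environ")

def normalize(uri):
    """URL-decode repeatedly (catches %252e double encoding) and unify slashes."""
    prev, cur = None, uri
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur.replace("\\", "/")

def classify(uri):
    """Return the reasons a request URI looks like a traversal probe; empty if benign."""
    norm = normalize(uri)
    reasons = []
    if "../" in norm:
        reasons.append("dot-dot traversal")
    if "\x00" in norm:          # %00 null-byte truncation trick
        reasons.append("null byte")
    reasons.extend("targets " + p for p in SENSITIVE if p in norm)
    return reasons

def summarize(log_text):
    """Per-source: probe count, status codes the server answered with, and reasons."""
    per_ip = defaultdict(lambda: {"hits": 0, "statuses": Counter(), "reasons": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        reasons = classify(m["uri"]) if m else []
        if not reasons:
            continue
        rec = per_ip[m["ip"]]
        rec["hits"] += 1
        rec["statuses"][int(m["status"])] += 1
        rec["reasons"].update(reasons)
    return per_ip

def served_with_200(summary):
    """Sources whose probe got a 200: the server served something, so check those first."""
    return sorted(ip for ip, rec in summary.items() if 200 in rec["statuses"])

def slash24_coverage(summary):
    """(distinct /24s, distinct IPs): when equal, /24 blocks cover nothing beyond single IPs."""
    nets = {".".join(ip.split(".")[:3]) for ip in summary}
    return len(nets), len(summary)
```

A 404 or 403 on a probe means the server rejected it; a 200 needs a look at what the application actually returned before deciding whether a WAF rule alone is enough.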

On 02/03/2012 7:30 AM, "Shane MacPhillamy" <shane at blinkmobile.com.au> wrote:

Hi

We appear to have a botnet trying to target one of our application servers,
by posting GETs referencing URI paths like:

../../../../../../../../../../../../../../../../etc/passwd
../../../../../../../../../../../../../../../../etc/passwd%00
../../../../../../../../../../../../../../../../proc/self/environ
../../../../../../../../../../../../../../../../proc/self/environ%00
../../../../../../../../../../../../../../../../proc/self/environ

The addresses that the requests have come from so far are listed at the
end of the email. Is there any specific action we can take to stop the
activity, or should we just put up with it? Blocking /24 IP address blocks
wouldn't appear to be an effective strategy.

Thanks.

Cheers, Shane
