[AusNOG] Some pointers on dealing with a botnet targeting an application server

Jacob Gardiner jgardiner at squiz.com.au
Fri Mar 2 08:45:17 EST 2012


If your CMS sends cacheable headers then install something like Squid in front of it. 

You could also write some Apache rules to redirect URLs that match those filenames to http://localhost.



Jacob Gardiner
National Hosting Manager
www.squiz.com.au

435a Kent Street
Sydney NSW 2000

P   +61 2 9045 2822    M   0424 609 192
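One way to triage probes like the ones Shane describes and to check whether blocking by /24 would actually help, as an added example that is not part of this thread: the script below parses Apache combined-format access log lines (an assumption about the server's log format), decodes the percent-encoded and %00-terminated variants before matching, and groups the probing sources by /24. The sample log is constructed on TEST-NET addresses and is not real traffic.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import unquote

# Client address and request path from an Apache combined-format log line.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) \S+" \d{3}')
# Files the probes in the thread aim at through ../ sequences.
TARGETS = ("/etc/passwd", "/proc/self/environ")

def normalise(path: str) -> str:
    """Percent-decode twice (catches %252e double encoding) and cut at the
    first NUL, which the %00 variants append to truncate the file name."""
    return unquote(unquote(path)).split("\x00", 1)[0]

def is_traversal(path: str) -> bool:
    """True if the decoded path climbs with ../ and ends in a target file."""
    p = normalise(path)
    return "../" in p and p.endswith(TARGETS)

def scan(lines):
    """Return (hits, sources): (ip, raw path) pairs and probes per client IP."""
    hits, sources = [], Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_traversal(m.group(2)):
            hits.append((m.group(1), m.group(2)))
            sources[m.group(1)] += 1
    return hits, sources

def by_prefix(sources, prefixlen=24):
    """Count probing IPs per /prefixlen network; if nearly every network holds
    a single IP, blocking whole /24s buys little, as Shane observed."""
    nets = Counter()
    for ip in sources:
        nets[str(ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False))] += 1
    return nets

# Constructed sample log using TEST-NET addresses; not real traffic.
SAMPLE_LOG = """\
198.51.100.12 - - [02/Mar/2012:08:01:12 +1100] "GET /index.php?p=../../../../../../etc/passwd HTTP/1.1" 404 512 "-" "Mozilla/4.0"
198.51.100.40 - - [02/Mar/2012:08:01:15 +1100] "GET /index.php?p=../../../../../../proc/self/environ%00 HTTP/1.1" 404 512 "-" "Mozilla/4.0"
203.0.113.9 - - [02/Mar/2012:08:02:01 +1100] "GET /index.php?p=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 512 "-" "-"
203.0.113.7 - - [02/Mar/2012:08:02:30 +1100] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.12 - - [02/Mar/2012:08:03:00 +1100] "GET /index.php?p=%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 512 "-" "-"
""".splitlines()

if __name__ == "__main__":
    hits, sources = scan(SAMPLE_LOG)
    print(f"{len(hits)} probes from {len(sources)} IPs across {len(by_prefix(sources))} /24s")
```

Feed it your real access log with `scan(open("access.log"))`; a large source count spread one IP per /24 is the signature of a botnet that per-prefix blocking will not contain.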

On 02/03/2012, at 8:30 AM, Shane MacPhillamy wrote:

> Hi
> 
> We appear to have a botnet trying to target one of our application servers, by posting GETs referencing URI paths like:
> 
> ../../../../../../../../../../../../../../../../etc/passwd
> ../../../../../../../../../../../../../../../../etc/passwd%00
> ../../../../../../../../../../../../../../../../proc/self/environ
> ../../../../../../../../../../../../../../../../proc/self/environ%00
> ../../../../../../../../../../../../../../../../proc/self/environ
> 
> The addresses that the requests have come from so far are listed at the end of the email. Is there any specific action we can take to stop the activity, or should we just put up with it? Blocking /24 IP address blocks wouldn't appear to be an effective strategy.
> 
> Thanks.
> 
> Cheers, Shane
> 
