[AusNOG] Some pointers on dealing with a botnet targeting an application server
Richard
richard at staff.msi.net.au
Fri Mar 2 08:38:43 EST 2012
Hi Shane,
Something like this may be of use:
http://www.fail2ban.org/wiki/index.php/Main_Page
You could use similar logic to take action at your border rather than on
individual host machines. It should be pretty simple to grep evil GET
requests from an HTTP log, awk out the correct field, then schedule the
above to occur automatically.
Cheers,
Richard
On Fri, 2012-03-02 at 08:30 +1100, Shane MacPhillamy wrote:
> Hi
>
> We appear to have a botnet trying to target one of our application servers, by posting GETs referencing URI paths like:
>
> ../../../../../../../../../../../../../../../../etc/passwd
> ../../../../../../../../../../../../../../../../etc/passwd%00
> ../../../../../../../../../../../../../../../../proc/self/environ
> ../../../../../../../../../../../../../../../../proc/self/environ%00
> ../../../../../../../../../../../../../../../../proc/self/environ
>
> The addresses that the requests have come from so far are listed at the end of the email. Is there any specific action we can take to stop the activity, or should we just put up with it? Blocking /24 IP address blocks wouldn't appear to be an effective strategy.
>
> Thanks.
>
> Cheers, Shane
>
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
--
Managed Solutions Internet
Office: 1300 663 144
Fax : 07 3812 1751
Disclaimer:
http://msi.net.au/disclaimer
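As an added example (not code from Richard's post or from fail2ban), the grep/awk pipeline he describes, run over a constructed access-log sample: it flags requests whose path carries traversal sequences or the /etc/passwd and /proc/self/environ targets Shane listed, then counts offending source addresses and reports those at or above a threshold. The log format, the 10.0.0.x addresses and the threshold are all assumptions for the demonstration.

```shell
#!/bin/sh
# Constructed combined-format access log lines (not real traffic from the
# thread); the 10.0.0.x addresses are placeholders, not the reported sources.
SAMPLE_LOG='10.0.0.1 - - [02/Mar/2012:08:30:01 +1100] "GET /index.php?page=../../../../../../etc/passwd HTTP/1.1" 404 209 "-" "Mozilla/4.0"
10.0.0.1 - - [02/Mar/2012:08:30:02 +1100] "GET /index.php?page=../../../../../../proc/self/environ%00 HTTP/1.1" 404 209 "-" "Mozilla/4.0"
10.0.0.2 - - [02/Mar/2012:08:30:03 +1100] "GET /about.html HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
10.0.0.3 - - [02/Mar/2012:08:30:04 +1100] "GET /index.php?page=../../etc/passwd HTTP/1.1" 404 209 "-" "Mozilla/4.0"
10.0.0.1 - - [02/Mar/2012:08:30:05 +1100] "GET /index.php?page=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 209 "-" "Mozilla/4.0"
10.0.0.2 - - [02/Mar/2012:08:31:00 +1100] "GET /contact.html HTTP/1.1" 200 900 "-" "Mozilla/5.0"'

# traversal_offenders THRESHOLD < access.log
# Prints "count ip" for every source address whose traversal-style requests
# reach the threshold (default 2), highest count first.
traversal_offenders() {
  threshold="${1:-2}"
  # Literal "../", percent-encoded "..%2F" / "%2e%2e/", and the two sensitive
  # targets seen in the original report; -i covers upper/lower-case encoding.
  grep -iE '(\.\./|\.\.%2f|%2e%2e[/%])|/etc/passwd|/proc/self/environ' \
    | awk '{ print $1 }' \
    | sort | uniq -c \
    | awk -v t="$threshold" '$1 >= t { print $1, $2 }' \
    | sort -rn
}

# Stand-alone run: list addresses with at least two offending requests.
printf '%s\n' "$SAMPLE_LOG" | traversal_offenders 2
```

The resulting addresses are what you would hand to a scheduled block at the border or to a fail2ban-style action, with an expiry so that dynamic addresses are not blocked forever.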