[AusNOG] Some pointers on dealing with a botnet targeting an application server

Shane MacPhillamy shane at blinkmobile.com.au
Fri Mar 2 08:51:02 EST 2012


Hi Peter

The response to this request is something along the lines of "invalid request".

Cheers, Shane
On 02/03/2012, at 8:37 AM, Peter Tiggerdine wrote:

> mod_sec would be the tool of choice to stop this followed by some glue to your favourite IPS. The question is what http code was returned by your web server?
> 
> Regards,
> 
> Peter Tiggerdine
> 
> 
>> On 02/03/2012 7:30 AM, "Shane MacPhillamy" <shane at blinkmobile.com.au> wrote:
>> 
>> Hi
>> 
>> We appear to have a botnet trying to target one of our application servers, by posting GETs referencing URI paths like:
>> 
>> ../../../../../../../../../../../../../../../../etc/passwd
>> ../../../../../../../../../../../../../../../../etc/passwd%00
>> ../../../../../../../../../../../../../../../../proc/self/environ
>> ../../../../../../../../../../../../../../../../proc/self/environ%00
>> ../../../../../../../../../../../../../../../../proc/self/environ
>> 
>> The addresses that the requests have come from so far are listed at the end of the email. Is there any specific action we can take to stop the activity, or should we just put up with it? Blocking /24 IP address blocks wouldn't appear to be an effective strategy.
>> 
>> Thanks.
>> 
>> Cheers, Shane
>> 
>> 120.89.55.2
>> 122.167.122.154
>> 177.102.83.122
>> 177.18.205.121
>> 177.33.204.229
>> 177.9.128.191
>> 177.9.251.8
>> 177.98.75.236
>> 178.199.169.1
>> 186.192.42.2
>> 186.218.244.147
>> 186.228.40.148
>> 187.115.110.51
>> 187.127.105.148
>> 187.14.60.92
>> 187.17.241.162
>> 187.5.98.172
>> 187.52.72.37
>> 187.53.27.26
>> 187.53.29.35
>> 188.81.207.30
>> 188.81.74.191
>> 188.82.184.161
>> 188.83.68.220
>> 188.83.70.21
>> 189.1.140.229
>> 189.10.66.158
>> 189.101.214.240
>> 189.110.153.217
>> 189.113.131.195
>> 189.114.123.217
>> 189.123.210.70
>> 189.18.162.45
>> 189.31.21.208
>> 189.31.7.242
>> 189.33.251.148
>> 189.54.127.48
>> 189.58.59.73
>> 189.58.98.55
>> 190.251.32.59
>> 194.65.122.241
>> 195.23.154.128
>> 195.23.50.162
>> 2.81.57.183
>> 2.82.18.54
>> 2.82.211.212
>> 2.83.238.18
>> 2.97.214.111
>> 200.112.104.118
>> 200.159.212.46
>> 200.168.101.79
>> 200.207.42.57
>> 201.1.118.53
>> 201.1.186.48
>> 201.10.145.133
>> 201.13.61.177
>> 201.2.26.248
>> 201.35.224.132
>> 201.42.70.61
>> 201.68.48.99
>> 201.68.97.124
>> 201.85.67.117
>> 203.219.176.108
>> 212.183.140.19
>> 213.190.200.14
>> 217.129.134.104
>> 41.72.29.139
>> 46.189.129.161
>> 46.50.71.172
>> 58.8.23.65
>> 62.28.69.174
>> 62.48.229.49
>> 77.208.117.148
>> 77.54.15.95
>> 78.29.186.197
>> 79.169.108.69
>> 80.224.177.44
>> 82.154.174.188
>> 82.154.184.5
>> 82.154.251.175
>> 82.155.195.90
>> 82.155.85.177
>> 83.240.166.138
>> 83.240.247.249
>> 85.138.224.194
>> 85.240.23.105
>> 85.241.79.114
>> 85.242.40.109
>> 85.244.182.113
>> 85.246.0.23
>> 85.246.15.72
>> 87.254.228.63
>> 88.171.235.26
>> 88.210.64.47
>> 89.180.181.155
>> 89.214.239.217
>> 90.162.110.155
>> 92.250.102.27
>> 93.108.179.116
>> 95.92.145.117
>> 95.92.171.142
>> 95.93.94.193
>> _______________________________________________
>> AusNOG mailing list
>> AusNOG at lists.ausnog.net
>> http://lists.ausnog.net/mailman/listinfo/ausnog
> 
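Added example (not part of the thread, and not code from Shane or Peter): a small log-triage script that does the two things the replies point at, namely recognising the traversal probes Shane quoted in the web server's access log and answering Peter's question about which HTTP status each one got. It URL-decodes each request path to a fixed point (so `%2e%2e%2f` and double-encoded variants are caught along with the literal `../`), strips the `%00` null-byte suffix, tallies source IPs per /32 rather than per /24, and separates out any probe that was answered with a 2xx, which is the case to investigate rather than just block. The log lines are constructed for this example in Apache combined format; the IPs are taken from the list above and the paths mirror the ones reported. The iptables rule text and the threshold are assumptions, not anything the thread recommends.

```python
"""Triage path-traversal probes from an access log (added example, not from the AusNOG thread)."""
import re
from collections import Counter
from urllib.parse import unquote

# Apache/nginx "combined" format: ip ident user [time] "METHOD path HTTP/x" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# '..' as a whole path segment (or query value), in either slash style.
TRAVERSAL_RE = re.compile(r'(?:^|[\\/?=&])\.\.(?:[\\/]|$)')
# Targets seen in the thread; /proc/self/environ is the usual target of local-file-inclusion probes.
SENSITIVE_RE = re.compile(r'/etc/passwd|/proc/self/environ', re.IGNORECASE)

# Constructed sample log for the example. IPs are from the list posted in the thread.
SAMPLE_LOG = """\
187.5.98.172 - - [02/Mar/2012:07:10:01 +1100] "GET /../../../../../../../../../../../../../../../../etc/passwd HTTP/1.1" 400 226 "-" "Mozilla/5.0"
187.5.98.172 - - [02/Mar/2012:07:10:02 +1100] "GET /../../../../../../../../../../../../../../../../etc/passwd%00 HTTP/1.1" 400 226 "-" "Mozilla/5.0"
189.31.7.242 - - [02/Mar/2012:07:10:05 +1100] "GET /index.php?page=..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron%00 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
2.82.18.54 - - [02/Mar/2012:07:10:07 +1100] "GET /%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.9 - - [02/Mar/2012:07:10:09 +1100] "GET /app/login HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
"""


def normalise(path: str) -> str:
    """Percent-decode until the string stops changing (bounded), then cut at the first NUL.

    Double encoding (%252e -> %2e -> .) is a common way past single-decode filters, so decode
    to a fixed point. The %00 suffix exists to truncate the path in older back-ends; after
    decoding it is a literal NUL, which we drop so the matchers see the intended target.
    """
    prev = None
    for _ in range(3):
        if path == prev:
            break
        prev, path = path, unquote(path)
    return path.split('\x00', 1)[0]


def classify(line: str):
    """Return (ip, decoded_path, status) if the line is a traversal/sensitive-file probe, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = normalise(m.group('path'))  # query string kept: '?page=../..' is the LFI form
    if TRAVERSAL_RE.search(decoded) or SENSITIVE_RE.search(decoded):
        return m.group('ip'), decoded, int(m.group('status'))
    return None


def triage(lines):
    """Count probes per source IP and collect the probes the server did NOT reject (2xx)."""
    hits = Counter()
    not_rejected = []
    for line in lines:
        res = classify(line)
        if res is None:
            continue
        ip, path, status = res
        hits[ip] += 1
        if 200 <= status < 300:
            not_rejected.append((ip, path, status))
    return hits, not_rejected


def iptables_rules(hits, threshold=1):
    """Per-/32 DROP rules (assumed format). Whole /24s are not blocked: these sources are
    scattered single hosts in many ISPs' customer ranges, as the thread observes."""
    return [f"iptables -I INPUT -s {ip}/32 -j DROP"
            for ip, n in sorted(hits.items()) if n >= threshold]


if __name__ == "__main__":
    hits, not_rejected = triage(SAMPLE_LOG.splitlines())
    print("probes per source:", dict(hits))
    print("probes answered 2xx (investigate these first):", not_rejected)
    print("\n".join(iptables_rules(hits)))
```

The 2xx check is the part worth keeping even if you hand blocking to mod_security or fail2ban: a 400 or 404 back to `../../etc/passwd` confirms the server rejected the probe, while a 200 to the `index.php?page=...proc/self/environ` form says the application accepted a file parameter it should not have, regardless of whether the include actually succeeded.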
