[AusNOG] Some pointers on dealing with a botnet targeting an application server
Shane MacPhillamy
shane at blinkmobile.com.au
Fri Mar 2 09:58:54 EST 2012
Hi Andrew
Thanks for your perspective. We have taken pretty much a similar strategy, plus putting additional measures in place.
Cheers, Shane
On 02/03/2012, at 9:53 AM, Andrew Stoker wrote:
>
> Hi Shane,
>
> I've been getting the following from one of my sites since early Thursday morning. It's a WordPress Site and I have various things in place along with mod_security and mod-evasive on Apache.
>
> Seems to stop any damage from being caused.
>
> doing_wp_cron = ../../../../../../../../../../../../../../../../proc/self/environ
> s = ../../../../../../../../../../../../../../../../proc/self/environ
> doing_wp_cron = ../../../../../../../../../../../../../../../../proc/self/environ
> doing_wp_cron = ../../../../../../../../../../../../../../../../proc/self/environ
> doing_wp_cron = ../../../../../../../../../../../../../../../../proc/self/environ
> doing_wp_cron = ../../../../../../../../../../../../../../../../proc/self/environ
> doing_wp_cron = ../../../../../../../../../../../../../../../../proc/self/environ
> doing_wp_cron = ../../../../../../../../../../../../../../../../proc/self/environ
>
>
> Regards,
> Andrew Stoker
>
> Andrew Stoker | Senior Associate, Senior Analyst Programmer | WIB Technology - Trade Project
> Westpac Institutional Bank | 13, 55 Market Street, Sydney, NSW 2000
> T +61 2 8254 (1)7673 | F +61 2 8254 (1)0570 | M +61 0438 879 578 | E astoker at westpac.com.au
>
> On 02/03/2012 08:31 AM, Shane MacPhillamy <shane at blinkmobile.com.au> wrote to ausnog at ausnog.net:
> Subject: [AusNOG] Some pointers on dealing with a botnet targeting an application server
>
> Hi
>
> We appear to have a botnet trying to target one of our application servers, by posting GETs referencing URI paths like:
>
> ../../../../../../../../../../../../../../../../etc/passwd
> ../../../../../../../../../../../../../../../../etc/passwd%00
> ../../../../../../../../../../../../../../../../proc/self/environ
> ../../../../../../../../../../../../../../../../proc/self/environ%00
> ../../../../../../../../../../../../../../../../proc/self/environ
>
> The addresses that the requests have come from so far are listed at the end of the email. Is there any specific action we can take to stop the activity, or should we just put up with it? Blocking /24 IP address blocks wouldn't appear to be an effective strategy.
>
> Thanks.
>
> Cheers, Shane
>
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
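Added example, not code from either poster: a small Python log triage that pulls the traversal probes quoted in this thread out of an Apache combined access log, URL-decodes each request target so percent-encoded variants and the trailing %00 are caught, and tallies hits per source IP and per /24, which is the evidence needed to judge Shane's question of whether /24 blocking would achieve anything. The log lines and RFC 5737 addresses are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines in Apache combined-log format. The query strings
# mirror the probes quoted in the thread; the client addresses are
# documentation-range placeholders (RFC 5737), not the real sources.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Mar/2012:03:12:41 +1100] "GET /?doing_wp_cron=../../../../../../../../../../../../../../../../proc/self/environ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Mar/2012:03:12:44 +1100] "GET /index.php?s=../../../../../../../../../../../../../../../../etc/passwd%00 HTTP/1.1" 404 210 "-" "Mozilla/5.0"
192.0.2.44 - - [01/Mar/2012:03:13:02 +1100] "GET /?doing_wp_cron=../../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Mar/2012:03:13:10 +1100] "GET /about/ HTTP/1.1" 200 8801 "-" "Mozilla/5.0"
192.0.2.10 - - [01/Mar/2012:03:13:15 +1100] "GET /?s=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
"""

# Client IP, method, request target and status from a combined-log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# A ../ chain that ends at one of the two files the thread's probes reach for.
# Applied after URL-decoding, so %2e%2e%2f and a trailing %00 do not evade it.
TRAVERSAL_RE = re.compile(r'\.\./(?:etc/passwd|proc/self/environ)')


def is_traversal_probe(target):
    """True if the decoded request target carries a traversal probe for a sensitive file."""
    return TRAVERSAL_RE.search(unquote(target)) is not None


def triage(log_text):
    """Return (total probes, hits per source IP, hits per /24) for an Apache access log."""
    per_ip = Counter()
    per_slash24 = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_traversal_probe(m.group('target')):
            continue
        ip = m.group('ip')
        per_ip[ip] += 1
        # Aggregating by /24 shows whether sources cluster or are spread thin.
        per_slash24['.'.join(ip.split('.')[:3]) + '.0/24'] += 1
    return sum(per_ip.values()), per_ip, per_slash24


if __name__ == '__main__':
    total, by_ip, by_net = triage(SAMPLE_LOG)
    print(total, 'probes from', len(by_ip), 'IPs across', len(by_net), '/24s')
```

A /24 that contributes only one or two hits from a single host is the pattern Shane describes, where per-host blocking or a WAF rule on the decoded pattern is the better fit than prefix blocks.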