Void's Forums • View topic - Block a domain in shorewall or host.deny?

Postby Copperhead » Mon Aug 17, 2009 10:11 am

Copperhead
scripter
Posts: 83
Joined: Wed May 14, 2003 1:12 am
Location: Los Angeles, CA, USA

Postby Void Main » Mon Aug 17, 2009 10:33 am

Void Main
Site Admin
Posts: 5705
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA

Postby Copperhead » Mon Aug 17, 2009 10:44 am

It's really not that big of a deal since there is no real security breach, but I would like to just block both of these domains. Here is my logwatch file with the pertinent entries:

wantsfly.com:

Requests with error response codes
400 Bad Request
/w00tw00t.at.ISC.SANS.DFind:): 1 Time(s)
403 Forbidden
/: 1 Time(s)
404 Not Found
/PMA/main.php: 1 Time(s)
/admin/PMA/main.php: 1 Time(s)
/admin/db/main.php: 1 Time(s)
/admin/htdocs/main.php: 1 Time(s)
/admin/main.php: 2 Time(s)
/admin/myadmin/main.php: 1 Time(s)
/admin/mysql-admin/main.php: 1 Time(s)
/admin/mysql/main.php: 1 Time(s)
/admin/mysqlmanager/main.php: 1 Time(s)
/admin/p/m/a/main.php: 1 Time(s)
/admin/pMA/main.php: 1 Time(s)
/admin/php-my-admin/main.php: 1 Time(s)
/admin/php-myadmin/main.php: 1 Time(s)
/admin/phpMyAdmin--alpha/main.php: 1 Time(s)
/admin/phpMyAdmin--beta/main.php: 1 Time(s)
/admin/phpMyAdmin--pl/main.php: 1 Time(s)
/admin/phpMyAdmin--rc/main.php: 1 Time(s)
/admin/phpMyAdmin-/main.php: 2 Time(s)
/admin/phpMyAdmin/main.php: 1 Time(s)
/admin/phpmanager/main.php: 1 Time(s)
/admin/phpmy-admin/main.php: 1 Time(s)
/admin/phpmyadmin/main.php: 1 Time(s)
/admin/pma/main.php: 1 Time(s)
/admin/sqladmin/main.php: 1 Time(s)
/admin/sqlmanager/main.php: 1 Time(s)
/admin/sqlweb/main.php: 1 Time(s)
/admin/sysadmin/main.php: 1 Time(s)
/admin/web/main.php: 1 Time(s)
/admin/webadmin/main.php: 1 Time(s)
/admin/webdb/main.php: 1 Time(s)
/admin/websql/main.php: 1 Time(s)
/db/main.php: 1 Time(s)
/dbadmin/main.php: 1 Time(s)
/htdocs/main.php: 1 Time(s)
/myadmin/main.php: 2 Time(s)
/mysql-admin/main.php: 1 Time(s)
/mysql/main.php: 1 Time(s)
/mysqladmin/main.php: 1 Time(s)
/mysqlmanager/main.php: 1 Time(s)
/p/m/a/main.php: 1 Time(s)
/php-my-admin/main.php: 1 Time(s)
/php-myadmin/main.php: 1 Time(s)
/phpMyAdmin: 5 Time(s)
/phpMyAdmin--alpha/main.php: 1 Time(s)
/phpMyAdmin--beta/main.php: 1 Time(s)
/phpMyAdmin--pl/main.php: 1 Time(s)
/phpMyAdmin--rc/main.php: 1 Time(s)
/phpMyAdmin-/main.php: 2 Time(s)
/phpMyAdmin-2.2.3/main.php: 1 Time(s)
/phpMyAdmin-2.2.7-pl1/main.php: 2 Time(s)
/phpMyAdmin-2.5.6/main.php: 1 Time(s)
/phpMyAdmin-2.5.7-pl1/main.php: 1 Time(s)
/phpMyAdmin-2.6.0-pl3/main.php: 2 Time(s)
/phpMyAdmin-2.6.0/main.php: 1 Time(s)
/phpMyAdmin-2.6.1-pl3/main.php: 1 Time(s)
/phpMyAdmin-2.6.3-pl1/main.php: 1 Time(s)
/phpMyAdmin-2.6.4/main.php: 1 Time(s)
/phpMyAdmin/main.php: 1 Time(s)
/phpadmin/main.php: 1 Time(s)
/phpmanager/main.php: 1 Time(s)
/phpmy-admin/main.php: 1 Time(s)
/phpmyadmin/main.php: 1 Time(s)
/phpmyadmin1/main.php: 1 Time(s)
/phpmyadmin2/main.php: 1 Time(s)
/pma/main.php: 1 Time(s)
/robots.txt: 1 Time(s)
/sqlmanager/main.php: 1 Time(s)
/sqlweb/main.php: 1 Time(s)
/typo3/phpmyadmin/main.php: 1 Time(s)
/web/main.php: 1 Time(s)
/web/phpMyAdmin/main.php: 1 Time(s)
/webadmin/main.php: 1 Time(s)
/webdb/main.php: 1 Time(s)
/websql/main.php: 1 Time(s)
/xampp/phpmyadmin/main.php: 1 Time(s)
http://www.wantsfly.com/prx.php?hash=CEC7D ... AFEDE8BC06A138E: 1 Time(s)


And here is the entry from hinet.net:

NOQUEUE: reject: RCPT from 123-205-234-254.adsl.dynamic.seed.net.tw[123.205.234.254]: 554 5.7.1 <sseenndd0622@yahoo.com.hk>: Relay access denied; from=<bh6j.8k4f9@msa.hinet.net> to=<sseenndd0622@yahoo.com.hk> proto=SMTP helo=<24.43.128.82>

I looked up both of these on Google. wantsfly.com is somewhere in China, as is hinet.net. I was just wondering if there was a way to block both of these domains from even receiving a response from my firewall/server.

Postby Void Main » Mon Aug 17, 2009 11:07 am

Like I said, you can't block an IP address just because it happens to resolve as part of a particular DNS domain in real time because the firewall would have to resolve that IP address to a name and then match it up to a domain rule. I don't know of any firewall that will do that actually.

What you can do is look through your logs and find every host that tries to connect that resides in one of those domains and add that IP address to the block list in your firewall. If it is a small number of addresses, just add them to your block list.

You could also do something like I did when the Code Red virus was hitting hard. I wrote a script that would be called like "block <ipaddr>". When I detected a Code Red hit I just called that script and blocked that address so it wouldn't be able to keep pounding my server. Something a little more drastic is you could . You can't do it by DNS domain at your firewall though.

Having said that, you "could" deny based on domain in your Apache configuration. In fact, I would suggest that you at least tighten up your administrative sections (phpMyAdmin, etc.) to only allow the specific IP addresses or network ranges (or domain) that you need to access them from.

Postby Copperhead » Mon Aug 17, 2009 11:21 am

Thanks. I will give those a look.

I don't have phpmyadmin, or anything like that installed, so no harm no foul, I guess. This has been going on for the past two weeks from the same range of addresses, so I am guessing it is some script kiddies trying to have some fun.

Postby Void Main » Mon Aug 17, 2009 11:23 am

Could you list the addresses/range of addresses and we could come up with a good firewall rule to block them? That looks typical of a bot client looking for specific open security holes.

Postby Copperhead » Mon Aug 17, 2009 4:23 pm

That is exactly what it is. I found some odd entries in my log files and Googled them only to find this:

http://johannburkard.de/blog/www/spam/m ... nners.html

Sorry about the language, but it was in my log file. That page has a bunch of other scanners that I see in my logs.

I am compiling a list of all the offending IPs. We'll see if we can come up with a rule. They seem to be coming from everywhere so it might be hard to pinpoint a range.

Here is a list of the offending IPs:

63.246.145.10
61.160.216.63
65.55.211.62
38.105.83.12
92.46.175.181
208.64.68.36
216.145.11.94
212.117.177.170
74.95.238.213
91.199.207.60
83.140.28.14

Postby Void Main » Mon Aug 17, 2009 4:55 pm

None of those addresses have reverse DNS entries in the domains you listed. One of them is an MSN search bot. If you don't want the bots indexing your site then you should set up a robots.txt file. I wouldn't be so quick to block all those addresses.
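Void Main's point above turns on reverse DNS: a packet filter cannot tell which domain an address "belongs to", and a bare PTR record is not proof either, because whoever runs the reverse zone can put any name in it. The following is an added example, not code from the thread or from any project named in it, showing the forward-confirmed reverse DNS (FCrDNS) check an admin can run before trusting a claimed search crawler or before treating an address as part of a domain: resolve the address to a name, resolve that name back, and accept only if the original address comes back. The resolver is injected so the sample runs offline against constructed zone data (the `.example` names and the 203.0.113.x / 198.51.100.x addresses are made up; 61.160.216.63 from the thread is included with no PTR); `socket.gethostbyaddr` and `socket.gethostbyname_ex` are wired in for live use.

```python
"""Forward-confirmed reverse DNS: does this address really belong to that domain?

Added example for the thread; not code from the forum. Zone data below is constructed.
"""
import ipaddress
import socket
from typing import Callable, Iterable, Optional, Sequence

PtrLookup = Callable[[str], Optional[str]]   # address -> PTR name, or None
FwdLookup = Callable[[str], Iterable[str]]   # name -> forward (A) addresses


def fcrdns_hostname(ip: str, ptr: PtrLookup, fwd: FwdLookup) -> Optional[str]:
    """Return the hostname only if PTR(ip) -> name and A(name) contains ip again."""
    addr = ipaddress.ip_address(ip)          # ValueError on a non-address
    name = ptr(str(addr))
    if not name:
        return None                          # no PTR at all, common for bot hosts
    name = name.rstrip(".").lower()
    try:
        forward = {ipaddress.ip_address(a) for a in fwd(name)}
    except (OSError, ValueError):
        return None                          # NXDOMAIN or garbage answer
    # A PTR the reverse-zone owner simply made up will not round-trip.
    return name if addr in forward else None


def in_domain(hostname: Optional[str], domain: str) -> bool:
    """True if hostname is domain itself or a label-aligned subdomain of it."""
    if not hostname:
        return False
    d = domain.strip(".").lower()
    return hostname == d or hostname.endswith("." + d)


def classify(ip: str, ptr: PtrLookup, fwd: FwdLookup,
             trusted: Sequence[str], blocked: Sequence[str]) -> str:
    """'trusted' for a verified crawler domain, 'blocked' for a verified bad domain, else 'unknown'."""
    name = fcrdns_hostname(ip, ptr, fwd)
    if any(in_domain(name, d) for d in trusted):
        return "trusted"
    if any(in_domain(name, d) for d in blocked):
        return "blocked"
    return "unknown"


# Live resolvers for real use (need network access).
def system_ptr(ip: str) -> Optional[str]:
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def system_fwd(name: str) -> Iterable[str]:
    return socket.gethostbyname_ex(name)[2]


# Constructed zone data for offline use. 203.0.113.11 carries a forged PTR that
# claims the crawler's name; 61.160.216.63 (from the thread) has no PTR here.
PTR_ZONE = {
    "203.0.113.10": "crawler-10.search.example.",
    "203.0.113.11": "crawler-10.search.example.",
    "198.51.100.7": "host7.badbots.example.",
}
FWD_ZONE = {
    "crawler-10.search.example": ["203.0.113.10"],
    "host7.badbots.example": ["198.51.100.7"],
}


def sample_ptr(ip: str) -> Optional[str]:
    return PTR_ZONE.get(ip)


def sample_fwd(name: str) -> Iterable[str]:
    return FWD_ZONE.get(name, [])


if __name__ == "__main__":
    for ip in ("203.0.113.10", "203.0.113.11", "198.51.100.7", "61.160.216.63"):
        print(ip, fcrdns_hostname(ip, sample_ptr, sample_fwd),
              classify(ip, sample_ptr, sample_fwd, ["search.example"], ["badbots.example"]))
```

The forged-PTR case is the one that matters for the "one of them is an MSN search bot" observation: a host can claim any crawler name in its reverse record, so an allowlist keyed on the PTR alone is bypassable, while the round trip through the forward zone is not.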

Postby Copperhead » Mon Aug 17, 2009 6:15 pm

After some grepping, this one is coming from wantsfly.com:

61.160.216.63

and these seem to be running the malicious bot:

60.13.126.151 -- China
61.160.216.63 -- China
88.80.7.248 -- Sweden
91.199.207.60 -- Czech Republic

whois returned this on 74.95.238.213:

[Querying whois.arin.net]
[whois.arin.net]
Comcast Business Communications, Inc. CBC-CM-4 (NET-74-92-0-0-1)
74.92.0.0 - 74.95.255.255
Comcast Business Communications, Inc. HOUSTON-CBC-2 (NET-74-95-224-0-1)
74.95.224.0 - 74.95.255.255

# ARIN WHOIS database, last updated 2009-08-16 20:00
# Enter ? for additional hints on searching ARIN's WHOIS database.

Postby Void Main » Mon Aug 17, 2009 6:20 pm


Postby Copperhead » Mon Aug 17, 2009 6:25 pm

Maybe I am reading the log entry wrong then:

access.log:

61.160.216.63 - - [11/Aug/2009:12:04:51 -0700] "GET http://www.wantsfly.com/prx.php?hash=CE ... 8BC06A138E HTTP/1.0" 404 287 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"

That line is in there quite a few times.

Postby Void Main » Mon Aug 17, 2009 6:37 pm

Last edited by Void Main on Mon Aug 17, 2009 6:48 pm, edited 2 times in total.

Postby Copperhead » Mon Aug 17, 2009 6:46 pm

This has been going on for the past week. Here are the entries from 61.160.216.63:


access_log:61.160.216.63 - - [16/Aug/2009:12:24:18 -0700] "GET http:/??hash=CEC7D7F3C316BE4A182B80520050AAFEDE8BC06A138E HTTP/1.0" 404 287 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
access_log.1:61.160.216.63 - - [09/Aug/2009:16:10:31 -0700] "GET http://www.wantsfly.com/prx.php?hash=CE ... 8BC06A138E HTTP/1.0" 404 287 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
access_log.1:61.160.216.63 - - [11/Aug/2009:12:04:51 -0700] "GET http://www.wantsfly.com/prx.php?hash=CE ... 8BC06A138E HTTP/1.0" 404 287 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
access_log.1:61.160.216.63 - - [13/Aug/2009:12:38:38 -0700] "GET http://www.wantsfly.com/prx.php?hash=CE ... 8BC06A138E HTTP/1.0" 404 287 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
access_log.1:61.160.216.63 - - [14/Aug/2009:10:37:42 -0700] "GET http://www.wantsfly.com/prx.php?hash=CE ... 8BC06A138E HTTP/1.0" 404 287 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
access_log.2:61.160.216.63 - - [08/Aug/2009:10:21:45 -0700] "GET http://www.wantsfly.com/prx.php?hash=CE ... 8BC06A138E HTTP/1.0" 404 287 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"

<end log>


And it seems our friend here State-side (74.95.238.213) is running the bot:


access_log.1:74.95.238.213 - - [16/Aug/2009:02:14:58 -0700] "GET /phpmyadmin/main.php HTTP/1.0" 404 295 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:14:58 -0700] "GET /phpMyAdmin/main.php HTTP/1.0" 404 295 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:14:58 -0700] "GET /db/main.php HTTP/1.0" 404 287 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:14:58 -0700] "GET /web/main.php HTTP/1.0" 404 288 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:14:59 -0700] "GET /htdocs/main.php HTTP/1.0" 404 291 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:14:59 -0700] "GET /PMA/main.php HTTP/1.0" 404 288 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:14:59 -0700] "GET /admin/main.php HTTP/1.0" 404 290 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:14:59 -0700] "GET /dbadmin/main.php HTTP/1.0" 404 292 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:14:59 -0700] "GET /pma/main.php HTTP/1.0" 404 288 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:14:59 -0700] "GET /sqlmanager/main.php HTTP/1.0" 404 295 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:00 -0700] "GET /mysqlmanager/main.php HTTP/1.0" 404 297 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:00 -0700] "GET /p/m/a/main.php HTTP/1.0" 404 290 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:00 -0700] "GET /phpmanager/main.php HTTP/1.0" 404 295 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:00 -0700] "GET /php-myadmin/main.php HTTP/1.0" 404 296 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:00 -0700] "GET /phpmy-admin/main.php HTTP/1.0" 404 296 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:00 -0700] "GET /mysql/main.php HTTP/1.0" 404 290 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:01 -0700] "GET /myadmin/main.php HTTP/1.0" 404 292 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:01 -0700] "GET /webadmin/main.php HTTP/1.0" 404 293 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:01 -0700] "GET /sqlweb/main.php HTTP/1.0" 404 291 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:01 -0700] "GET /websql/main.php HTTP/1.0" 404 291 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:01 -0700] "GET /webdb/main.php HTTP/1.0" 404 290 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:01 -0700] "GET /xampp/phpmyadmin/main.php HTTP/1.0" 404 301 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:02 -0700] "GET /typo3/phpmyadmin/main.php HTTP/1.0" 404 301 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:02 -0700] "GET /mysqladmin/main.php HTTP/1.0" 404 295 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:02 -0700] "GET /mysql-admin/main.php HTTP/1.0" 404 296 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:02 -0700] "GET /phpMyAdmin-/main.php HTTP/1.0" 404 296 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:02 -0700] "GET /php-my-admin/main.php HTTP/1.0" 404 297 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:02 -0700] "GET /phpMyAdmin-/main.php HTTP/1.0" 404 296 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:03 -0700] "GET /phpMyAdmin--rc/main.php HTTP/1.0" 404 299 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:03 -0700] "GET /phpMyAdmin--pl/main.php HTTP/1.0" 404 299 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:03 -0700] "GET /phpMyAdmin--alpha/main.php HTTP/1.0" 404 302 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:03 -0700] "GET /phpMyAdmin--beta/main.php HTTP/1.0" 404 301 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:03 -0700] "GET /admin/phpmyadmin/main.php HTTP/1.0" 404 301 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:03 -0700] "GET /admin/phpMyAdmin/main.php HTTP/1.0" 404 301 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:03 -0700] "GET /admin/sysadmin/main.php HTTP/1.0" 404 299 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:04 -0700] "GET /admin/sqladmin/main.php HTTP/1.0" 404 299 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:04 -0700] "GET /admin/db/main.php HTTP/1.0" 404 293 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:04 -0700] "GET /admin/web/main.php HTTP/1.0" 404 294 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:04 -0700] "GET /admin/pMA/main.php HTTP/1.0" 404 294 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:04 -0700] "GET /web/phpMyAdmin/main.php HTTP/1.0" 404 299 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:04 -0700] "GET /admin/main.php HTTP/1.0" 404 290 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:05 -0700] "GET /admin/mysql/main.php HTTP/1.0" 404 296 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:05 -0700] "GET /admin/myadmin/main.php HTTP/1.0" 404 298 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:05 -0700] "GET /admin/webadmin/main.php HTTP/1.0" 404 299 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:05 -0700] "GET /admin/sqlweb/main.php HTTP/1.0" 404 297 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:05 -0700] "GET /admin/websql/main.php HTTP/1.0" 404 297 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:05 -0700] "GET /admin/webdb/main.php HTTP/1.0" 404 296 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:06 -0700] "GET /admin/mysql-admin/main.php HTTP/1.0" 404 302 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:06 -0700] "GET /admin/phpMyAdmin-/main.php HTTP/1.0" 404 302 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:06 -0700] "GET /admin/php-my-admin/main.php HTTP/1.0" 404 303 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:06 -0700] "GET /admin/PMA/main.php HTTP/1.0" 404 294 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:06 -0700] "GET /admin/pma/main.php HTTP/1.0" 404 294 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:06 -0700] "GET /admin/sqlmanager/main.php HTTP/1.0" 404 301 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:07 -0700] "GET /admin/mysqlmanager/main.php HTTP/1.0" 404 303 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:07 -0700] "GET /admin/p/m/a/main.php HTTP/1.0" 404 296 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:07 -0700] "GET /admin/phpmanager/main.php HTTP/1.0" 404 301 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:07 -0700] "GET /admin/php-myadmin/main.php HTTP/1.0" 404 302 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:07 -0700] "GET /admin/phpmy-admin/main.php HTTP/1.0" 404 302 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:07 -0700] "GET /admin/phpMyAdmin-/main.php HTTP/1.0" 404 302 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:07 -0700] "GET /admin/phpMyAdmin--rc/main.php HTTP/1.0" 404 305 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:08 -0700] "GET /admin/phpMyAdmin--pl/main.php HTTP/1.0" 404 305 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:08 -0700] "GET /admin/phpMyAdmin--alpha/main.php HTTP/1.0" 404 308 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:08 -0700] "GET /admin/phpMyAdmin--beta/main.php HTTP/1.0" 404 307 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:08 -0700] "GET /admin/htdocs/main.php HTTP/1.0" 404 297 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:08 -0700] "GET /phpmyadmin2/main.php HTTP/1.0" 404 296 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:08 -0700] "GET /phpmyadmin1/main.php HTTP/1.0" 404 296 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:09 -0700] "GET /phpadmin/main.php HTTP/1.0" 404 293 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:09 -0700] "GET /myadmin/main.php HTTP/1.0" 404 292 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:09 -0700] "GET /phpMyAdmin-2.2.3/main.php HTTP/1.0" 404 301 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:09 -0700] "GET /phpMyAdmin-2.2.7-pl1/main.php HTTP/1.0" 404 305 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:09 -0700] "GET /phpMyAdmin-2.5.6/main.php HTTP/1.0" 404 301 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:09 -0700] "GET /phpMyAdmin-2.5.7-pl1/main.php HTTP/1.0" 404 305 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:10 -0700] "GET /phpMyAdmin-2.6.0/main.php HTTP/1.0" 404 301 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:10 -0700] "GET /phpMyAdmin-2.6.0-pl3/main.php HTTP/1.0" 404 305 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:10 -0700] "GET /phpMyAdmin-2.6.0-pl3/main.php HTTP/1.0" 404 305 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:10 -0700] "GET /phpMyAdmin-2.6.1-pl3/main.php HTTP/1.0" 404 305 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:10 -0700] "GET /phpMyAdmin-2.6.3-pl1/main.php HTTP/1.0" 404 305 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:10 -0700] "GET /phpMyAdmin 2.6.4-pl4/main.php HTTP/1.0" 404 286 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:10 -0700] "GET /phpMyAdmin 2.7.0-beta1/main.php HTTP/1.0" 404 286 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:11 -0700] "GET /phpMyAdmin 2.7.0-rc1/main.php HTTP/1.0" 404 286 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:11 -0700] "GET /phpMyAdmin 2.7.0/main.php HTTP/1.0" 404 286 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:11 -0700] "GET /phpMyAdmin-2.6.4/main.php HTTP/1.0" 404 301 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:11 -0700] "GET /phpMyAdmin 2.7.0-pl1/main.php HTTP/1.0" 404 286 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:11 -0700] "GET /phpMyAdmin-2.2.7-pl1/main.php HTTP/1.0" 404 305 "-" "-"

..........

<end log>
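Void Main's advice earlier in the thread (mine the logs for the hosts that probe you, feed each address to a small "block <ipaddr>" script, and keep the list small) and the access_log excerpt just posted are what the following added example works over. It is not code from the thread or from the Shorewall project. It parses combined-format log lines like the ones above, including the grep-style `access_log.1:` prefix and request targets that contain a space, flags the two patterns visible in the thread, namely absolute-URL requests (the `GET http://.../prx.php` open-proxy probe) and a burst of 404s to many distinct paths from one address (the phpMyAdmin sweep), skips allowlisted networks so a legitimate crawler is not blocked by accident, and drafts lines for `/etc/shorewall/rules` in the ACTION SOURCE DEST form. The sample log, its addresses (RFC 5737 documentation ranges), the placeholder hash and the thresholds are constructed for the example.

```python
"""Triage scanner traffic in Apache access logs and draft Shorewall drop rules.

Added example for the thread above; not code from the forum or from Shorewall.
Sample log lines, addresses and thresholds are constructed for illustration.
"""
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Sequence, Tuple

# Combined log format (IPv4 client), optionally preceded by the "file:" prefix that
# grep leaves on a line. The request line is captured whole and split afterwards,
# because a malformed target may itself contain spaces.
LINE_RE = re.compile(
    r'^(?:[\w.\-]+:)?'
    r'(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ '
    r'\[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) '
)


def parse_line(line: str) -> Optional[dict]:
    """Return ip/ts/method/target/status for one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    parts = m.group("request").split(" ")
    if len(parts) < 3:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    # First token is the method, last is the protocol; everything between is the
    # target, so "/phpMyAdmin 2.7.0/main.php" survives intact.
    return {"ip": m.group("ip"), "ts": ts, "method": parts[0],
            "target": " ".join(parts[1:-1]), "status": int(m.group("status"))}


def burst_of_distinct_404s(events: Sequence[Tuple[datetime, str]],
                           threshold: int, window_s: int) -> bool:
    """True if any window of window_s seconds holds >= threshold distinct 404 paths."""
    events = sorted(events)
    in_window: Counter = Counter()      # path -> hits inside the sliding window
    start = 0
    for ts, path in events:
        in_window[path] += 1
        while (ts - events[start][0]).total_seconds() > window_s:
            old = events[start][1]
            in_window[old] -= 1
            if in_window[old] == 0:
                del in_window[old]
            start += 1
        if len(in_window) >= threshold:
            return True
    return False


def analyze(log_text: str, distinct_404: int = 5, window_s: int = 60,
            allow: Sequence[str] = ()) -> Dict[str, List[str]]:
    """Map each suspicious client address to its findings, skipping allowlisted nets."""
    allow_nets = [ipaddress.ip_network(a) for a in allow]
    proxy_probes: Counter = Counter()
    not_found = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue                     # unparsable lines are skipped, never trusted
        # An origin server normally sees "/path"; an absolute URL as the target is a
        # client checking whether we will relay the request as an open proxy.
        if rec["target"].lower().startswith(("http:", "https:")):
            proxy_probes[rec["ip"]] += 1
        if rec["status"] == 404:
            not_found[rec["ip"]].append((rec["ts"], rec["target"]))
    findings = defaultdict(set)
    for ip in proxy_probes:
        findings[ip].add("proxy-probe")
    for ip, events in not_found.items():
        if burst_of_distinct_404s(events, distinct_404, window_s):
            findings[ip].add("admin-scan")
    return {ip: sorted(tags) for ip, tags in findings.items()
            if not any(ipaddress.ip_address(ip) in net for net in allow_nets)}


def shorewall_rules(findings: Dict[str, List[str]]) -> List[str]:
    """Draft /etc/shorewall/rules lines (ACTION SOURCE DEST), one comment line per address."""
    lines = []
    for ip, tags in sorted(findings.items(), key=lambda kv: ipaddress.ip_address(kv[0])):
        lines.append("# %s: %s" % (ip, ", ".join(tags)))
        lines.append("DROP\tnet:%s\tall" % ip)
    return lines


# Constructed sample modeled on the thread's excerpts (documentation-range addresses).
SAMPLE_LOG = """\
access_log.1:198.51.100.9 - - [16/Aug/2009:02:14:58 -0700] "GET /phpmyadmin/main.php HTTP/1.0" 404 295 "-" "-"
access_log.1:198.51.100.9 - - [16/Aug/2009:02:14:58 -0700] "GET /phpMyAdmin/main.php HTTP/1.0" 404 295 "-" "-"
access_log.1:198.51.100.9 - - [16/Aug/2009:02:14:59 -0700] "GET /db/main.php HTTP/1.0" 404 287 "-" "-"
access_log.1:198.51.100.9 - - [16/Aug/2009:02:14:59 -0700] "GET /pma/main.php HTTP/1.0" 404 288 "-" "-"
access_log.1:198.51.100.9 - - [16/Aug/2009:02:15:00 -0700] "GET /phpMyAdmin 2.7.0/main.php HTTP/1.0" 404 286 "-" "-"
203.0.113.5 - - [11/Aug/2009:12:04:51 -0700] "GET http://www.example.net/prx.php?hash=PLACEHOLDER HTTP/1.0" 404 287 "-" "Mozilla/4.0"
203.0.113.5 - - [13/Aug/2009:12:38:38 -0700] "GET http://www.example.net/prx.php?hash=PLACEHOLDER HTTP/1.0" 404 287 "-" "Mozilla/4.0"
192.0.2.77 - - [16/Aug/2009:03:00:00 -0700] "GET /robots.txt HTTP/1.1" 200 120 "-" "examplebot/1.0"
192.0.2.88 - - [16/Aug/2009:04:00:00 -0700] "GET /old-page.html HTTP/1.1" 404 287 "-" "Mozilla/5.0"
this line is deliberately malformed and must be skipped
"""

if __name__ == "__main__":
    for rule in shorewall_rules(analyze(SAMPLE_LOG, allow=["192.0.2.0/24"])):
        print(rule)
```

The single stray 404 from 192.0.2.88 never reaches the threshold, which is the point of counting distinct paths inside a time window rather than raw 404s: a broken link on your own site should not earn a visitor a firewall entry. Review the drafted lines before adding them to `/etc/shorewall/rules` and reloading Shorewall; the script deliberately prints rather than applies them.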

Postby Void Main » Mon Aug 17, 2009 6:52 pm

Looks like you are not the only one that address has annoyed:

http://www.ipillion.com/?ip=61.160.216.63

It appears to be a Windows machine, probably rooted with a bot looking for vulnerabilities as I originally suspected. Again, I would just block that address.

You could just block 74.95.238.213 too if it's recurring. You'll get a lot of this though. People will constantly scan your system for known vulnerabilities. You just have to keep all the holes closed.

Postby Copperhead » Mon Aug 17, 2009 6:58 pm

That site is funny :D That person might just be trying to break out of the Great Firewall of China.

In Shorewall, do I just write the rule like I had above, but with the IP instead of the FQDN?
