Block a domain in shorewall or host.deny?

Copperhead
scripter
Posts: 83
Joined: Wed May 14, 2003 1:12 am
Location: Los Angeles, CA, USA

Post by Copperhead » Mon Aug 17, 2009 10:11 am

I am trying to block a domain that keeps trying to access my Apache server through shorewall, but I keep getting errors on restart. I have the following entry in /etc/hosts.deny, but these clowns still seem to make it into my logfile:

$ grep -v '#' /etc/hosts.deny:

ALL: wantsfly.com
ALL: hinet.net

I added this rule to /etc/shorewall/rules, but when I restart Shorewall it fails and gives me an error in the log for incorrect syntax:

ACTION SOURCE DEST

ALL/DROP net:wantsfly.com $FW
ALL/DROP net:hinet.net $FW

From the CL, I ran this:

$ sudo shorewall reject wantsfly.com

Which returned this:

$ wantsfly.com Rejected

However, it will not work with hinet.net:

$ iptables v1.3.5: host/network `hinet.net' not found

Since shorewall is rejecting wantsfly.com, I was just wondering where it places the rule. And, I would also like to know how to properly write a rule to stop both of these offending domains. (hinet.net is trying to use my mail server as a relay, and having no success, and wantsfly.com seems to want to find files related to phpmyadmin, webmin, and various other web-based sql apps.)

OS is CentOS 5.3. Shorewall version is 4.0.15.

Void Main
Site Admin
Posts: 5712
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA

Post by Void Main » Mon Aug 17, 2009 10:33 am

I am pretty sure you can't do what I think you are attempting to do with Shorewall or iptables unless something new has been added that I am not aware of. You can block IP addresses or subnets using Shorewall, but while shorewall/iptables are active and running it does not do name resolution of IP addresses for every connection it handles, because it is WAY too costly, so there is no way it could know if a reverse lookup of any IP address is in a certain DNS domain.

I don't believe /etc/hosts.deny will have any effect at all on Sendmail or Apache.

If you could describe the problem in a little more detail I might have a suggestion for dealing with it.

Copperhead
scripter
Posts: 83
Joined: Wed May 14, 2003 1:12 am
Location: Los Angeles, CA, USA

Post by Copperhead » Mon Aug 17, 2009 10:44 am

It's really not that big of a deal since there is no real security breach, but I would like to just block both of these domains. Here is my logwatch file with the pertinent entries:

wantsfly.com:

Requests with error response codes
400 Bad Request
/w00tw00t.at.ISC.SANS.DFind:): 1 Time(s)
403 Forbidden
/: 1 Time(s)
404 Not Found
/PMA/main.php: 1 Time(s)
/admin/PMA/main.php: 1 Time(s)
/admin/db/main.php: 1 Time(s)
/admin/htdocs/main.php: 1 Time(s)
/admin/main.php: 2 Time(s)
/admin/myadmin/main.php: 1 Time(s)
/admin/mysql-admin/main.php: 1 Time(s)
/admin/mysql/main.php: 1 Time(s)
/admin/mysqlmanager/main.php: 1 Time(s)
/admin/p/m/a/main.php: 1 Time(s)
/admin/pMA/main.php: 1 Time(s)
/admin/php-my-admin/main.php: 1 Time(s)
/admin/php-myadmin/main.php: 1 Time(s)
/admin/phpMyAdmin--alpha/main.php: 1 Time(s)
/admin/phpMyAdmin--beta/main.php: 1 Time(s)
/admin/phpMyAdmin--pl/main.php: 1 Time(s)
/admin/phpMyAdmin--rc/main.php: 1 Time(s)
/admin/phpMyAdmin-/main.php: 2 Time(s)
/admin/phpMyAdmin/main.php: 1 Time(s)
/admin/phpmanager/main.php: 1 Time(s)
/admin/phpmy-admin/main.php: 1 Time(s)
/admin/phpmyadmin/main.php: 1 Time(s)
/admin/pma/main.php: 1 Time(s)
/admin/sqladmin/main.php: 1 Time(s)
/admin/sqlmanager/main.php: 1 Time(s)
/admin/sqlweb/main.php: 1 Time(s)
/admin/sysadmin/main.php: 1 Time(s)
/admin/web/main.php: 1 Time(s)
/admin/webadmin/main.php: 1 Time(s)
/admin/webdb/main.php: 1 Time(s)
/admin/websql/main.php: 1 Time(s)
/db/main.php: 1 Time(s)
/dbadmin/main.php: 1 Time(s)
/htdocs/main.php: 1 Time(s)
/myadmin/main.php: 2 Time(s)
/mysql-admin/main.php: 1 Time(s)
/mysql/main.php: 1 Time(s)
/mysqladmin/main.php: 1 Time(s)
/mysqlmanager/main.php: 1 Time(s)
/p/m/a/main.php: 1 Time(s)
/php-my-admin/main.php: 1 Time(s)
/php-myadmin/main.php: 1 Time(s)
/phpMyAdmin: 5 Time(s)
/phpMyAdmin--alpha/main.php: 1 Time(s)
/phpMyAdmin--beta/main.php: 1 Time(s)
/phpMyAdmin--pl/main.php: 1 Time(s)
/phpMyAdmin--rc/main.php: 1 Time(s)
/phpMyAdmin-/main.php: 2 Time(s)
/phpMyAdmin-2.2.3/main.php: 1 Time(s)
/phpMyAdmin-2.2.7-pl1/main.php: 2 Time(s)
/phpMyAdmin-2.5.6/main.php: 1 Time(s)
/phpMyAdmin-2.5.7-pl1/main.php: 1 Time(s)
/phpMyAdmin-2.6.0-pl3/main.php: 2 Time(s)
/phpMyAdmin-2.6.0/main.php: 1 Time(s)
/phpMyAdmin-2.6.1-pl3/main.php: 1 Time(s)
/phpMyAdmin-2.6.3-pl1/main.php: 1 Time(s)
/phpMyAdmin-2.6.4/main.php: 1 Time(s)
/phpMyAdmin/main.php: 1 Time(s)
/phpadmin/main.php: 1 Time(s)
/phpmanager/main.php: 1 Time(s)
/phpmy-admin/main.php: 1 Time(s)
/phpmyadmin/main.php: 1 Time(s)
/phpmyadmin1/main.php: 1 Time(s)
/phpmyadmin2/main.php: 1 Time(s)
/pma/main.php: 1 Time(s)
/robots.txt: 1 Time(s)
/sqlmanager/main.php: 1 Time(s)
/sqlweb/main.php: 1 Time(s)
/typo3/phpmyadmin/main.php: 1 Time(s)
/web/main.php: 1 Time(s)
/web/phpMyAdmin/main.php: 1 Time(s)
/webadmin/main.php: 1 Time(s)
/webdb/main.php: 1 Time(s)
/websql/main.php: 1 Time(s)
/xampp/phpmyadmin/main.php: 1 Time(s)
http://www.wantsfly.com/prx.php?hash=CEC7D ... AFEDE8BC06A138E: 1 Time(s)


And here is the entry from hinet.net:

NOQUEUE: reject: RCPT from 123-205-234-254.adsl.dynamic.seed.net.tw[123.205.234.254]: 554 5.7.1 <sseenndd0622@yahoo.com.hk>: Relay access denied; from=<bh6j.8k4f9@msa.hinet.net> to=<sseenndd0622@yahoo.com.hk> proto=SMTP helo=<24.43.128.82>

I looked up both of these on Google. wantsfly.com is somewhere in China, as is hinet.net. I was just wondering if there was a way to block both of these domains from even receiving a response from my firewall/server.

Void Main
Site Admin
Posts: 5712
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA

Post by Void Main » Mon Aug 17, 2009 11:07 am

Like I said, you can't block an IP address just because it happens to resolve as part of a particular DNS domain in real time because the firewall would have to resolve that IP address to a name and then match it up to a domain rule. I don't know of any firewall that will do that actually.

What you can do is look through your logs and find every host that tries to connect that resides in one of those domains and add that IP address to the block list in your firewall. If it is a small number of addresses, just add them to your block list.

You could also do something like I did when the Code Red virus was hitting hard. I wrote a block script that would be called like "block <ipaddr>". When I detected a Code Red hit I just called that script and blocked that address so it wouldn't be able to keep pounding my server. Something a little more drastic: you could block the entire Chinese netblock ranges. You can't do it by DNS domain at your firewall though.

Having said that, you "could" deny based on domain in your Apache configuration. In fact, I would suggest that you at least tighten up your administrative sections (phpMyAdmin, etc.) to only allow specific IP addresses or network ranges (or domain) that you need to access it from.

Copperhead
scripter
Posts: 83
Joined: Wed May 14, 2003 1:12 am
Location: Los Angeles, CA, USA

Post by Copperhead » Mon Aug 17, 2009 11:21 am

Thanks. I will give those a look.

I don't have phpmyadmin, or anything like that installed, so no harm no foul, I guess. This has been going on for the past two weeks from the same range of addresses, so I am guessing it is some script kiddies trying to have some fun.

Void Main
Site Admin
Posts: 5712
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA

Post by Void Main » Mon Aug 17, 2009 11:23 am

Could you list the addresses/range of addresses and we could come up with a good firewall rule to block them? That looks typical of a bot client looking for specific open security holes.

Copperhead
scripter
Posts: 83
Joined: Wed May 14, 2003 1:12 am
Location: Los Angeles, CA, USA

Post by Copperhead » Mon Aug 17, 2009 4:23 pm

That is exactly what it is. I found some odd entries in my log files and Googled them only to find this:

http://johannburkard.de/blog/www/spam/m ... nners.html

Sorry about the language, but it was in my log file. That page has a bunch of other scanners that I see in my logs.

I am compiling a list of all the offending IPs. We'll see if we can come up with a rule. They seem to be coming from everywhere so it might be hard to pinpoint a range.

Here is a list of the offending IPs:

63.246.145.10
61.160.216.63
65.55.211.62
38.105.83.12
92.46.175.181
208.64.68.36
216.145.11.94
212.117.177.170
74.95.238.213
91.199.207.60
83.140.28.14

Void Main
Site Admin
Posts: 5712
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA

Post by Void Main » Mon Aug 17, 2009 4:55 pm

None of those addresses have reverse DNS entries in the domains you listed. One of them is an MSN search bot. If you don't want the bots indexing your site then you should set up a robots.txt file. I wouldn't be so quick to block all those addresses.

Copperhead
scripter
Posts: 83
Joined: Wed May 14, 2003 1:12 am
Location: Los Angeles, CA, USA

Post by Copperhead » Mon Aug 17, 2009 6:15 pm

After some grepping, this one is coming from wantsfly.com:

61.160.216.63

and these seem to be running the malicious bot:

60.13.126.151 -- China
61.160.216.63 -- China
88.80.7.248 -- Sweden
91.199.207.60 -- Czech Republic

whois returned this on 74.95.238.213:

[Querying whois.arin.net]
[whois.arin.net]
Comcast Business Communications, Inc. CBC-CM-4 (NET-74-92-0-0-1)
74.92.0.0 - 74.95.255.255
Comcast Business Communications, Inc. HOUSTON-CBC-2 (NET-74-95-224-0-1)
74.95.224.0 - 74.95.255.255

# ARIN WHOIS database, last updated 2009-08-16 20:00
# Enter ? for additional hints on searching ARIN's WHOIS database.

Void Main
Site Admin
Posts: 5712
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA

Post by Void Main » Mon Aug 17, 2009 6:20 pm

That address is from China but what makes you think it's associated with wantsfly.com? It doesn't have a reverse DNS entry:

$ host 61.160.216.63
Host 63.216.160.61.in-addr.arpa. not found: 3(NXDOMAIN)

Copperhead
scripter
Posts: 83
Joined: Wed May 14, 2003 1:12 am
Location: Los Angeles, CA, USA

Post by Copperhead » Mon Aug 17, 2009 6:25 pm

Maybe I am reading the log entry wrong then:

access.log:

61.160.216.63 - - [11/Aug/2009:12:04:51 -0700] "GET http://www.wantsfly.com/prx.php?hash=CE ... 8BC06A138E HTTP/1.0" 404 287 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"

That line is in there quite a few times.

Void Main
Site Admin
Posts: 5712
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA

Post by Void Main » Mon Aug 17, 2009 6:37 pm

That is very interesting. 61.160.216.63 is the client that is connected to your web server. That client requested this file from you:

http://www.wantsfly.com/prx.php?hash=CEC7D7F3C316BE4A182B80520050AAFEDE8BC06A138E

The client IP is not associated with wantsfly at all but it appears it tried to use your server as a proxy. I would be curious to see more log entries from this address. If you could grep out anything from 61.160.216.63 I would like to see a block of entries from the same time period.

Your server sent it a 404 error message which means they were not successful in the proxy request. I would just block that client address (61.160.216.63).
Last edited by Void Main on Mon Aug 17, 2009 6:48 pm, edited 2 times in total.
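The two pieces of advice in this thread, go through the logs for the clients doing this and put their addresses (not their DNS names) in the firewall block list, and treat a request for an absolute URL on some other host as an open-proxy probe and block that client, as an added example. This is not code from either poster or from Shorewall. It assumes Apache combined-format log lines, optionally prefixed with the file name as the grep output posted here is; the sample log is constructed after the lines in this thread (same two client addresses, shortened) plus a constructed benign client 192.0.2.10, and the five-distinct-404-paths threshold is an assumption to tune. The emitted rules use the ACTION / SOURCE / DEST layout of /etc/shorewall/rules (`DROP net:<ip> $FW`), and `shorewall drop` is the dynamic-blacklist command family that `shorewall reject wantsfly.com` at the top of the thread used.

```python
#!/usr/bin/env python3
"""Flag web clients that probe for admin consoles or try to use the server as
an open proxy, then emit Shorewall block entries for them.

Added example for this thread, not code from either poster or from Shorewall.
SAMPLE_LOG is constructed after the lines posted in the thread; the thresholds
are assumptions to tune for your own traffic.
"""
import re
from collections import defaultdict

# Apache "combined" log line, optionally prefixed with "filename:" the way
# grep prints matches from several rotated logs (access_log.1:...).
LOG_RE = re.compile(
    r'^(?:[\w./-]+:)?'                           # optional grep filename prefix
    r'(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ '  # client, ident, user
    r'\[(?P<ts>[^\]]+)\] '                       # [dd/Mon/yyyy:HH:MM:SS zone]
    r'"(?P<method>[A-Z]+) (?P<target>.+?)(?: HTTP/\d\.\d)?" '  # request line
    r'(?P<status>\d{3}) '                        # response code
)

ABSOLUTE_URI = re.compile(r'^https?://', re.IGNORECASE)
SCANNER_MARKERS = ('w00tw00t',)   # DFind signature from the logwatch output above
PATH_SCAN_THRESHOLD = 5           # distinct 404'd paths from one client (assumed)


def parse_line(line):
    """Return (ip, timestamp, method, target, status), or None for non-request lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m['ip'], m['ts'], m['method'], m['target'], int(m['status'])


def analyse(lines, threshold=PATH_SCAN_THRESHOLD):
    """Map each suspicious client IP to a sorted list of reasons:
    proxy-probe        target is an absolute URL on another host
    scanner-signature  a known scanner marker appears in the target
    path-scan          at least `threshold` distinct paths all answered 404
    """
    missing = defaultdict(set)   # ip -> distinct paths that came back 404
    reasons = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, _ts, _method, target, status = rec
        if ABSOLUTE_URI.match(target):
            reasons[ip].add('proxy-probe')
        if any(marker in target for marker in SCANNER_MARKERS):
            reasons[ip].add('scanner-signature')
        if status == 404:
            missing[ip].add(target)
    for ip, paths in missing.items():
        if len(paths) >= threshold:
            reasons[ip].add('path-scan')
    return {ip: sorted(r) for ip, r in reasons.items()}


def _by_address(ips):
    """Sort dotted quads numerically, not lexically."""
    return sorted(ips, key=lambda a: tuple(int(o) for o in a.split('.')))


def shorewall_rules(findings):
    """/etc/shorewall/rules entries (ACTION  SOURCE  DEST), one per flagged
    client, each preceded by a comment line giving the reason.  DROP discards
    silently; REJECT would answer with a reset or ICMP error instead."""
    out = []
    for ip in _by_address(findings):
        out.append(f"# {ip}: {', '.join(findings[ip])}")
        out.append(f"DROP\tnet:{ip}\t$FW")
    return out


def shorewall_drop_commands(findings):
    """The same addresses as dynamic-blacklist commands, which take effect
    at once without a Shorewall restart."""
    return [f"shorewall drop {ip}" for ip in _by_address(findings)]


# Constructed sample, modelled on the access_log lines posted in this thread.
SAMPLE_LOG = """\
access_log.1:61.160.216.63 - - [11/Aug/2009:12:04:51 -0700] "GET http://www.wantsfly.com/prx.php?hash=CEC7D7F3C316BE4A182B80520050AAFEDE8BC06A138E HTTP/1.0" 404 287 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:14:58 -0700] "GET /phpmyadmin/main.php HTTP/1.0" 404 295 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:14:58 -0700] "GET /phpMyAdmin/main.php HTTP/1.0" 404 295 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:14:58 -0700] "GET /db/main.php HTTP/1.0" 404 287 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:14:59 -0700] "GET /PMA/main.php HTTP/1.0" 404 288 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:10 -0700] "GET /phpMyAdmin 2.6.4-pl4/main.php HTTP/1.0" 404 286 "-" "-"
192.0.2.10 - - [16/Aug/2009:09:00:00 -0700] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
192.0.2.10 - - [16/Aug/2009:09:00:02 -0700] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
"""

if __name__ == '__main__':
    found = analyse(SAMPLE_LOG.splitlines())
    print('\n'.join(shorewall_rules(found)))
    print('\n'.join(shorewall_drop_commands(found)))
```

The script deliberately emits addresses and never names: iptables, and therefore `shorewall drop`/`reject <name>`, resolves a name once, when the rule is added, so it only works for a name that has an address record at that moment (which is why `hinet.net` gave "host/network not found") and it never catches other hosts that merely reverse-resolve into the same DNS domain. Before putting a candidate on the list, check its reverse DNS the way `host` was used above, so that a search-engine crawler that happened to 404 on a few paths does not end up blocked.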

Copperhead
scripter
Posts: 83
Joined: Wed May 14, 2003 1:12 am
Location: Los Angeles, CA, USA

Post by Copperhead » Mon Aug 17, 2009 6:46 pm

This has been going on for the past week. Here are the entries from 61.160.216.63:


access_log:61.160.216.63 - - [16/Aug/2009:12:24:18 -0700] "GET http:/??hash=CEC7D7F3C316BE4A182B80520050AAFEDE8BC06A138E HTTP/1.0" 404 287 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
access_log.1:61.160.216.63 - - [09/Aug/2009:16:10:31 -0700] "GET http://www.wantsfly.com/prx.php?hash=CE ... 8BC06A138E HTTP/1.0" 404 287 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
access_log.1:61.160.216.63 - - [11/Aug/2009:12:04:51 -0700] "GET http://www.wantsfly.com/prx.php?hash=CE ... 8BC06A138E HTTP/1.0" 404 287 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
access_log.1:61.160.216.63 - - [13/Aug/2009:12:38:38 -0700] "GET http://www.wantsfly.com/prx.php?hash=CE ... 8BC06A138E HTTP/1.0" 404 287 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
access_log.1:61.160.216.63 - - [14/Aug/2009:10:37:42 -0700] "GET http://www.wantsfly.com/prx.php?hash=CE ... 8BC06A138E HTTP/1.0" 404 287 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
access_log.2:61.160.216.63 - - [08/Aug/2009:10:21:45 -0700] "GET http://www.wantsfly.com/prx.php?hash=CE ... 8BC06A138E HTTP/1.0" 404 287 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"

<end log>


And it seems our friend here State-side (74.95.238.213) is running the bot:


access_log.1:74.95.238.213 - - [16/Aug/2009:02:14:58 -0700] "GET /phpmyadmin/main.php HTTP/1.0" 404 295 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:14:58 -0700] "GET /phpMyAdmin/main.php HTTP/1.0" 404 295 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:14:58 -0700] "GET /db/main.php HTTP/1.0" 404 287 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:14:58 -0700] "GET /web/main.php HTTP/1.0" 404 288 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:14:59 -0700] "GET /htdocs/main.php HTTP/1.0" 404 291 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:14:59 -0700] "GET /PMA/main.php HTTP/1.0" 404 288 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:14:59 -0700] "GET /admin/main.php HTTP/1.0" 404 290 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:14:59 -0700] "GET /dbadmin/main.php HTTP/1.0" 404 292 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:14:59 -0700] "GET /pma/main.php HTTP/1.0" 404 288 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:14:59 -0700] "GET /sqlmanager/main.php HTTP/1.0" 404 295 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:00 -0700] "GET /mysqlmanager/main.php HTTP/1.0" 404 297 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:00 -0700] "GET /p/m/a/main.php HTTP/1.0" 404 290 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:00 -0700] "GET /phpmanager/main.php HTTP/1.0" 404 295 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:00 -0700] "GET /php-myadmin/main.php HTTP/1.0" 404 296 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:00 -0700] "GET /phpmy-admin/main.php HTTP/1.0" 404 296 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:00 -0700] "GET /mysql/main.php HTTP/1.0" 404 290 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:01 -0700] "GET /myadmin/main.php HTTP/1.0" 404 292 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:01 -0700] "GET /webadmin/main.php HTTP/1.0" 404 293 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:01 -0700] "GET /sqlweb/main.php HTTP/1.0" 404 291 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:01 -0700] "GET /websql/main.php HTTP/1.0" 404 291 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:01 -0700] "GET /webdb/main.php HTTP/1.0" 404 290 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:01 -0700] "GET /xampp/phpmyadmin/main.php HTTP/1.0" 404 301 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:02 -0700] "GET /typo3/phpmyadmin/main.php HTTP/1.0" 404 301 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:02 -0700] "GET /mysqladmin/main.php HTTP/1.0" 404 295 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:02 -0700] "GET /mysql-admin/main.php HTTP/1.0" 404 296 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:02 -0700] "GET /phpMyAdmin-/main.php HTTP/1.0" 404 296 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:02 -0700] "GET /php-my-admin/main.php HTTP/1.0" 404 297 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:02 -0700] "GET /phpMyAdmin-/main.php HTTP/1.0" 404 296 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:03 -0700] "GET /phpMyAdmin--rc/main.php HTTP/1.0" 404 299 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:03 -0700] "GET /phpMyAdmin--pl/main.php HTTP/1.0" 404 299 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:03 -0700] "GET /phpMyAdmin--alpha/main.php HTTP/1.0" 404 302 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:03 -0700] "GET /phpMyAdmin--beta/main.php HTTP/1.0" 404 301 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:03 -0700] "GET /admin/phpmyadmin/main.php HTTP/1.0" 404 301 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:03 -0700] "GET /admin/phpMyAdmin/main.php HTTP/1.0" 404 301 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:03 -0700] "GET /admin/sysadmin/main.php HTTP/1.0" 404 299 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:04 -0700] "GET /admin/sqladmin/main.php HTTP/1.0" 404 299 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:04 -0700] "GET /admin/db/main.php HTTP/1.0" 404 293 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:04 -0700] "GET /admin/web/main.php HTTP/1.0" 404 294 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:04 -0700] "GET /admin/pMA/main.php HTTP/1.0" 404 294 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:04 -0700] "GET /web/phpMyAdmin/main.php HTTP/1.0" 404 299 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:04 -0700] "GET /admin/main.php HTTP/1.0" 404 290 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:05 -0700] "GET /admin/mysql/main.php HTTP/1.0" 404 296 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:05 -0700] "GET /admin/myadmin/main.php HTTP/1.0" 404 298 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:05 -0700] "GET /admin/webadmin/main.php HTTP/1.0" 404 299 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:05 -0700] "GET /admin/sqlweb/main.php HTTP/1.0" 404 297 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:05 -0700] "GET /admin/websql/main.php HTTP/1.0" 404 297 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:05 -0700] "GET /admin/webdb/main.php HTTP/1.0" 404 296 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:06 -0700] "GET /admin/mysql-admin/main.php HTTP/1.0" 404 302 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:06 -0700] "GET /admin/phpMyAdmin-/main.php HTTP/1.0" 404 302 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:06 -0700] "GET /admin/php-my-admin/main.php HTTP/1.0" 404 303 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:06 -0700] "GET /admin/PMA/main.php HTTP/1.0" 404 294 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:06 -0700] "GET /admin/pma/main.php HTTP/1.0" 404 294 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:06 -0700] "GET /admin/sqlmanager/main.php HTTP/1.0" 404 301 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:07 -0700] "GET /admin/mysqlmanager/main.php HTTP/1.0" 404 303 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:07 -0700] "GET /admin/p/m/a/main.php HTTP/1.0" 404 296 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:07 -0700] "GET /admin/phpmanager/main.php HTTP/1.0" 404 301 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:07 -0700] "GET /admin/php-myadmin/main.php HTTP/1.0" 404 302 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:07 -0700] "GET /admin/phpmy-admin/main.php HTTP/1.0" 404 302 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:07 -0700] "GET /admin/phpMyAdmin-/main.php HTTP/1.0" 404 302 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:07 -0700] "GET /admin/phpMyAdmin--rc/main.php HTTP/1.0" 404 305 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:08 -0700] "GET /admin/phpMyAdmin--pl/main.php HTTP/1.0" 404 305 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:08 -0700] "GET /admin/phpMyAdmin--alpha/main.php HTTP/1.0" 404 308 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:08 -0700] "GET /admin/phpMyAdmin--beta/main.php HTTP/1.0" 404 307 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:08 -0700] "GET /admin/htdocs/main.php HTTP/1.0" 404 297 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:08 -0700] "GET /phpmyadmin2/main.php HTTP/1.0" 404 296 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:08 -0700] "GET /phpmyadmin1/main.php HTTP/1.0" 404 296 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:09 -0700] "GET /phpadmin/main.php HTTP/1.0" 404 293 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:09 -0700] "GET /myadmin/main.php HTTP/1.0" 404 292 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:09 -0700] "GET /phpMyAdmin-2.2.3/main.php HTTP/1.0" 404 301 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:09 -0700] "GET /phpMyAdmin-2.2.7-pl1/main.php HTTP/1.0" 404 305 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:09 -0700] "GET /phpMyAdmin-2.5.6/main.php HTTP/1.0" 404 301 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:09 -0700] "GET /phpMyAdmin-2.5.7-pl1/main.php HTTP/1.0" 404 305 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:10 -0700] "GET /phpMyAdmin-2.6.0/main.php HTTP/1.0" 404 301 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:10 -0700] "GET /phpMyAdmin-2.6.0-pl3/main.php HTTP/1.0" 404 305 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:10 -0700] "GET /phpMyAdmin-2.6.0-pl3/main.php HTTP/1.0" 404 305 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:10 -0700] "GET /phpMyAdmin-2.6.1-pl3/main.php HTTP/1.0" 404 305 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:10 -0700] "GET /phpMyAdmin-2.6.3-pl1/main.php HTTP/1.0" 404 305 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:10 -0700] "GET /phpMyAdmin 2.6.4-pl4/main.php HTTP/1.0" 404 286 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:10 -0700] "GET /phpMyAdmin 2.7.0-beta1/main.php HTTP/1.0" 404 286 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:11 -0700] "GET /phpMyAdmin 2.7.0-rc1/main.php HTTP/1.0" 404 286 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:11 -0700] "GET /phpMyAdmin 2.7.0/main.php HTTP/1.0" 404 286 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:11 -0700] "GET /phpMyAdmin-2.6.4/main.php HTTP/1.0" 404 301 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:11 -0700] "GET /phpMyAdmin 2.7.0-pl1/main.php HTTP/1.0" 404 286 "-" "-"
access_log.1:74.95.238.213 - - [16/Aug/2009:02:15:11 -0700] "GET /phpMyAdmin-2.2.7-pl1/main.php HTTP/1.0" 404 305 "-" "-"

..........

<end log>

Void Main
Site Admin
Posts: 5712
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA

Post by Void Main » Mon Aug 17, 2009 6:52 pm

Looks like you are not the only one that address has annoyed:

http://www.ipillion.com/?ip=61.160.216.63

It appears to be a Windows machine, probably rooted with a bot looking for vulnerabilities as I originally suspected. Again, I would just block that address.

You could just block 74.95.238.213 too if it's recurring. You'll get a lot of this though. People will constantly scan your system for known vulnerabilities. You just have to keep all the holes closed.

Copperhead
scripter
Posts: 83
Joined: Wed May 14, 2003 1:12 am
Location: Los Angeles, CA, USA

Post by Copperhead » Mon Aug 17, 2009 6:58 pm

That site is funny :D That person might just be trying to break out of the Great Firewall of China.

In Shorewall, do I just write the rule like I had above, but with the IP instead of the FQDN?
