To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------

After the last botnet attack on one of my servers, I've been logging all malicious attempts at website vulnerability penetration attempts and some obvious patterns emerged.

#1 - Most of the kiddies don't set the user agent and it's always set to "libwww-perl".

#2 - The QUERY_STRING will almost always contain "=http:" that points to the file they are trying to upload into the website.

Knowing this, you can protect most websites from the most common automated website vulnerability attackers by simply blocking all "libwww-perl" access and any QUERY_STRING that contains "=http:" in the parameter list.

Most software that does permit the upload of files uses a POST, so filtering out "=http:" in the QUERY_STRING should have almost no effect on any sites, except possibly stopping them from being hacked.

FWIW, if I were running a shared hosting company I would block these 2 things by default server-wide just to help keep it clean.

-- 
Bill Atchison
http://www.crawlwall.com

_______________________________________________
All list and server information are public and available to law enforcement upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
