Greg McCarroll wrote:

> * robin szemeti ([EMAIL PROTECTED]) wrote:
> 
>>if your scans and probes look like ...
>>
>>[4]     PBServer/..%5c..%5c..%5cwinnt/system32/cmd.exe
>>
> 
> <snip>
> 
>>etc etc etc ad nauseam
>>
>>
> 
> nope, the sequence of events went something like this
> 
> portscan on 145
> 20+ minutes later, portscan of 146
> 1hr+ minutes later, apache was showing attempts such as this ....


You could set up some sort of IPTables/chains rule to block the IP (or 
some other action) of any host that portscans these ports.  Of course he 
might be spoofing.


> host217-35-113-70.in-addr.btopenworld.com - - [09/Jan/2002:14:36:32
> +0000] "GET
> /cgi-bin/webspirs.cgi?sp.nextform=../../../../../../etc/passwd
> HTTP/1.0" 404 275 "-" "-"
> host217-35-113-70.in-addr.btopenworld.com - - [09/Jan/2002:14:36:33
> +0000] "HEAD /cgi-bin/DCShop/Orders/orders.txt HTTP/1.0" 404 0 "-" "-"
> host217-35-113-70.in-addr.btopenworld.com - - [09/Jan/2002:14:36:33
> +0000] "HEAD /cgi-bin/a1disp3.cgi?/../../../../../../etc/passwd
> HTTP/1.0" 404 0 "-" "-"
> host217-35-113-70.in-addr.btopenworld.com - - [09/Jan/2002:14:36:33
> +0000] "HEAD /cgi-bin/a1stats/ HTTP/1.0" 404 0 "-" "-"


If they are repeating the same scans then you could set up a tar pit!

http://slashdot.org/article.pl?sid=01/09/20/1241249&mode=thread


well, maybe.  Of course you could use Apache redirect directives if they 
are requesting the same paths.  We had to do this on a bunch of our UNIX 
webservers, redirecting the requests to a 0 byte text file.

I do think BT abuse should get off their lazy behinds and do something 
about it though.

Hmmm.
-- 
*claw claw* *fang*
*shred* *rip* *ad hominem* *slash*
(more attacks will require consultancy fees.)
          -Nix.


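Added example, not from the thread: the detection side of what Greg and Nix describe. It parses Apache access-log lines of the shape quoted above, flags requests whose path carries a traversal sequence (`../`, `..%5c`) or one of the probe targets named in the thread (`cmd.exe`, `/etc/passwd`, `orders.txt`, the `a1disp3`/`a1stats`/`webspirs` CGIs), and counts flagged hits per client so a host that keeps repeating the same scan can be handed to a block rule or redirect. The sample log is constructed for this example: the four `btopenworld` lines are the thread's own entries re-joined onto single lines, and the `192.0.2.x` entries are made up. The patterns and the threshold are assumptions, not anything the list members ran.

```python
import re
from collections import defaultdict

# Apache common/combined log format, as quoted in the thread.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Traversal sequences seen in the thread: plain "../" and the URL-encoded
# backslash form "..%5c"; "%2f" and "%2e%2e" variants added as an assumption.
TRAVERSAL_RE = re.compile(r'(\.\./|\.\.%5c|\.\.%2f|%2e%2e)', re.IGNORECASE)

# Probe targets taken from the log lines quoted above (lower-cased for matching).
PROBE_NEEDLES = (
    'cmd.exe', '/etc/passwd', 'orders.txt',
    'webspirs.cgi', 'a1disp3.cgi', 'a1stats',
)

# Constructed sample log: the thread's entries re-joined onto one line each,
# plus one benign request and one IIS-style probe (both made up).
SAMPLE_LOG = [
    'host217-35-113-70.in-addr.btopenworld.com - - [09/Jan/2002:14:36:32 +0000] '
    '"GET /cgi-bin/webspirs.cgi?sp.nextform=../../../../../../etc/passwd HTTP/1.0" 404 275 "-" "-"',
    'host217-35-113-70.in-addr.btopenworld.com - - [09/Jan/2002:14:36:33 +0000] '
    '"HEAD /cgi-bin/DCShop/Orders/orders.txt HTTP/1.0" 404 0 "-" "-"',
    'host217-35-113-70.in-addr.btopenworld.com - - [09/Jan/2002:14:36:33 +0000] '
    '"HEAD /cgi-bin/a1disp3.cgi?/../../../../../../etc/passwd HTTP/1.0" 404 0 "-" "-"',
    'host217-35-113-70.in-addr.btopenworld.com - - [09/Jan/2002:14:36:33 +0000] '
    '"HEAD /cgi-bin/a1stats/ HTTP/1.0" 404 0 "-" "-"',
    '192.0.2.10 - - [09/Jan/2002:14:40:01 +0000] "GET /index.html HTTP/1.0" 200 1234 "-" "Mozilla/4.0"',
    '192.0.2.77 - - [09/Jan/2002:14:41:12 +0000] '
    '"GET /PBServer/..%5c..%5c..%5cwinnt/system32/cmd.exe HTTP/1.0" 404 0 "-" "-"',
]


def parse_line(line):
    """Split one access-log line into its fields, or return None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return the reasons a parsed request looks like a scan or probe (empty list if none)."""
    path = entry['path']
    reasons = []
    if TRAVERSAL_RE.search(path):
        reasons.append('traversal')
    lowered = path.lower()
    reasons.extend(f'probe:{needle}' for needle in PROBE_NEEDLES if needle in lowered)
    return reasons


def suspicious_hosts(lines, threshold=3):
    """Count flagged requests per client and return those at or above the threshold.

    The threshold is an assumption: a single odd request is noise, a burst of
    traversal attempts from one client is the repeated scan the thread describes.
    """
    counts = defaultdict(int)
    for line in lines:
        entry = parse_line(line)
        if entry is not None and classify(entry):
            counts[entry['host']] += 1
    return {host: n for host, n in counts.items() if n >= threshold}


if __name__ == '__main__':
    for host, n in suspicious_hosts(SAMPLE_LOG).items():
        print(f'{host}: {n} flagged requests')
```

The `host` field here is whatever Apache logged, which in the thread is a reverse-resolved name (HostnameLookups on); a firewall rule needs the address, so resolve or log by IP before feeding the result into anything like the IPTables rule Greg suggests. Note also that every flagged request got a 404, so the counting is purely a signal about the client, not evidence that anything was reached.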