I'm not familiar with apache logs... but it looks like you are being 
scanned with a web vulnerability scanner from an attacker in China.  The 
youtube string you see, I believe, is the user-agent string supplied by the 
scanning host.

Compile all the URL requests and set up a cdb list in OSSEC.  Then set up an 
active response based on the URL requested to block the offending IP 
address.  The rule will look something like the following.

<!-- 31100 is the parent rule for decoded web access-log events; list keys are matched exactly against the decoded url field -->
<rule id="184780" level="12">
  <if_sid>31100</if_sid>
  <list field="url">lists/urlblacklist</list>
  <description>Web Vulnerability Scanner Detected</description>
</rule>

and the active response... assumes the firewall-drop command will actually block 
the attacker at your perimeter.

  <active-response>
    <command>firewall-drop</command>
    <location>server</location>
    <rules_id>184780</rules_id>
    <timeout>300</timeout>
    <repeated_offenders>2,10,60,120,1440</repeated_offenders>
  </active-response>

Now all you need is the list and testing :)
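As an added example (not from the reply above and not OSSEC's own code), a Python script for the "compile all the URL requests" step: it parses Apache combined-log lines like those in the question, keeps the ones whose User-Agent starts with the Shellshock-style `() {` marker, and emits the requested paths in the `key:value` format OSSEC cdb lists use. The sample lines are constructed for the example and the list path `lists/urlblacklist` is assumed.

```python
import re

# Field layout of Apache's "combined" LogFormat, as in the thread's log lines.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# A bash function definition at the start of a header value is the
# Shellshock-style probe the scanner puts in its User-Agent.
SHELLSHOCK_RE = re.compile(r'^\(\)\s*\{')

# Constructed sample: two requests modelled on the thread plus one benign hit.
SAMPLE_LOG = '''\
125.122.211.198 - - [15/Sep/2015:00:50:58 +0200] "GET /admin.cgi HTTP/1.0" 403 5 "https://www.youtube.com/watch?v=FoUWHfh733Y" "() { goo;}; echo Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`"
125.122.211.198 - - [15/Sep/2015:00:50:50 +0200] "GET /catalog/index.cgi HTTP/1.0" 403 5 "https://www.youtube.com/watch?v=FoUWHfh733Y" "() { goo;}; echo Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`"
192.0.2.10 - - [15/Sep/2015:01:02:03 +0200] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0 (X11; Linux x86_64)"
'''.splitlines()


def parse_line(line):
    """Return the fields of one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_scanner_hit(entry):
    """True when the User-Agent or Referer carries the Shellshock-style marker."""
    return bool(SHELLSHOCK_RE.match(entry["ua"]) or SHELLSHOCK_RE.match(entry["referer"]))


def build_cdb_list(lines):
    """Return OSSEC cdb 'key:value' lines, one per URL requested by scanner traffic.

    The key is the url exactly as logged: cdb lookups are exact matches, so a
    key of /admin.cgi does not match /admin.cgi?x=1.  The value is left empty.
    """
    urls = {e["url"] for e in map(parse_line, lines) if e and is_scanner_hit(e)}
    return [f"{url}:" for url in sorted(urls)]


if __name__ == "__main__":
    # Redirect this into lists/urlblacklist (assumed path) before compiling it.
    print("\n".join(build_cdb_list(SAMPLE_LOG)))
```

Point OSSEC at the file from the `<rules>` section of ossec.conf with `<list>lists/urlblacklist</list>`, then run ossec-makelists so the cdb is compiled before the rule references it.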
On Monday, October 5, 2015 at 4:25:18 AM UTC-7, theresa mic-snare wrote:
>
> Hi all,
>
> it's my weekly ossec question post ;)
>
> maybe you can help shed some light onto this one, as I'm not really good 
> with HTTP/Apache return codes.
> I have tons of these types of requests in my current Apache webserver log
>
> 125.122.211.198 - - [15/Sep/2015:00:50:58 +0200] "GET /admin.cgi HTTP/1.0" 403 5 "https://www.youtube.com/watch?v=FoUWHfh733Y"; "() { goo;}; echo Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`"
> 125.122.211.198 - - [15/Sep/2015:00:50:50 +0200] "GET /catalog/index.cgi HTTP/1.0" 403 5 "https://www.youtube.com/watch?v=FoUWHfh733Y"; "() { goo;}; echo Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`"
> 125.122.211.198 - - [15/Sep/2015:00:50:49 +0200] "GET /cart.cgi HTTP/1.0" 403 5 "https://www.youtube.com/watch?v=FoUWHfh733Y"; "() { goo;}; echo Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`"
> 125.122.211.198 - - [15/Sep/2015:00:50:49 +0200] "GET /cartcart.cgi HTTP/1.0" 403 5 "https://www.youtube.com/watch?v=FoUWHfh733Y"; "() { goo;}; echo Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`"
> 125.122.211.198 - - [15/Sep/2015:00:50:48 +0200] "GET /bigconf.cgi HTTP/1.0" 403 5 "https://www.youtube.com/watch?v=FoUWHfh733Y"; "() { goo;}; echo Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`"
> 125.122.211.198 - - [15/Sep/2015:00:50:47 +0200] "GET /bandwidth/index.cgi HTTP/1.0" 403 5 "https://www.youtube.com/watch?v=FoUWHfh733Y"; "() { goo;}; echo Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`"
> 125.122.211.198 - - [15/Sep/2015:00:50:47 +0200] "GET /b2-include/b2edit.showposts.php HTTP/1.0" 403 5 "https://www.youtube.com/watch?v=FoUWHfh733Y"; "() { goo;}; echo Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`"
> 125.122.211.198 - - [15/Sep/2015:00:50:46 +0200] "GET /axis-cgi/buffer/command.cgi HTTP/1.0" 403 5 "https://www.youtube.com/watch?v=FoUWHfh733Y"; "() { goo;}; echo Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`"
> 125.122.211.198 - - [15/Sep/2015:00:50:45 +0200] "GET /apps/web/vs_diag.cgi HTTP/1.0" 403 5 "https://www.youtube.com/watch?v=FoUWHfh733Y"; "() { goo;}; echo Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`"
> 125.122.211.198 - - [15/Sep/2015:00:50:45 +0200] "GET /analyse.cgi HTTP/1.0" 403 2790 "https://www.youtube.com/watch?v=FoUWHfh733Y"; "() { goo;}; echo Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`"
> 125.122.211.198 - - [15/Sep/2015:00:50:44 +0200] "GET /aktivate/cgi-bin/catgy.cgi HTTP/1.0" 404 8436 "https://www.youtube.com/watch?v=FoUWHfh733Y"; "() { goo;}; echo Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`"
> 125.122.211.198 - - [15/Sep/2015:00:50:43 +0200] "GET /agora.cgi HTTP/1.0" 404 8436 "https://www.youtube.com/watch?v=FoUWHfh733Y"; "() { goo;}; echo Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`"
>
> what are these doing except trying to call a youtube video?
> I was once told that the GET requests are not as harmful as the POST 
> requests...
>
> I suppose it's just some script kiddie running a webserver attack script.
> should I worry?
>
> how to block these?
>
> I have a couple of other request types as well, but they all follow the 
> same pattern.
>
> best,
> theresa
>

You received this message because you are subscribed to the Google Groups 
"ossec-list" group.