Re: [users@httpd] Unknown accepted traffic to my site

2016-10-06 Thread Spork Schivago
Oh! Tawasol, I forgot. If you're not already doing so, you should have your server scanned for vulnerabilities. There are free websites out there that can do this, like https://scanmyserver.com/ I believe nmap can also help you scan your server, although I don't think it was really designed for

Re: [users@httpd] Unknown accepted traffic to my site

2016-10-06 Thread Spork Schivago
Tawasol, You might want to look into more than just mod_security. For example, there are modules out there for PHP, for instance, that will make PHP run as a certain user. If someone manages to take advantage of some poorly written PHP code, for example, they would only have limited user access a

Re: [users@httpd] Unknown accepted traffic to my site

2016-10-06 Thread Tawasol Go
I use CentOS 7.x also CSF/LFD installed. Till now they did not get into the server. I'll look into mod_security. Thanks, On Fri, Oct 7, 2016 at 1:01 AM, Anthony Biacco wrote: > > > On Thu, Oct 6, 2016 at 3:42 PM, Spork Schivago > wrote: > >> Are you sure they haven't successfully found a way i

Re: [users@httpd] Unknown accepted traffic to my site

2016-10-06 Thread Anthony Biacco
On Thu, Oct 6, 2016 at 3:42 PM, Spork Schivago wrote: > Are you sure they haven't successfully found a way in? There are some > free programs that I use to help prevent this stuff. ConfigServer > Firewall / LFD is a good one. Rkhunter and chkrootkit scan for rootkits. > The big one that he

Re: [users@httpd] Unknown accepted traffic to my site

2016-10-06 Thread Spork Schivago
Tawasol Go, I don't think your issue is from the Berkeley scanners. This is what one of the Berkeley people involved with the project said: I grep'd our logs. The full packet payload we sent, base64 encoded was: XgVB6qH6vhUKgtS97jgjPuVy3wPvMgn8waDBFSu2EfosbL5ygd33ejOw+ eQ2+igTdpUPwmamsW0nQG4/M

Re: [users@httpd] Unknown accepted traffic to my site

2016-10-06 Thread Tawasol Go
Hits come from all over the world, without DNS entry found. Hits come from more than 500 IPs from Jan. 2016. Other samples: with codes like 400, 408 and 404 0.0.0.0 - - [06/Oct/2016:11:12:08 +0300] "\x8bL\xb0Ri\x8f\x03\xb5\x1f)wI\x92\xfc\xa8\x97B\xcbH4\xaa#\xc1\x17'\xa6\xec3#\t\xed\xc4}[\x14w\xef

Re: [users@httpd] Unknown accepted traffic to my site

2016-10-06 Thread Spork Schivago
Thanks Tony! Much appreciated. Erik, Did I ever try to run what on my server? The string query that Berkeley sends looking for the malware to respond? If so, no, I have never tried to send that carefully crafted packet to my Apache server. From the previous user who had what appears to be

Re: [users@httpd] Unknown accepted traffic to my site

2016-10-06 Thread Anthony Biacco
On Thu, Oct 6, 2016 at 8:47 AM, Spork Schivago wrote: > > There's a way to do a reverse IP lookup on the IP address and see if > there's a DNS entry for it. That's how I was able to successfully figure > out who the senders were (Berkeley) originally. I used dig I believe. I > don't have acc

Re: [users@httpd] Unknown accepted traffic to my site

2016-10-06 Thread Erik Dobák
Did you ever try to run that on your own server? What would be the html response? E On 6 October 2016 at 16:47, Spork Schivago wrote: > I remember this! I contacted the college that was running the scanners > and got in-depth information about what it was and how it worked. > > This is the resp

Re: [users@httpd] Unknown accepted traffic to my site

2016-10-06 Thread Spork Schivago
I remember this! I contacted the college that was running the scanners and got in-depth information about what it was and how it worked. These are the responses I got back from the people running the scan... Apologies for the long delay. As Stefan said, I've been away on my honeymoon. As far as w

Re: [users@httpd] Unknown accepted traffic to my site

2016-10-06 Thread Rainer Canavan
On Wed, Oct 5, 2016 at 6:26 PM, Joe Muller wrote: > From the looks of it I would say it is targeting servers running SSL. Are > you serving up HTTP or HTTPS ? I don't think that that is valid SSL, unless your httpd discards the first few bytes. There was a SANS handler diary entry just yesterday

RE: [users@httpd] Unknown accepted traffic to my site

2016-10-06 Thread Mitchell Krog Photography
That could well be the case. I have two trap web sites set up which monitor this stuff and both the http and https get hit daily, in fact the non https site gets hit much more frequently. Still interested to know if anyone has any more in depth information on exactly what this type of exploit is