https://mitchellkrog.com
From: Spork Schivago
Reply: users@httpd.apache.org
Date: 07 October 2016 at 8:10:58 AM
To: users@httpd.apache.org
Subject: Re: [users@httpd] Unknown accepted traffic to my site
Oh! Tawasol, I forgot. If you're not already doing so, you should have
your server scanned for vulnerabilities. There are free websites out there
that can do this, like https://scanmyserver.com/
I believe nmap can also help you scan your server, although I don't think
it was really designed for
Tawasol,
You might want to look into more than just mod_security. For example,
there are modules out there for PHP, for instance, that will make PHP run as
a certain user. If someone manages to take advantage of some poorly
written PHP code, for example, they would only have limited user access a
I use CentOS 7.x, also with CSF/LFD installed.
Till now they did not get into the server.
I'll look into mod_security.
Thanks,
On Fri, Oct 7, 2016 at 1:01 AM, Anthony Biacco wrote:
>
>
> On Thu, Oct 6, 2016 at 3:42 PM, Spork Schivago
> wrote:
>
>> Are you sure they haven't successfully found a way i
On Thu, Oct 6, 2016 at 3:42 PM, Spork Schivago
wrote:
> Are you sure they haven't successfully found a way in? There are some
> free programs that I use to help prevent this stuff. ConfigServer
> Firewall / LFD is a good one. Rkhunter and chkrootkit scan for rootkits.
> The big one that he
Tawasol Go,
I don't think your issue is from the Berkeley scanners. This is what one
of the Berkeley people involved with the project said:
I grep'd our logs. The full packet payload we sent, base64 encoded, was:
XgVB6qH6vhUKgtS97jgjPuVy3wPvMgn8waDBFSu2EfosbL5ygd33ejOw+eQ2+igTdpUPwmamsW0nQG4/M
Hits come from all over the world, without a DNS entry found.
Hits come from more than 500 IPs since Jan. 2016.
Other samples, with codes like 400, 408 and 404:
0.0.0.0 - - [06/Oct/2016:11:12:08 +0300] "\x8bL\xb0Ri\x8f\x03\xb5\x1f)wI\x92\xfc\xa8\x97B\xcbH4\xaa#\xc1\x17'\xa6\xec3#\t\xed\xc4}[\x14w\xef
Thanks Tony! Much appreciated.
Erik,
Did I ever try to run what on my server? The string query that Berkeley
sends looking for the malware to respond? If so, no, I have never tried
to send that carefully crafted packet to my Apache server. From the
previous user who had what appears to be
On Thu, Oct 6, 2016 at 8:47 AM, Spork Schivago
wrote:
>
> There's a way to do a reverse IP lookup on the IP address and see if
> there's a DNS entry for it. That's how I was able to successfully figure
> out who the senders were (Berkeley) originally. I used dig, I believe. I
> don't have acc
Did you ever try to run that on your own server? What would be the HTML
response?
E
On 6 October 2016 at 16:47, Spork Schivago wrote:
> I remember this! I contacted the college that was running the scanners
> and got in-depth information about what it was and how it worked.
>
> This is the resp
I remember this! I contacted the college that was running the scanners
and got in-depth information about what it was and how it worked.
These are the responses I got back from the people running the scan...
Apologies for the long delay. As Stefan said, I've been away on my
honeymoon.
As far as w
On Wed, Oct 5, 2016 at 6:26 PM, Joe Muller wrote:
> From the looks of it I would say it is targeting servers running SSL. Are
> you serving up HTTP or HTTPS?
I don't think that that is valid SSL, unless your httpd discards the
first few bytes.
There was a SANS handler diary entry just yesterday
From the looks of it I would say it is targeting servers running SSL. Are you
serving up HTTP or HTTPS?
From: Mitchell Krog Photography
Sent: Wednesday, October 05, 2016 8:18:38 AM
To: Tawasol Go; users@httpd.apache.org
Subject: Re: [users@httpd] Unknown accepted traffic to my site
Reply: users@httpd.apache.org
Date: 05 October 2016 at 12:01:58 PM
To: users@httpd.apache.org
Subject: [users@httpd] Unknown accepted traffic to my site
Hello Guys,
Need to understand this kind of traffic, where I noticed many of them
hitting my site.
IP
0.0.0.0 - - [02/Oct/2016:11:29:08 +0300] "n\x1d\xb6\x18\x9ad\xec[\x1d\b\xe6k\xbb\xe5L" 200 48605
0.0.0.0 - - [02/Oct/2016:16:04:20 +0300] "\x95\xa3\xb1\xce\xc8\xeb:\x86\x87\xb4\x03g\xfa~\x9f{\x07\
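Three points raised in this thread can be checked mechanically: Eric's remark that the logged bytes are not a valid SSL record unless httpd dropped the first few, the base64 probe the Berkeley scanner operator quoted, and the 200 responses in the original log lines. The Python below is an added example and is not code from any poster in the thread. It reverses the \xNN escaping that Apache's mod_log_config applies to the request field, classifies each request line as HTTP, a TLS handshake record, or opaque binary, flags binary lines that were answered with 2xx, and decodes the quoted base64 so its leading bytes can be compared with what was logged. The first sample line is the complete log line from the original post; the other two log lines, and all function names, are constructed for this example.

```python
"""Triage non-HTTP request lines in an Apache access log.

Added example for this thread; not code from any of the posters. It
reverses the escaping mod_log_config applies to the %r field, classifies
each request line, flags the case in the original post (binary bytes
answered with 200), and decodes the base64 probe quoted from the
Berkeley scanner operator so its first bytes can be compared with the log.
"""
import base64
import re

# Line 1 is the complete log line from the original post. Lines 2 and 3
# are constructed for this example so every class appears once: a plain
# GET, and a TLS ClientHello sent to an HTTP port, which Apache logs as
# escaped bytes and normally rejects with 400.
SAMPLE_LOG = r'''0.0.0.0 - - [02/Oct/2016:11:29:08 +0300] "n\x1d\xb6\x18\x9ad\xec[\x1d\b\xe6k\xbb\xe5L" 200 48605
0.0.0.0 - - [06/Oct/2016:11:12:08 +0300] "GET / HTTP/1.1" 200 48605
0.0.0.0 - - [06/Oct/2016:11:12:09 +0300] "\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03" 400 226'''

# Base64 quoted by the scanner operator, joined across the archive's line
# wrap. The copy on this page ends one character into a base64 group, so
# decode_quoted_base64() drops that dangling character.
BERKELEY_B64 = ("XgVB6qH6vhUKgtS97jgjPuVy3wPvMgn8waDBFSu2EfosbL5ygd33ejOw+"
                "eQ2+igTdpUPwmamsW0nQG4/M")

_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+)')
_ESC = re.compile(r'\\(x[0-9a-fA-F]{2}|[\\"nrtbv])')
_SIMPLE = {"\\": b"\\", '"': b'"', "n": b"\n", "r": b"\r",
           "t": b"\t", "b": b"\b", "v": b"\v"}
_HTTP_REQ = re.compile(rb"^[A-Z]+ \S+ HTTP/\d\.\d$")
_HTTP09_REQ = re.compile(rb"^[A-Z]+ \S+$")


def unescape_apache(field: str) -> bytes:
    """Reverse mod_log_config escaping: \\xNN for bytes outside printable
    ASCII, backslash escapes for backslash, double quote and C control names."""
    out = bytearray()
    pos = 0
    for m in _ESC.finditer(field):
        out += field[pos:m.start()].encode("latin-1")
        esc = m.group(1)
        if esc[0] == "x":
            out.append(int(esc[1:], 16))
        else:
            out += _SIMPLE[esc]
        pos = m.end()
    out += field[pos:].encode("latin-1")
    return bytes(out)


def classify(raw: bytes) -> str:
    """Cheap triage of a raw request line."""
    if _HTTP_REQ.match(raw):
        return "http"
    if _HTTP09_REQ.match(raw):
        return "http/0.9"
    # TLS record header: content type 0x16 (handshake), version 3.0 to 3.3.
    if len(raw) >= 3 and raw[0] == 0x16 and raw[1] == 0x03 and raw[2] <= 0x03:
        return "tls-handshake"
    return "binary"


def triage(log_text: str) -> list:
    """One record per parsable line. accepted_garbage is the condition the
    original post shows: a non-HTTP request line answered with 2xx."""
    rows = []
    for line in log_text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        raw = unescape_apache(m.group("req"))
        kind = classify(raw)
        status = int(m.group("status"))
        rows.append({
            "ip": m.group("ip"),
            "kind": kind,
            "status": status,
            "first_bytes": raw[:4].hex(),
            "accepted_garbage": kind in ("tls-handshake", "binary") and 200 <= status < 300,
        })
    return rows


def decode_quoted_base64(text: str) -> bytes:
    """Decode base64 copied out of an e-mail: strip whitespace, drop a lone
    trailing character (a length of 4k+1 is never valid), restore padding."""
    s = re.sub(r"\s+", "", text)
    if len(s) % 4 == 1:
        s = s[:-1]
    return base64.b64decode(s + "=" * (-len(s) % 4))


def berkeley_payload() -> bytes:
    return decode_quoted_base64(BERKELEY_B64)


def matches_berkeley(raw: bytes, n: int = 4) -> bool:
    """Compare only a prefix: the %r field stops at the first newline Apache
    read, so a logged line can be shorter than the probe that produced it."""
    return raw[:n] == berkeley_payload()[:n]


if __name__ == "__main__":
    print("scanner probe starts with", berkeley_payload()[:4].hex())
    for row in triage(SAMPLE_LOG):
        print(row)
```

Run as a script it prints one record per line. A row with accepted_garbage set is the one worth chasing: the server parsed bytes that were never HTTP as a request and served content for them. The quoted probe decodes to bytes beginning 5e 05 41, which do not match the 6e 1d b6 18 at the start of the logged line, consistent with the reply above that the Berkeley scanner was not the source. Apache 2.4.24 and later can refuse such request lines at the parser with HttpProtocolOptions Strict, which answers them with 400 instead of passing them on to a handler.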