From: Spork Schivago <sporkschiv...@gmail.com>
Reply: users@httpd.apache.org <users@httpd.apache.org>
Date: 07 October 2016 at 8:10:58 AM
To: users@httpd.apache.org <users@httpd.apache.org>
Subject: Re: [users@httpd] Unknown accepted traffic to my site
Oh! Tawasol, I forgot. If you're not already doing so, you should have
your server scanned for vulnerabilities. There's free websites out there
that can do this, like https://scanmyserver.com/
I believe nmap can also help you scan your server, although I don't think
it was really designed
Tawasol,
You might want to look into more than just mod_security. For example,
there's modules out there for PHP, for instance, that will make PHP run as
a certain user. If someone manages to take advantage of some poorly
written PHP code, for example, they would only have limited user access
I use CentOS 7.x, also with CSF/LFD installed.
Until now they have not gotten into the server.
I'll look into mod_security.
Thanks,
On Fri, Oct 7, 2016 at 1:01 AM, Anthony Biacco wrote:
>
>
> On Thu, Oct 6, 2016 at 3:42 PM, Spork Schivago
> wrote:
>
>> Are
On Thu, Oct 6, 2016 at 3:42 PM, Spork Schivago
wrote:
> Are you sure they haven't successfully found a way in? There are some
> free programs that I use to help prevent this stuff. ConfigServer
> Firewall / LFD is a good one. Rkhunter and chkrootkit scan for
Tawasol Go,
I don't think your issue is from the Berkeley scanners. This is what one
of the Berkeley people involved with the project said:
I grep'd our logs. The full packet payload we sent, base64 encoded was:
XgVB6qH6vhUKgtS97jgjPuVy3wPvMgn8waDBFSu2EfosbL5ygd33ejOw+
Hits come from all over the world, with no DNS entry found.
Hits come from more than 500 IPs from Jan. 2016.
Other samples: with codes like 400, 408 and 404
0.0.0.0 - - [06/Oct/2016:11:12:08 +0300]
On Thu, Oct 6, 2016 at 8:47 AM, Spork Schivago
wrote:
>
> There's a way to do a reverse IP lookup on the IP address and see if
> there's a DNS entry for it. That's how I was able to successfully figure
> out who the senders were (Berkeley) originally. I used dig I
Did you ever try to run that on your own server? What would be the HTML
response?
On 6 October 2016 at 16:47, Spork Schivago wrote:
> I remember this! I contacted the college that was running the scanners
> and got in-depth information about what it was and how it
I remember this! I contacted the college that was running the scanners
and got in-depth information about what it was and how it worked.
These are the responses I got back from the people running the scan...
Apologies for the long delay. As Stefan said, I've been away on my
honeymoon.
As far as
On Wed, Oct 5, 2016 at 6:26 PM, Joe Muller wrote:
> From the looks of it I would say it is targeting servers running SSL. Are
> you serving up HTTP or HTTPS ?
I don't think that that is valid SSL, unless your httpd discards the
first few bytes.
There was a SANS handler
Subject: RE: [users@httpd] Unknown accepted traffic to my site
From the looks of it I would say it is targeting servers running SSL. Are you
serving up HTTP or HTTPS ?
From: Mitchell Krog Photography
Sent: Wednesday, Oct
>From the looks of it I would say it is targeting servers running SSL. Are you
>serving up HTTP or HTTPS ?
From: Mitchell Krog Photography
Sent: Wednesday, October 05, 2016 8:18:38 AM
To: Tawasol Go; users@httpd.apache.org
Subject: Re: [users@httpd] U
It’s some kind of buffer overflow attempt. I’ve been seeing this in logs for
months. It started a few months back with the Berkeley University Scanner who
are researching by sending out a string like that and then seeing what response
they get. It’s to check for some kind of exploit. Their IP