Re: [users@httpd] Unknown accepted traffic to my site

2016-10-08 Thread Mitchell Krog Photography
https://mitchellkrog.com From: Spork Schivago <sporkschiv...@gmail.com> Reply: users@httpd.apache.org <users@httpd.apache.org> Date: 07 October 2016 at 8:10:58 AM To: users@httpd.apache.org <users@httpd.apache.org> Subject:  Re: [users@httpd] Unknown accepted traffic to my site

Re: [users@httpd] Unknown accepted traffic to my site

2016-10-07 Thread Spork Schivago
Oh! Tawasol, I forgot. If you're not already doing so, you should have your server scanned for vulnerabilities. There are free websites out there that can do this, like https://scanmyserver.com/. I believe nmap can also help you scan your server, although I don't think it was really designed

Re: [users@httpd] Unknown accepted traffic to my site

2016-10-06 Thread Spork Schivago
Tawasol, You might want to look into more than just mod_security. For example, there are modules out there for PHP, for instance, that will make PHP run as a certain user. If someone manages to take advantage of some poorly written PHP code, for example, they would only have limited user access

Re: [users@httpd] Unknown accepted traffic to my site

2016-10-06 Thread Tawasol Go
I use CentOS 7.x with CSF/LFD also installed. Until now they have not got into the server. I'll look into mod_security. Thanks, On Fri, Oct 7, 2016 at 1:01 AM, Anthony Biacco wrote: > > > On Thu, Oct 6, 2016 at 3:42 PM, Spork Schivago > wrote: > >> Are

Re: [users@httpd] Unknown accepted traffic to my site

2016-10-06 Thread Anthony Biacco
On Thu, Oct 6, 2016 at 3:42 PM, Spork Schivago wrote: > Are you sure they haven't successfully found a way in? There are some > free programs that I use to help prevent this stuff. ConfigServer > Firewall / LFD is a good one. Rkhunter and chkrootkit scan for

Re: [users@httpd] Unknown accepted traffic to my site

2016-10-06 Thread Spork Schivago
Tawasol Go, I don't think your issue is from the Berkeley scanners. This is what one of the Berkeley people involved with the project said: I grep'd our logs. The full packet payload we sent, base64 encoded was: XgVB6qH6vhUKgtS97jgjPuVy3wPvMgn8waDBFSu2EfosbL5ygd33ejOw+

Re: [users@httpd] Unknown accepted traffic to my site

2016-10-06 Thread Tawasol Go
Hits come from all over the world, with no DNS entry found. Hits have come from more than 500 IPs since Jan. 2016. Other samples, with codes like 400, 408 and 404: 0.0.0.0 - - [06/Oct/2016:11:12:08 +0300]

Re: [users@httpd] Unknown accepted traffic to my site

2016-10-06 Thread Anthony Biacco
On Thu, Oct 6, 2016 at 8:47 AM, Spork Schivago wrote: > > There's a way to do a reverse IP lookup on the IP address and see if > there's a DNS entry for it. That's how I was able to successfully figure > out who the senders were (Berkeley) originally. I used dig I

Re: [users@httpd] Unknown accepted traffic to my site

2016-10-06 Thread Erik Dobák
Did you ever try to run that on your own server? What would be the HTML response? E On 6 October 2016 at 16:47, Spork Schivago wrote: > I remember this! I contacted the college that was running the scanners > and got in-depth information about what it was and how it

Re: [users@httpd] Unknown accepted traffic to my site

2016-10-06 Thread Spork Schivago
I remember this! I contacted the college that was running the scanners and got in-depth information about what it was and how it worked. These are the responses I got back from the people running the scan... Apologies for the long delay. As Stefan said, I've been away on my honeymoon. As far as

Re: [users@httpd] Unknown accepted traffic to my site

2016-10-06 Thread Rainer Canavan
On Wed, Oct 5, 2016 at 6:26 PM, Joe Muller wrote: > From the looks of it I would say it is targeting servers running SSL. Are > you serving up HTTP or HTTPS? I don't think that that is valid SSL, unless your httpd discards the first few bytes. There was a SANS handler

RE: [users@httpd] Unknown accepted traffic to my site

2016-10-06 Thread Mitchell Krog Photography
ttpd.apache.org>, tawaso...@gmail.com <tawaso...@gmail.com> Subject: RE: [users@httpd] Unknown accepted traffic to my site From the looks of it I would say it is targeting servers running SSL. Are you serving up HTTP or HTTPS? From: Mitchell Krog Photography Sent: Wednesday, Oct

RE: [users@httpd] Unknown accepted traffic to my site

2016-10-05 Thread Joe Muller
From the looks of it I would say it is targeting servers running SSL. Are you serving up HTTP or HTTPS? From: Mitchell Krog Photography Sent: Wednesday, October 05, 2016 8:18:38 AM To: Tawasol Go; users@httpd.apache.org Subject: Re: [users@httpd] U

Re: [users@httpd] Unknown accepted traffic to my site

2016-10-05 Thread Mitchell Krog Photography
It’s some kind of buffer overflow attempt. I’ve been seeing this in logs for months. It started a few months back with the Berkeley University Scanner who are researching by sending out a string like that and then seeing what response they get. It’s to check for some kind of exploit. Their IP