logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> Apache View previous topic :: View next topic
Reply to topic   Topic: Apache Security Answer
Author
BIODIGITZMAN



Joined: 11 Feb 2008
Posts: 5
Location: Spain

PostPosted: Mon 11 Feb '08 3:41    Post subject: Apache Security Answer Reply with quote

Hola!

i have a one Problem in:

Apache 2.2.8
php5.2.5
MySql 6

Server localhost in Windows Vista Ultimate sp1

i Have one Abusive conecttion IP SYN_RCVD

Via apache :





    i Have :

    1. Apache ModSecurity 2.1.4
    2. .htacces banned this ip 78.136.122.61
    3. .htacces banned this ip 78.136.122.
    4. .htacces banned this ip 78.136.
    5. .htacces banned this rang 78. Full Banned
    6. acces.conf banned this IP
    7. http.conf banned this ip


Banned from all conf possibles and. nothing


this conecttion external is constantly

Pd: This IP no have Reverse


¿What i can do for banned this *** IP ?

Thanks
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7371
Location: Germany, Next to Hamburg

PostPosted: Tue 12 Feb '08 17:52    Post subject: Reply with quote

Hi!
If you are using a router to connect to the internet, you maybe can block that IP there. But that is only a moving from the problem to the router.
From Apache side you can't do more than banning the ip with deny.
Back to top
BIODIGITZMAN



Joined: 11 Feb 2008
Posts: 5
Location: Spain

PostPosted: Tue 12 Feb '08 21:02    Post subject: Reply with quote

Currently, the attack has ceased.

The problem is that I can not access the web config of my router

My router is closed by my ISP

Moment of the attack has stopped. Will be continued if

Thanks to respond if something happens again it comment
Back to top
BIODIGITZMAN



Joined: 11 Feb 2008
Posts: 5
Location: Spain

PostPosted: Fri 15 Feb '08 4:39    Post subject: Reply with quote

in .htacces :

Code:
## SITE REFERRER BANNING
RewriteEngine on
# Options +FollowSymlinks

RewriteCond %{HTTP_REFERER} 78\.136\.122\.61 [NC]
RewriteRule .* - [F]



Generator :
http://tools.dynamicdrive.com/userban/



Mod Rewrite On


This is Very Killer but found ...


Another Qüestion is...


Why this:


Code:
212.59.200.171 - - [15/Feb/2008:00:00:03 +0100] "GET /Updates/Ping.asp HTTP/1.1" 200 -



¿Why Ping.asp ???


in apache
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7371
Location: Germany, Next to Hamburg

PostPosted: Fri 15 Feb '08 10:48    Post subject: Reply with quote

BIODIGITZMAN wrote:

Why this:


Code:
212.59.200.171 - - [15/Feb/2008:00:00:03 +0100] "GET /Updates/Ping.asp HTTP/1.1" 200 -



It seems there is a Ping.asp in a folder Uploads. The 200 means Ok File file is there. - Zerobytes transfered.
The name Uploads let me think someone else can upload files there?
Back to top
BIODIGITZMAN



Joined: 11 Feb 2008
Posts: 5
Location: Spain

PostPosted: Fri 15 Feb '08 11:15    Post subject: Reply with quote

I never usu nothing in that folder. Even exist ..

Put there because the error log apache. Marked these connections> ping.asp

That's why I .. But if I look Remove this folder:


[Fri Feb 15 10:10:41 2008] [error] [client 201.246.44.254] File does not exist: Rootfolder/htdocs/Updates
[Fri Feb 15 10:10:51 2008] [error] [client 79.147.153.176] File does not exist: Rootfolder/htdocs/Updates



I never have configured nothing whit this folder updates


Only got there because. Apache error log always full of that error



Now this cleared. But all connections want to ping.asp on my server ...

That is what I do not understand .. Because a ping.asp? On my server?
Back to top
glsmith
Moderator


Joined: 16 Oct 2007
Posts: 2268
Location: Sun Diego, USA

PostPosted: Fri 15 Feb '08 18:04    Post subject: Reply with quote

Seeing that this is coming from more than one IP, I'd say it is a bot attack of a known vulnerability in ping.asp. Many of these bots that attack webservers do not look to see if you are running IIS or Apache or anything else, they just sweep a bunch of IP addresses.

Looking up ping.asp, it is vulnerable to DDOSing it's own server.

I get tons of attacks on stuff that does not exist. Those of us that have been around long enough remember the pollution in our logs Code Red and Code Red II left. We were using Apache so we were safe. Those using unpatched IIS were not.

For years I have never had PHP, there wasn't anything PHP that I could not find an equivalent for in Perl. Yet I still got tons of hits looking for PHP apps like Webblog and others that had known vulnerabilities.


It's just part of the game.
Back to top


Reply to topic   Topic: Apache Security Answer View previous topic :: View next topic
Post new topic   Forum Index -> Apache