MLxS
Joined: 14 May 2007 Posts: 6
Posted: Mon 03 Oct '11 16:56 Post subject: Error Log - Attacks
I apologise if this has been asked elsewhere - but I am actually struggling to search for this.
I have been reviewing the logs and have increasingly noticed two malformed requests. Examples are below (though obviously the actual requests change).
1) 58.218.199.227 - - [03/Oct/2011:12:52:00 +0100] "GET http://microsoft.com/feed/feed.php HTTP/1.1" 404 1179
2) 195.238.85.136 - - [03/Oct/2011:14:38:48 +0100] "CRi\xe4\xaf\xa9\x05\x88\xa9@w" 501 213
(I have altered the host in number 1 in case it was a malicious link)
Questions
A) Since these are all (as far as I can see) returning a 404 or 501 respectively, do I need to worry?
B) I understand number 1 is attempting to test for open proxies, but what is number 2 trying to do?? I know it is hex, but I don't understand it.....
C) Is there a way to 'reject' these requests safely rather than have them fill the logs and possibly get through?
Any help appreciated.
Many Thanks!
MichaelG72
Joined: 03 Oct 2011 Posts: 4 Location: Price, Utah
Posted: Tue 04 Oct '11 0:31 Post subject: Need more info.
1. How often or separated are the requests coming in?
2. It does look like a malformed URL scripting attack to me.
3. Have you gotten any DOS's yet due to many of these requests like you described?
With answers to these questions I would be able to narrow it down. In any case, if the requesting party isn't a critical IP for operations then just block that IP or domain in your firewall.
MLxS
Joined: 14 May 2007 Posts: 6
Posted: Tue 04 Oct '11 2:19 Post subject:
Michael,
Thanks for getting back to me so promptly.
During 3 October I received 13 of the "GET http://" requests spread fairly evenly through the day. Although the IPs do seem to vary quite a lot they all start 58.218.*.* (Generic IPs from China Telecom).
I received 7 of the hex malformed requests clustered around a couple of hours. Each IP is only seen maybe once or twice.
I know the number makes it fairly insignificant - but only if they are failing. I wonder whether there is any more protection I need to add against the scripting attacks actually working?
Thankfully I haven't noted any DOS's yet - and since I do not host well known websites I will probably evade enough attention.
One of my more publicised websites (for a charity) does get far more blind requests (clearly searching for site vulnerabilities introduced by e.g. phpMyAdmin) and I might get 100 of those in 1 minute (2 per second) from a single IP for a while, then it goes quiet again.
I probably need to add some conditional scripting to stop attacks like that, but I would like to know what I need to watch out for to ensure that I'm not actually vulnerable to these.
I can't really blindly block IPs since genuine, nice people may wish to browse information as the websites are generally informative websites!
Many thanks in advance.
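As an added example (not code from the thread or from Apache), the following script does the log review that question C in the first post and the "100 requests in 1 minute from a single IP" description in the post above both ask for: it parses Apache common/combined-format access-log lines, labels each request line as an absolute-URI proxy probe, a malformed request line, or a normal request, and flags source addresses that exceed a request threshold inside a sliding 60-second window. Two facts it relies on: Apache writes non-printable bytes in a logged request line as `\xNN` escapes, and answers a request line with no recognisable HTTP method with 501, which is exactly the shape of example 2; the script only flags that shape, it does not try to decode it. The two log lines quoted in the thread are reused as-is; the other sample lines, the `OWN_HOSTS` set (`www.example.org`), the TEST-NET addresses and the thresholds are constructed for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Apache common/combined log format. Apache writes non-printable bytes in the
# request line as \xNN escapes, so the quoted request allows backslash escapes
# rather than stopping at the first backslash.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<bytes>\S+)'
)
# "METHOD http://host/..." is an absolute-URI request, the shape of an open-proxy probe
ABS_URI_RE = re.compile(r'^[A-Za-z]+ https?://([^/\s:]+)')
KNOWN_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT", "PATCH"}

# Assumption (constructed): the hostnames this server legitimately serves.
# Absolute URIs naming these are ordinary HTTP/1.1, not proxy probes.
OWN_HOSTS = {"www.example.org"}


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def classify(request, own_hosts=OWN_HOSTS):
    """Label a logged request line as proxy_probe, malformed, or normal."""
    m = ABS_URI_RE.match(request)
    if m and m.group(1).lower() not in own_hosts:
        return "proxy_probe"      # absolute URI naming a foreign host
    method = request.split(" ", 1)[0]
    if "\\x" in request or method.upper() not in KNOWN_METHODS:
        return "malformed"        # escaped non-printable bytes, or no HTTP method at all
    return "normal"


def find_bursts(records, window=timedelta(seconds=60), threshold=20):
    """Return {ip: peak} for IPs that exceed `threshold` requests inside any sliding `window`."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r["ts"])
    peaks = {}
    for ip, times in by_ip.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            peaks[ip] = peak
    return peaks


def analyse(log_text, own_hosts=OWN_HOSTS, window=timedelta(seconds=60), threshold=20):
    """Classify every parseable line and flag bursty source IPs."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    kinds, per_ip = Counter(), defaultdict(Counter)
    for r in records:
        kind = classify(r["req"], own_hosts)
        kinds[kind] += 1
        per_ip[r["ip"]][kind] += 1
    return {"kinds": kinds, "per_ip": per_ip, "bursts": find_bursts(records, window, threshold)}


# Constructed sample log: the two lines quoted in the thread, a second proxy probe,
# two ordinary requests (one using an absolute URI for our own host), and an
# 8-request probe burst from one TEST-NET address within a few seconds.
SAMPLE_LOG = "\n".join([
    r'58.218.199.227 - - [03/Oct/2011:12:52:00 +0100] "GET http://microsoft.com/feed/feed.php HTTP/1.1" 404 1179',
    r'58.218.12.34 - - [03/Oct/2011:13:10:41 +0100] "GET http://example.net/ HTTP/1.1" 404 1179',
    r'195.238.85.136 - - [03/Oct/2011:14:38:48 +0100] "CRi\xe4\xaf\xa9\x05\x88\xa9@w" 501 213',
    r'198.51.100.7 - - [03/Oct/2011:14:40:01 +0100] "GET /index.html HTTP/1.1" 200 5120',
    r'198.51.100.7 - - [03/Oct/2011:14:40:02 +0100] "GET http://www.example.org/about.html HTTP/1.1" 200 2048',
] + [
    f'203.0.113.9 - - [03/Oct/2011:15:00:{i:02d} +0100] "GET /{p} HTTP/1.1" 404 1179'
    for i, p in enumerate(["phpmyadmin/", "pma/", "admin/", "dbadmin/", "mysql/", "sql/", "web/", "db/"])
])

if __name__ == "__main__":
    result = analyse(SAMPLE_LOG, threshold=5)
    print("request kinds:", dict(result["kinds"]))
    for ip, peak in result["bursts"].items():
        print(f"burst: {ip} sent {peak} requests inside one 60 s window")
```

The 404 on the absolute-URI probe is the expected result when the server is not forwarding proxy requests (mod_proxy's `ProxyRequests Off`, which is the default), so the counts are there to notice a change in volume or a new shape rather than to alarm on each hit. The burst threshold is the knob to tune against the site's real traffic before feeding the flagged addresses into any rate-limiting or rewrite rule.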
MichaelG72
Joined: 03 Oct 2011 Posts: 4 Location: Price, Utah
Posted: Tue 04 Oct '11 2:54 Post subject: Thanks
Most notably keep an eye on those requests and their frequency. It's not a bad thing that the server is putting out the 404 or 501, that's fine. BUT CHINA TELECOM IS NOTORIOUS FOR HACKERS ON THEIR NETWORKS SO USE CAUTION.
And yes, production and information must flow, and your idea about a counter script or even an Apache rewrite for those specific addresses could be in order.
Thanks
MLxS
Joined: 14 May 2007 Posts: 6
Posted: Tue 04 Oct '11 2:55 Post subject:
Many thanks for the feedback.
Regards.