Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Prevent and block scan? (w00tw00t, tmUnblock.cgi etc)
#1

Hi, I have often these lines in /var/log/apache2/access.log:

 

185.27.36.67 - - [25/Sep/2014:12:25:46 +0200] "POST /%70%68%70%70%61%74%68/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1" 404 393 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

 

58.241.61.162 - - [25/Sep/2014:12:30:57 +0200] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 431 "-" "ZmEu"

 

58.241.61.162 - - [25/Sep/2014:12:30:58 +0200] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 421 "-" "ZmEu"

 

58.241.61.162 - - [25/Sep/2014:12:30:59 +0200] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 401 580 "-" "ZmEu"

 

58.241.61.162 - - [25/Sep/2014:12:31:00 +0200] "GET /pma/scripts/setup.php HTTP/1.1" 404 415 "-" "ZmEu"

 

58.241.61.162 - - [25/Sep/2014:12:31:00 +0200] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 419 "-" "ZmEu"

 

58.241.61.162 - - [25/Sep/2014:12:31:05 +0200] "GET /MyAdmin/scripts/setup.php HTTP/1.1" 404 419 "-" "ZmEu"

 

211.24.56.24 - - [25/Sep/2014:14:53:55 +0200] "GET /tmUnblock.cgi HTTP/1.1" 400 431 "-" "-"

 

89.207.135.125 - - [25/Sep/2014:15:23:54 +0200] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 427 "-" "() { :;}; /bin/ping -c 1 198.101.206.138"

 

What is the best way to prevent this and block the scans?

 

Thank you very much in advance

Reply
#2
I know this is an old post but you could use iptables to block the ip but since scans like this usually come from random ip's you could use <a data-ipb="nomediaparse" href="http://www.fail2ban.org/wiki/index.php/HOWTO_apache_myadmin_filter">fail2ban</a>
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)