https://mitchellkrog.com
From: Spork Schivago
Reply: users@httpd.apache.org
Date: 07 October 2016 at 8:10:58 AM
To: users@httpd.apache.org
Subject: Re: [users@httpd] Unknown accepted traffic to my site
Oh! Tawasol, I forgot. If you're not already doing so, you should have
your server scanned for vulnerabilities. There's free websites out there
that can do this, like https://scanmyserver.com/
I believe nmap can also help you scan your server, although I don't think
it was really designed for
Tawasol,
You might want to look into more than just mod_security. For example,
there are modules out there for PHP, for instance, that will make PHP run as
a certain user. If someone manages to take advantage of some poorly
written PHP code, for example, they would only have limited user access a
I use CentOS 7.x, also with CSF/LFD installed.
Till now they did not get into the server.
I'll look into mod_security.
Thanks,
On Fri, Oct 7, 2016 at 1:01 AM, Anthony Biacco wrote:
On Thu, Oct 6, 2016 at 3:42 PM, Spork Schivago
wrote:
> Are you sure they haven't successfully found a way in? There are some
> free programs that I use to help prevent this stuff. ConfigServer
> Firewall / LFD is a good one. Rkhunter and chkrootkit scan for rootkits.
> The big one that he
Tawasol Go,
I don't think your issue is from the Berkeley scanners. This is what one
of the Berkeley people involved with the project said:
I grep'd our logs. The full packet payload we sent, base64 encoded was:
XgVB6qH6vhUKgtS97jgjPuVy3wPvMgn8waDBFSu2EfosbL5ygd33ejOw+
eQ2+igTdpUPwmamsW0nQG4/M
Hits come from all over the world, with no DNS entry found.
Hits come from more than 500 IPs since Jan. 2016.
Other samples, with codes like 400, 408 and 404:
0.0.0.0 - - [06/Oct/2016:11:12:08 +0300]
"\x8bL\xb0Ri\x8f\x03\xb5\x1f)wI\x92\xfc\xa8\x97B\xcbH4\xaa#\xc1\x17'\xa6\xec3#\t\xed\xc4}[\x14w\xef
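As an added defender-side example (not code from anyone in this thread), the following Python parses constructed Apache access-log lines in the shape Tawasol posted, flags request lines that httpd has logged as \xNN-escaped binary, counts them per source IP and status code, and checks whether the leading bytes form a TLS record header, which is the question behind Eric's later remark about valid SSL. The log lines, IPs and timestamps are constructed.

```python
import re
from collections import Counter

# Constructed Apache combined-log lines (IPs from documentation ranges). Line 1 copies
# the shape of the request Tawasol posted: httpd logs raw non-printable bytes as \xNN.
SAMPLE_LOG = r'''
203.0.113.5 - - [06/Oct/2016:11:12:08 +0300] "\x8bL\xb0Ri\x8f\x03\xb5\x1f)wI\x92\xfc\xa8\x97B\xcbH4\xaa#\xc1\x17'\xa6\xec3#\t\xed\xc4}[\x14w\xef" 400 226 "-" "-"
198.51.100.7 - - [06/Oct/2016:11:13:01 +0300] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.200 - - [06/Oct/2016:11:15:42 +0300] "\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03" 400 226 "-" "-"
192.0.2.9 - - [06/Oct/2016:11:16:00 +0300] "-" 408 - "-" "-"
'''

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>.*?)" (?P<status>\d{3}) ')
ESCAPED_BYTE = re.compile(r'\\x[0-9a-fA-F]{2}')   # httpd's escape for a non-printable byte


def parse_line(line):
    """Return the fields of one access-log line, or None if it is not in combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_binary_request(req):
    """A request line containing \\xNN escapes was not text at all, let alone HTTP."""
    return ESCAPED_BYTE.search(req) is not None


def decode_escapes(req):
    """Undo httpd's escaping so the raw bytes that hit the socket can be inspected."""
    return req.encode('latin-1').decode('unicode_escape').encode('latin-1')


def looks_like_tls_record(raw):
    """TLS records start 0x16 (handshake), 0x03, then a minor version of 0x00..0x03."""
    return len(raw) >= 3 and raw[0] == 0x16 and raw[1] == 0x03 and raw[2] <= 0x03


def summarize(log_text):
    """Count binary request lines per source IP and status, and how many look like TLS."""
    per_ip, per_status, tls_like = Counter(), Counter(), 0
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        if rec is None or not is_binary_request(rec['req']):
            continue
        per_ip[rec['ip']] += 1
        per_status[rec['status']] += 1
        if looks_like_tls_record(decode_escapes(rec['req'])):
            tls_like += 1
    return {'binary_hits': sum(per_ip.values()), 'distinct_ips': len(per_ip),
            'per_status': dict(per_status), 'tls_like': tls_like}


if __name__ == '__main__':
    print(summarize(SAMPLE_LOG))
```

Run against a real access_log, a high distinct_ips count with tls_like near zero matches the pattern described in this thread: random binary from many sources rather than misdirected HTTPS clients.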
Thanks Tony! Much appreciated.
Erik,
Did I ever try to run what on my server? The string query that Berkeley
sends looking for the malware to respond? If so, no, I have never tried
to send that carefully crafted packet to my Apache server. From the
previous user who had what appears to be
On Thu, Oct 6, 2016 at 8:47 AM, Spork Schivago
wrote:
>
> There's a way to do a reverse IP lookup on the IP address and see if
> there's a DNS entry for it. That's how I was able to successfully figure
> out who the senders were (Berkeley) originally. I used dig I believe. I
> don't have acc
Did you ever try to run that on your own server? What would be the HTML
response?
E
On 6 October 2016 at 16:47, Spork Schivago wrote:
I remember this! I contacted the college that was running the scanners
and got in-depth information about what it was and how it worked.
These are the responses I got back from the people running the scan...
Apologies for the long delay. As Stefan said, I've been away on my
honeymoon.
As far as w
On Wed, Oct 5, 2016 at 6:26 PM, Joe Muller wrote:
> From the looks of it I would say it is targeting servers running SSL. Are
> you serving up HTTP or HTTPS ?
I don't think that that is valid SSL, unless your httpd discards the
first few bytes.
There was a SANS handler diary entry just yesterday
From the looks of it I would say it is targeting servers running SSL. Are you
serving up HTTP or HTTPS ?
From: Mitchell Krog Photography
Sent: Wednesday, October 05, 2016 8:18:38 AM
To: Tawasol Go; users@httpd.apache.org
Subject: Re: [users@httpd] Unknown accepted traffic to my site
It’s some kind of buffer overflow attempt. I’ve been seeing this in logs for
months. It started a few months back with the Berkeley University Scanner who
are researching by sending out a string like that and then seeing what response
they get. It’s to check for some kind of exploit. Their IP fo