[SLL] OT - probes against my webserver
Mike Schuh
schuh at farmdale.com
Thu Jul 31 21:22:43 PDT 2008
Hi all,

This is (perhaps) off topic for a Linux group, but it involves security and
web servers.

Occasionally I see Apache log entries like this:

60.172.219.2 - - [31/Jul/2008:20:35:00 -0700] "GET http://scifi.pages.at/myproxies/azenv.php HTTP/1.1" 404 296

I'm not hosting any Austrian science fiction web pages... (the host part of
the URL does resolve to an address assigned to an Austrian organization)

I know that the URL portion of the HTTP request was faked (previous ones
were to yahoo.com, etc.) and I presume that the attacker is simply trying
one IP address after another looking for a hole. They don't know - and
don't care - what URL(s) would normally get them there.

My question: What exploit are they looking for, and how can I make sure
that it won't work on my site?

For the moment, I've blocked 60.0.0.0/8 as I don't expect to have any
legitimate users from there. Not sinophobia, just the realization that
there are a lot of compromised computers in China and few customers of the
web sites I host.

Thanks.
--
Mike Schuh - Seattle, Washington USA
http://www.farmdale.com
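
The log entry quoted above carries a full URL for a foreign host in the request line, which is the form a client uses when addressing a proxy. As an added example (not part of the original post), this Python script scans access-log lines for such requests and marks the ones the server answered with a 2xx/3xx status; `SERVED_HOSTS` and every sample line except the first are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Hostnames this server really serves (assumed placeholder, adjust per site).
SERVED_HOSTS = {"www.example.org", "example.org"}

# Apache common/combined log format, up to the response size field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) \S+'
)

def find_foreign_host_requests(lines, served_hosts=SERVED_HOSTS):
    """Return requests whose target is a full URL for a host we do not serve."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        try:
            parts = urlsplit(m["target"])
        except ValueError:
            continue  # malformed target, e.g. a broken IPv6 literal
        if not parts.scheme or not parts.hostname:
            continue  # ordinary request such as "GET /index.html"
        host = parts.hostname.lower()
        if host in served_hosts:
            continue  # full URL, but for one of our own sites
        status = int(m["status"])
        hits.append({
            "ip": m["ip"], "host": host, "status": status,
            # 2xx/3xx: the server returned content for a foreign-host request.
            # Check whether that was the local default page or a relayed reply.
            "needs_review": 200 <= status < 400,
        })
    return hits

# First line is the entry quoted in the post; the rest are constructed samples.
SAMPLE_LOG = [
    '60.172.219.2 - - [31/Jul/2008:20:35:00 -0700] "GET http://scifi.pages.at/myproxies/azenv.php HTTP/1.1" 404 296',
    '192.0.2.10 - - [31/Jul/2008:20:36:10 -0700] "GET /index.html HTTP/1.1" 200 5120',
    '198.51.100.7 - - [31/Jul/2008:20:37:42 -0700] "GET http://www.example.org/about.html HTTP/1.1" 200 2048',
    '203.0.113.5 - - [31/Jul/2008:20:38:03 -0700] "GET http://other.example.net/ HTTP/1.1" 200 1433',
]

if __name__ == "__main__":
    for hit in find_foreign_host_requests(SAMPLE_LOG):
        print(hit)
```
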