Gonzalez347

Abuse on server, thousands of hits on /error/list/socks5.php

@Gonzalez347

Posted in: #Apache #Post #Random

For several months now, I've been noticing several IPs at random times hitting our server without providing any virtual host.

The hits are all 404 errors and repeat every second for a period of time.

Here are the latest hits showing in logs:

x.x.x.x - - [30/Sep/2014:09:02:53 -0400] "POST /error/list/socks5.php HTTP/1.1" 404 286 "-" "-"
x.x.x.x - - [30/Sep/2014:09:02:54 -0400] "POST /error/list/socks5.php HTTP/1.1" 404 286 "-" "-"
x.x.x.x - - [30/Sep/2014:09:02:54 -0400] "POST /error/list/socks5.php HTTP/1.1" 404 286 "-" "-"
x.x.x.x - - [30/Sep/2014:09:02:54 -0400] "POST /error/list/socks5.php HTTP/1.1" 404 286 "-" "-"
x.x.x.x - - [30/Sep/2014:09:02:55 -0400] "POST /error/list/socks5.php HTTP/1.1" 404 286 "-" "-"
x.x.x.x - - [30/Sep/2014:09:02:55 -0400] "POST /error/list/socks5.php HTTP/1.1" 404 286 "-" "-"
x.x.x.x - - [30/Sep/2014:09:02:56 -0400] "POST /error/list/socks5.php HTTP/1.1" 404 286 "-" "-"
x.x.x.x - - [30/Sep/2014:09:02:56 -0400] "POST /error/list/socks5.php HTTP/1.1" 404 286 "-" "-"


What would cause this? How should I deal with the issue?

Thank you for your answers,





1 Comments


@Alves908

Simply put, these are hackers trying to exploit a specific PHP application install which you do not have. Which application? I would have to research this and it would take too much time to figure it out. But does it really matter which application? No. This is quite common and you should keep an eye on your access logs to control these behaviors. You will see a lot of this activity along with content scrapers, data miners, and so on.

You can block them from existence in one of a few ways.

The most obvious way is to block them using a firewall if you have one.

You can use one of several applications such as ModSecurity, SELinux, AppArmor, and others found on these links:

www.modsecurity.org/
selinuxproject.org/page/Main_Page
http://wiki.apparmor.net/index.php/Main_Page


I have only checked out ModSecurity which is integrated/tightly tied to your web server. AppArmor and SELinux are Linux system protection applications where ModSecurity protects the web server. AppArmor and SELinux both come recommended to me and seem to be popular though I have yet to check them out. These seem to be popular recommendations on forums. ModSecurity is well respected and something to look at. There are other options that would require research.

You can also use .htaccess in Apache to block access with something like this:

# REMOTE_HOST only holds a hostname when HostnameLookups is On; otherwise it holds the IP address.
# Dots are escaped so the pattern matches a literal "." and not any character.
RewriteCond %{REMOTE_HOST} ^example\.com$ [NC]
RewriteRule .* - [F,L]


--or--

RewriteCond %{REMOTE_ADDR} ^10\.100\.101\.102$ [NC]
RewriteRule .* - [F,L]


Of course, if you need to block several domain names and IP addresses, you would just need to add a new RewriteCond and you can of course combine domain and IP blocking if you want.

# Flags are comma-separated with no spaces; "[OR, NC]" is rejected by Apache as a bad flag delimiter.
RewriteCond %{REMOTE_HOST} ^example\.com$ [OR,NC]
RewriteCond %{REMOTE_HOST} ^another-example\.com$ [OR,NC]
RewriteCond %{REMOTE_ADDR} ^10\.100\.101\.102$ [OR,NC]
RewriteCond %{REMOTE_ADDR} ^10\.100\.101\.103$ [NC]
RewriteRule .* - [F,L]

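As an added example (not code from the thread), the following Python script picks out the kind of burst shown in the question's logs (repeated 404s from one IP to one path with an empty Referer and User-Agent, as the answer suggests watching for) and renders the RewriteCond block from the answer above for the offending addresses. The sample log lines are constructed with documentation-range IPs, and the thresholds are assumptions to tune for your own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(  # Apache combined log format, as in the question's excerpt
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')
# Constructed sample (documentation-range IPs): a burst of referer-less, UA-less POSTs to a
# missing path, plus a browser 404 and a one-off probe from another IP that must not be flagged.
SAMPLE_LOG = [
    '203.0.113.7 - - [30/Sep/2014:09:02:53 -0400] "POST /error/list/socks5.php HTTP/1.1" 404 286 "-" "-"',
    '203.0.113.7 - - [30/Sep/2014:09:02:54 -0400] "POST /error/list/socks5.php HTTP/1.1" 404 286 "-" "-"',
    '203.0.113.7 - - [30/Sep/2014:09:02:54 -0400] "POST /error/list/socks5.php HTTP/1.1" 404 286 "-" "-"',
    '203.0.113.7 - - [30/Sep/2014:09:02:55 -0400] "POST /error/list/socks5.php HTTP/1.1" 404 286 "-" "-"',
    '203.0.113.7 - - [30/Sep/2014:09:02:56 -0400] "POST /error/list/socks5.php HTTP/1.1" 404 286 "-" "-"',
    '198.51.100.4 - - [30/Sep/2014:09:02:57 -0400] "GET /favicon.ico HTTP/1.1" 404 286 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [30/Sep/2014:09:03:10 -0400] "POST /error/list/socks5.php HTTP/1.1" 404 286 "-" "-"',
]

def parse_line(line):
    """Split one combined-format line into fields; None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def find_probe_sources(lines, min_hits=5, window_seconds=60):
    """{ip: (path, total_hits)} for clients sending >= min_hits referer-less, UA-less
    404s to one path within window_seconds; single stray 404s stay below the bar."""
    stamps = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 404 and rec["ref"] == "-" and rec["ua"] == "-":
            stamps[(rec["ip"], rec["path"])].append(rec["ts"])
    flagged = {}
    for (ip, path), times in stamps.items():
        times.sort()  # any min_hits consecutive requests inside the window is a burst
        if any((times[i + min_hits - 1] - times[i]).total_seconds() <= window_seconds
               for i in range(len(times) - min_hits + 1)):
            flagged[ip] = (path, len(times))
    return flagged

def htaccess_rules(ips):
    """Render the answer's RewriteCond chain for the flagged IPs, with dots escaped."""
    ips = sorted(ips)
    conds = [f"RewriteCond %{{REMOTE_ADDR}} ^{re.escape(ip)}$" + (" [OR]" if i < len(ips) - 1 else "")
             for i, ip in enumerate(ips)]
    return "\n".join(conds + ["RewriteRule .* - [F,L]"]) if ips else ""
```

Running `find_probe_sources` over a real access log and feeding the result to `htaccess_rules` gives a block you can review before pasting into .htaccess; a firewall rule is still the cheaper place to drop the traffic once you have the list.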

