Prevent and block scan? (w00tw00t, tmUnblock.cgi etc) - Printable Version +- Linux-Noob Forums (https://www.linux-noob.com/forums) +-- Forum: Linux Server Administration (https://www.linux-noob.com/forums/forum-8.html) +--- Forum: Security and Firewalls (https://www.linux-noob.com/forums/forum-87.html) +--- Thread: Prevent and block scan? (w00tw00t, tmUnblock.cgi etc) (/thread-81.html) |
Prevent and block scan? (w00tw00t, tmUnblock.cgi etc) - moon - 2014-09-26 Hi, I have often these lines in /var/log/apache2/access.log: 185.27.36.67 - - [25/Sep/2014:12:25:46 +0200] "POST /%70%68%70%70%61%74%68/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1" 404 393 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" 58.241.61.162 - - [25/Sep/2014:12:30:57 +0200] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 431 "-" "ZmEu" 58.241.61.162 - - [25/Sep/2014:12:30:58 +0200] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 421 "-" "ZmEu" 58.241.61.162 - - [25/Sep/2014:12:30:59 +0200] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 401 580 "-" "ZmEu" 58.241.61.162 - - [25/Sep/2014:12:31:00 +0200] "GET /pma/scripts/setup.php HTTP/1.1" 404 415 "-" "ZmEu" 58.241.61.162 - - [25/Sep/2014:12:31:00 +0200] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 419 "-" "ZmEu" 58.241.61.162 - - [25/Sep/2014:12:31:05 +0200] "GET /MyAdmin/scripts/setup.php HTTP/1.1" 404 419 "-" "ZmEu" 211.24.56.24 - - [25/Sep/2014:14:53:55 +0200] "GET /tmUnblock.cgi HTTP/1.1" 400 431 "-" "-" 89.207.135.125 - - [25/Sep/2014:15:23:54 +0200] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 427 "-" "() { :;}; /bin/ping -c 1 198.101.206.138" What is the best way to prevent this and block the scans? Thank you very much in advance Prevent and block scan? (w00tw00t, tmUnblock.cgi etc) - inittux - 2015-11-25 I know this is an old post but you could use iptables to block the ip but since scans like this usually come from random ip's you could use <a data-ipb="nomediaparse" href="http://www.fail2ban.org/wiki/index.php/HOWTO_apache_myadmin_filter">fail2ban</a> |