On Mon, 2011-08-29 at 14:49 -0500, Les Mikesell wrote:
Ummm, 30,000 isn't a particularly big number of hits to an apache server, especially if all it has to do is respond with a 'file not found'. But you are probably wise to be defensive.
If it was the usual 50 to 100 phpmyadmin attempts from a single IP address, that single IP address can be blocked in IPtables.
The current lunatic could continue his attacks for several months. That probably means several hundred IPs, perhaps thousands, blocked for that one small web site. By splitting the targeted web site from the others, everything I do in IPtables should have little adverse effect on the server's other activities which use different IP addresses. I am trying to isolate the problem and then experiment to devise a re-usable solution for future persistent attacks, if any.
That probably means the intrusion is self-propagating. That is, if the target is running some vulnerable php version or application, it is able to install a copy of itself and start over.
In this particular incident, I am reasonably certain the loony is using tools to find vulnerable IPs and then manually feeding the address into his script.
As long as you aren't vulnerable yourself, I don't see the point of wasting human hours to save machine microseconds. And this is a tiny bit of the viruses and automated intrusion attempts happening in the wild so unless you can generalize it into a fail2ban type of process your time would be better spent making sure your systems are up to date and inherently secure.
I spent several hours today examining firewalls, questioning the set-up and tightening-up.
If that is the first instance you've seen, you must have a low-profile site.
First instance that has continued for more than 24 hours; and first with 30,000+ hits. Never ever advertise but top in Google's listing for a few distinct items and in the top 5 for a few other items.
And no, web applications have their own bugs and vulnerabilities on Linux too. And if you aren't fairly close to up-to-date on the base distribution, those exploits can get root access.
Always keen to update to the latest releases. I've seen too many Windoze machines run by others hacked and infected.
The last one I bothered tracking down used a java/spring vulnerability to run something to trigger a local root exploit in glibc (that I think was fixed in the 5.4 or 5.5 update) but there are probably newer ones - and more we don't know about.
Our browsers never run Flash or Java - the potential risk is perceived as too great.
Paul.
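The IPtables blocking and the fail2ban-style generalisation discussed in the thread above, as an added example that is not part of the original message: a POSIX shell script that counts phpmyadmin-probe 404s per source IP in Apache combined-log lines and prints (rather than runs) iptables DROP rules for sources over a threshold. The log lines, paths, threshold and function names are constructed assumptions, not anything from the list post.

```shell
#!/bin/sh
# Added example, not from the original thread: detect phpmyadmin probing in an
# Apache combined log and turn repeat offenders into reviewable iptables rules.

# Constructed sample access-log lines in Apache combined format.
SAMPLE_LOG='203.0.113.7 - - [29/Aug/2011:14:49:01 -0500] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 290 "-" "Mozilla/4.0"
203.0.113.7 - - [29/Aug/2011:14:49:02 -0500] "GET /pma/scripts/setup.php HTTP/1.1" 404 290 "-" "Mozilla/4.0"
203.0.113.7 - - [29/Aug/2011:14:49:03 -0500] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 290 "-" "Mozilla/4.0"
198.51.100.2 - - [29/Aug/2011:14:50:10 -0500] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
198.51.100.2 - - [29/Aug/2011:14:50:11 -0500] "GET /phpmyadmin/ HTTP/1.1" 404 290 "-" "Mozilla/5.0"'

# offenders LOGFILE THRESHOLD: print "count ip" for every source whose requests
# for phpmyadmin-style paths that ended in a 404 reach the threshold.
offenders() {
    awk -v thr="$2" '
        # In combined format $1 is the client IP, $7 the request path, $9 the status.
        tolower($7) ~ /phpmyadmin|\/pma\// && $9 == 404 { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] >= thr) print hits[ip], ip }
    ' "$1"
}

# block_rules LOGFILE THRESHOLD: emit one iptables command per offender.
# The commands are printed, not executed, so they can be reviewed (and fed to
# the firewall host or an ipset) rather than applied blindly.
block_rules() {
    offenders "$1" "$2" | while read -r count ip; do
        printf 'iptables -I INPUT -s %s -p tcp --dport 80 -j DROP  # %s probes\n' "$ip" "$count"
    done
}

main() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_LOG" > "$tmp"
    block_rules "$tmp" 3
    rm -f "$tmp"
}

main "$@"
```

Run against the real log with a lower threshold to see the noisy single-IP scanners the thread mentions, and with a higher one to keep a one-off 404 from earning a rule.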