Atomic Secure Linux
All times are UTC - 5 hours [ DST ]
 Post subject: block vulnerability scans on default domain
Posted: Sun Feb 19, 2012 9:23 am
Long Time Forum Regular

Joined: Thu Dec 09, 2004 11:19 am
Posts: 2023
Please can we have a rule that looks for vulnerability scans on the default domain/IP on a Plesk server?

I'm not sure that there is ever a valid reason for a "File does not exist" error to occur in /vhosts/default, so multiple consecutive errors of any kind in this path might be all that's required to indicate a scan?

e.g. in /var/log/messages/httpd/error_log I often see something like this:

Code:
[Sun Feb 19 03:58:17 2012] [error] [client 74.208.77.49] File does not exist: /home/httpd/vhosts/default/htdocs/phpMyAdmin
[Sun Feb 19 03:58:18 2012] [error] [client 74.208.77.49] File does not exist: /home/httpd/vhosts/default/htdocs/phpMyAdmin-2
[Sun Feb 19 03:58:18 2012] [error] [client 74.208.77.49] File does not exist: /home/httpd/vhosts/default/htdocs/php-my-admin
[Sun Feb 19 03:58:18 2012] [error] [client 74.208.77.49] File does not exist: /home/httpd/vhosts/default/htdocs/phpMyAdmin-2.2.3
[Sun Feb 19 03:58:19 2012] [error] [client 74.208.77.49] File does not exist: /home/httpd/vhosts/default/htdocs/phpMyAdmin-2.2.6
[Sun Feb 19 03:58:19 2012] [error] [client 74.208.77.49] File does not exist: /home/httpd/vhosts/default/htdocs/typo3
[Sun Feb 19 03:58:20 2012] [error] [client 74.208.77.49] File does not exist: /home/httpd/vhosts/default/htdocs/phpMyAdmin
[Sun Feb 19 03:58:20 2012] [error] [client 74.208.77.49] File does not exist: /home/httpd/vhosts/default/htdocs/websql
[Sun Feb 19 03:58:20 2012] [error] [client 74.208.77.49] File does not exist: /home/httpd/vhosts/default/htdocs/phpmyadmin
[Sun Feb 19 03:58:21 2012] [error] [client 74.208.77.49] File does not exist: /home/httpd/vhosts/default/htdocs/phpmyadmin1
[Sun Feb 19 03:58:21 2012] [error] [client 74.208.77.49] File does not exist: /home/httpd/vhosts/default/htdocs/phpmyadmin2
[Sun Feb 19 03:58:22 2012] [error] [client 74.208.77.49] File does not exist: /home/httpd/vhosts/default/htdocs/pma
[Sun Feb 19 03:58:22 2012] [error] [client 74.208.77.49] File does not exist: /home/httpd/vhosts/default/htdocs/web
[Sun Feb 19 03:58:22 2012] [error] [client 74.208.77.49] File does not exist: /home/httpd/vhosts/default/htdocs/phpMyAdmin-2.5.4
[Sun Feb 19 03:58:22 2012] [error] [client 74.208.77.49] File does not exist: /home/httpd/vhosts/default/htdocs/xampp
[Sun Feb 19 03:58:23 2012] [error] [client 74.208.77.49] File does not exist: /home/httpd/vhosts/default/htdocs/phpMyAdmin-2.5.5-rc1
[Sun Feb 19 03:58:23 2012] [error] [client 74.208.77.49] File does not exist: /home/httpd/vhosts/default/htdocs/web
[Sun Feb 19 03:58:23 2012] [error] [client 74.208.77.49] File does not exist: /home/httpd/vhosts/default/htdocs/phpMyAdmin-2.5.5-rc2
[Sun Feb 19 03:58:23 2012] [error] [client 74.208.77.49] File does not exist: /home/httpd/vhosts/default/htdocs/php-my-admin
[Sun Feb 19 03:58:23 2012] [error] [client 74.208.77.49] File does not exist: /home/httpd/vhosts/default/htdocs/phpMyAdmin-2.5.5
[Sun Feb 19 03:58:23 2012] [error] [client 74.208.77.49] File does not exist: /home/httpd/vhosts/default/htdocs/websql
[Sun Feb 19 03:58:24 2012] [error] [client 74.208.77.49] File does not exist: /home/httpd/vhosts/default/htdocs/phpMyAdmin
[Sun Feb 19 03:58:24 2012] [error] [client 74.208.77.49] File does not exist: /home/httpd/vhosts/default/htdocs/phpMyAdmin-2
[Sun Feb 19 03:58:24 2012] [error] [client 74.208.77.49] File does not exist: /home/httpd/vhosts/default/htdocs/php-my-admin
[Sun Feb 19 03:58:25 2012] [error] [client 74.208.77.49] File does not exist: /home/httpd/vhosts/default/htdocs/phpMyAdmin-2.2.3
[Sun Feb 19 03:58:25 2012] [error] [client 74.208.77.49] File does not exist: /home/httpd/vhosts/default/htdocs/phpMyAdmin-2.2.6
[Sun Feb 19 03:58:25 2012] [error] [client 74.208.77.49] File does not exist: /home/httpd/vhosts/default/htdocs/phpMyAdmin-2.5.1
[Sun Feb 19 03:58:26 2012] [error] [client 74.208.77.49] File does not exist: /home/httpd/vhosts/default/htdocs/phpmyadmin
[Sun Feb 19 03:58:29 2012] [error] [client 74.208.77.49] File does not exist: /home/httpd/vhosts/default/htdocs/phpMyAdmin-2.5.5-rc1
[Sun Feb 19 03:58:29 2012] [error] [client 74.208.77.49] File does not exist: /home/httpd/vhosts/default/htdocs/phpmyadmin1


But the IP in question is not blocked (at least I don't see any evidence of it in the ASL GUI)

_________________
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
 Post subject: Re: block vulnerability scans on default domain
Posted: Sat Jun 30, 2012 4:01 pm
Forum Regular

Joined: Mon Oct 29, 2007 6:51 pm
Posts: 643
That can happen when a domain is removed from the server but no one updates the DNS, so all requests hit the main default site. It happens to us all the time when we take down fraud sites, malware hosts, etc. and the domains are registered somewhere else so we can't modify or freeze the DNS. It's not a scan but it sure is annoying. We toyed with using the Arbor to block upstream but found it was a waste of money to use it for that since the extra load it was adding was very small.
 Post subject: Re: block vulnerability scans on default domain
Posted: Sat Jun 30, 2012 6:39 pm
Long Time Forum Regular

Joined: Thu Dec 09, 2004 11:19 am
Posts: 2023
I didn't think of the possibility of removed domains. Interesting!

But in this particular case I would say that

Code:
[Sun Feb 19 03:58:25 2012] [error] [client 74.208.77.49] File does not exist: /home/httpd/vhosts/default/htdocs/phpMyAdmin-2.2.3
[Sun Feb 19 03:58:25 2012] [error] [client 74.208.77.49] File does not exist: /home/httpd/vhosts/default/htdocs/phpMyAdmin-2.2.6
[Sun Feb 19 03:58:25 2012] [error] [client 74.208.77.49] File does not exist: /home/httpd/vhosts/default/htdocs/phpMyAdmin-2.5.1
[Sun Feb 19 03:58:26 2012] [error] [client 74.208.77.49] File does not exist: /home/httpd/vhosts/default/htdocs/phpmyadmin
[Sun Feb 19 03:58:29 2012] [error] [client 74.208.77.49] File does not exist: /home/httpd/vhosts/default/htdocs/phpMyAdmin-2.5.5-rc1
[Sun Feb 19 03:58:29 2012] [error] [client 74.208.77.49] File does not exist: /home/httpd/vhosts/default/htdocs/phpmyadmin1


is most definitely a scan, looking for (vulnerable?) phpmyadmin installations.

 Post subject: Re: block vulnerability scans on default domain
Posted: Sun Jul 01, 2012 4:26 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3600
Location: Chantilly, VA
Just open a feature request for it in the support portal, so we capture all the nuances of what you are looking for. I think you have two cases you want the system to block: scans against the default domain (which shouldn't really ever see anything in the way of traffic, so that may be the trigger, traffic or too much of it), and too many 404s for a domain. I don't want to miss any details, so if you can open a request in the support portal that would be perfect (open a bug, set the type to "Feature").

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.
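The detection logic asked for in the first post and narrowed down in the staff reply above, as an added example that is not ASL's rule engine and not code from anyone in this thread: it parses Apache error_log lines like those quoted earlier and flags a client once it produces at least a threshold number of "File does not exist" errors under the default vhost inside a sliding time window. The threshold and window are deliberately tunable because, as the second reply notes, stale DNS for removed domains also lands in the default site; the client 10.0.0.5 and the vhost example.invalid in the sample are placeholders I made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache 2.2 error_log format, as quoted in the thread above
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[\d.]+)\] "
                     r"File does not exist: (?P<path>\S+)")
TS_FMT = "%a %b %d %H:%M:%S %Y"
DEFAULT_VHOST = "/home/httpd/vhosts/default/"

def parse_line(line):
    """Return (timestamp, client_ip, path) or None for lines that don't match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group("ts"), TS_FMT), m.group("ip"), m.group("path")

def find_scanners(lines, vhost_root=DEFAULT_VHOST, threshold=5, window=timedelta(seconds=60)):
    """Map client IP -> peak number of missing-file errors under vhost_root that
    fell inside any sliding window of `window` seconds, for peaks >= threshold."""
    stamps = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[2].startswith(vhost_root):
            stamps[parsed[1]].append(parsed[0])
    flagged = {}
    for ip, times in stamps.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:   # slide the window forward
                start += 1
            hits = end - start + 1
            if hits >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), hits)
    return flagged

# Constructed sample: six lines from the excerpt above plus one benign client
# (10.0.0.5 and example.invalid are placeholders, not from the thread)
SAMPLE = [
    "[Sun Feb 19 03:58:17 2012] [error] [client 74.208.77.49] File does not exist: /home/httpd/vhosts/default/htdocs/phpMyAdmin",
    "[Sun Feb 19 03:58:18 2012] [error] [client 74.208.77.49] File does not exist: /home/httpd/vhosts/default/htdocs/phpMyAdmin-2",
    "[Sun Feb 19 03:58:18 2012] [error] [client 74.208.77.49] File does not exist: /home/httpd/vhosts/default/htdocs/php-my-admin",
    "[Sun Feb 19 03:58:18 2012] [error] [client 74.208.77.49] File does not exist: /home/httpd/vhosts/default/htdocs/phpMyAdmin-2.2.3",
    "[Sun Feb 19 03:58:19 2012] [error] [client 74.208.77.49] File does not exist: /home/httpd/vhosts/default/htdocs/phpMyAdmin-2.2.6",
    "[Sun Feb 19 03:58:19 2012] [error] [client 74.208.77.49] File does not exist: /home/httpd/vhosts/default/htdocs/typo3",
    "[Sun Feb 19 04:10:00 2012] [error] [client 10.0.0.5] File does not exist: /home/httpd/vhosts/default/htdocs/favicon.ico",
    "[Sun Feb 19 04:10:01 2012] [error] [client 10.0.0.5] File does not exist: /home/httpd/vhosts/example.invalid/httpdocs/old.html",
]
```

Running `find_scanners(SAMPLE)` flags only 74.208.77.49 (six hits in two seconds); the single favicon miss from the benign client stays below the threshold, and the error under the other vhost is ignored entirely.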
 Post subject: Re: block vulnerability scans on default domain
Posted: Sun Jul 01, 2012 5:00 pm
Long Time Forum Regular

Joined: Thu Dec 09, 2004 11:19 am
Posts: 2023
Will do as soon as I have some nice examples again.
