[nsp-sec] Web Server Attack

Scott Fendley scottf at uark.edu
Sat Jul 25 22:39:31 EDT 2009


Good evening all,

Attached is a list of IP addresses sorted by AS number from activity
directed at one of our web servers here. It appears from my initial analysis
that intruders added some extra files on this server and had a botnet
attempt to access these files for an as-yet-unknown purpose.  Due to the
number of attempts originating from this botnet, the web server came
tumbling down.  We have taken steps to block this activity, but wanted to
provide info to those who can try to clean up infected computers.

The URL String of each of these was of the form

VirtualHostName remoteIP - ddos [25/Jul/2009:20:54:01 -0500] "GET
http://VirtualHostName/media/files/?????????????????????????????????????????
????????????????????????????????????????????????????????????????????????????
????????????????????????????????????????????????????????????????????????????
????????????????????????????????????????????????????????????????????????????
????????????????????????????????????????????????????????????????????????????
????????????????????????????????????????????????????????????????????????????
?????????????????????cheap-cialis HTTP/1.1" 404 808 "-" "Mozilla/4.0
(compatible; MSIE 6.0; Windows NT 5.0; ru) Opera 8.00" "-"

Thanks for your assistance in getting these infected customers cleaned up.
If you have questions, please feel free to contact me directly.

Scott Fendley
IT Security
University of Arkansas
479-575-2022
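
Added example, not part of the original message: one way to reduce access-log lines of the form quoted above to a per-source count of 404 requests under /media/files/. The host name, addresses and log lines are constructed, and the function name `suspect_sources` is hypothetical.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Vhost-prefixed combined log format, matching the sample line in the message:
# vhost ip ident user [time] "METHOD target PROTO" status bytes ...
LINE_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample input (documentation addresses, placeholder host name).
SAMPLE_LOG = """\
www.example.edu 192.0.2.10 - ddos [25/Jul/2009:20:54:01 -0500] "GET http://www.example.edu/media/files/????cheap-cialis HTTP/1.1" 404 808 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; ru) Opera 8.00" "-"
www.example.edu 192.0.2.10 - ddos [25/Jul/2009:20:54:02 -0500] "GET http://www.example.edu/media/files/??????cheap-cialis HTTP/1.1" 404 808 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; ru) Opera 8.00" "-"
www.example.edu 198.51.100.7 - ddos [25/Jul/2009:20:54:02 -0500] "GET http://www.example.edu/media/files/???cheap-cialis HTTP/1.1" 404 808 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; ru) Opera 8.00" "-"
www.example.edu 203.0.113.5 - - [25/Jul/2009:20:54:03 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "-"
www.example.edu 203.0.113.5 - - [25/Jul/2009:20:54:04 -0500] "GET /media/files/report.pdf HTTP/1.1" 200 90211 "-" "Mozilla/5.0" "-"
-- log rotated --
"""


def suspect_sources(lines, prefix="/media/files/", status="404"):
    """Count requests per source IP that hit `prefix` and got `status`.

    Returns (Counter of ip -> hits, number of lines that did not parse).
    """
    hits, unparsed = Counter(), 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1  # keep a tally so silent parse failures are visible
            continue
        # The request target may be an absolute URL (as in the quoted line)
        # or a bare path. urlsplit handles both; everything after the first
        # "?" becomes the query, so the path is just the directory.
        path = urlsplit(m["target"]).path
        if m["status"] == status and path.startswith(prefix):
            hits[m["ip"]] += 1
    return hits, unparsed


if __name__ == "__main__":
    counts, skipped = suspect_sources(SAMPLE_LOG.splitlines())
    for ip, n in counts.most_common():
        print(f"{ip}\t{n}")
    print(f"unparsed lines: {skipped}")
```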


