Apache web server being attacked
Aiza
aiza21 at comclark.com
Wed May 19 03:00:19 UTC 2010
Michael Powell wrote:
> Aiza wrote:
>
>> I put apache13 in a jail and left inbound port 80 open in my firewall.
>> There is no domain name pointing to my web server. The content there is
>> a small apache web application that fools web
>> email address harvest programs into harvesting bogus email addresses from
>> the web page. http://www.monkeys.com/wpoison This is what I am doing.
>>
>> Since setting this up I have not had any bots scan the site for email
>> addresses. But I have had port 80 attacks that did not work. My Apache
>> access and error logs follow.
>>
> [snip log content]
>> As you can see, it looks like a script kiddy is running something they don't
>> understand. "/usr/local/www/data//phpmyadmin2/config.inc.php"
>> there should only be a single / between data/phpmyadmin2.
>>
>> But beside that looks like php config.inc.php file is a target and
>> phpmyadmin also is a target. The apache return code 404 means not found
>> so no effect to me.
>>
>> Has anyone seen this junk hitting their apache web servers or have any
>> different explanation of what this means?
>
> Sorry to tell you this, but this kind of thing goes on all the time. You can
> fine tune mod_security for some control for SQL injection techniques, as
> well as many other generic forms of locking down the web server in general.
>
> Generally speaking, the bulk of this does nothing more than filling the logs
> - BUT - all it takes is for one app to let the attacker "leak" onto your
> hard drive and they're in. I see a lot of scans for roundcube and
> phpMyAdmin. Have also seen a lot of phpBB in the past.
>
> The attackers spew lots of requests but the needle in the haystack they are
> looking for is that one app that has a known vulnerability. In addition to
> securing the web server itself you should monitor any app running on it for
> reported security flaws and keep them updated to the latest "safe" versions.
>
> You can also add to the hardening of your web server (if Apache) with
> various .htaccess + mod_rewrite tricks. Examples include:
>
> # block all smarty templates (no reason to have these exposed)
> RedirectMatch gone ^/.*\.tpl$
>
> # block all .log (log files), .sql (sql dump/export) and .conf (config
> # files) files in case some day these files move to another directory
> RedirectMatch gone ^.*\.(sql|log|conf)$
>
> # block access to the 'Smarty-*' directory
> RedirectMatch gone ^.*Smarty.*$
>
> # block common files present that you don't want served
> RedirectMatch gone CHANGELOG.*
> RedirectMatch gone COPYRIGHT.*
> RedirectMatch gone INSTALL.*
> RedirectMatch gone NEW.*
> RedirectMatch gone README.*
> RedirectMatch gone UPGRADE.*
> RedirectMatch gone VERSION.*
>
> # block access to directories
> Redirect gone /upgrade
> Redirect gone /tmp
> Redirect gone /var
> Redirect gone /sql
>
> # disable content negotiation and directory listings, then block pesky
> # scanners based on their User-Agent
> Options -MultiViews -Indexes
>
> RewriteEngine On
> RewriteBase /
>
> RewriteCond %{HTTP_USER_AGENT} ^Twiceler [NC,OR]
> RewriteCond %{HTTP_USER_AGENT} ^Morfeus [NC,OR]
> RewriteCond %{HTTP_USER_AGENT} ^Toata [NC]
> RewriteRule .* - [F,L]
>
> There is much and many more, just a couple of examples for ideas. :-)
>
> -Mike
>
Where do I find documentation on how to enable and use apache mods
rewrite and redirect?
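As an added example (not from either poster), the same probes Aiza found in the logs and the scanner user agents Mike blocks can be picked out of an Apache combined-format access log and summarized per client IP. The log lines, the path patterns and the agent names below are constructed for the example; the double-slash check is there because of the "data//phpmyadmin2" request in the post.

```python
import re
from collections import defaultdict

# Apache "combined" log format: ip ident user [time] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed patterns taken from the thread: apps the scanners look for, and
# the user agents the posted RewriteCond rules block. Not an exhaustive list.
PROBE_PATHS = re.compile(r'(phpmyadmin|config\.inc\.php|roundcube|phpbb)', re.I)
PROBE_AGENTS = re.compile(r'^(Twiceler|Morfeus|Toata)', re.I)

# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
203.0.113.5 - - [18/May/2010:22:11:03 +0000] "GET //phpmyadmin2/config.inc.php HTTP/1.1" 404 209 "-" "Mozilla/4.0"
203.0.113.5 - - [18/May/2010:22:11:04 +0000] "GET /phpMyAdmin/config.inc.php HTTP/1.1" 404 209 "-" "Mozilla/4.0"
198.51.100.7 - - [18/May/2010:22:12:40 +0000] "GET /roundcube/ HTTP/1.1" 404 209 "-" "Morfeus scanner"
192.0.2.9 - - [18/May/2010:22:13:00 +0000] "GET /index.html HTTP/1.1" 200 1543 "-" "Mozilla/5.0"
""".splitlines()

def parse_line(line):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(entry):
    """Return the reasons (possibly none) a parsed entry looks like an automated probe."""
    reasons = []
    if PROBE_PATHS.search(entry["path"]):
        reasons.append("probe-path")
    if "//" in entry["path"]:
        reasons.append("double-slash")   # the sloppy "data//phpmyadmin2" style request
    if PROBE_AGENTS.match(entry["ua"]):
        reasons.append("probe-agent")
    return reasons

def summarize(lines):
    """Per client IP: flagged request count, how many of them were 404s, and the distinct reasons."""
    report = defaultdict(lambda: {"flagged": 0, "404": 0, "reasons": set()})
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue                      # skip unparsable lines rather than crash
        reasons = classify(entry)
        if not reasons:
            continue                      # ordinary traffic is not reported
        r = report[entry["ip"]]
        r["flagged"] += 1
        if entry["status"] == "404":
            r["404"] += 1
        r["reasons"].update(reasons)
    return dict(report)

if __name__ == "__main__":
    for ip, r in summarize(SAMPLE_LOG).items():
        print(ip, r["flagged"], "flagged,", r["404"], "x 404,", sorted(r["reasons"]))
```

A client whose flagged requests are all 404s is just enumerating apps that are not installed; the ones worth a closer look are any flagged requests that returned 200.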