quoth the Mark Knecht:
> If you see it happening always from the same IP address then you can
> ask your ISP to block, but other than that I do not know
No need to bug your ISP, just drop packets from the offending IPs in your
firewall. Everyone that runs a public webserver (including myself) collects
logs full of this crap.
What I am not clear on though...is whether these are actually active
script-kiddie attacks, or just zombie PCs with no human interaction hammering
away at whatever box they can find.
I get lots of log entries like:
"GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir"
clearly trying to exploit a windows box. Seems to me any script kiddie that
isn't a *total* idiot will be able to figure out quite easily the OS of his
target, which leads me to believe that it is a zombie PC launching these
"attacks".
The upshot of this is that you can spend 12 hours a day manually blocking IP
addresses, and all you really accomplish is blocking an IP, or block of IPs
used by some fool that doesn't know his wintendo box is full of viruses.
My advice: just ignore, and be thankful you run Linux. If you want to sort all
this cruft out of your logs just do something like:
# grep -vF ".exe" access_log > good_log
Not perfect, as you may filter some legit requests doing this....
-d
--
Part of the problem since 1976
http://badcomputer.no-ip.com
Get my public key from
http://keyserver.linux.it/pks/lookup?op=index&search=bulliver
"...the number of UNIX installations has grown to 10, with more expected..."
- Dennis Ritchie and Ken Thompson, June 1972
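
An added example, not part of the original post: rather than dropping every line that contains ".exe", this Python filter decodes the request path repeatedly (so `%255c` becomes `%5c` and then a backslash) and sets aside only requests whose decoded path has a `..` segment, counting them per source address. The log lines, addresses and function names are constructed for illustration; only the request string is taken from the post.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample in Apache common log format. The addresses come from the
# RFC 5737 documentation ranges and the timestamps are made up.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2000:10:01:02 +0000] "GET /index.html HTTP/1.0" 200 1043
198.51.100.7 - - [01/Jan/2000:10:01:05 +0000] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 289
192.0.2.10 - - [01/Jan/2000:10:02:11 +0000] "GET /downloads/setup.exe HTTP/1.0" 200 52311
198.51.100.7 - - [01/Jan/2000:10:02:12 +0000] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 289
"""

# Client address, then the request target inside the quoted request line.
LINE_RE = re.compile(r'^(\S+) [^"]*"[A-Z]+ (\S+)')

def fully_decode(target, max_rounds=5):
    """Undo repeated percent-encoding (%255c -> %5c -> backslash)."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def is_traversal_probe(target):
    """True if the decoded path (query string excluded) has a '..' segment."""
    path = fully_decode(target).split("?", 1)[0].replace("\\", "/")
    return ".." in path.split("/")

def split_log(text):
    """Return (good_lines, probe_lines, probe_count_per_source)."""
    good, probes, sources = [], [], Counter()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and is_traversal_probe(m.group(2)):
            probes.append(line)
            sources[m.group(1)] += 1
        else:
            good.append(line)
    return good, probes, sources

if __name__ == "__main__":
    good, probes, sources = split_log(SAMPLE_LOG)
    print("\n".join(good))                      # the cleaned log
    for addr, count in sources.most_common():   # who is sending the probes
        print(f"# {count} probe(s) from {addr}")
```

The legitimate `/downloads/setup.exe` request stays in the cleaned log, which the plain ".exe" filter would have thrown away.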