A little more investigation into my Apache error logs this morning on some WordPress sites, and I found the following from different IP addresses. It does appear that people are attempting some kind of buffer overflow against WordPress sites.

[Fri Jul 08 07:25:33.444036 2016] [core:error] [pid 19186:tid 140183949231872] (36)File name too long: [client 40.77.167.95:8985] AH00036: access to /\xe2\xc \x83\xc6\x92\xc3\x86\xe2\x80\x99\xc3\x83\xe2\x80\xa0\xc3\xa2\xe2\x82\*_(I shortened this by 4782 characters)_*-global-warming.html failed (filesystem path '/home/_removed_/htdocs/

Again, this is appearing only in error logs, not actually in access logs. What it appears they are doing is calling the site and inserting this string in between some valid permalinks. So, for instance, http://yoursite.com/something.html becomes http://yoursite.com/\xe2\xc\x83\x26-something.html

Anyone else seeing this behavior on any WordPress sites?

I think I must join the Apache user mailing list on this one. Not really a Fail2Ban issue, but I do think it would be nice for Fail2Ban to be able to detect things like these random strings and have a filter for blocking them for good.
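The filter wished for above is easy enough to prototype. The block below is an added example, not code from the original post or from the Fail2Ban project: it defines a hypothetical filter.d entry that keys on the exact condition in the quoted log line (the "(36)File name too long" / AH00036 error, which only shows up in the error log, never in the access log), expands fail2ban's <HOST> placeholder the way fail2ban does, and runs it over a few constructed error-log lines to show which client addresses would be banned and which unrelated errors are left alone. The filter name, file paths and sample lines are all assumptions; the first sample line is modelled on the entry quoted above with its junk path cut down to a few bytes.

```python
import re

# Stand-in for the <HOST> placeholder fail2ban expands inside a failregex.
# fail2ban's real expansion also covers IPv6 and hostnames; IPv4 is enough here.
HOST_RE = r"(?:\d{1,3}\.){3}\d{1,3}"

# Hypothetical filter in fail2ban's filter.d format (assumed name:
# /etc/fail2ban/filter.d/apache-longname.conf). It anchors on the Apache 2.4
# error-log prefix "[date] [module:error] [pid N:tid M]" (tid is absent under
# prefork, so it is optional), then the "(36)File name too long" condition,
# then the client address from "[client ip:port]", then the AH00036 message.
FILTER_CONF = r"""[Definition]
failregex = ^\[[^\]]*\] \[(?:\w+:)?error\] (?:\[pid \d+(?::tid \d+)?\] )?\(36\)File name too long: \[client <HOST>(?::\d{1,5})?\] AH00036: access to .+ failed
ignoreregex =
"""

# Constructed sample lines (not from the original post). Line 1 mirrors the
# entry quoted in the thread; line 2 is the same condition from a prefork
# worker (pid, no tid); lines 3 and 4 are unrelated entries that must not match.
SAMPLE_ERROR_LOG = [
    r"[Fri Jul 08 07:25:33.444036 2016] [core:error] [pid 19186:tid 140183949231872] (36)File name too long: [client 40.77.167.95:8985] AH00036: access to /\xe2\xc3\x83\xc6\x92-global-warming.html failed (filesystem path '/home/example/htdocs/\xe2\xc3\x83\xc6\x92-global-warming.html')",
    r"[Fri Jul 08 07:25:40.000000 2016] [core:error] [pid 20001] (36)File name too long: [client 198.51.100.7:50123] AH00036: access to /\xc3\x83\xe2\x80\xa0-something.html failed (filesystem path '/home/example/htdocs/\xc3\x83\xe2\x80\xa0-something.html')",
    r"[Fri Jul 08 07:26:01.000001 2016] [core:error] [pid 19186:tid 140183949231872] (13)Permission denied: [client 192.0.2.10:4321] AH00035: access to /wp-admin/ denied (filesystem path '/home/example/htdocs/wp-admin')",
    r"[Fri Jul 08 07:27:15.123456 2016] [core:notice] [pid 19186:tid 140183949231872] AH00094: Command line: '/usr/sbin/apache2'",
]


def failregex_from_conf(conf: str) -> str:
    """Pull the failregex value out of a minimal [Definition] block."""
    for line in conf.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "failregex":
            return value.strip()
    raise ValueError("no failregex in filter")


def compile_failregex(failregex: str) -> "re.Pattern[str]":
    """Expand <HOST> into a named group, as fail2ban does, and compile."""
    return re.compile(failregex.replace("<HOST>", f"(?P<host>{HOST_RE})"))


def matching_hosts(lines, failregex=None):
    """Return the client IPs of the lines this filter would count as failures."""
    pat = compile_failregex(failregex or failregex_from_conf(FILTER_CONF))
    return [m.group("host") for m in map(pat.search, lines) if m]


if __name__ == "__main__":
    for host in matching_hosts(SAMPLE_ERROR_LOG):
        print("would ban", host)
```

Before enabling a jail on a filter like this, run it against the real log with fail2ban's own tester, e.g. `fail2ban-regex /var/log/apache2/error.log /etc/fail2ban/filter.d/apache-longname.conf`, and check that only the AH00036 lines are counted. The jail then needs `logpath` pointed at the error log rather than the access log, since that is the only place these requests show up.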



On 2016/07/09 12:56 AM, [email protected] wrote:
A guy on the Apache user mailing list was able to talk with the guys doing this scan; here is the response:


Okay Red-Tail Books, I got more information for you! This is the latest response I got:

"The malware is installed via a range of vulnerabilities including
social engineering.  This scan is really testing for the malware's
rendezvous protocol for command and control.  As a rule, we have been
informing law enforcement about infected machines and they have been
doing victim notification and thus if your correspondent is infected
they will be contacted. However, I believe that this particular
malware works exclusively with IIS and thus an Apache user is unlikely
to have much to worry about. Unfortunately, I don't know the precise
meaning of the string or what it elicits and Paul (cc'd) who is the
grad student lead on this project is currently away on his honeymoon,
but I'm sure we can respond more succinctly once he returns"

So, it seems that you're in the clear and have nothing to worry about, mainly because you're running Apache and not IIS. I wish I could answer what the actual hex string means and what Apache responded with. Perhaps when Paul gets back from his honeymoon, we'll receive an answer.

Best of luck.

Ken.




------------------------------------------------------------------------------
Attend Shape: An AT&T Tech Expo July 15-16. Meet us at AT&T Park in San
Francisco, CA to explore cutting-edge tech and listen to tech luminaries
present their vision of the future. This family event has something for
everyone, including kids. Get more information and register today.
http://sdm.link/attshape


_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users

