Security Incidents mailing list archives

Re: strange HTTP scan/attack?

From: Bryan Andersen <bryan () visi com>
Date: Tue, 28 Nov 2000 18:30:22 -0600

Jim Bacon wrote:


I am seeing someone repeating hitting a CGI script with a HEAD request and
then submitting a query of the form:

[snip]

Can anyone offer any clues tp what this is and what I can do about it?  It
appears to be originating from a UUnet dialup in the UK, so any complaints
to a live human are impossible and email complaints just an excercise in my
typing practice.


First: Block the host IP or netblock at your firewall if possible.
       If you don't have that control, go into your web server and
       use it's access controls to lockout that host.  For Apache
       it would look something like this:
            <Location /cgi-bin>
               Order deny,allow
               Deny from hostname.or.IP.number.of.offender
               Allow from all
            </Location>
        This would go along with statements like it in the config file.
        You will need to restart Apache, but you can use the gracefull
        option.

Second: Still send that email to uunet about the abuse, they need to
know.


--
|  Bryan Andersen   |   bryan () visi com   |   http://softail.visi.com   |
| Buzzwords are like annoying little flies that deserve to be swatted. |
|   -Bryan Andersen                                                    |

Current thread:

strange HTTP scan/attack? Jim Bacon (Nov 29)
- Re: strange HTTP scan/attack? Anne Marcel Roorda (Nov 30)
- Re: strange HTTP scan/attack? Bryan Andersen (Nov 30)