I quite frequently see log entries like this:

Processing MenuController#menu (for 81.18.246.182 at 2010-09-29 21:06:22) [GET]
  Parameters: {"anything"=>["phpMyAdmin", "config", "config.inc.php"], "p"=>"phpinfo()"}
Redirected to http://85.214.197.248/authentication/login
Filter chain halted as [#<Proc:0xb74c7784@/home/xxx/yyy.de/releases/20100929164559/vendor/rails/actionpack/lib/action_controller/verification.rb:82>] rendered_or_redirected.
Completed in 1ms (DB: 0) | 302 Found [http://85.214.197.248/phpMyAdmin/config/config.inc.php?p=phpinfo();]
Obviously these guys try to find some weakness in my server. They very
often retry a list of login attempts to get some successful login
sending Parameters like this:
{"anything"=>["phpMyAdmin"]}
{"anything"=>["phpmyadmin","config","config.inc.php"],"p"=>"phpinfo()"}
{"anything"=>["pma","config","config.inc.php"],"p"=>"phpinfo()"}
{"anything"=>["admin","config","config.inc.php"],"p"=>"phpinfo()"}
{"anything"=>["dbadmin","config","config.inc.php"],"p"=>"phpinfo()"}
{"anything"=>["mysql","config","config.inc.php"],"p"=>"phpinfo()"}
{"anything"=>["php-my-admin","config","config.inc.php"],"p"=>"phpinfo()"}
{"anything"=>["myadmin","config","config.inc.php"],"p"=>"phpinfo()"}
{"anything"=>["PHPMYADMIN","config","config.inc.php"],"p"=>"phpinfo()"}
{"anything"=>["phpMyAdmin","config","config.inc.php"],"p"=>"phpinfo()"}
{"anything"=>["p","m","a","config","config.inc.php"],"p"=>"phpinfo()"}
What's the best way to process these hacking attempts?
-- 
Posted via http://www.ruby-forum.com/.
-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en.
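Added example (not part of the thread, and not Rails code): before deciding how to answer these requests it helps to know how many distinct clients send them, which the "Processing ... (for IP at time)" and "Parameters:" lines above already tell you. The script below parses Rails 2.x log lines of exactly that shape, flags requests whose parameters carry the phpMyAdmin markers quoted in the post (config.inc.php, phpinfo(), phpmyadmin, pma) and tallies them per client IP. The sample log is constructed for the example: the two addresses are the ones quoted in the post, 192.0.2.10 is a documentation address standing in for an ordinary visitor.

```ruby
# Added example, not from the thread: count phpMyAdmin-style probes per
# client IP in Rails 2.x "Processing ..." / "Parameters:" log lines.

# Constructed sample log in the shape quoted in the post (non-interpolating
# squiggly heredoc, so the "#menu" and "=>" fragments are kept literally).
SAMPLE_LOG = <<~'LOG'
  Processing MenuController#menu (for 81.18.246.182 at 2010-09-29 21:06:22) [GET]
    Parameters: {"anything"=>["phpMyAdmin", "config", "config.inc.php"], "p"=>"phpinfo()"}
  Redirected to http://85.214.197.248/authentication/login
  Completed in 1ms (DB: 0) | 302 Found [http://85.214.197.248/phpMyAdmin/config/config.inc.php?p=phpinfo();]
  Processing MenuController#menu (for 81.18.246.182 at 2010-09-29 21:06:23) [GET]
    Parameters: {"anything"=>["pma", "config", "config.inc.php"], "p"=>"phpinfo()"}
  Completed in 1ms (DB: 0) | 302 Found [http://85.214.197.248/pma/config/config.inc.php?p=phpinfo();]
  Processing MenuController#menu (for 192.0.2.10 at 2010-09-29 21:07:00) [GET]
    Parameters: {"anything"=>["news"]}
  Completed in 3ms (DB: 1) | 200 OK [http://85.214.197.248/menu/news]
LOG

# "Processing Controller#action (for IP at TIME) [VERB]"
PROCESSING_RE = /\AProcessing \S+ \(for (?<ip>[\d.]+) at (?<time>[^)]+)\) \[(?<verb>[A-Z]+)\]/
# "  Parameters: {...}" (the indented line that follows a Processing line)
PARAMS_RE     = /\A\s*Parameters: (?<params>\{.*\})\s*\z/
# Markers taken from the parameter lists quoted in the post.
PROBE_MARKERS = [/config\.inc\.php/i, /phpinfo\(\)/i, /phpmyadmin/i, /\bpma\b/i].freeze

Probe = Struct.new(:ip, :time, :params)

# Returns one Probe per request whose parameters carry a probe marker.
def parse_probes(log_text)
  probes = []
  request = nil
  log_text.each_line do |line|
    if (m = PROCESSING_RE.match(line))
      request = { ip: m[:ip], time: m[:time] }
    elsif request && (m = PARAMS_RE.match(line))
      params = m[:params]
      probes << Probe.new(request[:ip], request[:time], params) if PROBE_MARKERS.any? { |re| params.match?(re) }
      request = nil
    end
  end
  probes
end

# Returns { ip => probe count }, noisiest client first.
def probes_per_ip(log_text)
  counts = parse_probes(log_text).each_with_object(Hash.new(0)) { |p, h| h[p.ip] += 1 }
  counts.sort_by { |_ip, n| -n }.to_h
end

if __FILE__ == $PROGRAM_NAME
  probes_per_ip(SAMPLE_LOG).each { |ip, n| puts "#{ip}: #{n} probe(s)" }
end
```

Run it against a real production.log by replacing SAMPLE_LOG with File.read('log/production.log'); a long tail of single-probe addresses, as the later replies in this thread suggest, is the usual sign of a scanning botnet rather than one host worth banning.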
If it's from a consistent set of IP addresses, you can ban them. Not a full solution obviously, but a good first step.

> Fritz Trapper <mailto:lists-fsXkhYbjdPsEEoCn2XhGlw@public.gmane.org>
> January 8, 2011 6:32 PM
>
> I quite frequently see logentries like this:
> [...]
No, I tested 3 IP addresses: Russia, USA, Netherlands.
It is not wise to simply ban the IPs, because this can be a simple botnet scanning. So, real users are not even aware of what's going on.
You can try to block this kind of request on the webserver before it goes to the Rails stack, like this (nginx):

    # answer any request whose path ends in .php with 403 before it reaches Rails
    location ~ \.php$ {
        deny  all;
    }

On Jan 9, 7:44 am, Fritz Trapper
<li...-fsXkhYbjdPsEEoCn2XhGlw@public.gmane.org>
wrote:
> No, I tested 3 IP addresses: Russia, USA, Netherlands.
>
> --
> Posted via http://www.ruby-forum.com/.
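Added example, not from the thread and not Rails' own code: the Rack-level equivalent of the nginx rule above, for the case where the web server config is not yours to change. The middleware answers paths a Rails app never serves (anything ending in .php, or the phpMyAdmin directory names that appear in the quoted parameter lists) with a plain 404 before any controller or filter chain runs, and optionally records the client address. It assumes a Rack-based Rails (2.3 or later); the class name, the pattern and the :log option are this example's own. The nginx rule remains the cheaper place to do this, since the request never reaches the app process at all.

```ruby
# Added example, not from the thread: Rack middleware that 404s scanner
# probes for PHP paths before they reach the Rails stack.
class RejectPhpProbes
  # Paths ending in .php, or a top-level phpMyAdmin-style directory name
  # (taken from the parameter lists quoted in the post). "admin" alone is
  # deliberately not listed, because a Rails app may well serve /admin.
  PROBE_PATH = %r{\.php\z|\A/(phpmyadmin|pma|myadmin|php-my-admin|dbadmin)(/|\z)}i

  NOT_FOUND_BODY = 'Not Found'.freeze

  # app: the next Rack app; log: anything responding to #<< (e.g. Rails.logger,
  # $stderr, or an Array when testing). Both names are this example's own.
  def initialize(app, log: nil)
    @app = app
    @log = log
  end

  def call(env)
    path = env['PATH_INFO'].to_s
    return @app.call(env) unless probe?(path)

    @log << "rejected probe from #{env['REMOTE_ADDR']}: #{env['REQUEST_METHOD']} #{path}\n" if @log
    [404,
     { 'Content-Type' => 'text/plain', 'Content-Length' => NOT_FOUND_BODY.bytesize.to_s },
     [NOT_FOUND_BODY]]
  end

  def probe?(path)
    PROBE_PATH.match?(path)
  end
end

# Stand-alone demo with a trivial downstream app and hand-built env hashes
# (constructed; the probe path and the client IP are the ones quoted in the post).
if __FILE__ == $PROGRAM_NAME
  inner = ->(_env) { [200, { 'Content-Type' => 'text/plain' }, ['menu']] }
  app = RejectPhpProbes.new(inner, log: $stderr)
  ['/phpMyAdmin/config/config.inc.php', '/pma/', '/menu'].each do |path|
    status, = app.call('PATH_INFO' => path, 'REQUEST_METHOD' => 'GET', 'REMOTE_ADDR' => '81.18.246.182')
    puts "#{path} -> #{status}"
  end
end
```

Wire it in with config.middleware.use RejectPhpProbes, log: Rails.logger (inside the Rails::Initializer block in config/environment.rb on Rails 2.3, in config/application.rb on later versions). Because the middleware sits in front of the router, the rejected requests no longer produce the "Filter chain halted" noise in the log, and the one line it writes per probe is enough to keep counting clients.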
I guess I simply should send a 404.

Since my server needs to be accessible from a quite small region and I'm uninterested in getting it indexed by search engines, it would be possible to reject any request that comes from outside the region.

How to programmatically get the origin of an IP address?
I wouldn't bother doing that from Rails. That'd be easier to set up either at the firewall or web server level. Would use a lot less resources.

Simon

On Sun, 09 Jan 2011 19:35:23 +0800, Fritz Trapper <lists-fsXkhYbjdPsEEoCn2XhGlw@public.gmane.org> wrote:
> I guess, I simply should send a 404.
> [...]
> How to programmaticaly get the origin of an IP address?
That's also not very wise, since I occasionally use phpmyadmin myself. (In normal mode, it is stopped, and a cronjob stops it automatically every night for security.)
Fritz Trapper wrote in post #973449:
> That's also not very wise, since I occasionally use phpmyadmin myself.
> (In normal mode, it is stopped and a cronjob stops it automatically
> every night for security.)

That's not wise at all. PhpMyAdmin has known security holes, and there are better MySQL admin tools available anyway.

Best,
--
Marnen Laibow-Koser
http://www.marnen.org
marnen-sbuyVjPbboAdnm+yROfE0A@public.gmane.org

Sent from my iPhone
And what about webmin?
Please quote when replying.

Fritz Trapper wrote in post #973537:
> And what about webmin?

What about it?

Best,
--
Marnen Laibow-Koser