iptables to block user agent - what am I doing wrong.
For over a month now I have been receiving thousands (3 or 4 every second atm) of the following on one of my domains:
Code:
78.137.95.141 - - [20/Oct/2013:20:39:50 +0100] "POST / HTTP/1.1" 200 14772 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" Code:
iptables -A INPUT -p tcp --dport 80 -m string --algo bm --string "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" -j DROP I don't know if what I am trying to do is possible but I am starting to clutch at straws now as I don't want to leave it till the traffic is so high I have to close down the domain completely. OS: CentOS 6.4 |
Try:
Code:
iptables -I INPUT -p tcp --dport 80 -m string --algo bm --string "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" --to 1000 -j DROP Code:
wget --random-wait -r -p -e robots=off -U Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) http://domain.com Code:
wget --random-wait -r -p -e robots=off -U "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" http://domain.com I use .htaccess or httpd.conf for user_agent blocking, but that's just "me". I've never tried it with UA strings in an iptable rule, but it could work. |
Many Thanks
Thank you so much, that seems to have done the job! :hattip:
I would be interested to know if people think there is another, better way to deal with this? I have to sort out the SMTP request from the virus now but that is for another day |
Glad it works using iptables!
Here's how I deal with it using .htaccess Open a terminal and > Code:
wget --random-wait -r -p -e robots=off -U "Widow" bournetoraiseshell.com That's using .htaccess. If you have root access you can modify the apache|httpd.conf file, OR if you don't have access to those configuration files, then you can use .htaccess. Fine tuning can be done on a site-by-site basis if you use http.conf or .htaccess. (some requests may be 'legimate'?) I'd be happy to post the meat-and-potatoes of it. Subscribed with interest... Virus? spewing spam are we? |
Hi Habitual
Unfortunately although the iptables method blocked the required traffic, it caused loads of Apache child processes which refused to die and then caused the system to become unstable. I would be most interested in the .htaccess method, it sounds like the solution I need. I have full root access but it is only one domain that is affected so I will use .htaccess rather than http.conf. Thanks |
ouch. Sorry about that!
I don't know how to write that string. I have to 'borrow' from examples I find on the net. Check this out --> http://stackoverflow.com/questions/1...ttack/18046104 That "drop" example doesn't include the option I gave: Code:
--to 1000 Have you checked your domain at http://www.unmaskparasites.com/ ? It's a very good place to see if your site is up to something nefarious. Pay particular attention to entries in the External References section. Why do you believe it's PushDo? some santiized (masked IP of the host) logs would help for analysis... More experienced gurus may have something else to include/offer. Again, Sorry. |
No need to apologise, you were trying to help and it almost worked.
I probably wasn't clear in my first post - It is not my server that is infected but is is being contacted by infected machines. The later variants of the Pushdo virus (and probably a few others now) are masking their true command and control systems by also contacting 300 other non infected sites (See here) This does not fit exactly with my problem as they describe a GET request whereas I am receiving POSTs but I have seen other reports of variants using POST. I am not 100% certain that this is the problem but unfortunately it looks like the algorithm used to choose these 300 domains is occasionally coming up with mine :( I am also receiving SMTP traffic from the same IPs, which fits in with the Pushdo 'modus operandi' as it also tries to send Spam at the same time. All I want to do is block the requests. I can slow it down a bit with Fail2Ban on both the SMTP and HTTP side but the overhead for banning 100K+ IPs is quite high (even when using IPset - thanks to advice from this forum!) I don't actually think there are that many infected systems contacting my domain, but rather the IPs are spoofed (I have yet to find a definitive answer on this). Inspecting the incoming packet TTLs with tcpdump *seems* to indicate 4 different sources but this is a VERY unreliable method. Also the steady stream of traffic would point to a low number of sources as there are no peaks and troughs as there would be if all these IPs were real?? If all the thousands of IPs I have logged were real I am sure they would have swamped the server a long time ago! Sorry for rambling, but any help is gratefully received. Scott |
Scott:
Are you seeing any s_nn log hits as described here? Do you have legitimate smtp traffic? One small step could be drop all traffic for outdated user_agents such as MSIE 6.0? Have you done an rkhunter scan? John |
Hi John
Quote:
Quote:
Quote:
Quote:
Code:
RewriteEngine on Thanks again Scott |
If they are all MSIE 6.0 user_agents and you want to deny them, then
Code:
RewriteEngine On Code:
wget --random-wait -r -p -e robots=off -U "MSIE 6.0 1.2" domain.com My intent on sending you to that blog was for you to examine your log files more intently. :) I've even asked for sanitized records from it... |
For some reason that produces a redirect on any browser I have tried? (Firefox, Chrome and IE)
|
I don't know, it must be something specific to the httpd version.
I cannot tell on my shared hosting at GoDaddy what version I'm bound to. |
Sorted! (Hopefully)
I used the following and it is working:
Quote:
|
http://wordpress.org/support/topic/u...th-post-status
suggests changing your IP (A record) and using iptables with the drop rule. |
That does look like it is the same thing. Strangely the requests in that log are already showing that they being 301 redirected?
Changing IP will not help as the traffic is resolving from the domain name so it would just move to the new IP, and dropping the domain name is not an option. I have tried the iptables rule they suggest but it does the same as the one tried before - blocks the traffic but creates lots of Apache child processes. |
All times are GMT -5. The time now is 03:26 PM. |