
Post attack

Posted: 30 Jul 2014, 11:10
by vmicovic
Hello,

I am getting a POST attack on one website:
174.124.254.155 - - [30/Jul/2014:11:07:33 +0100] "POST / HTTP/1.1" 302 204 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
130.0.155.49 - - [30/Jul/2014:11:07:34 +0100] "POST / HTTP/1.0" 302 204 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
122.179.163.63 - - [30/Jul/2014:11:07:34 +0100] "POST / HTTP/1.1" 302 204 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
95.7.18.120 - - [30/Jul/2014:11:07:36 +0100] "POST / HTTP/1.1" 302 204 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
93.156.156.128 - - [30/Jul/2014:11:07:37 +0100] "POST / HTTP/1.1" 302 204 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
122.179.163.63 - - [30/Jul/2014:11:07:37 +0100] "POST / HTTP/1.1" 302 204 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
79.174.248.129 - - [30/Jul/2014:11:07:39 +0100] "POST / HTTP/1.1" 302 204 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
2.37.87.148 - - [30/Jul/2014:11:07:42 +0100] "POST / HTTP/1.1" 302 204 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
180.249.140.233 - - [30/Jul/2014:11:07:42 +0100] "POST / HTTP/1.1" 302 204 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
210.212.213.228 - - [30/Jul/2014:11:07:45 +0100] "POST / HTTP/1.1" 302 204 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
114.146.104.44 - - [30/Jul/2014:11:07:46 +0100] "POST / HTTP/1.1" 302 204 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
71.50.116.151 - - [30/Jul/2014:11:07:47 +0100] "POST / HTTP/1.1" 302 204 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
93.42.84.179 - - [30/Jul/2014:11:07:47 +0100] "POST / HTTP/1.1" 302 204 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
188.247.77.56 - - [30/Jul/2014:11:07:49 +0100] "POST / HTTP/1.1" 302 204 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
122.179.163.63 - - [30/Jul/2014:11:07:49 +0100] "POST / HTTP/1.1" 302 204 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
213.149.18.191 - - [30/Jul/2014:11:07:50 +0100] "POST / HTTP/1.1" 302 204 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
and there are many more IPs.
I made a workaround with htaccess:

Code:

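RewriteEngine on
# Match the user agent sent by the requests in the log above
RewriteCond %{HTTP_USER_AGENT} "MSIE 6.0"
# Redirect matching requests away from the site (302); in .htaccess $1 has no leading slash
RewriteRule ^(.*)$ http://127.0.0.1:445/$1 [R,L]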

But the problem is that the attack has been going on for 2 days...
Is there an option to automatically block those POST attacks with csf?
(something like: more than 3 POSTs from the same IP, then block)


Thank you.

Re: Post attack

Posted: 01 Aug 2014, 15:09
by Sergio
Yes, you can create a regex and add it to the regex.custom.pm file in your CSF; check the readme file.

Check the sticky to see some regex rules and use them as examples to create yours.
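
The counting rule asked about in the first post ("more than 3 POSTs from the same IP"), run over log lines of the same shape, as an added example that is not part of the thread and is not CSF code. The function names, the 60-second window and the sample addresses (documentation ranges) are assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache combined log format: ip, timestamp, request line, status, size, referer, UA
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

def parse(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def flood_ips(lines, limit=3, window=timedelta(seconds=60)):
    """Return the IPs that sent more than `limit` 'POST /' requests inside `window`."""
    hits = defaultdict(list)
    flagged = set()
    for rec in filter(None, map(parse, lines)):
        if rec["method"] != "POST" or rec["path"] != "/":
            continue
        times = hits[rec["ip"]]
        times.append(rec["ts"])
        # Drop timestamps that have fallen out of the sliding window.
        while rec["ts"] - times[0] > window:
            times.pop(0)
        if len(times) > limit:
            flagged.add(rec["ip"])
    return flagged

# Constructed sample lines (not taken from the post), same format as the log above.
UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
def _line(ip, sec, method="POST"):
    return (f'{ip} - - [30/Jul/2014:11:07:{sec:02d} +0100] '
            f'"{method} / HTTP/1.1" 302 204 "-" "{UA}"')

SAMPLE = (
    [_line("192.0.2.10", s) for s in (1, 4, 9, 15, 22)]   # 5 POSTs from one source
    + [_line("198.51.100.7", s) for s in (2, 30, 58)]     # 3 POSTs: at the limit, not over
    + [_line(f"203.0.113.{n}", n) for n in range(1, 9)]   # 8 sources, one POST each
    + [_line("192.0.2.99", 40, method="GET")]             # not a POST, ignored
)

if __name__ == "__main__":
    print(sorted(flood_ips(SAMPLE)))
```

Only the source that exceeds the limit inside the window is flagged; sources that each send a single request stay under a per-IP threshold, which is the case for most addresses in the excerpt posted above.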