1) Okay, you need to make your "report" - this is a complete forensics of all the IPs with a complete log example to send to their authoritative technical and abuse contacts.
2) You can use a script to drop all such exploits to the iptables deny file?  
It's going to look something like this (you are going to have to play with your logfile sed/awk statement to be sure that the field $7 is the seventh from the left and that the sed statement gets the full IP string correct before implementing).  Season to taste (any of the unique statements from your logs will work):
#!/bin/bash
# Collect candidate IPs into tmp, build a de-duplicated list in ttt, then load DROP rules from ttt.
rm -f ttt tmp
touch tmp
# Already-disabled IPs can be obtained from /etc/sysconfig/iptables
# (check which awk field holds the address in your saved-rules format)
grep DROP /etc/sysconfig/iptables | awk '{print $5}' >tmp
# ------------------------ DoS attacks rule -------------------------
# Identity mismatch in /var/log/secure
grep Did /var/log/secure | awk '{print $12}' >>tmp
# Invalid user
grep "Invalid user" /var/log/secure | awk '{print $10}' >>tmp
# Maximum login
grep "Maximum login" /var/log/secure | awk '{print $7}' | sed 's/.*\[\(.*\)\])/\1/g' >>tmp
# humano (the referral seen in the Apache access_log)
grep "humano" /var/log/apache/access_log | awk '{print $7}' | sed 's/.*\[\(.*\)\])/\1/g' >>tmp

# ------------------ reduce redundant IPs from tmp file -------------
# Drop blank lines first: an empty $us would turn the sed below into "sed //d" and abort.
grep -v '^$' tmp >tmps; mv -f tmps tmp
# Each pass moves the first IP to ttt and deletes every copy of it from tmp.
size=`wc -l <tmp`
while test "$size" -gt 0
do
  us=`sed -n 1p tmp`
  # anchored, so deleting 10.1.1.1 does not also delete 10.1.1.10
  sed "/^$us\$/d" tmp >tmps
  echo "$us" >>ttt
  cp -f tmps tmp
  size=`wc -l <tmp`
done
rm -f tmp tmps
#
# ------------------ activate detected IPs --------------------------
# NOTE: iptables -F flushes every rule in the filter table, not only the old DROPs,
# so anything else you had in INPUT/OUTPUT/FORWARD must be reloaded afterwards.
size=`wc -l <ttt`
size=`expr $size + 1`
/sbin/iptables -F
i=1
while test $i -lt $size
do
  ip=`sed -n "$i"p ttt`
  i=`expr $i + 1`
  /sbin/iptables -A INPUT -s "$ip" -j DROP
done
# -----------------end of shell script test -------------------------

www.Obnosis.com |  http://en.wiktionary.org/wiki/Citations:obnosis | http://www.urbandictionary.com/define.php?term=obnosis (503)754-4452
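An added example (my own, not the script from the post above) of the same log-to-iptables pipeline written so the address is found by matching the dotted quad itself instead of counting awk fields, de-duplicated with sort -u, and printed for review instead of flushing and reloading the live ruleset. The sample secure/access_log lines, the existing DROP rule and the 'display=http://' signature are constructed assumptions modelled on the messages in this thread.

```shell
#!/bin/sh
# Added example, not the original poster's script: works on constructed sample text
# instead of /var/log/secure and access_log, and prints iptables commands rather than
# running them, so the list can be checked before it goes into the firewall.

# Constructed samples: sshd lines in /var/log/secure style, Apache access_log lines
# carrying the query string seen in the question, and one pre-existing DROP rule.
SAMPLE_SECURE='Dec  3 14:15:01 web sshd[2231]: Invalid user admin from 192.0.2.44
Dec  3 14:15:09 web sshd[2233]: Invalid user oracle from 192.0.2.44
Dec  3 14:16:30 web sshd[2240]: Accepted publickey for keith from 198.51.100.9 port 51122 ssh2'
SAMPLE_ACCESS='203.0.113.7 - - [03/Dec/2008:14:10:22 -0700] "GET /index.php?display=http://humano.ya.com/mysons/index.htm? HTTP/1.1" 200 512
198.51.100.9 - - [03/Dec/2008:14:11:02 -0700] "GET /about.html HTTP/1.1" 200 1024
203.0.113.7 - - [03/Dec/2008:14:12:40 -0700] "GET /index.php?display=http://humano.ya.com/mysons/index.htm? HTTP/1.1" 200 512'
SAMPLE_EXISTING='-A INPUT -s 198.51.100.200 -j DROP'

# first_ip: for every stdin line containing the fixed string $1, print the first
# dotted quad on that line. Matching digits-and-dots works whatever column the
# address sits in, which is the fragile part of fixed "$7"/"$10" field picking.
first_ip() {
    grep -F -- "$1" | awk 'match($0, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/) { print substr($0, RSTART, RLENGTH) }'
}

# offenders: union of the addresses behind each log signature, de-duplicated with
# sort -u (this replaces the sed/cp loop in the original script). The access_log
# signature is the query parameter with any remote URL, not just one referral host.
offenders() {
    {
        printf '%s\n' "$SAMPLE_SECURE" | first_ip 'Invalid user'
        printf '%s\n' "$SAMPLE_ACCESS" | first_ip 'display=http://'
        printf '%s\n' "$SAMPLE_EXISTING" | first_ip '-j DROP'
    } | sort -u
}

# rules: one DROP per address, printed rather than executed so a person reviews the
# list first (the original script's iptables -F would also remove unrelated rules).
rules() {
    offenders | while read -r ip; do
        printf '/sbin/iptables -A INPUT -s %s -j DROP\n' "$ip"
    done
}

rules
```

Swap the sample variables for `cat /var/log/secure` and the access_log, and the `printf` in rules() for the real command, once the printed list looks right.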

--- On Wed, 12/3/08, Lisa Kachold <lisakachold@obnosis.com> wrote:
From: Lisa Kachold <lisakachold@obnosis.com>
Subject: RE: OT: Website Exploits
To: klsmith2020@yahoo.com, plug-discuss@lists.plug.phoenix.az.us
Date: Wednesday, December 3, 2008, 3:58 PM

It appears as though someone is attempting to access http://humano.ya.com via a redirect.
It's probably not a "real" exploit but a miscrafted URL referral.

Without more information related to the contents of your index.php, I can't tell you what exactly they are exploiting.  However, since the page they are going to doesn't appear to be a google ad site or phishing site, I would just call this a mistaken URI fat fingered redirect from some place?
But here are the basic steps for "forensics" of any such problem (even the exploitive ones):
1) Where is it coming from?  Your log should have a complete source IP?
Cut and splice the complete log report example into your "forensics" report.
Include your TIMEZONE for their edification.  
Include the date of the first attack using grep on your logs.  Add frequency or whatever else is unique about it.
If the issue or attack comes from multiple sources, indicating bots, include that information also.
2) Run a whois on the source IP and see who is the Swip'd IP block owner, domain name, and access that page for additional information.
Cut and splice the technical contact for that block into your "report".
3) Go to the referral site (http://humano.ya.com) and find their email address to add to the "report".
4) Send a copy of the referring IP address to your firewall administrator to deny for port 80/443, or add to your server based IPTABLES deny via a one liner:

iptables -A INPUT -s $ipaddress -j DROP
/etc/init.d/iptables save
5) Include your name and address, contact information and statement of confidentiality.


Catch the January PLUG HackFest!   Kristy Westphal, CSO for the Arizona Department of Economic Security will provide a one hour presentation on forensics.


Date: Wed, 3 Dec 2008 14:39:40 -0800
From: klsmith2020@yahoo.com
Subject: OT: Website Exploits
To: plug-discuss@lists.plug.phoenix.az.us


Hi,

I am working on a website that gets a lot of exploit attempts.

They mostly look like this:  /index.php?display=http://humano.ya.com/mysons/index.htm?

Our code is set to disregard any value that is not expected. 

I'm wondering if there is a clearing house for reporting this type of stuff.  I have the IP address as reported.... if that is accurate.

Thanks in advance!

Keith
