For some weeks we have had an intruder who is exploiting us and poisoning us with the virus Unix/RST.A. I have now found how it happens, but it isn't clear to me what he is doing.
I found in the apache log file some interesting strings.
Repeating entries such as this:
ip-hide - - [10/May/2005:19:58:00 +0200] "\v\xa5\xe5)(\xdd\xb7|\xd5\xad&\xd79" 400 - "-" "-"
Have you not heard of mod_security? SecFilterSelective THE_REQUEST "ip-hide" would stop this attack cold.
So would: SecFilterSelective THE_REQUEST "\.\."
<http://www.modsecurity.org/>
Paul Schmehl (pauls@xxxxxxxxxxxx)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
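An added example, not part of either post: a small Python scan of Apache access-log lines that flags entries like the one quoted above, where the request field is not a well-formed HTTP request line or carries escaped binary bytes, and also checks for the ".." pattern from the reply's second rule. The function names, the second and third sample lines and their addresses are constructed for illustration.

```python
import re

# Apache common/combined log line: host ident user [time] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+)'
)
# A well-formed request line: METHOD SP target SP HTTP/x.y
REQUEST_RE = re.compile(r'^[A-Z]+ \S+ HTTP/\d\.\d$')
# Apache writes non-printable bytes as \xhh or as C-style escapes such as \v
ESCAPE_RE = re.compile(r'\\(?:x[0-9a-fA-F]{2}|[nrtvbf])')
TRAVERSAL_RE = re.compile(r'\.\.')  # same pattern as the second rule in the reply


def classify(line):
    """Return (host, reasons) for one log line; reasons is empty if nothing matched."""
    m = LOG_RE.match(line)
    if not m:
        return None, ["unparseable"]
    request, reasons = m.group("request"), []
    if not REQUEST_RE.match(request):
        reasons.append("malformed-request-line")
    if ESCAPE_RE.search(request):
        reasons.append("escaped-binary-bytes")
    if TRAVERSAL_RE.search(request):
        reasons.append("dot-dot-sequence")
    return m.group("host"), reasons


def scan(lines):
    """Yield (host, reasons, line) for every line that raised at least one flag."""
    for line in lines:
        host, reasons = classify(line.rstrip("\n"))
        if reasons:
            yield host, reasons, line


# Constructed sample input: the first entry is the one quoted in the post,
# the other two (and their documentation-range addresses) are invented here.
SAMPLE = [
    r'ip-hide - - [10/May/2005:19:58:00 +0200] "\v\xa5\xe5)(\xdd\xb7|\xd5\xad&\xd79" 400 - "-" "-"',
    r'192.0.2.10 - - [10/May/2005:19:58:04 +0200] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    r'198.51.100.7 - - [10/May/2005:19:59:12 +0200] "GET /docs/../private/ HTTP/1.0" 404 210 "-" "-"',
]

if __name__ == "__main__":
    for host, reasons, line in scan(SAMPLE):
        print(host, ",".join(reasons))
```

Grouping the flagged lines by host and timestamp shows how often the malformed requests repeat and from where.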