[kwlug-disc] Apache 403 & access.log questions

Khalid Baheyeldin kb at 2bits.com
Thu Apr 4 22:18:00 EDT 2019


On Thu, Apr 4, 2019 at 9:35 PM Charles M <chaslinux at gmail.com> wrote:

>
> Second question. In the access.log I saw a line that begins:
>
> 103.67.235.45 - - [04/Apr/2019:20:33:27 -0400] "POST //?q=user/password&name[%23post_render][]=passthru&name[%23type]=markup&name[%23markup]=echo+R0lGOD
>
> It goes on for something like 30 lines at the end of which is an
> apache 414 error. It looks to me like someone is trying to hack the
> site (drupal). Is it worth just dropping/blocking the IP?


This is an attempt to exploit sites that are vulnerable to this SA:

https://www.drupal.org/sa-core-2018-002

The 414 error is 'request too long', so the hackers did not write proper
exploit attempts.

If you upgraded then you are not vulnerable.

You can block the IP address, but they will be back from others, so arms
race scenario.
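
Added example, not part of the original messages: a small Python scan of an Apache access log for the probe pattern quoted above (render-array keys such as #post_render in parameter names), grouping hits by source IP and status code. The sample log lines are constructed, use documentation IP ranges, and assume the common/combined log format.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Common/combined log format: ip ident user [time] "request" status size ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}) ')

# Render-array keys seen in the quoted probe, matched after URL-decoding.
PROBE_RE = re.compile(r'\[#(post_render|type|markup)\]', re.IGNORECASE)

# Constructed sample lines (documentation IP ranges), not from a real log.
SAMPLE_LOG = """\
192.0.2.10 - - [04/Apr/2019:20:33:27 -0400] "POST //?q=user/password&name[%23post_render][]=passthru&name[%23type]=markup&name[%23markup]=echo+AAAA" 414 0
198.51.100.7 - - [04/Apr/2019:20:40:01 -0400] "GET /node/1 HTTP/1.1" 200 5120
192.0.2.10 - - [04/Apr/2019:20:41:12 -0400] "POST /?q=user/password&name[%23post_render][]=passthru HTTP/1.1" 403 199
203.0.113.5 - - [04/Apr/2019:21:02:45 -0400] "POST /?q=user/password&name%5B%23post_render%5D%5B%5D=passthru HTTP/1.1" 200 812
"""


def find_probes(log_text):
    """Return {ip: sorted status codes} for requests matching the probe."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log line we understand
        ip, request, status = m.group(1), m.group(2), int(m.group(3))
        # Decode %23 -> '#', %5B/%5D -> '[' ']' before matching.
        if PROBE_RE.search(unquote(request)):
            hits[ip].add(status)
    return {ip: sorted(codes) for ip, codes in hits.items()}


def not_rejected(hits):
    """IPs whose probe got a non-error status; confirm patch level for these."""
    return sorted(ip for ip, codes in hits.items() if any(c < 400 for c in codes))


if __name__ == "__main__":
    hits = find_probes(SAMPLE_LOG)
    for ip, codes in sorted(hits.items()):
        print(ip, codes)
    print("answered without an error status:", not_rejected(hits))
```

A non-error status on a matching request does not by itself show a compromise; it only marks requests the server did not reject, which is where checking that the site was upgraded matters.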