Blocking the Idiot’s Machines

Finally got sick and tired of getting “oversized record” messages from Webalizer each morning from it trying to process Apache logs with lines 3000+ characters long, mostly consisting of “\x0\x0” characters… obviously automated zombies trying to exploit IIS vulnerabilities. Learned a bare minimum of iptables to put in a bunch of block rules, and it seems to work. Eventually I’ll have it do more interesting and complex things, but this should work for now. If you suddenly can’t get to this site, let me know. If you want to let the owners of any of the following IP addresses know that they’re infested and/or hax0rs, feel free to read more…


4 Comments on “Blocking the Idiot’s Machines”

  1. IIRC the changelog entry for the last Debian upload of webalizer mentions a patch that fixes this problem.

  2. My hourly webalizer cronjob has been doing that for years, but I’ve been redirecting its bitching to /dev/null 🙂
    Is there a nice way of sanitizing the log file? I guess a bunch of grep -v’s will do it.

  3. naked apache # cat arcterex-access.log | grep -v "\x0" arcterex-access.log > arcterex-access.log.new
    naked apache # mv arcterex-access.log.new
    naked apache # /etc/init.d/apache stop
    * Stopping apache…
    naked apache # mv arcterex-access.log.new arcterex-access.log
    naked apache # /etc/init.d/apache start
    * Starting apache…
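As an added example (not the post's own iptables rules or the commenter's session above), here is a POSIX shell script that does what comment 3 does by hand, dropping the "\x0"-laden and oversized lines before Webalizer sees them, and also reports which source addresses sent them, which is the input the post's block rules need. The sample log lines, hosts and the 2048-character limit are constructed assumptions.

```shell
#!/bin/sh
# Added example: strip Apache access-log lines that trip Webalizer's
# "oversized record" check and summarise where they came from.
# Every host and request below is a constructed sample, not real log data.
set -u

# Drop lines longer than MAXLEN or containing Apache's literal "\x.." escape,
# write the survivors to DST, and print how many lines were dropped.
clean_log() {  # usage: clean_log SRC DST [MAXLEN]
    src=$1; dst=$2; maxlen=${3:-2048}
    awk -v max="$maxlen" '
        index($0, "\\x") || length($0) > max { dropped++; next }
        { print > dst }
        END { print dropped + 0 }' dst="$dst" "$src"
}

# Print "count host" for each source of a dropped line, busiest first.
probe_hosts() {  # usage: probe_hosts SRC [MAXLEN]
    awk -v max="${2:-2048}" '
        index($0, "\\x") || length($0) > max { print $1 }' "$1" |
        sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Constructed sample: two normal hits plus two probes, one of them a
# 3000+ character line of "\x0" like the ones described in the post.
JUNK=$(awk 'BEGIN { for (i = 0; i < 1000; i++) printf "%s", "\\x0" }')
SAMPLE_LOG=$(mktemp); CLEAN_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG" "$CLEAN_LOG"' EXIT
{
    printf '%s\n' '192.0.2.10 - - [01/Jan/2004:10:00:01 -0800] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"'
    printf '%s\n' "198.51.100.7 - - [01/Jan/2004:10:00:02 -0800] \"GET /default.ida?$JUNK HTTP/1.0\" 400 0 \"-\" \"-\""
    printf '%s\n' '192.0.2.11 - - [01/Jan/2004:10:00:03 -0800] "GET /about.html HTTP/1.1" 200 567 "-" "Mozilla/5.0"'
    printf '%s\n' '198.51.100.7 - - [01/Jan/2004:10:00:04 -0800] "GET /scripts/..\x0\x0\x0\x0 HTTP/1.0" 404 0 "-" "-"'
} > "$SAMPLE_LOG"

DROPPED=$(clean_log "$SAMPLE_LOG" "$CLEAN_LOG")   # -> 2
echo "dropped $DROPPED line(s); kept $(wc -l < "$CLEAN_LOG")"
probe_hosts "$SAMPLE_LOG"                          # -> "2 198.51.100.7"
```

On a live server you would run `clean_log` on a copy of the rotated log and point Webalizer at the cleaned file, rather than stopping Apache to swap the file underneath it.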