I'm not sure if anyone here runs any sort of host IDS or some other log analysis on their web logs, but I noticed an uptick in apache/httpd 404 errors similar to this:

Code:
84.240.9.6 - - [02/Jun/2014:03:36:49 -0700] "GET /++liker.profile_URL++ HTTP/1.0" 404 30425 "http://www.ocabj.net/++liker.profile_URL++" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.13014 YaBrowser/13.12.1599.13014 Safari/537.36"

I keyed on the "++liker.profile_URL++" string and a google search yielded a definitive answer. But the consensus appears to be that these are triggered by spam bots trying to drop/inject URLs (links) on any website via comment forms, html forms, etc.

Several weeks ago I implemented a custom OSSEC rule:

Code:
<rule id="101007" level="6">
  <if_sid>31101</if_sid>
  <regex>+liker\.profile_URL+</regex>
  <match>GET</match>
  <description>Link dropping spam bot.</description>
</rule>

The above basically strings off a 404 error match and checks for the request type and regexes for the liker.profile_URL string in the http request. I don't even have a composite rule for frequency right now. I immediately set level=6 so it blocks the IP on a single event of this type (my OSSEC active response triggers off of level >= 6). This may be a bit strict, but I figure if this 404 is caused by a spam bot, why bother with checking for multiple requests in a specific time span?

Has anyone else come across this behavior in their environment?

Has anyone else mitigated these bots? What was your method?
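The detection the post's OSSEC rule performs, re-expressed as an added example in Python that is not the poster's code and not part of OSSEC: it parses Apache "combined" log lines, applies the same three conditions the rule encodes (404 status, GET request, the liker.profile_URL token in the request path) and counts hits per source address, which is the per-IP frequency the poster says the rule does not yet track. The log lines, IP addresses (RFC 5737 documentation ranges) and the example.com referer are constructed for the example; only the indicator string comes from the post.

```python
import re
from collections import Counter

# Apache "combined" log format, one request per line. This regex is written for the
# example and is not the pattern OSSEC's own apache decoder uses.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Indicator from the post: the template token the bot requests without substituting it.
INDICATOR = "liker.profile_URL"


def parse_line(line):
    """Return the fields of one combined-format line as a dict, or None if it does not parse."""
    m = COMBINED_RE.match(line.strip())
    return m.groupdict() if m else None


def is_link_drop_probe(entry):
    """Same conditions as the OSSEC rule: 404 response, GET method, indicator in the path.

    The rule's <match>GET</match> is a substring match over the whole log line; checking the
    parsed method field is the stricter equivalent."""
    return (entry["status"] == "404"
            and entry["method"] == "GET"
            and INDICATOR in entry["path"])


def offending_ips(lines):
    """Return {ip: hit_count} for every source address that triggered the rule at least once."""
    hits = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # malformed or non-combined line: skip rather than crash the scan
        if is_link_drop_probe(entry):
            hits[entry["ip"]] += 1
    return dict(hits)


# Constructed sample log (documentation addresses and hostname; not from a real server).
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Jun/2014:03:36:49 -0700] "GET /++liker.profile_URL++ HTTP/1.0" 404 30425 '
    '"http://www.example.com/++liker.profile_URL++" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36"',
    # Same token but a POST: the rule (and this mirror) does not fire on it.
    '203.0.113.7 - - [02/Jun/2014:03:36:50 -0700] "POST /++liker.profile_URL++ HTTP/1.0" 404 30425 '
    '"-" "Mozilla/5.0"',
    # Ordinary traffic and an ordinary 404 from a legitimate visitor: must not fire.
    '198.51.100.4 - - [02/Jun/2014:03:40:12 -0700] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [02/Jun/2014:03:41:00 -0700] "GET /missing-page HTTP/1.1" 404 1024 "-" "Mozilla/5.0"',
    # A line that is not in combined format at all.
    'garbage line that is not in combined format',
]

if __name__ == "__main__":
    for ip, n in offending_ips(SAMPLE_LOG).items():
        print(f"{ip}: {n} link-drop probe(s) -> candidate for active response")
```

Running the block against the constructed sample reports a single hit for 203.0.113.7; the plain 404 from 198.51.100.4 is left alone, which is the distinction that makes blocking on a single event defensible here: the indicator is a token no legitimate client would request, so the rule keys on the request itself rather than on 404 volume.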