3

I'm sure your HTTP logs, like mine, are full of 404 errors from various probes for common vulnerabilities and such:

File does not exist: /www/XXXXXX.XX/data/email
File does not exist: /www/XXXXXX.XX/data/exchange
File does not exist: /www/XXXXXX.XX/data/logon.asp
File does not exist: /www/XXXXXX.XX/data/phpMyAdmin
File does not exist: /www/XXXXXX.XX/data/vtigercrm

...and so on.

In the email world, one cool trick we can use is greylisting and/or tarpitting, forcing spammers to spend more resources waiting and/or queuing and retrying deliveries, possibly raising their costs and thus doing something good to the world. Also, later in the chain, tools like DCC/Razor/Pyzor do use feedback to a central site to make anti-spam systems work better.

I'm now wondering if there is anything similar we can do to those nasty HTTP probes that could be useful or, at least, funny. Like HTTP redirect them somewhere else... I guess most of the time the client won't follow the redirect but maybe sometimes it will, so we can send him to some honeypot, tarpit, or whatnot. (I doubt any human will ever see that redirect so redirecting them to some goatse won't have any coolness bonus :) )

Luke404
  • You could always rickroll them. – ceejayoz Apr 30 '12 at 16:01
  • I do not agree with the closing: my question involves actual facts and tries to solicit constructive discussion about what could be done to improve the whole situation, possibly using statistical information gathered from the probe events (in the email world that's the basis for most of the success against spammers) – Luke404 May 03 '12 at 08:23

1 Answer

1

I can't think of a useful thing to do, but you can have code to redirect the scanner back to the connecting IP address. Or if you don't mind the open connections, have some PHP or other code sleep for 5-10 seconds or more before sending a redirect, a 404, or some 500 error.

becomingwisest
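
The delay-before-404 idea from the answer above, as an added example that is not part of the original post and is written in Python rather than PHP. It caps the number of probes held open at once, which addresses the "open connections" cost the answer mentions. The prefix list is constructed from the log excerpt in the question; `PROBE_PREFIXES`, `MAX_TARPITTED`, `SLOTS` and the listening address are assumptions.

```python
import threading
import time
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed from the probe paths in the question's log excerpt (assumption).
PROBE_PREFIXES = ("/email", "/exchange", "/logon.asp", "/phpmyadmin", "/vtigercrm")
DELAY_SECONDS = 5      # the answer suggests 5-10 seconds or more
MAX_TARPITTED = 20     # assumed cap so held probes cannot exhaust worker threads
SLOTS = threading.BoundedSemaphore(MAX_TARPITTED)


def is_probe(path):
    """True when the request path equals or sits under a known probe prefix."""
    p = path.split("?", 1)[0].lower()
    return any(p == x or p.startswith(x + "/") for x in PROBE_PREFIXES)


def tarpit_delay(path, delay=DELAY_SECONDS):
    """Hold a probe request for `delay` seconds; return the seconds slept.

    Legitimate paths are never delayed. When every slot is already in use the
    probe gets an immediate answer, so a burst of probes cannot tie up the server.
    """
    if not is_probe(path) or not SLOTS.acquire(blocking=False):
        return 0.0
    try:
        time.sleep(delay)
        return float(delay)
    finally:
        SLOTS.release()


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        tarpit_delay(self.path)   # slow down known probes only
        self.send_error(404)      # same response a normal miss would get

    do_HEAD = do_POST = do_GET


if __name__ == "__main__":
    # Assumed local test address; in production this sits behind the real site.
    ThreadingHTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```
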