Spammers' IPs from Apache access log, what to do with them?
A spammer injected a .php file which sent out spam.
I got a list of around 40 IPs that accessed this malicious .php file in the last 2 hours since it was uploaded (/BjtRC40Z).
Should I do anything about this IP list, report it somehow, or let it be? I think these IPs can be some kind of botnet, infected PCs maybe.

Be sure that any web app on the internet is completely patched. That goes triple for any themes used, which are a MAJOR security liability based on history.

Depending on the purpose of your website, you may be able to reduce the attack surface drastically by blocking parts of the world that will never purchase anything (legally) from you or your company. There are geo-location subnet lists which can be used to block those places. If you are only sharing information without any revenue expectations, then you can be more aggressive about blocking.

For example, I block much of Russia, Romania and China because subnets there showed up in my logs with common attack methods. Initially, I blocked using normal iptables methods, but as I saw more and more harmful user-agents wasting our bandwidth, I started blocking based on those in the reverse proxy layer. Eventually, the number of manual entries in my subnet block list grew to over 7000. I just added another "SEO" webcrawler yesterday because they steal content and their business model is built around NOT helping us make sales. People stealing our bandwidth is not ok, especially for dynamic content.

For the static content, it doesn't matter too much, provided gzip is supported. I worked hard to optimize our site and to reduce the total size for each page requested. Crawlers that don't support gzip are just lazy, so I ban them.

Of course, there are other opinions.
BTW, the most important thing for server security is having excellent, versioned, backups for 30-120+ days that can be restored to different hardware, in a different physical location.
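
As an added example (not code from either poster), here is a short Python script that does what the question describes and what the answer's block list implies: it parses Apache combined-format access log lines, pulls out the client IPs that requested a given path (the /BjtRC40Z file from the question), groups those IPs into /24 subnets the way a subnet block list would, and emits iptables DROP rules for them. The log lines are constructed here using RFC 5737 documentation addresses, not taken from anyone's server; the path, the INPUT chain and the /24 grouping are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Apache "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log (RFC 5737 documentation ranges); the last line is
# deliberately malformed to show that junk in the log is skipped, not fatal.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /BjtRC40Z HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "POST /BjtRC40Z HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.99 - - [10/Oct/2023:13:56:01 +0000] "POST /BjtRC40Z HTTP/1.1" 200 512 "-" "curl/7.68.0"
198.51.100.23 - - [10/Oct/2023:13:57:12 +0000] "GET /index.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:57:40 +0000] "GET /BjtRC40Z?x=1 HTTP/1.1" 200 512 "-" "python-requests/2.25"
192.0.2.44 - - [10/Oct/2023:13:58:03 +0000] "GET /BjtRC40Z HTTP/1.0" 404 0 "-" "-"
this line is garbage and will be skipped
"""


def parse_line(line):
    """Return the fields of one combined-log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def hits_on_path(log_text, target_path, statuses=None):
    """Count requests per client IP whose path (query string ignored) equals target_path.

    statuses: optional set of HTTP status strings to keep, e.g. {"200"} to count
    only requests the malicious file actually answered.
    """
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip it rather than crash on a hostile log
        if rec["path"].split("?", 1)[0] != target_path:
            continue
        if statuses is not None and rec["status"] not in statuses:
            continue
        hits[rec["ip"]] += 1
    return hits


def aggregate_subnets(ips, v4_prefix=24, v6_prefix=64):
    """Count distinct IPs per enclosing /24 (IPv4) or /64 (IPv6) subnet.

    Several distinct hitting IPs in one subnet is the signal that a subnet
    rule, rather than a per-host rule, is worth considering.
    """
    subnets = Counter()
    for ip in set(ips):
        addr = ipaddress.ip_address(ip)
        prefix = v4_prefix if addr.version == 4 else v6_prefix
        net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
        subnets[str(net)] += 1
    return subnets


def iptables_rules(ips, chain="INPUT"):
    """Emit one DROP rule per IP, inserted at the top of the chain (-I) so it wins over ACCEPTs."""
    def sort_key(ip):
        addr = ipaddress.ip_address(ip)
        return (addr.version, addr)

    rules = []
    for ip in sorted(set(ips), key=sort_key):
        tool = "iptables" if ipaddress.ip_address(ip).version == 4 else "ip6tables"
        rules.append(f"{tool} -I {chain} -s {ip} -j DROP")
    return rules


if __name__ == "__main__":
    hits = hits_on_path(SAMPLE_LOG, "/BjtRC40Z")
    for ip, n in hits.most_common():
        print(f"{ip:16} {n} request(s)")
    print(dict(aggregate_subnets(hits)))
    print("\n".join(iptables_rules(hits)))
```

Against a real log, call `hits_on_path(open("/var/log/apache2/access.log").read(), "/BjtRC40Z")`; the `statuses={"200"}` filter separates clients that actually got the spam script to run from ones that only probed for it after it was removed. For a block list in the thousands of entries, as the answer describes, loading the addresses into an ipset and matching that set from a single iptables rule scales better than one rule per address.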