# someone trying to hack my box?

## jimlynch11

OK so it appears that someone is trying to hack my Apache server, based on the logs. It also appears they are under the assumption that I have an NT-based machine (suckers). Here is a quick quote of what I've found:

 *Quote:*   

> 24.189.230.118 - - [16/Jun/2003:01:08:43 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 274 "-" "-"
> 
> 24.189.230.118 - - [16/Jun/2003:01:08:43 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 272 "-" "-"
> ...

 

This occurs a few times in the logs, from a few different IP addresses. Luckily it doesn't appear they have had much success. .bash_history doesn't have anything suspicious in it for root.

Three questions:

1) How do I make sure that they haven't gotten access?

2) Other than reporting them to their ISP, how do I let them know to watch out (i.e. a script that will block all connections from their IP or something)?

3) Any quick ways to tighten up my box? (I've only got the http and sshd ports open on my firewall.)

Thanks for the help guys.

----------

## EvilN

Yes and no.

These seem to be worms from people who can't seem to realize the importance of keeping their machines up to date.

Their webservers are infected with worms that try to infect other machines.

Since you are running Apache I think you are in the clear, but it could be a good idea to check their site for security holes in your release of Apache.

----------

## dolbz

Well. First off, notice that these are all Windows-based commands, i.e. cmd.exe is to access the Windows DOS prompt, and people who have misconfigured IIS could have this available. Therefore for entries like this in your logs you've got nothing to worry about, as they are Windows exploits. And if they aren't even clever enough to check what server you're running by trying to get an error 404 (assuming your server shows the standard Apache error message) then they're not gonna be able to do much damage, to be honest.

As for blocking their IP, it might not be the best idea if it's dynamically assigned because someone else will end up with it, although it won't harm anyone unless they want to view your site. I don't know iptables, but it can be configured to deny access for specific IP addresses as far as I know.

As for quick tips for securing your box: just disable any server options you don't need, and if anyone ever does get in you'll learn from your mistake (if you made one) lol

Dolbz

----------

## paranode

I get dozens of these a day.  It's just something you have to put up with when you run a publicly-available web server.  The Gentoo Linux Security Guide has some good pointers on how best to secure your machine in case it was somehow vulnerable to a new worm or exploit.

----------

## DrkPlague

In the security groups, we call this background radiation. It's when you start seeing multiple sweeps from the SAME IP that there is an issue.

----------

## jimlynch11

 *DrkPlague wrote:*   

> It's when you start seeing multiple sweeps from the SAME IP that there is an issue.

 

That's pretty much what is happening... I've had like 10 or so of the same attempts by 3 IPs.

----------

## uzik

 *EvilN wrote:*   

> Yes and no.
> 
> These seem to be worms from people who can't seem to realize the importance of keeping their machines up to date.

 

Being up to date and being free of virii aren't necessarily synonymous. A lot of times it's a matter of removing stuff you don't use, getting a firewall set up right, and choosing the right software for the job you want to do. If they were smart they probably would be running Gentoo and they wouldn't have so many problems.

 *EvilN wrote:*   

> Their webservers are infected with worms that try to infect other machines.
> 
> Since you are running Apache I think you are in the clear, but it could be a good idea to check their site for security holes in your release of Apache.

 

Apache has some vulns too, just not those vulns.

----------

## Deathwing00

I also had lots of those kinds of worm attacks every day... It seems the ones that have the infected servers have knowledge of it and still do nothing. Perhaps they are VIRII and want to use this type of method in order to propagate worms...

----------

## dolbz

 *DrkPlague wrote:*   

> In the security groups, we call this background radiation. It's when you start seeing multiple sweeps from the SAME IP that there is an issue.

 

I like the analogy of background radiation, very clever really. I'll remember that.

Dolbz

----------

## kleppari

Most people here are hackers; there's a big difference between a hacker and a cracker (check the Jargon File).

But that's probably some kind of worm, Nimda or something...

----------

## slartibartfasz

 *DrkPlague wrote:*   

> In the security groups, we call this background radiation. It's when you start seeing multiple sweeps from the SAME IP that there is an issue.

 

Haha - 'background radiation', really good.

Hmm - does one of you know portsentry? I don't use it anymore, but watching the Apache logs in a similar fashion would be interesting to sort out the guys that are a little bit too nosey. Does someone know a tool like this? I have to admit that I'm too lazy to check manually or to write a script...

----------

## EvilN

 *slartibartfasz wrote:*   

> *DrkPlague wrote:* In the security groups, we call this background radiation. It's when you start seeing multiple sweeps from the SAME IP that there is an issue.
> 
> Haha - 'background radiation', really good.
> 
> Hmm - does one of you know portsentry? I don't use it anymore, but watching the Apache logs in a similar fashion would be interesting to sort out the guys that are a little bit too nosey. Does someone know a tool like this? I have to admit that I'm too lazy to check manually or to write a script...

 

Didn't portsentry just add the IP of the port scanner to hosts.deny?

That would only lock out users from services run from inetd and not daemons, right?

----------

## DrkPlague

 *slartibartfasz wrote:*   

> Hmm - does one of you know portsentry? I don't use it anymore, but watching the Apache logs in a similar fashion would be interesting to sort out the guys that are a little bit too nosey. Does someone know a tool like this? I have to admit that I'm too lazy to check manually or to write a script...

 

Snort. Either find a good ruleset or merge a couple together to get a set that will alert you to heavy probing but ignore "lighter" passes.

----------

## Koon

 *jimlynch11 wrote:*   

> That's pretty much what is happening... I've had like 10 or so of the same attempts by 3 IPs.

 

I got the same probes here (with the same URLs in the same order), everyone does. No one will really try to hack you unless you respond positively to these automatic probes. And since you don't run an unpatched Windows setup you will not be noticed.

But if you run unpatched Windows NT 4 with IIS you *will* automatically get infected, although no one really wanted to hack you and probably no one is still listening to the probes' return anymore.

-K

----------

## Forse

This is better: get this script http://www.goldenrain.net/Downloads/anti_code_red.sh and run it with their IP as parameter. It will pop up a nasty message and will create a noticeable file on the C:\ root.

----------

## slartibartfasz

 *EvilN wrote:*   

> Didn't portsentry just add the IP of the port scanner to hosts.deny?
> 
> That would only lock out users from services run from inetd and not daemons, right?

 

Right - that's why I don't use it anymore - I'd like something similar in the way it detected an attack - the response would be something different of course: mail, iptables, whatever...

 *DrkPlague wrote:*   

> Snort. Either find a good ruleset or merge a couple together to get a set that will alert you to heavy probing but ignore "lighter" passes.

Thanks - good idea - I'll try that...

----------

## Zu`

 *slartibartfasz wrote:*   

> Right - that's why I don't use it anymore - I'd like something similar in the way it detected an attack - the response would be something different of course: mail, iptables, whatever...

 

Here's a very efficient solution, however OpenBSD-specific:

http://www.benzedrine.cx/pf/msg01273.html

Unless you actually happen to run OpenBSD, this might perhaps serve as inspiration for some script you could possibly put together that works with iptables.

I don't know enough about iptables to know if this is possible though.

Hope this is helpful.

----------

## EvilN

Niiiiice, why didn't I think of that! Too simple!

Thanks for the tip.

And of course, I am running OpenBSD on all my firewalls.

----------

## wyvern

 *Quote:*   

> Unless you actually happen to run OpenBSD, this might perhaps serve as inspiration for some script you could possibly put together that works with iptables.
> 
> I don't know enough about iptables to know if this is possible though. 

 

It's definitely possible with iptables, as new rules can be added on the fly. I like this solution. 


----------

## uzik

 *Forse wrote:*   

> This is better: get this script http://www.goldenrain.net/Downloads/anti_code_red.sh and run it with their IP as parameter. It will pop up a nasty message and will create a noticeable file on the C:\ root.

 

Good idea. I don't have lynx on my box (that's the text-only web browser, right?), but since wget is standard for all Gentoos I might try to update this to use wget.

----------

## slartibartfasz

 *Zu` wrote:*   

> Here's a very efficient solution, however OpenBSD-specific:
> 
> http://www.benzedrine.cx/pf/msg01273.html

 

This looks very nice - does anyone know of a pf Linux port? (Don't have a dedicated firewall box.)

----------

## uzik

I just finished up a shell script that works with iptables to ban badly behaved robots that access the web site (those that ignore the robots.txt file specifically).

It uses iptables, bash, and a lot of the basic text handling stuff from the command line (grep, cut, etc.). If you're interested, email me and I'll share it with you. uzik @ reddawn.net

----------

## tgoodaire

I wrote a little Perl script that checks my Apache logs for references to cmd.exe and default.ida. It then sees if the IP address is in /etc/firewall/blocked, and adds it if it's not already there. Then it restarts my firewall, which blocks all IPs in /etc/firewall/blocked. Works for me.

Also, portsentry has an option to run a command when it encounters a problem (can't remember what the option was called, but it's in the config file). If you wanted, you could have it add an iptables rule to block IPs, or email you the output of "tail -n 20 /var/log/syslog", or whatever.
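A worked version of the log-scanning idea in this post combined with the "multiple sweeps from the same IP" rule from earlier in the thread, as an added example that is not any poster's script: it parses Apache combined-format lines, counts the worm signatures quoted in this thread (root.exe, cmd.exe, default.ida) per client, and prints iptables DROP rules only for addresses that probed repeatedly and are not already on the blocklist. The sample lines and IPs are constructed; the blocklist file and its path are assumed.

```python
"""Count Code Red / Nimda style probes per client in Apache logs and build
iptables DROP rules for repeat offenders (constructed example)."""
import re
from collections import Counter

# Constructed sample lines in Apache combined log format, modelled on the probes
# quoted in the thread. The IPs are documentation addresses, not real ones.
SAMPLE_LOG = """\
192.0.2.10 - - [16/Jun/2003:01:08:43 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 274 "-" "-"
192.0.2.10 - - [16/Jun/2003:01:08:43 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 272 "-" "-"
192.0.2.10 - - [16/Jun/2003:01:08:44 -0400] "GET /winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 280 "-" "-"
198.51.100.7 - - [16/Jun/2003:02:15:01 -0400] "GET /default.ida?XXXX HTTP/1.0" 404 277 "-" "-"
203.0.113.5 - - [16/Jun/2003:03:00:00 -0400] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, request line and status of the combined format; the rest is ignored.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')
# Path fragments the worms ask for; they mean nothing to Apache but identify the scan.
PROBE_RE = re.compile(r'/(root\.exe|cmd\.exe|default\.ida)\b', re.IGNORECASE)


def count_probes(log_text):
    """Return {ip: number_of_probe_requests} over every parseable line."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and PROBE_RE.search(m.group("req")):
            hits[m.group("ip")] += 1
    return dict(hits)


def offenders(log_text, threshold=2):
    """IPs that sent at least `threshold` probes: one hit is background
    radiation, repeated sweeps from a single address are worth acting on."""
    return sorted(ip for ip, n in count_probes(log_text).items() if n >= threshold)


def new_entries(existing, candidates):
    """Candidates not already on the blocklist, so each IP gets one rule only."""
    seen = set(existing)
    return [ip for ip in candidates if ip not in seen]


def iptables_rules(ips):
    """DROP rules for the given IPs, returned as text so they can be reviewed
    before running (dynamic addresses get reassigned, so rules should expire)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in ips]


if __name__ == "__main__":
    blocked = []  # assumed: would be read from a blocklist file such as /etc/firewall/blocked
    for rule in iptables_rules(new_entries(blocked, offenders(SAMPLE_LOG))):
        print(rule)
```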

----------

## uzik

LOL! I was just finishing up that script when I noticed your message. I used wget to pop up a message on their box telling them it was infected. I figure one message every half an hour should work.

----------

## slartibartfasz

 *uzik wrote:*   

> I figure one message every half an hour should work 

 

Hehe - not if it is one of those freelance servers, where the admin takes a look at the machine every few weeks... The guy will have some fun getting rid of the notifications.

----------

## uzik

The source in shell script to implement a Code Red messager and ill-behaved robot/spider trap using iptables can be found at: http://www.reddawn.net/~jsprenkl/badbot.tar.gz

Today I realize I really screwed up though. I should have named the script that scans for Code Red differently. It really should be called 'wormsign'.

----------

## Athlon_Jedi

Not to mention the Code Red 2 worm seems to be freely bouncing about the internet lately. Before I decided to go to Linux I ran a Windows Server 2003 box with a firewall that was reporting a Code Red 2 DoS attack from many IPs on a daily basis, so there are still a few people living under rocks as far as network security is concerned in the world. It would be nice if it were illegal for stupid people to touch technology, but hey, that's life lol

----------

## uzik

I've been averaging 8-10 unique IPs per day.

----------

## cdunham

Anyone know what the legal ramifications are for exploiting a vulnerability to warn a system owner of a vulnerability that could be exploited?

There's always this one, too (in apache.conf):

```
####
# Bounce back to hackers/worms/etc
# $1 is the matched request path, so the client is redirected to that same path on its own loopback address
RedirectMatch permanent ^(.*\.(exe|dll|ida).*)$ http://127.0.0.1$1
RedirectMatch permanent ^(.*/formmail\..*)$ http://127.0.0.1$1
```

----------

## uzik

To sue me they'd have to admit their system was infected. I would then counter-sue that they knowingly did this and caused damage to my system and helped spread the worm. I can sue just as well as they can.

----------

## cdunham

True, but only the lawyers win in that game...

----------

## slartibartfasz

 *cdunham wrote:*   

> Anyone know what the legal ramifications are for exploiting a vulnerability to warn a system owner of a vulnerability that could be exploited?

 

I don't know where you are from - but at least in Europe there are plans to ban this. They want to make it illegal to use security flaws for whatever purpose - so even to tell someone that there exists a hole can be dangerous - guess what this will do.

I'm not a lawyer so I'm not really up to date on this - but it is definitely planned...

----------

## DrkPlague

It is all about ethics. There was a large debate in my class about Code Green and its use. For those who don't know, Code Green watches IIS logs for Code Red attacks. When it finds one, it connects to that server and exploits the Code Red hole to install itself. It then patches the hole, kills Code Red, and leaves a txt on the desktop saying what it did. It then starts watching again.

It even had a self-destruct setup where if the sysadmin didn't kill it (using a handy .bat it made, all of which is mentioned in the txt) within 30 days, it would uninstall itself.

Now, where most geeks would say this is "good", technically it is still a worm. It self-propagates and uses a vulnerability to do so. Hence the moral dilemma.

----------

## getmoon

 *DrkPlague wrote:*   

> In the security groups, we call this background radiation. It's when you start seeing multiple sweeps from the SAME IP that there is an issue.

Hi, your profile's girl is so beautiful. I love it. Hoho

----------

## clumsyninja

 *DrkPlague wrote:*   

> It is all about ethics. There was a large debate in my class about Code Green and its use. For those who don't know, Code Green watches IIS logs for Code Red attacks. When it finds one, it connects to that server and exploits the Code Red hole to install itself. It then patches the hole, kills Code Red, and leaves a txt on the desktop saying what it did. It then starts watching again.
> 
> It even had a self-destruct setup where if the sysadmin didn't kill it (using a handy .bat it made, all of which is mentioned in the txt) within 30 days, it would uninstall itself.
> 
> Now, where most geeks would say this is "good", technically it is still a worm. It self-propagates and uses a vulnerability to do so. Hence the moral dilemma.

 

IANAL, but I believe that in the US there is a good chance that the rights of the individual are going to be lost in favor of the rights of the few. You can see this happening with the badly written DMCA, and in current 'balloons' being floated in Washington. The idea of someone's computer being 'compromised' by anti-p2p technology by the entertainment industry would have been unheard of even 3-4 years ago during the Napster hoopla. But just last week (2 weeks ago???) a prominent senator introduced the idea that such technology would in fact become law.

There are other examples, of course... such as the extremely powerful direct-marketing lobby in Washington. They are the reason why there has been talk of anti-spam laws... but only talk. It does not appear that a solid and effective anti-spam law will be passed anytime soon.

Europe seems to be taking a much stronger position in favor of the individual than the current American administration. The global effects of such disparate positions have yet to be seen, but IMHO there is already trouble with American companies doing business in Europe due to their strict data privacy laws (and our notoriously weak ones).

This is an extremely interesting topic and will definitely shape the future of computing all over the globe (yes, even countries outside Europe and the US will be affected).

just my $0.02

cn

----------

## uzik

 *clumsyninja wrote:*   

> <snip>
> 
> IANAL, but I believe that in the US there is a good chance that the rights of the individual are going to be lost in favor of the rights of the few. You can see this happening with the badly written DMCA, and in current 'balloons' being floated in Washington.
> ...

 

You're right on, I think. One can only hope it will be short-lived. I hope it's a self-limiting thing. If they hurt enough of the little people, one day they'll hurt the wrong person, or too many of the wrong people, and it will get 'fixed'. Along the way there will be a trail of blood and tears though.

----------

## cdunham

And if you don't vote, you lose your right to bitch.

But if you're a Republican, don't worry about it. Go ahead and sit this one out, it's a shoo-in. No need to trouble yourself, really...   :Cool: 

P.S. Sorry to bore the non-Americans with our dirty laundry. And sorry about this Bush thing, we're working on cleaning up that mess...

----------

## Rhysem

So to revive an old topic after seeing a bunch of Code Reds flow through my weblogs, I'm pondering the redirect permanent + a modification of the URL to pop up a box on screen for them saying "hey moron", like the script.

The beauty of this IMO is that since you never actually contact their host or do anything to it, it'd be a lot harder to pin any sort of hacking on you. Their box would read what you sent and do it to itself.

----------

## The Mountain Man

 *cdunham wrote:*   

> P.S. Sorry to bore the non-Americans with our dirty laundry. And sorry about this Bush thing, we're working on cleaning up that mess...

 

Yeah, he's sooo much worse than Clinton.   :Rolling Eyes: 

----------

## hbmartin

 *Rhysem wrote:*   

> So to revive an old topic after seeing a bunch of Code Reds flow through my weblogs, I'm pondering the redirect permanent + a modification of the URL to pop up a box on screen for them saying "hey moron", like the script.
> 
> The beauty of this IMO is that since you never actually contact their host or do anything to it, it'd be a lot harder to pin any sort of hacking on you. Their box would read what you sent and do it to itself.

 

Let me know when you get that working.

Harold

----------

## Rhysem

Hard to really tell if I get it working without a throwaway box I could infect.

I suppose there is always vmware's trial period... ;-)

----------

## To

I don't use any auto script for security. Usually I dig the logs and place any IP being dropped on my iptables. But then again I don't have a huge amount of logs.

Tó

----------

