someone trying to hack my box?

jimlynch11 · Posted: Mon Jun 16, 2003 1:15 pm Post subject: someone trying to hack my box?

ok so it appears that someone is trying to hack my apache server, based on the logs. it also appears they are under the assumption that i have a NT based machine (suckers). here is a quick quote of what iv found:

EvilN · Posted: Mon Jun 16, 2003 1:23 pm Post subject:

Yes and no.

These seems to be worms form people who cant seem to realize the importance of keeping their machines up to date.

Their webservers are infected with worms that try to infect other machines.
Since you are running apache I think you are in the clear but it could be a good idea to check their site for security holes in you release of apache.
_________________
Juniper Networks Certified Internet Associate
JNCIA-M #0090

dolbz · Posted: Mon Jun 16, 2003 1:28 pm Post subject:

well. First off notice that these are all windows based commands. i.e. cmd.exe is to access the windows dos prompt and people who have misconfigured iis could have this available. Therefore for entries like this in your logs you've got nothing to worry about as they are windows exploits. And if they aren't even clever enough to check what server you're running by trying to get a error 404 (assuming you're server shows the standard apache error message) then they're not gonna be able to do much damage to be honest.

As for blocking their IP it might not be the best idea if it's dynamically assigned because soemone else will end up with it, although it wont harm anyone unless they want to view your site. I dont know IP tables but it can be configured to deny access for specific IP addresses as far as I know.

As for quick tips for securing your box. just disable any server options you dont need and if anyone ever does get in you'll learn from your mistake (if you made one) lol

Dolbz

paranode · l33t Joined: 06 Mar 2003 Posts: 679 Location: Texas

I get dozens of these a day. It's just something you have to put up with when you run a publicly-available web server. The Gentoo Linux Security Guide has some good pointers on how best to secure your machine in case it was somehow vulnerable to a new worm or exploit.
_________________
Meh.

DrkPlague · Tux's lil' helper Joined: 04 Jun 2003 Posts: 107

in the security groups, we call this background radiation. its when you start seeing multiple sweeps from the SAME IP that there is an issue.
_________________
DKP

There are 10 kinds of people in the world:
Those who understand binary and those who don't...

jimlynch11 · Posted: Mon Jun 16, 2003 3:50 pm Post subject:

uzik · Apprentice Joined: 17 Apr 2003 Posts: 257

Deathwing00 · Posted: Mon Jun 16, 2003 6:48 pm Post subject:

I also had lots of those kind of worm attacks everyday... it seems the ones that have the infected servers have knowledge of it and still do nothing. Perhaps they are VIRII and want to use this type of methods in order to propagate worms... :cry:

dolbz · Posted: Mon Jun 16, 2003 8:41 pm Post subject:

kleppari · Posted: Tue Jun 17, 2003 1:48 am Post subject:

Most people here are hackers, there's a big diffrence between a hacker and a cracker

(Check the Jargon file)
But, that's probably some kind of a worm, nimda or something...
_________________
Regards, kleppari.

The way humans perceive beauty is intimately related to our ability to process and understand complexity.

slartibartfasz · Posted: Tue Jun 17, 2003 5:46 am Post subject:

EvilN · Posted: Tue Jun 17, 2003 6:55 am Post subject:

DrkPlague · Tux's lil' helper Joined: 04 Jun 2003 Posts: 107

Koon · Retired Dev Joined: 10 Dec 2002 Posts: 518

Forse · Posted: Tue Jun 17, 2003 1:51 pm Post subject:

This is better, get this script http://www.goldenrain.net/Downloads/anti_code_red.sh and run is with their ip as parameter. It will popup nasty messge and will create a noticable file on C:\ root :twisted:

_________________
[ My sites ]: UnixTutorials : AniFIND : AnimeYume

slartibartfasz · Posted: Tue Jun 17, 2003 2:07 pm Post subject:

Zu` · l33t Joined: 26 May 2002 Posts: 716 Location: BE

EvilN · Posted: Tue Jun 17, 2003 5:32 pm Post subject:

Niiiiice, why didnt I think of that! Too simple!
Thanks for the tip.
And of course, I am running OpenBSD on all my firewalls.
_________________
Juniper Networks Certified Internet Associate
JNCIA-M #0090

wyvern · Posted: Tue Jun 17, 2003 10:01 pm Post subject:

uzik · Apprentice Joined: 17 Apr 2003 Posts: 257

slartibartfasz · Posted: Wed Jun 18, 2003 3:49 am Post subject:

uzik · Apprentice Joined: 17 Apr 2003 Posts: 257

I just finished up a shell script that works with iptables to ban badly
behaved robots that access the web site. (Those that ignore the robots.txt
file specifically).

It uses iptables, bash, and a lot of the basic text handling stuff from
the command line ( grep, cut, etc.). If you're interested email me
and I'll share it with you. uzik @ reddawn.net

tgoodaire · Posted: Mon Jun 23, 2003 3:55 pm Post subject:

I wrote a little perl script that checks my apache logs for references to cmd.exe and default.ida. It then sees if the ip address is in /etc/firewall/blocked, and adds it if it's not already there. Then it restarts my firewall which blocks all ips in /etc/firewall/blocked. Works for me.

Also, portsentry has an option to run a command when it encounters a problem (can't remember what the option was called, but it's in the config file). If you wanted, you could have it add an iptables rule to block ips, or email you the output of "tail -n 20 /var/log/syslog", or whatever.
_________________
I bent my wookie.

uzik · Apprentice Joined: 17 Apr 2003 Posts: 257

LOL! I was just finishing up that script when I noticed your message.
I used wget to pop up a message on their box telling them it was
infected. I figure one message every half an hour should work

slartibartfasz · Posted: Tue Jun 24, 2003 5:15 am Post subject: