JoeW71 (n00b)
Joined: 07 May 2003 Posts: 27 Location: Umea, Sweden
Posted: Thu Oct 09, 2003 8:10 am Post subject: Am I being hacked??
Looking through the Apache2 access log I find several lines which to me sound like someone is mistaking my server for a Windows machine... and is either trying to execute code or get access to confidential system info... Are there any other opinions?
I have cut out the IPs and the exact dates for readability:
Code:
"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 369 "-" "$
"GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 369 "-" "$
"GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 360 "-" $
"GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 360 "-" "-"
"GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 370 "-$
"GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 370 "-" "-"
"GET /scripts/root.exe?/c+dir HTTP/1.0" 404 348 "-" "-"
"GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 346 "-" "-"
"GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 356 "-" "-"
"GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 356 "-" "-"
"GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 370 "-" "-"
"GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTT$
"GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTT$
"GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt$
"GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 369 "-" "$
"GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 369 "-" "$
"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 369 "-" "$
"GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 369 "-" "$
"GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 360 "-" $
"GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 360 "-" "-"
"GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 370 "-$
"GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 370 "-" "-"
"GET /scripts/root.exe?/c+dir HTTP/1.0" 404 348 "-" "-"
"GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 346 "-" "-"
"GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 356 "-" "-"
"GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 356 "-" "-"
There are several lines of this on several different occasions. Should I be worried??
Regards
_________________ I once met the guys in Anthrax, backstage after a gig in Stockholm. I didn't ask for autographs though.....
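All of the request strings quoted above collapse to the same path once they are canonicalized the way a lenient IIS of the day did it. As an added example (not code from the original post), here is a small Python classifier that performs that decoding, flags the cmd.exe/root.exe probes and counts them per client; the log lines and IPs in SAMPLE_LOG are constructed, not taken from the post.

```python
import re
from collections import Counter

# Constructed Apache combined-format sample (RFC 5737 documentation IPs, not real hosts): three
# requests mirroring the ones quoted in the post, plus one benign request that merely mentions cmd.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Oct/2003:08:01:12 +0200] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 369 "-" "-"
203.0.113.7 - - [09/Oct/2003:08:01:13 +0200] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 370 "-" "-"
198.51.100.9 - - [09/Oct/2003:08:02:01 +0200] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 346 "-" "-"
192.0.2.44 - - [09/Oct/2003:08:03:00 +0200] "GET /scripts/exec_report.cgi?q=cmd HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3})')

def lenient_percent_decode(s: str) -> str:
    """One %XX pass that leaves malformed sequences such as '%%35' in place instead of
    rejecting the request (Apache answers those with 400, as the 400s in the post show)."""
    return re.sub(r'%([0-9A-Fa-f]{2})', lambda m: chr(int(m[1], 16)), s)

def collapse_overlong_utf8(s: str) -> str:
    """Lenient 2-byte UTF-8 rule ((b1 & 0x1F) << 6 | b2 & 0x3F) with no check of the
    continuation bit: %c0%af and %c0%2f both become '/', %c1%9c and %c1%1c both '\\'."""
    return re.sub(r'[\xc0-\xdf].', lambda m: chr(((ord(m[0][0]) & 0x1F) << 6) | (ord(m[0][1]) & 0x3F)), s, flags=re.S)

def canonicalize(path: str) -> str:
    """Decode twice (catches %255c and %25%35%63), collapse overlong UTF-8, unify slashes."""
    s = lenient_percent_decode(lenient_percent_decode(path.split('?', 1)[0]))
    return collapse_overlong_utf8(s).replace('\\', '/').lower()

def escapes_webroot(canon: str) -> bool:
    """True when '..' segments climb above the document root (depth goes negative)."""
    depth = 0
    for seg in canon.split('/'):
        depth += -1 if seg == '..' else int(seg not in ('', '.'))
        if depth < 0:
            return True
    return False

def classify(path: str):
    """('cmd.exe' | 'root.exe', escapes_root) for an IIS-worm style probe, None otherwise."""
    canon = canonicalize(path)
    hit = next((t for t in ('cmd.exe', 'root.exe') if canon.endswith('/' + t)), None)
    return (hit, escapes_webroot(canon)) if hit else None

def probes_by_ip(log_text: str) -> Counter:
    """Count probe requests per client IP; a plain grep for 'exe' or 'script' would also flag line 4."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and classify(m.group(2)):
            hits[m.group(1)] += 1
    return hits
```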
kronon (Apprentice)
Joined: 11 Aug 2003 Posts: 212 Location: NL
Posted: Thu Oct 09, 2003 9:41 am
I get this constantly in my Apache logs too. But so far no one has gotten in. Most scripts think you are using Windows anyway.
jaska (Bodhisattva)
Joined: 06 Jun 2003 Posts: 725 Location: Finland
Posted: Thu Oct 09, 2003 4:29 pm
I wouldn't be too worried; they are exe files, they don't run in Unix environments, at least not without Wine.
ponds (n00b)
Joined: 06 Oct 2003 Posts: 69 Location: MSU, Starkville, MS
Posted: Thu Oct 09, 2003 6:45 pm
It looks like someone is scanning all of your IP block on port 80, testing against a database of known IIS exploits ( directory traversal attacks ).
You don't really have anything to worry about, just make sure you patch Apache ( and all your other servers ) when a vuln hits, because they might one day decide to scan for Apache.
professorn (Apprentice)
Joined: 18 Sep 2003 Posts: 235 Location: Stockholm, Sweden
Posted: Thu Oct 09, 2003 8:32 pm
Wasn't this one of the IIS Unicode bugs which made it possible for an attacker to use cmd to do different things?
M104 (Tux's lil' helper)
Joined: 13 Jan 2003 Posts: 132 Location: Riverside, CA
Posted: Thu Oct 09, 2003 10:09 pm
It's good for you to check your log files like this! Fortunately, these "attacks" are all for Windows based servers. You are also going to see "GET whatever.com HTTP/1.0" requests too and those are scr1pt k1ddi3s looking for an open proxy server. You may also see "OPTIONS / HTTP/1.1" and "SEARCH / HTTP/1.1" requests as well. Basically, these are coming from scripts that crackers use to look for weak web servers. As mentioned above, keep your stuff up to date and you don't have to worry.
I've got a couple of hosts (144.137.67.249 comes to mind) that keep sending my server this crap, even though it's clearly not working.
_________________ "Pulling together is the aim of despotism and tyranny. Free men pull in all kinds of directions." Terry Pratchett, The Truth
JoeW71 (n00b)
Joined: 07 May 2003 Posts: 27 Location: Umea, Sweden
Posted: Mon Oct 13, 2003 8:51 am
Thanks guys for all the answers, it is always nice to visit these forums when I have a problem. So many people wanting to help; I've almost given up on Googling since I installed Gentoo, because no matter what the problem is, when I search the forums I find that someone has ideas or tips to fix it.
Once again, thank you
_________________ I once met the guys in Anthrax, backstage after a gig in Stockholm. I didn't ask for autographs though.....
aroedl (n00b)
Joined: 14 Oct 2003 Posts: 7 Location: Berlin
Posted: Tue Oct 14, 2003 10:59 pm
Hello!
If you wanna know if you were hacked:
emerge chkrootkit
chkrootkit
Andi
jief (Tux's lil' helper)
Joined: 29 Jan 2003 Posts: 95 Location: Montreal, Canada
Posted: Wed Oct 15, 2003 1:29 am
That reminds me of the first time I checked my Apache logs. I didn't know back then what robots.txt was. I got scared shitless and took my webserver offline, until my friend told me this file is used by crawlers and spiders to get data about your site. I then checked the IPs; most were in the IP range of Google, Yahoo, etc.
GentooBox (Veteran)
Joined: 22 Jun 2003 Posts: 1168 Location: Denmark
Posted: Wed Oct 15, 2003 8:31 am
A few viruses check if they can get cmd.exe (Windows command prompt) from an IIS and/or Apache server.
Nimda is a virus that checks for cmd.exe - I think.
_________________ Encrypt, lock up everything and duct tape the rest
dvc5 (Guru)
Joined: 06 Dec 2003 Posts: 433 Location: Sunnyvale, California
Posted: Mon Mar 01, 2004 4:19 am
Just a simple tool I use for dropping packets from these infected IPs.
Code:
emerge iptables
rc-update add iptables default
/etc/init.d/iptables start
iptables -I INPUT -s <insert IP here> -j DROP
# iptables-save only prints the ruleset to stdout; redirect it to the file the Gentoo
# init script loads on start (default /var/lib/iptables/rules-save, see /etc/conf.d/iptables),
# otherwise the restart below reloads the old rules and the DROP rule is lost
iptables-save > /var/lib/iptables/rules-save
/etc/init.d/iptables restart
You can repeat the last 3 commands with each IP you want to add to your iptables "DROP" list. To view the list:
or
to resolve the addresses.
_________________ #define NULL rand() /*heh heh heh */ Green Is Good
dreamer (Apprentice)
Joined: 16 Aug 2003 Posts: 236
Posted: Mon Mar 01, 2004 9:59 am
I wrote a little script to block those infected IPs.
Just run it every once in a while and you'll feel better.
Code:
#!/bin/bash
# create CHAIN_BLOCK if it does not exist yet, then flush it
iptables -N CHAIN_BLOCK 2>/dev/null
iptables -F CHAIN_BLOCK
# collect client IPs from the logs; the first grep truncates the temp file so a
# stale one left over from an earlier run cannot pollute the list
grep error /var/log/apache2/error_log | cut -d' ' -f8 | cut -d] -f1 > temp
# note: these patterns also match legitimate requests whose URL happens to contain
# "script", "exe" or "dll", so review the result before trusting it blindly
grep script /var/log/apache2/access_log | cut -d' ' -f1 >> temp
grep exe /var/log/apache2/access_log | cut -d' ' -f1 >> temp
grep dll /var/log/apache2/access_log | cut -d' ' -f1 >> temp
grep exe /var/log/apache2/ssl_access_log | cut -d' ' -f1 >> temp
# sort and remove duplicates
script_contents=( $(sort -u temp) )
# remove temp file
rm -f temp
for element in $(seq 0 $((${#script_contents[@]} - 1)))
do
    # never block the LAN
    if [[ ${script_contents[$element]} != 192.168.0* ]]
    then
        iptables -A CHAIN_BLOCK -s "${script_contents[$element]}" -j DROP
    fi
done
As you can see, I dedicated a special chain for this, CHAIN_BLOCK. Just put this rule in the first place in your INPUT chain.
Code:
-A INPUT -j CHAIN_BLOCK
dvc5 (Guru)
Joined: 06 Dec 2003 Posts: 433 Location: Sunnyvale, California
Posted: Mon Mar 01, 2004 6:49 pm
Nice script, I'm gonna try that...
_________________ #define NULL rand() /*heh heh heh */ Green Is Good
dreamer (Apprentice)
Joined: 16 Aug 2003 Posts: 236
Posted: Mon Mar 01, 2004 7:38 pm
dvc5 wrote: Nice script, I'm gonna try that...
It's still very basic. Actually I want to rewrite it to ADD IPs ( instead of flushing the chain and adding everything again ).
It should be something like this.
Every time there is a new infected IP to add, it'll add this IP and send a mail to a specified user. This way it'll be more suitable for a cronjob.
So, stay tuned...
zeky (Guru)
Joined: 24 Feb 2003 Posts: 470 Location: Vukojebina, Europe
Posted: Tue Mar 02, 2004 5:42 am
very nice script...
_________________ Beat your dick like it owes you money
zeek (Guru)
Joined: 16 Nov 2002 Posts: 480 Location: Bantayan Island
Posted: Tue Mar 02, 2004 6:14 am Post subject: Re: Am I being hacked??
JoeW71 wrote:
Code:
"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 369 "-" "$
"GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 369 "-" "$
Looks like a CodeRed derivative -- a worm, not hackers.
Oid (n00b)
Joined: 23 Feb 2004 Posts: 42
Posted: Tue Mar 02, 2004 12:07 pm
Too bad you can't bounce a message back to them saying "Your PC has more viruses and worms than my last date" or some equally disgusting line. You know... to help them fix it
_________________ Join the adopt an unanswered post initiative today
dreamer (Apprentice)
Joined: 16 Aug 2003 Posts: 236
Posted: Tue Mar 02, 2004 1:06 pm
Oid wrote: Too bad you can't bounce a message back to them saying "Your PC has more viruses and worms than my last date" or some equally disgusting line. You know... to help them fix it
Well, there is a possibility..
They're trying to GET a file ( cmd.exe, root.exe or whatever ). Why not create a 50 MB file and call it cmd.exe? If everybody did that, those sweeps would be over very soon.
otoh, your own upload would be wasted, so this isn't a very good option
rewt (n00b)
Joined: 19 Feb 2004 Posts: 58
Posted: Tue Mar 02, 2004 1:56 pm
dreamer wrote:
Oid wrote: Too bad you can't bounce a message back to them saying "Your PC has more viruses and worms than my last date" or some equally disgusting line. You know... to help them fix it
Well, there is a possibility..
They're trying to GET a file ( cmd.exe, root.exe or whatever ). Why not create a 50 MB file and call it cmd.exe? If everybody did that, those sweeps would be over very soon.
otoh, your own upload would be wasted, so this isn't a very good option
However, if you combined it with bandwidth throttling so that they were able to get the 50 MB at a VERY slow rate, say 500 bytes per second, that would have minimal impact on you while slowing them to a crawl (maybe make sure to only reply to one of their GET requests as well so they can't max your bandwidth out that way).
_________________ Because sometimes peace is another word for surrender... and secrets have a way of getting out
meyerm (Veteran)
Joined: 27 Jun 2002 Posts: 1311 Location: Munich / Germany
Posted: Tue Mar 02, 2004 3:59 pm
Now it's getting funny.
How can I enable bandwidth throttling for this?
Dr_Stein (Guru)
Joined: 21 Mar 2003 Posts: 303 Location: Mountain View, CA
Posted: Tue Mar 02, 2004 5:37 pm Post subject: heh
Oid wrote: Too bad you can't bounce a message back to them saying "Your PC has more viruses and worms than my last date" or some equally disgusting line. You know... to help them fix it
Dude, that was so far beyond the limits of good taste. Heh. Right on.
dreamer (Apprentice)
Joined: 16 Aug 2003 Posts: 236
Posted: Tue Mar 02, 2004 6:34 pm
As promised..
I just finished it, so maybe it's full of bugs, file-erasing tricks and so on...
Every time you run this script it'll compare the new results with the old ( .blocklist ). If it finds new infected IPs it'll add them to the firewall and send an email to the specified user.
To use the mail function you need /usr/sbin/sendmail, which goes with postfix ( I think ). If you don't have this, just leave the email variable empty.
Hope you enjoy it
Code:
#!/bin/bash
# written by dreamer 02-03-2004
# quick'n dirty script to filter infected IP addresses from Apache logs and
# block them with help of iptables.
# If manager is a valid email address ( or local user ) an email is sent to
# this user every time a new IP address is added to the firewall.
# This makes it ideal for a daily cronjob or so...
# enjoy! :-)
#
# global settings
# where email is sent.. ( leave empty if you don't want any mail )
manager=
# temp dir
temp_dir=/var/tmp
# iptables chain to append the rule to
chain=INPUT
# action to take after a rule matches
action=DROP
# some pre-running stuff
# note: .blocklist is relative to the working directory, so always run the
# script from the same directory (from cron: cd there first)
if [ ! -f .blocklist ]
then
    touch .blocklist
fi
# compile a list of infected ip's
# this will get most of the shit, i'm not sure if it will catch ALL....
# (the first grep truncates the temp file so a leftover from a crashed run is not reused)
grep error /var/log/apache2/error_log | cut -d' ' -f8 | cut -d] -f1 > $temp_dir/blocklist_chaos.tmp
grep script /var/log/apache2/access_log | cut -d' ' -f1 >> $temp_dir/blocklist_chaos.tmp
grep exe /var/log/apache2/access_log | cut -d' ' -f1 >> $temp_dir/blocklist_chaos.tmp
grep dll /var/log/apache2/access_log | cut -d' ' -f1 >> $temp_dir/blocklist_chaos.tmp
grep exe /var/log/apache2/ssl_access_log | cut -d' ' -f1 >> $temp_dir/blocklist_chaos.tmp
# sort these ip's and remove duplicates, afterwards remove blocklist_chaos.tmp
sort -u $temp_dir/blocklist_chaos.tmp > $temp_dir/blocklist.tmp
rm $temp_dir/blocklist_chaos.tmp
# see if there are any new ip's since last run (lines diff marks with '>')
new_ip=( $(diff .blocklist $temp_dir/blocklist.tmp | grep '^>' | cut -d' ' -f2) )
# remove LAN ip's (192.168.0.0/24 ) from the blocklist.
# Comment if you don't trust your own LAN ;-)
new_ip=( $(echo ${new_ip[@]##192.168.0.*}) )
# if there is at least one new infected ip....
if (( ${#new_ip[@]} > 0 ))
then
    # make tempfile the new permanent blocklist
    mv $temp_dir/blocklist.tmp .blocklist
    # add new ip's with iptables
    for element in $(seq 0 $((${#new_ip[@]} - 1)))
    do
        /sbin/iptables -A $chain -s "${new_ip[$element]}" -j $action
        # for proper display in mail
        new_ip[$element]=$(echo ${new_ip[$element]}"\n")
    done
    # mail new ip's to manager
    if [[ $manager != "" ]]
    then
        echo -e "At" $(date +%A' '%d' '%b' '%T) "those infected ip's were added to the firewall:\n "${new_ip[@]} \
        | /usr/sbin/sendmail -F CHAIN_BLOK $manager
    fi
else
    rm $temp_dir/blocklist.tmp
fi
dvc5 (Guru)
Joined: 06 Dec 2003 Posts: 433 Location: Sunnyvale, California
Posted: Tue Mar 02, 2004 6:46 pm
dreamer wrote:
dvc5 wrote: Nice script, I'm gonna try that...
It's still very basic. Actually I want to rewrite it to ADD IPs ( instead of flushing the chain and adding everything again ).
It should be something like this.
Every time there is a new infected IP to add, it'll add this IP and send a mail to a specified user. This way it'll be more suitable for a cronjob.
So, stay tuned...
Maybe instead of simply "grep error /var/log/apache2/error_log..." when you're creating the array, how about doing the following for example:
Code:
logtail /var/log/apache2/error_log | grep error | cut -d' ' -f8 | cut -d] -f1 >> temp
I'm just not sure how using logtail here might affect other cronjobs like logcheck.sh that use logtail to incrementally check the same logs.
_________________ #define NULL rand() /*heh heh heh */ Green Is Good
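dreamer's script re-reads the whole log on every run and diffs against .blocklist, while the logtail suggestion reads only what was appended since the last run. As an added example (not the thread's own code), here is the same idea in Python: a private offset/inode state file so that two consumers of one log never share an offset, log rotation detection, the new-versus-known diff and the 192.168.0.0/24 exclusion. PROBE_RE is a deliberately simple stand-in for a fuller classifier, and every log line and IP in demo() is constructed.

```python
import os, re, json, ipaddress, tempfile
from pathlib import Path

PROBE_RE = re.compile(r'"GET \S*/(cmd|root)\.exe')    # simple stand-in for a fuller classifier
TRUSTED = [ipaddress.ip_network("192.168.0.0/24")]   # the LAN range the post's script skips

def read_new_lines(log_path: str, state_path: str) -> list:
    """Lines appended since the last run, like logtail with an offset file, but the state
    (inode, offset) lives in a file of our own so two consumers never share an offset.
    A changed inode or a file shorter than the stored offset means rotation: start at 0."""
    try:
        state = json.loads(Path(state_path).read_text())
    except (OSError, ValueError):
        state = {"inode": None, "offset": 0}
    st = os.stat(log_path)
    offset = state["offset"] if state["inode"] == st.st_ino and st.st_size >= state["offset"] else 0
    with open(log_path, "rb") as f:
        f.seek(offset)
        data = f.read()
    Path(state_path).write_text(json.dumps({"inode": st.st_ino, "offset": offset + len(data)}))
    return data.decode("latin-1").splitlines()

def new_offenders(lines: list, blocklist_path: str) -> list:
    """Client IPs of probe lines that are not yet in the blocklist and not in a trusted net;
    the blocklist is appended so the next run (e.g. from cron) reports only new addresses."""
    known = set(Path(blocklist_path).read_text().split()) if os.path.exists(blocklist_path) else set()
    fresh = set()
    for line in lines:
        ip = line.split(" ", 1)[0]
        if PROBE_RE.search(line) and ip not in known and not any(ipaddress.ip_address(ip) in n for n in TRUSTED):
            fresh.add(ip)
    with open(blocklist_path, "a") as f:
        f.writelines(ip + "\n" for ip in sorted(fresh))
    return sorted(fresh)   # each of these is what the post feeds to: iptables -A $chain -s <ip> -j $action

def demo() -> tuple:
    """Constructed walk-through: a first run, a run after two appended lines, then a rotated log."""
    d = tempfile.mkdtemp()
    log, state, block = (os.path.join(d, n) for n in ("access_log", "state.json", ".blocklist"))
    probe = ' - - [02/Mar/2004:06:14:00 +0100] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 370 "-" "-"\n'
    Path(log).write_text("203.0.113.7" + probe + "192.168.0.5" + probe +
                         '192.0.2.44 - - [02/Mar/2004:06:15:00 +0100] "GET /index.html HTTP/1.1" 200 10 "-" "-"\n')
    first = new_offenders(read_new_lines(log, state), block)
    with open(log, "a") as f:
        f.write("203.0.113.7" + probe + "198.51.100.9" + probe)
    second = new_offenders(read_new_lines(log, state), block)
    os.replace(log, log + ".1")                          # logrotate-style rename...
    Path(log).write_text("198.51.100.9" + probe + "203.0.113.200" + probe)   # ...then a new, shorter file
    third = new_offenders(read_new_lines(log, state), block)
    return first, second, third
```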