LinuxQuestions.org
Did you know LQ has a Linux Hardware Compatibility List?
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices



Reply
 
Search this Thread
Old 04-08-2013, 11:31 PM   #1
newbie14
Member
 
Registered: Sep 2011
Posts: 418

Rep: Reputation: Disabled
Possible successful probes detected


Dear All,
Part of my logwatch log is as below. What worries me is this A total of 13 possible successful probes were detected? What should I do to prevent this sort of probes?

Code:
 Attempts to use known hacks by 2 hosts were logged 498 time(s) from:
    69.194.131.74: 492 Time(s)
       /\.\./\.\./\.\./ 38 Time(s) 
       \/c\+dir 184 Time(s) 
       cmd\.exe 240 Time(s) 
       shtml\.exe 4 Time(s) 
       \.htpasswd 2 Time(s) 
       boot\.ini 4 Time(s) 
       \.\./\.\./config\.sys 2 Time(s) 
       passwd$ 18 Time(s) 
    116.38.79.249: 6 Time(s)
       /\.\./\.\./\.\./ 2 Time(s) 
       passwd$ 2 Time(s) 
       boot\.ini 2 Time(s) 
 
 Connection attempts using mod_proxy:
    116.38.79.249 -> www.fbi.gov:80: 1 Time(s)
 
 A total of 2 sites probed the server 
    116.38.79.249
    69.194.131.74
 
 A total of 13 possible successful probes were detected (the following URLs
 contain strings that match one or more of a listing of strings that
 indicate a possible exploit):
 
    /_vti_bin/..?..?..?../winnt/system32/cmd.exe?/c+dir%20c:\\ HTTP Response 200 
    /_vti_bin/..?..?..?../winnt/system32/cmd.exe?/c+dir HTTP Response 200 
    /cgi-bin/..?..?..?../winnt/system32/cmd.exe HTTP Response 200 
    /_mem_bin/..?..?..?../winnt/system32/cmd.exe?/c+dir%20c:\\ HTTP Response 200 
    /scripts/..?..?..?..?../winnt/system32/cmd.exe?/c+dir HTTP Response 200 
    /scripts/..?../winnt/system32/cmd.exe?/c+dir%20c:\\ HTTP Response 200 
    /msadc/..?../..?../..?../winnt/system32/cmd.exe?/c+dir HTTP Response 200 
    /scripts/..?../winnt/system32/cmd.exe HTTP Response 200 
    /scripts/..?..?..?..?../winnt/system32/cmd.exe?/c+dir%20c:\\ HTTP Response 200 
    /msadc/..?..?..?../winnt/system32/cmd.exe HTTP Response 200 
    /scripts/..?../winnt/system32/cmd.exe?/c+dir HTTP Response 200 
    /_mem_bin/..?..?..?../winnt/system32/cmd.exe?/c+dir HTTP Response 200 
    /msadc/..?../..?../..?../winnt/system32/cmd.exe?/c+dir%20c:\\ HTTP Response 200
Just to add I have tried myself those links and it returns a blank page.

Last edited by newbie14; 04-08-2013 at 11:34 PM.
 
Old 04-09-2013, 02:41 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,703
Blog Entries: 54

Rep: Reputation: 2964Reputation: 2964Reputation: 2964Reputation: 2964Reputation: 2964Reputation: 2964Reputation: 2964Reputation: 2964Reputation: 2964Reputation: 2964Reputation: 2964
If it doesn't return an error (I'd prefer using a CLI tool like cURL for the details it shows) then it may have some redirect or rewrite configured. BTW the mod_proxy line may indicate you're running Apache with all default modules enabled. Please review your configuration and only load what's absolutely necessary.
 
Old 04-09-2013, 05:13 AM   #3
newbie14
Member
 
Registered: Sep 2011
Posts: 418

Original Poster
Rep: Reputation: Disabled
Dear Unspawn,
I have google and found this link for the curl http://www.thegeekstuff.com/2012/04/curl-examples/. So which commands do you recommend in order to diagnose this problem? For the mod_proxy what do you recommend to be shut off in the Apache for security purpose should I send you an email on this? with Apache conf file?
 
Old 04-09-2013, 05:25 AM   #4
linosaurusroot
Member
 
Registered: Oct 2012
Distribution: OpenSuSE,RHEL,Fedora,OpenBSD
Posts: 870
Blog Entries: 2

Rep: Reputation: 219Reputation: 219Reputation: 219
The 13 lines described as successful all contain "/winnt/". Look for these in your logs so you can see what logwatch is looking at and form your own view on whether it was successful.

My preferred configuration for webservers is that they are firewalled so they cannot originate outbound traffic but only do the return half of HTTP(S) and SSH connections. With that in force your server wouldn't be scanning www.fbi.gov whatever your httpd.conf said.
 
Old 04-09-2013, 05:44 AM   #5
newbie14
Member
 
Registered: Sep 2011
Posts: 418

Original Poster
Rep: Reputation: Disabled
Dear Lino,
Yes I tried with my page htpp://myip//_vti_bin/..?..?..?../winnt/system32/cmd.exe?/c+dir%20c: it just give me an empty page that is my index.php. Yes the server is firewall and only port 80 is port to this server for web communication. I am not clear on this "With that in force your server wouldn't be scanning www.fbi.gov whatever your httpd.conf said."? What should I be doing my server is centos.
 
Old 04-09-2013, 04:07 PM   #6
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

Rep: Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776
Both sets of these entries look like attempts to probe your web server for exploits. Most of them look like they are probes for a Windows server running IIS, as indicated by the .exe, config.sys c:\, etc.

The latter ones look like exploit attempts to escape the directory tree and gain a shell, the cmd.exe, with the directory c:\. As far as the response goes for the latter ones giving you the plain index, html, that is exactly what my system does too in response to one of these redirect attempts. For example, I used the last one on the list, testing it with cURL (curl <my.domain>/msadc/..) and I received the index.html, indicative of the response code 200, and received the following line in my access log.

Code:
[09/Apr/2013:16:01:53 -0400] "GET /msadc/..?../..?../..?../winnt/system32/cmd.exe?/c+dir%20c:\\ HTTP/1.1" 200 4463 "-" "curl/7.19.7 (x86_64-pc-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8k zlib/1.2.3.3 libidn/1.15"
 
Old 04-10-2013, 10:28 AM   #7
newbie14
Member
 
Registered: Sep 2011
Posts: 418

Original Poster
Rep: Reputation: Disabled
Dear Unspawn,
Actually I purposely change the index page which describes about server to an empty page to hide whatever possible. So what should I do to improvise further. Regarding the mod_proxy what is your suggestion there? Thank you.
 
Old 04-10-2013, 02:34 PM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,703
Blog Entries: 54

Rep: Reputation: 2964Reputation: 2964Reputation: 2964Reputation: 2964Reputation: 2964Reputation: 2964Reputation: 2964Reputation: 2964Reputation: 2964Reputation: 2964Reputation: 2964
Quote:
Originally Posted by newbie14 View Post
which commands do you recommend in order to diagnose this problem?
This and which modules to load is probably easier to answer by you 0) attaching your httpd.conf and any configuration files in conf.d that don't have only commented out lines and telling us 1) what you exactly run in your web stack.

*Also please note that, like the others conveyed, these are automated tests against an OS you don't use. So it's not really a problem and if you can live with a 200 response code, fine.
 
Old 04-12-2013, 08:50 AM   #9
newbie14
Member
 
Registered: Sep 2011
Posts: 418

Original Poster
Rep: Reputation: Disabled
Dear Unspawn,

The httpd.conf is quite long. I have also install mod_security Should I post it here or should I email it over? The server purely just run .php codes that about it nothing else is running except for some other services running based on other language but not web based stuff.
 
Old 04-12-2013, 06:57 PM   #10
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,703
Blog Entries: 54

Rep: Reputation: 2964Reputation: 2964Reputation: 2964Reputation: 2964Reputation: 2964Reputation: 2964Reputation: 2964Reputation: 2964Reputation: 2964Reputation: 2964Reputation: 2964
Quote:
Originally Posted by newbie14 View Post
The httpd.conf is quite long. I have also install mod_security Should I post it here or should I email it over?
No, please don't email but attach it to your reply here.


Quote:
Originally Posted by newbie14 View Post
The server purely just run .php codes that about it nothing else is running except for some other services running based on other language but not web based stuff.
OK.
 
Old 04-12-2013, 10:16 PM   #11
newbie14
Member
 
Registered: Sep 2011
Posts: 418

Original Poster
Rep: Reputation: Disabled
Dear Unspawn,
I have attached the httpd.conf file. Please review thank you.
Attached Files
File Type: txt httpd.txt (33.6 KB, 11 views)
 
Old 04-13-2013, 03:09 AM   #12
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,703
Blog Entries: 54

Rep: Reputation: 2964Reputation: 2964Reputation: 2964Reputation: 2964Reputation: 2964Reputation: 2964Reputation: 2964Reputation: 2964Reputation: 2964Reputation: 2964Reputation: 2964
You run Apache with a stock configuration. I suggest you start with (making a backup and then) the includes sections at the bottom of httpd.conf and work your way up: disable negotiation, set default language to English, disable WebDAV, turn ServerSignature off, and check the directory in the Include statement for any active configuration files as you didn't attach any /etc/httpd/conf.d/ contents. IIRC for your purpose you won't need some of the "advanced" auth* modules as well as *dav*, usertrack, speling, substitute and related and the proxy* modules. Disable them. Then restart Apache and follow any warnings it throws. Look at http://httpd.apache.org/docs/2.2/mod/ what the module in question does and then decide if you need it or not. If unsure post the actual errors plus what you learned about the module in question.

*IIRC, and unless things changed since we last helped you secure your machines, access to your web server should have already been limited by the host firewall and the hardware firewall the hosts are behind.
 
Old 04-15-2013, 03:19 PM   #13
newbie14
Member
 
Registered: Sep 2011
Posts: 418

Original Poster
Rep: Reputation: Disabled
Dear Unspawn,
I have attached the changes you suggested to my httpd.conf and attached in here. I have also attached the files in conf.d (mod_security.conf and php.conf). I only attached 2 as the rest are the README and welcome.conf which I did not upload. Yes my machine is behind a firewall and all the access to it is via vpn tunnel but I had trouble setting up key authorization but its working now.
Attached Files
File Type: txt mod_security.conf.txt (2.2 KB, 11 views)
File Type: txt php.conf.txt (674 Bytes, 9 views)
File Type: txt httpd.txt (33.6 KB, 10 views)
 
Old 04-15-2013, 05:56 PM   #14
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,703
Blog Entries: 54

Rep: Reputation: 2964Reputation: 2964Reputation: 2964Reputation: 2964Reputation: 2964Reputation: 2964Reputation: 2964Reputation: 2964Reputation: 2964Reputation: 2964Reputation: 2964
Configs look OK to me.
 
Old 04-15-2013, 10:48 PM   #15
newbie14
Member
 
Registered: Sep 2011
Posts: 418

Original Poster
Rep: Reputation: Disabled
Dear Unspawn,
What is your comments on the mod_security should I do some additional configuration on it? I am very new to it need some tips?
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
[SOLVED] Logwatch : A total of 1 possible successful probes were detected Metux Linux - Security 2 11-08-2012 08:26 AM
HP printer successful driver install but no printer detected dwhb Linux - Hardware 14 11-01-2012 12:40 PM
Apache exploit? Logwatch: A total of 2 possible successful probes were detected deathsfriend99 Linux - Security 1 10-24-2011 04:16 PM
LogWatch: "possible successful probes"? Quip11 Linux - Security 1 07-20-2009 05:39 PM
What's this in LogWatch: "!!!! 1 possible successful probes" ? bomix Linux - Security 1 07-29-2005 11:23 PM


All times are GMT -5. The time now is 05:16 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration