Linux - Security
Dear All,
Part of my logwatch log is below. What worries me is this: "A total of 13 possible successful probes were detected". What should I do to prevent this sort of probe?
Code:
Attempts to use known hacks by 2 hosts were logged 498 time(s) from:
69.194.131.74: 492 Time(s)
/\.\./\.\./\.\./ 38 Time(s)
\/c\+dir 184 Time(s)
cmd\.exe 240 Time(s)
shtml\.exe 4 Time(s)
\.htpasswd 2 Time(s)
boot\.ini 4 Time(s)
\.\./\.\./config\.sys 2 Time(s)
passwd$ 18 Time(s)
116.38.79.249: 6 Time(s)
/\.\./\.\./\.\./ 2 Time(s)
passwd$ 2 Time(s)
boot\.ini 2 Time(s)
Connection attempts using mod_proxy:
116.38.79.249 -> www.fbi.gov:80: 1 Time(s)
A total of 2 sites probed the server
116.38.79.249
69.194.131.74
A total of 13 possible successful probes were detected (the following URLs
contain strings that match one or more of a listing of strings that
indicate a possible exploit):
/_vti_bin/..?..?..?../winnt/system32/cmd.exe?/c+dir%20c:\\ HTTP Response 200
/_vti_bin/..?..?..?../winnt/system32/cmd.exe?/c+dir HTTP Response 200
/cgi-bin/..?..?..?../winnt/system32/cmd.exe HTTP Response 200
/_mem_bin/..?..?..?../winnt/system32/cmd.exe?/c+dir%20c:\\ HTTP Response 200
/scripts/..?..?..?..?../winnt/system32/cmd.exe?/c+dir HTTP Response 200
/scripts/..?../winnt/system32/cmd.exe?/c+dir%20c:\\ HTTP Response 200
/msadc/..?../..?../..?../winnt/system32/cmd.exe?/c+dir HTTP Response 200
/scripts/..?../winnt/system32/cmd.exe HTTP Response 200
/scripts/..?..?..?..?../winnt/system32/cmd.exe?/c+dir%20c:\\ HTTP Response 200
/msadc/..?..?..?../winnt/system32/cmd.exe HTTP Response 200
/scripts/..?../winnt/system32/cmd.exe?/c+dir HTTP Response 200
/_mem_bin/..?..?..?../winnt/system32/cmd.exe?/c+dir HTTP Response 200
/msadc/..?../..?../..?../winnt/system32/cmd.exe?/c+dir%20c:\\ HTTP Response 200
Just to add, I have tried those links myself and they return a blank page.
If it doesn't return an error (I'd prefer using a CLI tool like cURL for the details it shows) then it may have some redirect or rewrite configured. BTW the mod_proxy line may indicate you're running Apache with all default modules enabled. Please review your configuration and only load what's absolutely necessary.
Dear Unspawn,
I have googled and found this link for curl: http://www.thegeekstuff.com/2012/04/curl-examples/. So which commands do you recommend in order to diagnose this problem? For mod_proxy, what do you recommend be shut off in Apache for security purposes? Should I send you an email on this, with the Apache conf file?
The 13 lines described as successful all contain "/winnt/". Look for these in your logs so you can see what logwatch is looking at and form your own view on whether it was successful.
My preferred configuration for webservers is that they are firewalled so they cannot originate outbound traffic but only do the return half of HTTP(S) and SSH connections. With that in force your server wouldn't be scanning www.fbi.gov whatever your httpd.conf said.
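Lino's advice above is to look for these requests in your own access log rather than trusting the summary. The script below is an added example (not from this thread, and not logwatch's own code): it runs the same signatures the report lists over a constructed sample of Apache combined-format log lines, decodes the URL before matching, and separates plain hits from the 2xx responses that logwatch counts as "possible successful probes".

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# The "known hacks" signatures that the logwatch report above matched on.
PROBE_PATTERNS = [re.compile(p) for p in (
    r"/\.\./\.\./\.\./", r"\/c\+dir", r"cmd\.exe", r"shtml\.exe",
    r"\.htpasswd", r"boot\.ini", r"\.\./\.\./config\.sys", r"passwd$",
)]

# Apache combined/common log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+)(?: \S+)?" (?P<status>\d{3}) '
)

# Constructed sample access log, modelled on the probe URLs in the
# logwatch report; these are not real log lines from the poster's server.
SAMPLE_LOG = """\
69.194.131.74 - - [10/Jan/2013:03:14:07 +0000] "GET /_vti_bin/..%5c..%5c..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 0 "-" "-"
69.194.131.74 - - [10/Jan/2013:03:14:08 +0000] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir%20c: HTTP/1.0" 200 0 "-" "-"
116.38.79.249 - - [10/Jan/2013:04:02:11 +0000] "GET /../../../boot.ini HTTP/1.1" 404 289 "-" "-"
116.38.79.249 - - [10/Jan/2013:04:02:12 +0000] "GET /etc/passwd HTTP/1.1" 404 289 "-" "-"
203.0.113.7 - - [10/Jan/2013:05:00:00 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

def scan_access_log(text):
    """Return (hits, successes): hits maps client IP -> {signature: count}
    like logwatch's "Attempts to use known hacks" section; successes lists
    (ip, decoded_url, status) for matching requests answered with 2xx. A 200
    only proves the server replied (here, with index.php), not that anything ran."""
    hits = defaultdict(lambda: defaultdict(int))
    successes = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined/common format
        url = unquote(m.group("url"))  # decode %5c, %20 etc. before matching
        matched = [p.pattern for p in PROBE_PATTERNS if p.search(url)]
        if not matched:
            continue
        for sig in matched:
            hits[m.group("ip")][sig] += 1
        status = int(m.group("status"))
        if 200 <= status < 300:
            successes.append((m.group("ip"), url, status))
    return hits, successes
```

Point it at a real file with `scan_access_log(open("/var/log/httpd/access_log").read())`; the decoded URLs in `successes` are the ones to compare against what is actually on disk.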
Dear Lino,
Yes, I tried with my page http://myip//_vti_bin/..?..?..?../winnt/system32/cmd.exe?/c+dir%20c: and it just gives me an empty page, which is my index.php. Yes, the server is firewalled and only port 80 is open to this server for web communication. I am not clear on this: "With that in force your server wouldn't be scanning www.fbi.gov whatever your httpd.conf said." What should I be doing? My server is CentOS.
Both sets of these entries look like attempts to probe your web server for exploits. Most of them look like they are probes for a Windows server running IIS, as indicated by the .exe, config.sys c:\, etc.
The latter ones look like exploit attempts to escape the directory tree and gain a shell, the cmd.exe, with the directory c:\. As far as the response goes for the latter ones giving you the plain index.html, that is exactly what my system does too in response to one of these redirect attempts. For example, I used the last one on the list, testing it with cURL (curl <my.domain>/msadc/..), and I received the index.html, indicative of the response code 200, and received the following line in my access log.
Dear Unspawn,
Actually I purposely changed the index page, which described the server, to an empty page to hide whatever is possible. So what should I do to improve further? Regarding mod_proxy, what is your suggestion there? Thank you.
Quote:
Originally Posted by newbie14
which commands do you recommend in order to diagnose this problem?
This, and which modules to load, is probably easier to answer by you 0) attaching your httpd.conf and any configuration files in conf.d that don't have only commented-out lines and telling us 1) what exactly you run in your web stack.
*Also please note that, like the others conveyed, these are automated tests against an OS you don't use. So it's not really a problem and if you can live with a 200 response code, fine.
The httpd.conf is quite long. I have also installed mod_security. Should I post it here or should I email it over? The server purely just runs .php code, that's about it; nothing else is running except for some other services based on other languages, but not web-based stuff.
Quote:
Originally Posted by newbie14
The httpd.conf is quite long. I have also installed mod_security. Should I post it here or should I email it over?
No, please don't email but attach it to your reply here.
Quote:
Originally Posted by newbie14
The server purely just runs .php code, that's about it; nothing else is running except for some other services based on other languages, but not web-based stuff.
You run Apache with a stock configuration. I suggest you start with (making a backup and then) the includes sections at the bottom of httpd.conf and work your way up: disable negotiation, set default language to English, disable WebDAV, turn ServerSignature off, and check the directory in the Include statement for any active configuration files as you didn't attach any /etc/httpd/conf.d/ contents. IIRC for your purpose you won't need some of the "advanced" auth* modules as well as *dav*, usertrack, speling, substitute and related and the proxy* modules. Disable them. Then restart Apache and follow any warnings it throws. Look at http://httpd.apache.org/docs/2.2/mod/ what the module in question does and then decide if you need it or not. If unsure post the actual errors plus what you learned about the module in question.
*IIRC, and unless things changed since we last helped you secure your machines, access to your web server should have already been limited by the host firewall and the hardware firewall the hosts are behind.
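The httpd.conf fragment below is an added example of the module trimming unspawn describes, written against the stock CentOS Apache 2.2 LoadModule names; it is not the poster's attached configuration. The `ProxyRequests Off` part addresses the mod_proxy line in the report, which was a request to relay traffic to www.fbi.gov through this server.

```apache
# Stop advertising version and OS details in error pages and the Server header.
ServerSignature Off
ServerTokens Prod

# Modules a PHP-only site does not need (the ones named above); comment out
# their LoadModule lines in the stock httpd.conf rather than deleting them.
#LoadModule dav_module modules/mod_dav.so
#LoadModule dav_fs_module modules/mod_dav_fs.so
#LoadModule usertrack_module modules/mod_usertrack.so
#LoadModule speling_module modules/mod_speling.so
#LoadModule substitute_module modules/mod_substitute.so
#LoadModule negotiation_module modules/mod_negotiation.so
#LoadModule proxy_module modules/mod_proxy.so
#LoadModule proxy_http_module modules/mod_proxy_http.so
#LoadModule proxy_connect_module modules/mod_proxy_connect.so

# If mod_proxy has to stay loaded for some reason, never act as a forward
# proxy: Off is the default, but state it so a later include cannot flip it
# unnoticed. This is what turns "client -> www.fbi.gov:80" requests away.
ProxyRequests Off
```

Run `httpd -t` after editing and `httpd -M` to confirm the list of modules that actually loaded before restarting.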
Dear Unspawn,
I have made the changes you suggested to my httpd.conf and attached it here. I have also attached the files in conf.d (mod_security.conf and php.conf). I only attached 2, as the rest are the README and welcome.conf, which I did not upload. Yes, my machine is behind a firewall and all access to it is via VPN tunnel; I had trouble setting up key authorization but it's working now.