LinuxQuestions.org, Linux - Security forum
Possible successful probes detected

#1  newbie14 (Member), 04-08-2013, 10:31 PM

Dear All,
Part of my logwatch log is below. What worries me is this: "A total of 13 possible successful probes were detected". What should I do to prevent this sort of probe?

Code:
 Attempts to use known hacks by 2 hosts were logged 498 time(s) from:
    69.194.131.74: 492 Time(s)
       /\.\./\.\./\.\./ 38 Time(s) 
       \/c\+dir 184 Time(s) 
       cmd\.exe 240 Time(s) 
       shtml\.exe 4 Time(s) 
       \.htpasswd 2 Time(s) 
       boot\.ini 4 Time(s) 
       \.\./\.\./config\.sys 2 Time(s) 
       passwd$ 18 Time(s) 
    116.38.79.249: 6 Time(s)
       /\.\./\.\./\.\./ 2 Time(s) 
       passwd$ 2 Time(s) 
       boot\.ini 2 Time(s) 
 
 Connection attempts using mod_proxy:
    116.38.79.249 -> www.fbi.gov:80: 1 Time(s)
 
 A total of 2 sites probed the server 
    116.38.79.249
    69.194.131.74
 
 A total of 13 possible successful probes were detected (the following URLs
 contain strings that match one or more of a listing of strings that
 indicate a possible exploit):
 
    /_vti_bin/..?..?..?../winnt/system32/cmd.exe?/c+dir%20c:\\ HTTP Response 200 
    /_vti_bin/..?..?..?../winnt/system32/cmd.exe?/c+dir HTTP Response 200 
    /cgi-bin/..?..?..?../winnt/system32/cmd.exe HTTP Response 200 
    /_mem_bin/..?..?..?../winnt/system32/cmd.exe?/c+dir%20c:\\ HTTP Response 200 
    /scripts/..?..?..?..?../winnt/system32/cmd.exe?/c+dir HTTP Response 200 
    /scripts/..?../winnt/system32/cmd.exe?/c+dir%20c:\\ HTTP Response 200 
    /msadc/..?../..?../..?../winnt/system32/cmd.exe?/c+dir HTTP Response 200 
    /scripts/..?../winnt/system32/cmd.exe HTTP Response 200 
    /scripts/..?..?..?..?../winnt/system32/cmd.exe?/c+dir%20c:\\ HTTP Response 200 
    /msadc/..?..?..?../winnt/system32/cmd.exe HTTP Response 200 
    /scripts/..?../winnt/system32/cmd.exe?/c+dir HTTP Response 200 
    /_mem_bin/..?..?..?../winnt/system32/cmd.exe?/c+dir HTTP Response 200 
    /msadc/..?../..?../..?../winnt/system32/cmd.exe?/c+dir%20c:\\ HTTP Response 200
Just to add, I have tried those links myself and they return a blank page.

Last edited by newbie14; 04-08-2013 at 10:34 PM.
 
#2  unSpawn (Moderator), 04-09-2013, 01:41 AM
If it doesn't return an error (I'd prefer using a CLI tool like cURL for the details it shows) then it may have some redirect or rewrite configured. BTW the mod_proxy line may indicate you're running Apache with all default modules enabled. Please review your configuration and only load what's absolutely necessary.
 
#3  newbie14 (Member, Original Poster), 04-09-2013, 04:13 AM
Dear Unspawn,
I have googled and found this link for curl: http://www.thegeekstuff.com/2012/04/curl-examples/. So which commands do you recommend in order to diagnose this problem? For mod_proxy, what do you recommend be shut off in Apache for security purposes? Should I send you an email on this, with the Apache conf file?
 
#4  linosaurusroot (Member), 04-09-2013, 04:25 AM
The 13 lines described as successful all contain "/winnt/". Look for these in your logs so you can see what logwatch is looking at and form your own view on whether it was successful.

My preferred configuration for webservers is that they are firewalled so they cannot originate outbound traffic but only do the return half of HTTP(S) and SSH connections. With that in force your server wouldn't be scanning www.fbi.gov whatever your httpd.conf said.
 
#5  newbie14 (Member, Original Poster), 04-09-2013, 04:44 AM
Dear Lino,
Yes, I tried with my page http://myip//_vti_bin/..?..?..?../winnt/system32/cmd.exe?/c+dir%20c: and it just gives me an empty page, which is my index.php. Yes, the server is firewalled and only port 80 is open to this server for web communication. I am not clear on this: "With that in force your server wouldn't be scanning www.fbi.gov whatever your httpd.conf said." What should I be doing? My server is CentOS.
 
#6  Noway2 (Senior Member), 04-09-2013, 03:07 PM
Both sets of these entries look like attempts to probe your web server for exploits. Most of them look like probes for a Windows server running IIS, as indicated by the .exe, config.sys, c:\, etc.

The latter ones look like exploit attempts to escape the directory tree and gain a shell, the cmd.exe, with the directory c:\. As far as the response goes, the latter ones giving you the plain index.html is exactly what my system does too in response to one of these redirect attempts. For example, I used the last one on the list, testing it with cURL (curl <my.domain>/msadc/..) and I received the index.html, indicative of the response code 200, and received the following line in my access log.

Code:
[09/Apr/2013:16:01:53 -0400] "GET /msadc/..?../..?../..?../winnt/system32/cmd.exe?/c+dir%20c:\\ HTTP/1.1" 200 4463 "-" "curl/7.19.7 (x86_64-pc-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8k zlib/1.2.3.3 libidn/1.15"
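A way to do what linosaurusroot and Noway2 describe above (pull the probe lines out of the access log yourself, see which ones got a 200, and judge whether "successful" means anything on a Linux box), as an added example that is not part of the thread: a small Python triage script. The signature regexes are the ones logwatch printed in the first post plus /winnt/; the log lines are constructed for this example (the first is Noway2's line with a made-up client IP prefix, the rest are invented), and the combined-log regex, the Windows-only test and the function names are my own assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample access log (Apache combined format). The first entry is
# the line Noway2 posted, prefixed with a made-up client IP; the others are
# invented for this example.
SAMPLE_LOG = """\
69.194.131.74 - - [09/Apr/2013:16:01:53 -0400] "GET /msadc/..?../..?../..?../winnt/system32/cmd.exe?/c+dir%20c:\\\\ HTTP/1.1" 200 4463 "-" "curl/7.19.7 (x86_64-pc-linux-gnu)"
69.194.131.74 - - [09/Apr/2013:16:01:54 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.1" 404 286 "-" "-"
116.38.79.249 - - [09/Apr/2013:16:02:10 -0400] "GET /../../../etc/passwd HTTP/1.1" 403 214 "-" "-"
116.38.79.249 - - [09/Apr/2013:16:02:11 -0400] "GET http://www.fbi.gov:80/ HTTP/1.1" 403 214 "-" "-"
203.0.113.7 - - [09/Apr/2013:16:05:00 -0400] "GET /index.php HTTP/1.1" 200 4463 "-" "Mozilla/5.0"
"""

# One regex for the combined log format: client IP, ident, user, timestamp,
# request line, status, size (referer and user agent are not needed here).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Signatures mirroring the regexes logwatch printed in the report, plus
# "/winnt/", which linosaurusroot noted is in every "successful" line.
PROBE_SIGNATURES = {
    "traversal": re.compile(r"/\.\./\.\./\.\./"),
    "c+dir": re.compile(r"/c\+dir"),
    "cmd.exe": re.compile(r"cmd\.exe"),
    "shtml.exe": re.compile(r"shtml\.exe"),
    ".htpasswd": re.compile(r"\.htpasswd"),
    "boot.ini": re.compile(r"boot\.ini"),
    "config.sys": re.compile(r"\.\./\.\./config\.sys"),
    "passwd": re.compile(r"passwd$"),
    "winnt": re.compile(r"/winnt/"),
}

# Paths that only exist on a Windows/IIS host. A 200 for one of these on a
# Linux/Apache box means a rewrite or the index page answered, not that
# cmd.exe ran; the status code alone does not make the probe "successful".
WINDOWS_ONLY = re.compile(r"cmd\.exe|/winnt/|boot\.ini|config\.sys", re.IGNORECASE)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def match_signatures(url):
    """Names of every probe signature that matches the request path."""
    return [name for name, rx in PROBE_SIGNATURES.items() if rx.search(url)]


def is_proxy_attempt(url):
    """An absolute URL in the request line asks the server to act as a forward
    proxy; this is what logwatch's "Connection attempts using mod_proxy" lists."""
    return url.lower().startswith(("http://", "https://"))


def triage(log_text):
    """Group probe hits per client IP the way the logwatch report does and
    collect the ones that got a 200 so they can be reviewed by hand."""
    per_host = defaultdict(Counter)
    possible_successful = []
    proxy_attempts = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if is_proxy_attempt(rec["url"]):
            proxy_attempts.append((rec["ip"], rec["url"], rec["status"]))
            continue
        hits = match_signatures(rec["url"])
        if not hits:
            continue
        for name in hits:
            per_host[rec["ip"]][name] += 1
        if rec["status"] == 200:
            possible_successful.append({
                "ip": rec["ip"],
                "url": rec["url"],
                "windows_only": bool(WINDOWS_ONLY.search(rec["url"])),
            })
    return {
        "per_host": per_host,
        "possible_successful": possible_successful,
        "proxy_attempts": proxy_attempts,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for ip, counts in result["per_host"].items():
        print(ip, dict(counts))
    for hit in result["possible_successful"]:
        verdict = "Windows-only path, cannot have run here" if hit["windows_only"] else "REVIEW"
        print("200 for probe:", hit["ip"], hit["url"], "->", verdict)
    for ip, url, status in result["proxy_attempts"]:
        print("proxy attempt:", ip, url, status)
```

Run it against a real access_log by replacing SAMPLE_LOG with the file contents. A 200 on a Windows-only path tells you what the server sent back (here, the index page) but nothing about execution; the proxy attempts and the source IPs are the lines worth a second look, since a forward-proxy request that is answered with 200 would mean mod_proxy is actually relaying traffic.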
 
#7  newbie14 (Member, Original Poster), 04-10-2013, 09:28 AM
Dear Unspawn,
Actually I purposely changed the index page, which described the server, to an empty page to hide whatever is possible. So what should I do to improve further? Regarding mod_proxy, what is your suggestion there? Thank you.
 
#8  unSpawn (Moderator), 04-10-2013, 01:34 PM
Quote:
Originally Posted by newbie14
which commands do you recommend in order to diagnose this problem?
This and which modules to load is probably easier to answer by you 0) attaching your httpd.conf and any configuration files in conf.d that don't have only commented out lines and telling us 1) what you exactly run in your web stack.

*Also please note that, like the others conveyed, these are automated tests against an OS you don't use. So it's not really a problem and if you can live with a 200 response code, fine.
 
#9  newbie14 (Member, Original Poster), 04-12-2013, 07:50 AM
Dear Unspawn,

The httpd.conf is quite long. I have also installed mod_security. Should I post it here or should I email it over? The server purely runs .php code, that's about it; nothing else is running except for some other services based on other languages, but no web-based stuff.
 
#10  unSpawn (Moderator), 04-12-2013, 05:57 PM
Quote:
Originally Posted by newbie14
The httpd.conf is quite long. I have also install mod_security Should I post it here or should I email it over?
No, please don't email but attach it to your reply here.


Quote:
Originally Posted by newbie14
The server purely runs .php code, that's about it; nothing else is running except for some other services based on other languages, but no web-based stuff.
OK.
 
#11  newbie14 (Member, Original Poster), 04-12-2013, 09:16 PM
Dear Unspawn,
I have attached the httpd.conf file. Please review thank you.
Attached Files
File Type: txt httpd.txt (33.6 KB, 21 views)
 
#12  unSpawn (Moderator), 04-13-2013, 02:09 AM
You run Apache with a stock configuration. I suggest you start with (making a backup and then) the includes sections at the bottom of httpd.conf and work your way up: disable negotiation, set the default language to English, disable WebDAV, turn ServerSignature off, and check the directory in the Include statement for any active configuration files, as you didn't attach any /etc/httpd/conf.d/ contents. IIRC for your purpose you won't need some of the "advanced" auth* modules, as well as *dav*, usertrack, speling, substitute and related, and the proxy* modules. Disable them. Then restart Apache and follow any warnings it throws. Look at http://httpd.apache.org/docs/2.2/mod/ to see what the module in question does and then decide if you need it or not. If unsure, post the actual errors plus what you learned about the module in question.

*IIRC, and unless things changed since we last helped you secure your machines, access to your web server should have already been limited by the host firewall and the hardware firewall the hosts are behind.
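An added example, not code from the thread or from the Apache project, that turns unSpawn's checklist above into a repeatable audit: parse httpd.conf, list the active LoadModule lines that fall into the proxy*, *dav*, usertrack, speling, substitute, negotiation and "advanced" auth* families, check ServerSignature and LanguagePriority, and list the Include targets that still need to be read by hand. The config text is a constructed excerpt of a stock CentOS-style httpd.conf (not the poster's attachment); which auth* modules count as "advanced" is my own reading of the advice, the ServerTokens check is my addition to the checklist, and the function names are assumptions.

```python
import re

# Constructed excerpt of a stock CentOS-style httpd.conf (Apache 2.2); it is
# not the attachment posted in the thread.
SAMPLE_HTTPD_CONF = """\
ServerTokens OS
ServerSignature On
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authn_dbm_module modules/mod_authn_dbm.so
LoadModule authz_host_module modules/mod_authz_host.so
#LoadModule usertrack_module modules/mod_usertrack.so
LoadModule dav_module modules/mod_dav.so
LoadModule dav_fs_module modules/mod_dav_fs.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule speling_module modules/mod_speling.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule php5_module modules/libphp5.so
<IfModule mod_negotiation.c>
LanguagePriority en ca cs da de el eo es et fr he hr it ja ko ltz nl nn no pl pt pt-BR ru sv zh-CN zh-TW
</IfModule>
Include conf.d/*.conf
"""

# Module families unSpawn says a PHP-only server will not need. Which auth*
# modules count as "advanced" is my own reading of that advice (assumption).
UNNEEDED_MODULE_PATTERNS = [
    ("proxy", r"^proxy"),
    ("WebDAV", r"^dav"),
    ("usertrack", r"^usertrack$"),
    ("speling", r"^speling$"),
    ("substitute", r"^substitute$"),
    ("negotiation", r"^negotiation$"),
    ("advanced auth", r"^(authn_dbm|authn_dbd|authn_anon|authz_dbm|authnz_ldap|ldap)$"),
]


def parse_directives(conf_text):
    """Yield (directive, arguments) for every active line. Comments are
    dropped; <Section> open/close tags are skipped, but the directives inside
    them are still read so conditional settings get audited too."""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = line.split(None, 1)
        yield parts[0], (parts[1].strip() if len(parts) > 1 else "")


def loaded_modules(conf_text):
    """Base names (without the _module suffix) of every active LoadModule."""
    mods = []
    for directive, args in parse_directives(conf_text):
        if directive.lower() == "loadmodule" and args:
            name = args.split()[0]
            mods.append(name[:-7] if name.endswith("_module") else name)
    return mods


def audit(conf_text):
    """Return one finding string per checklist item that is not satisfied."""
    findings = []
    for mod in loaded_modules(conf_text):
        for label, pattern in UNNEEDED_MODULE_PATTERNS:
            if re.match(pattern, mod):
                findings.append(f"LoadModule {mod}_module: {label} module loaded; disable it unless you use it")
                break
    # For a repeated directive the last occurrence wins, as in Apache itself.
    settings = {d.lower(): a for d, a in parse_directives(conf_text)}
    # Apache defaults when the directive is absent: ServerSignature Off, ServerTokens Full.
    if settings.get("serversignature", "Off").lower() != "off":
        findings.append("ServerSignature is not Off: server-generated pages disclose version and hostname")
    if settings.get("servertokens", "Full").lower() != "prod":
        findings.append("ServerTokens is not Prod: the Server header discloses version details (my addition to the checklist)")
    priority = settings.get("languagepriority", "").split()
    if priority and priority[0] != "en":
        findings.append("LanguagePriority does not put en first")
    return findings


def included_paths(conf_text):
    """Include targets that must be read by hand; conf.d/ was not attached in the thread."""
    return [a for d, a in parse_directives(conf_text) if d.lower() == "include"]


if __name__ == "__main__":
    for finding in audit(SAMPLE_HTTPD_CONF):
        print("-", finding)
    print("also review:", ", ".join(included_paths(SAMPLE_HTTPD_CONF)))
```

Point it at /etc/httpd/conf/httpd.conf and at each file under conf.d/ separately; the parser does not expand Include globs, which is deliberate, since the point of unSpawn's advice is to read those files rather than trust that they are all comments. After commenting out a flagged LoadModule, restart Apache and act on the warnings, as the post says.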
 
#13  newbie14 (Member, Original Poster), 04-15-2013, 02:19 PM
Dear Unspawn,
I have made the changes you suggested to my httpd.conf and attached it here. I have also attached the files in conf.d (mod_security.conf and php.conf). I only attached 2, as the rest are the README and welcome.conf, which I did not upload. Yes, my machine is behind a firewall and all access to it is via VPN tunnel; I had trouble setting up key authorization but it's working now.
Attached Files
File Type: txt mod_security.conf.txt (2.2 KB, 27 views)
File Type: txt php.conf.txt (674 Bytes, 23 views)
File Type: txt httpd.txt (33.6 KB, 21 views)
 
#14  unSpawn (Moderator), 04-15-2013, 04:56 PM
Configs look OK to me.
 
#15  newbie14 (Member, Original Poster), 04-15-2013, 09:48 PM
Dear Unspawn,
What are your comments on mod_security? Should I do some additional configuration on it? I am very new to it and need some tips.
 
  

