Old 02-20-2005, 05:05 AM   #1
ohcarol
Member
 
Registered: Dec 2004
Location: Nepal
Posts: 86

Rep: Reputation: 15
POST http://192.168.119.132/_vti_bin/_vti_aut/fp30reg.dll


I am using squid 2.5Stable7 on my Redhat Linux 7.3. For a few days I have been getting these types of requests in my squid log file.

NONE error:request-too-large HTTP/0.0" 413 1641 NONE:NONE
- - [20/Feb/2005:16:46:07 +0545] "NONE error:request-too-large HTTP/0.0" 413 1641 NONE:NONE
- - [20/Feb/2005:16:46:12 +0545] "NONE error:request-too-large HTTP/0.0" 413 1641 NONE:NONE
- - [20/Feb/2005:16:46:13 +0545] "NONE error:request-too-large HTTP/0.0" 413 1641 NONE:NONE
- - [20/Feb/2005:16:46:17 +0545] "NONE error:request-too-large HTTP/0.0" 413 1641 NONE:NONE
- - [20/Feb/2005:16:46:18 +0545] "NONE error:request-too-large HTTP/0.0" 413 1641 NONE:NONE
- - [20/Feb/2005:16:46:19 +0545] "POST http://192.168.119.128/_vti_bin/_vti_aut/fp30reg.dll HTTP/0.0" 501 1466 TCP_DENIED:NONE
- - [20/Feb/2005:16:46:21 +0545] "POST http://192.168.119.129/_vti_bin/_vti_aut/fp30reg.dll HTTP/0.0" 501 1466 TCP_DENIED:NONE
- - [20/Feb/2005:16:46:22 +0545] "POST http://192.168.119.130/_vti_bin/_vti_aut/fp30reg.dll HTTP/0.0" 501 1466 TCP_DENIED:NONE
- - [20/Feb/2005:16:46:23 +0545] "NONE error:request-too-large HTTP/0.0" 413 1641 NONE:NONE
- - [20/Feb/2005:16:46:24 +0545] "POST http://192.168.119.131/_vti_bin/_vti_aut/fp30reg.dll HTTP/0.0" 501 1466 TCP_DENIED:NONE
- - [20/Feb/2005:16:46:24 +0545] "NONE error:request-too-large HTTP/0.0" 413 1641 NONE:NONE
- - [20/Feb/2005:16:46:26 +0545] "NONE error:request-too-large HTTP/0.0" 413 1641 NONE:NONE
----------------------------------------------------------------
These types of requests are consuming my upload bandwidth. It looks like a client computer is infected by a worm or virus which is trying to scan IIS servers. How can I block these requests from passing through my proxy server in the firewall, so that my uplink bandwidth will be saved? Is there any way of blocking scans of vulnerable IIS ports on remote hosts from bypassing my proxy server?

Please help me. It's consuming a lot of my upload traffic.
 
Old 02-20-2005, 08:14 AM   #2
sigsegv
Senior Member
 
Registered: Nov 2004
Location: Third rock from the Sun
Distribution: NetBSD-2, FreeBSD-5.4, OpenBSD-3.[67], RHEL[34], OSX 10.4.1
Posts: 1,197

Rep: Reputation: 46
If the computer that you think is infected is on your network, pull its patch cable and get it cleaned up. If it's out on the internet somewhere, why are you allowing public access to your proxy server?

Either way, your question is answered in the FAQ.
 
Old 02-20-2005, 08:40 AM   #3
ohcarol
Member
 
Registered: Dec 2004
Location: Nepal
Posts: 86

Original Poster
Rep: Reputation: 15
Well, I can't do so because he is my client. I have informed him many times regarding this problem, but I don't know why he isn't applying the security patch to his computer.
Isn't it possible to stop or block the IIS server scanning port in my Linux server's firewall, so that the scanning of remote IIS servers can be blocked from bypassing my proxy server?
 
Old 02-20-2005, 08:52 AM   #4
sigsegv
Senior Member
 
Registered: Nov 2004
Location: Third rock from the Sun
Distribution: NetBSD-2, FreeBSD-5.4, OpenBSD-3.[67], RHEL[34], OSX 10.4.1
Posts: 1,197

Rep: Reputation: 46
Well, no. IIS runs on 80 (http) just like every other webserver does, so if you block his computer from hitting port 80, he's not going to be able to surf the internet with his browser either.
 
Old 02-20-2005, 11:18 AM   #5
TigerOC
Senior Member
 
Registered: Jan 2003
Location: Devon, UK
Distribution: Debian Etc/kernel 2.6.18-4K7
Posts: 2,380

Rep: Reputation: 49
I am not sure that this will improve your bandwidth, but I came across a useful addition to httpd.conf which redirects all of these to Microsoft and therefore uses up their bandwidth:

# RedirectMatch is provided by mod_alias, not mod_rewrite, so guard on that module
<IfModule mod_alias.c>
RedirectMatch permanent (.*)cmd.exe(.*)$ http://www.microsoft.com/
RedirectMatch permanent (.*)root.exe(.*)$ http://www.microsoft.com/
RedirectMatch permanent (.*)\/_vti_bin\/(.*)$ http://www.microsoft.com/
RedirectMatch permanent (.*)\/scripts\/\.\.(.*)$ http://www.microsoft.com/
RedirectMatch permanent (.*)\/_mem_bin\/(.*)$ http://www.microsoft.com/
RedirectMatch permanent (.*)\/msadc\/(.*)$ http://www.microsoft.com/
RedirectMatch permanent (.*)\/MSADC\/(.*)$ http://www.microsoft.com/
RedirectMatch permanent (.*)\/c\/winnt\/(.*)$ http://www.microsoft.com/
RedirectMatch permanent (.*)\/d\/winnt\/(.*)$ http://www.microsoft.com/
RedirectMatch permanent (.*)\/x90\/(.*)$ http://www.microsoft.com/
</IfModule>
 
Old 02-20-2005, 11:32 AM   #6
sigsegv
Senior Member
 
Registered: Nov 2004
Location: Third rock from the Sun
Distribution: NetBSD-2, FreeBSD-5.4, OpenBSD-3.[67], RHEL[34], OSX 10.4.1
Posts: 1,197

Rep: Reputation: 46
If the OP were using Apache instead of squid it might
 
Old 02-21-2005, 12:17 AM   #7
ohcarol
Member
 
Registered: Dec 2004
Location: Nepal
Posts: 86

Original Poster
Rep: Reputation: 15
Ok guys, here is the dump file of the infected PC.

------------------------------------------------------------------------------------------

11:55:48.809302 XXX.XXX.XXX.XXX.3320 > 192.168.231.174.http: . 1732923377:1732924837(1460) ack 4187239755 win 8760 (DF)
0x0000 4500 05dc 460d 4000 7e06 08e3 ca4f 3585 E...F.@.~....O5.
0x0010 c0a8 e7ae 0cf8 0050 674a 4ff1 f994 354b .......PgJO...5K
0x0020 5010 2238 b01c 0000 9090 9090 9090 9090 P."8............
0x0030 9090 9090 9090 9090 9090 9090 9090 9090 ................
0x0040 9090 9090 9090 9090 9090 9090 9090 9090 ................
0x0050 9090 9090 9090 9090 9090 9090 9090 9090 ................
0x0060 9090 9090 9090 9090 9090 9090 9090 9090 ................
0x0070 9090 9090 9090 9090 9090 9090 9090 9090 ................
0x0080 9090 9090 9090 9090 9090 9090 9090 9090 ................
11:55:48.929178 XXX.XXX.XXXX.XXX.3320 > 192.168.231.174.http: . 1460:2920(1460) ack 1 win 8760 (DF)
0x0000 4500 05dc 460e 4000 7e06 08e2 ca4f 3585 E...F.@.~....O5.
0x0010 c0a8 e7ae 0cf8 0050 674a 55a5 f994 354b .......PgJU...5K
0x0020 5010 2238 aa68 0000 9090 9090 9090 9090 P."8.h..........
0x0030 9090 9090 9090 9090 9090 9090 9090 9090 ................
0x0040 9090 9090 9090 9090 9090 9090 9090 9090 ................
0x0050 9090 9090 9090 9090 9090 9090 9090 9090 ................
0x0060 9090 9090 9090 9090 9090 9090 9090 9090 ................
11:55:48.934254 xxx.xx.xxx.xx.3320 > 192.168.231.174.http: . 4380:5110(730) ack 1 win 8760 (DF)
0x0000 4500 0302 4610 4000 7e06 0bba ca4f 3585 E...F.@.~....O5.
0x0010 c0a8 e7ae 0cf8 0050 674a 610d f994 354b .......PgJa...5K
0x0020 5010 2238 bff8 0000 9090 9090 9090 9090 P."8............
0x0030 9090 9090 9090 9090 9090 9090 9090 9090 ................
0x0040 9090 9090 9090 9090 9090 9090 9090 9090 ................
0x0050 9090 9090 9090 9090 9090 9090 9090 9090 ................

--------------------------------------------------------------------

I have even blocked it using a squid ACL, but it seems the traffic is still passing through the squid cache server, so it's consuming my uplink bandwidth. Any ideas for blocking that IIS scan from bypassing my server, while still letting the client browse the net apart from that traffic?
 
Old 02-21-2005, 02:11 AM   #8
TigerOC
Senior Member
 
Registered: Jan 2003
Location: Devon, UK
Distribution: Debian Etc/kernel 2.6.18-4K7
Posts: 2,380

Rep: Reputation: 49
Surely you have some kind of contract that says "you must ensure that your system is properly maintained at all times, and if at any time your system disrupts our network services then we have the right to terminate the service." This is standard with many ISPs. If not, maybe you should investigate this angle, or perhaps even volunteer to clean this box at no charge.
 
Old 02-21-2005, 10:58 PM   #9
ohcarol
Member
 
Registered: Dec 2004
Location: Nepal
Posts: 86

Original Poster
Rep: Reputation: 15
Any bash scripts so that it will automatically execute at 5 minute intervals from cron, look in squid's access.log file for such requests, and if found execute a command like routing the infected PC's IP to localhost or rejecting it:

/sbin/route add -host 192.168.0.2 reject
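One way to do what ohcarol asks for in this post, using the fp30reg.dll log lines from the first post as the pattern to detect. This is an added example and not a script anyone in the thread posted. It assumes squid writes access.log in the httpd-emulated format the thread's lines show, with the client IP as the first field; the sample log, the client addresses 10.0.0.7 and 10.0.0.9, and the function names find_scanners, block_ip and block_scanners are all constructed for the example. The hit threshold keeps a single stray request from locking a client out, and DRY_RUN only prints the route command unless it is explicitly set to 0.

```shell
#!/bin/sh
# Added example: find clients sending fp30reg.dll POSTs through squid and
# reject the route to them with "/sbin/route add -host <ip> reject".

# Constructed sample log standing in for /var/log/squid/access.log.
# The thread's lines had the client IP blanked out; 10.0.0.7 and 10.0.0.9 are made up.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
10.0.0.7 - - [20/Feb/2005:16:46:12 +0545] "NONE error:request-too-large HTTP/0.0" 413 1641 NONE:NONE
10.0.0.7 - - [20/Feb/2005:16:46:19 +0545] "POST http://192.168.119.128/_vti_bin/_vti_aut/fp30reg.dll HTTP/0.0" 501 1466 TCP_DENIED:NONE
10.0.0.9 - - [20/Feb/2005:16:46:20 +0545] "GET http://www.linuxquestions.org/ HTTP/1.0" 200 8312 TCP_MISS:DIRECT
10.0.0.7 - - [20/Feb/2005:16:46:21 +0545] "POST http://192.168.119.129/_vti_bin/_vti_aut/fp30reg.dll HTTP/0.0" 501 1466 TCP_DENIED:NONE
10.0.0.7 - - [20/Feb/2005:16:46:22 +0545] "POST http://192.168.119.130/_vti_bin/_vti_aut/fp30reg.dll HTTP/0.0" 501 1466 TCP_DENIED:NONE
10.0.0.9 - - [20/Feb/2005:16:46:23 +0545] "POST http://192.168.119.131/_vti_bin/_vti_aut/fp30reg.dll HTTP/0.0" 501 1466 TCP_DENIED:NONE
10.0.0.7 - - [20/Feb/2005:16:46:24 +0545] "POST http://192.168.119.131/_vti_bin/_vti_aut/fp30reg.dll HTTP/0.0" 501 1466 TCP_DENIED:NONE
EOF

# Print, one per line and sorted, the client IPs (first log field) that sent
# at least $2 POSTs to fp30reg.dll according to the log file in $1.
find_scanners() {
    grep -E '"POST [^ ]*/_vti_bin/_vti_aut/fp30reg\.dll ' "$1" \
        | awk -v min="$2" '{ hits[$1]++ }
                           END { for (ip in hits) if (hits[ip] >= min) print ip }' \
        | sort
}

# Reject the route to one client IP.  With DRY_RUN=1 (the default here) the
# command is only printed, so the script can be tried without root.
block_ip() {
    cmd="/sbin/route add -host $1 reject"
    if [ "${DRY_RUN:-1}" = "1" ]; then
        echo "$cmd"
    else
        $cmd
    fi
}

# Block every scanner in log $1 seen at least $2 times (default 3);
# the number of IPs handled is left in BLOCKED.
block_scanners() {
    BLOCKED=0
    for ip in $(find_scanners "$1" "${2:-3}"); do
        block_ip "$ip"
        BLOCKED=$((BLOCKED + 1))
    done
    return 0
}

# Stand-alone run: prints the route command for 10.0.0.7 only,
# since 10.0.0.9 made a single request and stays below the threshold.
block_scanners "$SAMPLE_LOG" 3
```

To run it for real every five minutes, point the last line at the live log, set DRY_RUN=0 and add a root crontab entry such as `*/5 * * * * DRY_RUN=0 /usr/local/sbin/block-fp30reg.sh` (path is an assumption). Note that a rejected route cuts that client off from the proxy entirely, not just from the scan traffic, so the threshold and an unblock procedure matter.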
 
Old 09-14-2005, 11:14 AM   #10
meverhagen
LQ Newbie
 
Registered: Mar 2005
Distribution: fedora core 3
Posts: 6

Rep: Reputation: 0
Maybe this helps.

mod_security will block most of these attacks. (Give them a 406 error, and prevent the execution of arbitrary code, e.g.: mod_security: Access denied with code 406. Pattern match "!^$" at HEADER)

Disable the atd service. It can be abused. (And check cron, but cron seems to be safe. Must be something with the user rights.)

Enable the clamav service. This will block the unnoticed sending of spam. Scan for viruses. Clamav will find them if they are present.

Disable all services which you do not use. (A lot of services like webmin, nfs, netdump, portmap are active when they are not needed. Disabling them will prevent the services from being abused. You can simply activate them when you need them.) This will prevent the eating of your bandwidth.

Be sure your logfiles are working. (To get a specific log working again, you have to specify a new location in the config file of the specific application.)

Oh yeah, and redirect to something like http://www.trash.bin (this will prevent any bandwidth being eaten at any webserver, since the www.trash.bin address does not exist. So redirect bad things to nothing, not to somebody else.)
Be aware of bots which index a lot of unnecessary files. Since the bots have no reason to do this, something else causes this.

Marcel
 