LinuxQuestions.org
Old 10-22-2005, 05:37 PM   #1
sneakyimp
Member
 
server crashing...under attack?


My server crashed last night. My buddy sent me some kind of log file which has a lot of recurring errors involving a few IP addresses. Is my server under attack?

A lot of the errors look to me like these folks are trying to find temporary files left by Macromedia Dreamweaver. There are a few... should I delete them?

Code:
exclog: top-level log:/var/log/httpd/access_log
exclog: site1: vhost www.mydomain.com, fd 5, owner 502:502
exclog: site1: domain mydomain.com
[Sun Oct 16 04:19:26 2005] [notice] Digest: generating secret for digest authentication ...
[Sun Oct 16 04:19:26 2005] [notice] Digest: done
[Sun Oct 16 04:19:26 2005] [notice] LDAP: Built with OpenLDAP LDAP SDK
[Sun Oct 16 04:19:26 2005] [notice] LDAP: SSL support unavailable
[Sun Oct 16 04:19:27 2005] [notice] httpdmon: httpdmon_init
[Sun Oct 16 04:19:27 2005] [notice] bandwidth monitoring enabled (mapping file: /etc/virtualhosting/mappings/apache.domainmap)
[Sun Oct 16 04:19:27 2005] [notice] Apache configured -- resuming normal operations
exclog: signal received 15
[Sun Oct 16 04:30:20 2005] [notice] SIGHUP received.  Attempting to restart
exclog: top-level log:/var/log/httpd/access_log
exclog: site1: vhost www.mydomain.com, fd 5, owner 502:502
exclog: site1: domain mydomain.com
[Sun Oct 16 04:30:23 2005] [notice] Digest: generating secret for digest authentication ...
[Sun Oct 16 04:30:23 2005] [notice] Digest: done
[Sun Oct 16 04:30:23 2005] [notice] LDAP: Built with OpenLDAP LDAP SDK
[Sun Oct 16 04:30:23 2005] [notice] LDAP: SSL support unavailable
[Sun Oct 16 04:30:24 2005] [notice] httpdmon: httpdmon_init
[Sun Oct 16 04:30:24 2005] [notice] bandwidth monitoring enabled (mapping file: /etc/virtualhosting/mappings/apache.domainmap)
[Sun Oct 16 04:30:25 2005] [notice] Apache configured -- resuming normal operations
exclog: log message too long, truncating.
[Sun Oct 16 14:12:14 2005] [error] [client 209.254.45.133] File does not exist: /var/www/html/_vti_bin
[Sun Oct 16 14:12:14 2005] [error] [client 209.254.45.133] request failed: URI too long (longer than 8190)
exclog: log message too long, truncating.
[Sun Oct 16 14:12:14 2005] [notice] child pid 28561 exit signal Segmentation fault (11)
exclog: log message too long, truncating.
[Sun Oct 16 15:11:41 2005] [error] [client 66.83.145.131] File does not exist: /var/www/html/phpmyadmin
[Sun Oct 16 20:42:22 2005] [error] [client 218.28.85.54] request failed: URI too long (longer than 8190)
exclog: log message too long, truncating.
[Sun Oct 16 20:42:22 2005] [error] [client 218.28.85.54] File does not exist: /var/www/html/_vti_bin
[Sun Oct 16 20:42:22 2005] [notice] child pid 28856 exit signal Segmentation fault (11)
exclog: log message too long, truncating.
[Sun Oct 16 21:36:07 2005] [error] [client 218.28.85.54] File does not exist: /var/www/html/_vti_bin
[Sun Oct 16 21:36:08 2005] [error] [client 218.28.85.54] request failed: URI too long (longer than 8190)
exclog: log message too long, truncating.
[Sun Oct 16 21:36:08 2005] [notice] child pid 3881 exit signal Segmentation fault (11)
exclog: log message too long, truncating.
[Mon Oct 17 02:03:42 2005] [error] [client 208.154.236.105] File does not exist: /var/www/html/_vti_bin
[Mon Oct 17 02:03:43 2005] [error] [client 208.154.236.105] request failed: URI too long (longer than 8190)
exclog: log message too long, truncating.
[Mon Oct 17 02:03:43 2005] [notice] child pid 28886 exit signal Segmentation fault (11)
exclog: log message too long, truncating.
[Mon Oct 17 02:06:46 2005] [error] [client 218.202.219.193] File does not exist: /var/www/html/sumthin
exclog: log message too long, truncating.
[Mon Oct 17 03:00:45 2005] [error] [client 61.53.57.16] File does not exist: /var/www/html/_vti_bin
[Mon Oct 17 03:00:56 2005] [error] [client 61.53.57.16] request failed: URI too long (longer than 8190)
exclog: log message too long, truncating.
[Mon Oct 17 03:00:56 2005] [notice] child pid 4104 exit signal Segmentation fault (11)
exclog: log message too long, truncating.
exclog: signal received 15
[Mon Oct 17 04:02:23 2005] [notice] SIGHUP received.  Attempting to restart
exclog: top-level log:/var/log/httpd/access_log
exclog: site1: vhost www.mydomain.com, fd 5, owner 502:502
exclog: site1: domain mydomain.com
[Mon Oct 17 04:02:25 2005] [notice] Digest: generating secret for digest authentication ...
[Mon Oct 17 04:02:25 2005] [notice] Digest: done
[Mon Oct 17 04:02:25 2005] [notice] LDAP: Built with OpenLDAP LDAP SDK
[Mon Oct 17 04:02:25 2005] [notice] LDAP: SSL support unavailable
[Mon Oct 17 04:02:26 2005] [notice] httpdmon: httpdmon_init
[Mon Oct 17 04:02:26 2005] [notice] bandwidth monitoring enabled (mapping file: /etc/virtualhosting/mappings/apache.domainmap)
[Mon Oct 17 04:02:27 2005] [notice] Apache configured -- resuming normal operations
[Mon Oct 17 04:17:23 2005] [error] [client 61.53.57.16] request failed: URI too long (longer than 8190)
exclog: log message too long, truncating.
[Mon Oct 17 04:17:23 2005] [notice] child pid 13950 exit signal Segmentation fault (11)
[Mon Oct 17 04:17:29 2005] [error] [client 61.53.57.16] File does not exist: /var/www/html/_vti_bin
[Mon Oct 17 21:29:10 2005] [error] [client 24.60.107.28] File does not exist: /var/www/html/_vti_bin
[Mon Oct 17 21:29:10 2005] [error] [client 24.60.107.28] request failed: URI too long (longer than 8190)
exclog: log message too long, truncating.
[Mon Oct 17 21:29:11 2005] [notice] child pid 18993 exit signal Segmentation fault (11)
exclog: log message too long, truncating.
[Tue Oct 18 01:59:31 2005] [error] [client 24.60.107.28] File does not exist: /var/www/html/_vti_bin
[Tue Oct 18 01:59:34 2005] [error] [client 24.60.107.28] request failed: URI too long (longer than 8190)
exclog: log message too long, truncating.
[Tue Oct 18 01:59:35 2005] [notice] child pid 19015 exit signal Segmentation fault (11)
[Tue Oct 18 03:12:52 2005] [error] [client 24.60.107.28] File does not exist: /var/www/html/_vti_bin
[Tue Oct 18 03:12:54 2005] [error] [client 24.60.107.28] request failed: URI too long (longer than 8190)
exclog: log message too long, truncating.
[Tue Oct 18 03:12:54 2005] [notice] child pid 31350 exit signal Segmentation fault (11)
[Tue Oct 18 04:02:03 2005] [error] [client 58.51.128.78] File does not exist: /var/www/html/web-hints
exclog: signal received 15
[Tue Oct 18 04:02:16 2005] [notice] SIGHUP received.  Attempting to restart
[Tue Oct 18 04:02:18 2005] [notice] Digest: generating secret for digest authentication ...
[Tue Oct 18 04:02:18 2005] [notice] Digest: done
[Tue Oct 18 04:02:18 2005] [notice] LDAP: Built with OpenLDAP LDAP SDK
[Tue Oct 18 04:02:18 2005] [notice] LDAP: SSL support unavailable
exclog: top-level log:/var/log/httpd/access_log
exclog: site1: vhost www.mydomain.com, fd 5, owner 502:502
exclog: site1: domain mydomain.com
[Tue Oct 18 04:02:19 2005] [notice] httpdmon: httpdmon_init
[Tue Oct 18 04:02:19 2005] [notice] bandwidth monitoring enabled (mapping file: /etc/virtualhosting/mappings/apache.domainmap)
[Tue Oct 18 04:02:20 2005] [notice] Apache configured -- resuming normal operations
[Tue Oct 18 05:48:47 2005] [error] [client 24.60.107.28] File does not exist: /var/www/html/_vti_bin
[Tue Oct 18 05:48:49 2005] [error] [client 24.60.107.28] request failed: URI too long (longer than 8190)
exclog: log message too long, truncating.
[Tue Oct 18 05:48:49 2005] [notice] child pid 2487 exit signal Segmentation fault (11)
[Tue Oct 18 06:23:00 2005] [error] [client 24.60.107.28] request failed: URI too long (longer than 8190)
exclog: log message too long, truncating.
[Tue Oct 18 06:23:00 2005] [notice] child pid 2484 exit signal Segmentation fault (11)
[Tue Oct 18 06:23:02 2005] [error] [client 24.60.107.28] File does not exist: /var/www/html/_vti_bin
[Tue Oct 18 06:58:45 2005] [error] [client 24.60.107.28] File does not exist: /var/www/html/_vti_bin
[Tue Oct 18 06:58:49 2005] [error] [client 24.60.107.28] request failed: URI too long (longer than 8190)
exclog: log message too long, truncating.
[Tue Oct 18 06:58:49 2005] [notice] child pid 2486 exit signal Segmentation fault (11)
[Tue Oct 18 17:30:45 2005] [error] [client 24.60.107.28] File does not exist: /var/www/html/_vti_bin
[Tue Oct 18 17:30:56 2005] [error] [client 24.60.107.28] request failed: URI too long (longer than 8190)
exclog: log message too long, truncating.
[Tue Oct 18 17:30:57 2005] [notice] child pid 6652 exit signal Segmentation fault (11)
[Tue Oct 18 19:17:34 2005] [error] [client 24.60.107.28] File does not exist: /var/www/html/_vti_bin
[Tue Oct 18 19:17:34 2005] [error] [client 24.60.107.28] request failed: URI too long (longer than 8190)
exclog: log message too long, truncating.
[Tue Oct 18 19:17:34 2005] [notice] child pid 6653 exit signal Segmentation fault (11)
[Tue Oct 18 21:16:29 2005] [error] [client 217.128.125.2] File does not exist: /var/www/html/_vti_bin
[Tue Oct 18 22:10:05 2005] [error] [client 217.128.125.2] File does not exist: /var/www/html/_vti_bin
[Tue Oct 18 22:10:51 2005] [error] [client 217.128.125.2] request failed: URI too long (longer than 8190)
exclog: log message too long, truncating.
[Tue Oct 18 22:10:52 2005] [notice] child pid 5959 exit signal Segmentation fault (11)
[Tue Oct 18 23:38:09 2005] [error] [client 24.60.107.28] File does not exist: /var/www/html/_vti_bin
[Tue Oct 18 23:38:10 2005] [error] [client 24.60.107.28] request failed: URI too long (longer than 8190)
exclog: log message too long, truncating.
[Tue Oct 18 23:38:10 2005] [notice] child pid 6641 exit signal Segmentation fault (11)
exclog: log message too long, truncating.
exclog: log message too long, truncating.
exclog: signal received 15
[Wed Oct 19 04:02:09 2005] [notice] SIGHUP received.  Attempting to restart
exclog: top-level log:/var/log/httpd/access_log
exclog: site1: vhost www.mydomain.com, fd 5, owner 502:502
exclog: site1: domain mydomain.com
[Wed Oct 19 04:02:11 2005] [notice] Digest: generating secret for digest authentication ...
[Wed Oct 19 04:02:11 2005] [notice] Digest: done
[Wed Oct 19 04:02:11 2005] [notice] LDAP: Built with OpenLDAP LDAP SDK
[Wed Oct 19 04:02:11 2005] [notice] LDAP: SSL support unavailable
[Wed Oct 19 04:02:12 2005] [notice] httpdmon: httpdmon_init
[Wed Oct 19 04:02:12 2005] [notice] bandwidth monitoring enabled (mapping file: /etc/virtualhosting/mappings/apache.domainmap)
[Wed Oct 19 04:02:13 2005] [notice] Apache configured -- resuming normal operations
exclog: log message too long, truncating.
exclog: log message too long, truncating.
[Wed Oct 19 07:52:33 2005] [error] [client 217.128.125.2] File does not exist: /var/www/html/_vti_bin
[Wed Oct 19 11:17:49 2005] [error] [client 24.60.107.28] request failed: URI too long (longer than 8190)
exclog: log message too long, truncating.
[Wed Oct 19 11:17:49 2005] [error] [client 24.60.107.28] File does not exist: /var/www/html/_vti_bin
[Wed Oct 19 11:17:50 2005] [notice] child pid 28078 exit signal Segmentation fault (11)
Allowed memory size of 8388608 bytes exhausted (tried to allocate 1814646 bytes)
Allowed memory size of 8388608 bytes exhausted (tried to allocate 1814646 bytes)
Allowed memory size of 8388608 bytes exhausted (tried to allocate 1814646 bytes)
Allowed memory size of 8388608 bytes exhausted (tried to allocate 1814646 bytes)
Allowed memory size of 8388608 bytes exhausted (tried to allocate 1814646 bytes)
Allowed memory size of 8388608 bytes exhausted (tried to allocate 1816796 bytes)
Allowed memory size of 8388608 bytes exhausted (tried to allocate 1816796 bytes)
Allowed memory size of 8388608 bytes exhausted (tried to allocate 1816796 bytes)
Allowed memory size of 8388608 bytes exhausted (tried to allocate 1814133 bytes)
Allowed memory size of 8388608 bytes exhausted (tried to allocate 1814133 bytes)
Allowed memory size of 8388608 bytes exhausted (tried to allocate 1814133 bytes)
Allowed memory size of 8388608 bytes exhausted (tried to allocate 1814133 bytes)
Allowed memory size of 8388608 bytes exhausted (tried to allocate 1814133 bytes)
[Wed Oct 19 18:39:08 2005] [error] [client 24.60.107.28] File does not exist: /var/www/html/_vti_bin
[Wed Oct 19 18:39:26 2005] [error] [client 24.60.107.28] request failed: URI too long (longer than 8190)
exclog: log message too long, truncating.
[Wed Oct 19 18:39:26 2005] [notice] child pid 28079 exit signal Segmentation fault (11)
[Wed Oct 19 20:42:36 2005] [error] [client 24.60.107.28] File does not exist: /var/www/html/_vti_bin
[Wed Oct 19 20:42:37 2005] [error] [client 24.60.107.28] request failed: URI too long (longer than 8190)
exclog: log message too long, truncating.
[Wed Oct 19 20:42:37 2005] [notice] child pid 2373 exit signal Segmentation fault (11)
exclog: log message too long, truncating.
exclog: log message too long, truncating.
[Wed Oct 19 23:10:23 2005] [error] [client 66.7.71.83] File does not exist: /var/www/html/scripts
[Wed Oct 19 23:51:51 2005] [error] [client 72.29.41.229] File does not exist: /var/www/html/_vti_bin
[Thu Oct 20 00:48:23 2005] [error] [client 72.29.41.229] File does not exist: /var/www/html/_vti_bin
[Thu Oct 20 00:48:35 2005] [error] [client 72.29.41.229] request failed: URI too long (longer than 8190)
exclog: log message too long, truncating.
[Thu Oct 20 00:48:35 2005] [notice] child pid 32538 exit signal Segmentation fault (11)
exclog: signal received 15
[Thu Oct 20 04:02:13 2005] [notice] SIGHUP received.  Attempting to restart
[Thu Oct 20 04:02:14 2005] [notice] Digest: generating secret for digest authentication ...
[Thu Oct 20 04:02:14 2005] [notice] Digest: done
[Thu Oct 20 04:02:14 2005] [notice] LDAP: Built with OpenLDAP LDAP SDK
[Thu Oct 20 04:02:14 2005] [notice] LDAP: SSL support unavailable
exclog: top-level log:/var/log/httpd/access_log
exclog: site1: vhost www.mydomain.com, fd 5, owner 502:502
exclog: site1: domain mydomain.com
[Thu Oct 20 04:02:15 2005] [notice] httpdmon: httpdmon_init
[Thu Oct 20 04:02:15 2005] [notice] bandwidth monitoring enabled (mapping file: /etc/virtualhosting/mappings/apache.domainmap)
[Thu Oct 20 04:02:16 2005] [notice] Apache configured -- resuming normal operations
exclog: signal received 15
[Thu Oct 20 04:23:48 2005] [notice] SIGHUP received.  Attempting to restart
exclog: top-level log:/var/log/httpd/access_log
exclog: site1: vhost www.mydomain.com, fd 5, owner 502:502
exclog: site1: domain mydomain.com
[Thu Oct 20 04:23:50 2005] [notice] Digest: generating secret for digest authentication ...
[Thu Oct 20 04:23:50 2005] [notice] Digest: done
[Thu Oct 20 04:23:50 2005] [notice] LDAP: Built with OpenLDAP LDAP SDK
[Thu Oct 20 04:23:50 2005] [notice] LDAP: SSL support unavailable
[Thu Oct 20 04:23:50 2005] [notice] httpdmon: httpdmon_init
[Thu Oct 20 04:23:50 2005] [notice] bandwidth monitoring enabled (mapping file: /etc/virtualhosting/mappings/apache.domainmap)
[Thu Oct 20 04:23:52 2005] [notice] Apache configured -- resuming normal operations
exclog: signal received 15
[Fri Oct 21 04:02:09 2005] [notice] SIGHUP received.  Attempting to restart
[Fri Oct 21 04:02:11 2005] [notice] Digest: generating secret for digest authentication ...
[Fri Oct 21 04:02:11 2005] [notice] Digest: done
[Fri Oct 21 04:02:11 2005] [notice] LDAP: Built with OpenLDAP LDAP SDK
[Fri Oct 21 04:02:11 2005] [notice] LDAP: SSL support unavailable
exclog: top-level log:/var/log/httpd/access_log
exclog: site1: vhost www.mydomain.com, fd 5, owner 502:502
exclog: site1: domain mydomain.com
[Fri Oct 21 04:02:12 2005] [notice] httpdmon: httpdmon_init
[Fri Oct 21 04:02:12 2005] [notice] bandwidth monitoring enabled (mapping file: /etc/virtualhosting/mappings/apache.domainmap)
[Fri Oct 21 04:02:13 2005] [notice] Apache configured -- resuming normal operations
[Fri Oct 21 10:53:49 2005] [error] [client 207.62.28.250] request failed: error reading the headers
exclog: signal received 15
[Sat Oct 22 04:02:17 2005] [notice] SIGHUP received.  Attempting to restart
[Sat Oct 22 04:02:21 2005] [notice] seg fault or similar nasty error detected in the parent process
[Sat Oct 22 08:44:18 2005] [notice] LDAP: Built with OpenLDAP LDAP SDK
[Sat Oct 22 08:44:18 2005] [notice] LDAP: SSL support unavailable
exclog: top-level log:/var/log/httpd/access_log
exclog: site1: vhost www.mydomain.com, fd 5, owner 502:502
exclog: site1: domain mydomain.com
[Sat Oct 22 08:44:19 2005] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Sat Oct 22 08:44:19 2005] [notice] httpdmon: httpdmon_init
[Sat Oct 22 08:44:19 2005] [notice] bandwidth monitoring enabled (mapping file: /etc/virtualhosting/mappings/apache.domainmap)
exclog: signal received 15
exclog: top-level log:/var/log/httpd/access_log
exclog: site1: vhost www.mydomain.com, fd 5, owner 502:502
exclog: site1: domain mydomain.com
[Sat Oct 22 08:44:21 2005] [notice] Digest: generating secret for digest authentication ...
[Sat Oct 22 08:44:21 2005] [notice] Digest: done
[Sat Oct 22 08:44:21 2005] [notice] LDAP: Built with OpenLDAP LDAP SDK
[Sat Oct 22 08:44:21 2005] [notice] LDAP: SSL support unavailable
[Sat Oct 22 08:44:22 2005] [notice] httpdmon: httpdmon_init
[Sat Oct 22 08:44:22 2005] [notice] bandwidth monitoring enabled (mapping file: /etc/virtualhosting/mappings/apache.domainmap)
[Sat Oct 22 08:44:24 2005] [notice] Apache configured -- resuming normal operations

Last edited by sneakyimp; 10-22-2005 at 05:40 PM.
 
Old 10-22-2005, 08:12 PM   #2
unSpawn
Moderator
 
my buddy sent me some kind of log file
It's your Apache's access log.


which has a lot of recurring errors involving a few IP addresses. Is my server under attack?
Looks like quite an aggressive scan. At this rate, and with the hosts used (from .edu to .cn) and with this effect I'd call it an attack, yes.


A lot of the errors look to me like these folks are trying to find temporary files left by macromedia dreamweaver.
I thought the vti stuff was general DAV protocol stuff. In any case they're scanning for more than that: phpmyadmin, scripts...


there are a few...should i delete them?
Before you do please check the integrity of your box. Should be a higher priority.
Then if you made sure all is OK check those files and delete them if necessary.
 
Old 10-22-2005, 09:32 PM   #3
sneakyimp
Member
 
Thanks so much for your response.

two really important questions:

1) What is the most effective way to defend myself? Any obvious precautions I can take?
2) How might I check the integrity of my box?

Edit:
I have checked the Apache logs and I cannot find any entries there that match these IPs:
217.128.125.2
207.62.28.250

What's with that?

Of the others, I find 4 basic types of entry:

Type 1 is a really long request:
Code:
access_log:209.254.45.133 - - [16/Oct/2005:09:23:53 -0400] "SEARCH /\x90\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x0...
Type 2 appears to be a Windows hack... looking for a DLL which doesn't exist on my machine:
Code:
access_log:209.254.45.133 - - [16/Oct/2005:09:23:49 -0400] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 293 "-" "-"
Type 3 is looking for phpmyadmin:
Code:
access_log:66.83.145.131 - - [16/Oct/2005:15:11:41 -0400] "GET /phpmyadmin/index.php HTTP/1.0" 404 284 "-" "-"
Type 4 is looking for some other file:
Code:
access_log:218.202.219.193 - - [17/Oct/2005:02:06:46 -0400] "GET /sumthin HTTP/1.0" 404 271 "-" "-"
Type 5 has some kind of full URL:
Code:
access_log:58.51.128.78 - - [18/Oct/2005:04:02:01 -0400] "GET http://www.inwap.com/web-hints/env.cgi HTTP/1.1" 404 281 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
Type 6 is another Windows attack that I've seen before:
Code:
access_log:66.7.71.83 - - [19/Oct/2005:23:10:26 -0400] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 305 "-" "-"

Last edited by sneakyimp; 10-22-2005 at 10:17 PM.
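The request shapes listed in the post above, turned into detection logic that can be run over an access_log to count which client sent which kind of probe. This is an added example, not code from the thread; the signature names are my own, and the sample log lines (documentation IP ranges, made-up timestamps) are constructed to mirror the six types:

```python
import re
from collections import Counter

# Combined log format. The request field may carry escaped raw bytes (\x90 ...),
# so only the quoted boundaries are relied on, not the characters inside.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# One regex per request shape from the post; first match wins. The labels are
# my own naming (assumption), not something Apache or the thread defines.
SIGNATURES = [
    ("webdav_search_binary",  re.compile(r"^SEARCH /\S*\\x[0-9a-fA-F]{2}")),   # type 1
    ("frontpage_ext_probe",   re.compile(r"/_vti_bin/", re.I)),                # type 2
    ("phpmyadmin_probe",      re.compile(r"/phpmyadmin/", re.I)),              # type 3
    ("open_proxy_probe",      re.compile(r"^\S+ https?://", re.I)),            # type 5
    ("iis_unicode_traversal", re.compile(r"%(25)?5c|\.\./.*cmd\.exe", re.I)),  # type 6
]

def parse_line(line):
    """Return the fields of one access_log line, or None if it is not in this format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def classify(request):
    """Label a request line with the first matching signature, or None."""
    for name, rx in SIGNATURES:
        if rx.search(request):
            return name
    return None

def scan_log(lines, max_request=8190):
    """Map client IP -> Counter of signature hits. A request longer than
    Apache's default LimitRequestLine (8190) is flagged even without a
    signature match; that is what the 'URI too long' error_log entries are."""
    hits = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        label = classify(rec["request"])
        if label is None and len(rec["request"]) > max_request:
            label = "oversized_request"
        if label is not None:
            hits.setdefault(rec["ip"], Counter())[label] += 1
    return hits

# Constructed sample lines mirroring the thread's six types. "/sumthin" is
# type 4: a plain 404 with nothing distinctive, so it gets no label.
SAMPLE_LOG = r'''
198.51.100.7 - - [16/Oct/2005:09:23:49 -0400] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 293 "-" "-"
198.51.100.7 - - [16/Oct/2005:09:23:53 -0400] "SEARCH /\x90\x04H\x04H\x04H\x04H\x04H\x04H HTTP/1.1" 414 0 "-" "-"
203.0.113.9 - - [16/Oct/2005:15:11:41 -0400] "GET /phpmyadmin/index.php HTTP/1.0" 404 284 "-" "-"
203.0.113.9 - - [17/Oct/2005:02:06:46 -0400] "GET /sumthin HTTP/1.0" 404 271 "-" "-"
192.0.2.44 - - [18/Oct/2005:04:02:01 -0400] "GET http://example.com/web-hints/env.cgi HTTP/1.1" 404 281 "-" "Mozilla/4.0"
192.0.2.44 - - [19/Oct/2005:23:10:26 -0400] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 305 "-" "-"
192.0.2.44 - - [19/Oct/2005:23:10:27 -0400] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
'''.strip().splitlines()

if __name__ == "__main__":
    for ip, counts in scan_log(SAMPLE_LOG).items():
        print(ip, dict(counts))
```

Run it against a real per-vhost access_log (the thread notes each domain has its own) by feeding the file's lines to scan_log instead of SAMPLE_LOG.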
 
Old 10-23-2005, 11:14 AM   #4
unSpawn
Moderator
 
1) what is the most effective way to defend myself? any obvious precautions i can take?
The first thing is to *make sure* your box is hardened properly (please check out the LQ FAQ: Security references for more info.). This includes being up to date on all the software you run, having a backup/restore procedure and regularly auditing your box.

For quickly blocking excessive requests mod_evasive would be the fastest and most efficient option. If you've got the httpd-devel package installed then using apxs will install mod_evasive in approx. 30 secs, and the config you just cut from the README. Also have a look if you want/need/like to play with mod_security. I haven't played with mod_security enough to comment on it other than that it "looks good". See for yourself.


2) how might i check the integrity of my box?
Distro-independent checking should begin with installing a file integrity checker (Aide, Samhain or even tripwire) right after the OS is installed and backing up the databases to an off-site location. Can't install it much later like when the OS is exposed to the 'net because then you don't have any guarantee the box has already been tampered with.

Distro-centric checking depends on if your package manager or packages contain per-item checksums. Then you can run a system check against (an off-site and read-only copy of) the installed package database or against remote packages. The scope of distro-centric checking is however limited because only package contents can be checked and not items introduced into the system by other means.

For a first quick check of possibly trojaned binaries like /sbin/init, psutils and introduction of other goodies consider running Chkrootkit and Rootkit Hunter. If you didn't install those and you can't run KNOPPIX-STD or alike be sure to build them on another box and also bring a safe copy of the needed utils (maybe use Busybox) with you.
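The distro-independent approach described above (baseline every file right after install, keep the database off the box, verify against it later), reduced to a runnable sketch. This is an added example, not the code or database format of AIDE, Samhain or tripwire; the fake root it baselines is constructed in a temp dir, and a manifest that only ever lives on the host being checked proves nothing, which is the point of the off-site copy:

```python
import hashlib
import json
import os
import stat
import tempfile

def file_record(path):
    """Hash plus the metadata the real checkers also track (mode, owner, size)."""
    st = os.lstat(path)
    rec = {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid,
           "gid": st.st_gid, "size": st.st_size}
    if stat.S_ISLNK(st.st_mode):
        rec["target"] = os.readlink(path)   # record the link itself, never follow it
    elif stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        rec["sha256"] = h.hexdigest()
    return rec

def build_manifest(root):
    """Relative path -> record for every file below root, in a stable order."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = file_record(full)
    return manifest

def save_manifest(manifest, path):
    with open(path, "w") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)

def load_manifest(path):
    with open(path) as f:
        return json.load(f)

def compare(baseline, current):
    """Paths that appeared, disappeared, or changed in any recorded attribute."""
    old, new = set(baseline), set(current)
    return {"added": sorted(new - old),
            "removed": sorted(old - new),
            "modified": sorted(p for p in old & new if baseline[p] != current[p])}

def _write(root, rel, data, mode=0o644):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)
    os.chmod(full, mode)

def demo():
    """Constructed scenario: baseline a tiny fake root, tamper with it, verify."""
    root = tempfile.mkdtemp(prefix="fim-demo-")
    _write(root, "sbin/init", b"#!/bin/sh\nexec /sbin/init.real\n", 0o755)
    _write(root, "etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n")
    baseline = build_manifest(root)
    manifest_path = root + ".baseline.json"   # in real use this copy leaves the box
    save_manifest(baseline, manifest_path)
    # Tampering: one byte changed at equal length, so size alone would not show
    # it, plus a file that did not exist when the baseline was taken.
    _write(root, "sbin/init", b"#!/bin/sh\nexec /sbin/init.reaL\n", 0o755)
    _write(root, "usr/local/bin/extra", b"#!/bin/sh\necho hi\n", 0o755)
    current = build_manifest(root)
    return baseline, current, compare(load_manifest(manifest_path), current)

if __name__ == "__main__":
    for kind, paths in demo()[2].items():
        print(kind, paths)
```

Because mode, owner and size are part of each record, a chmod or chown on an unchanged binary is reported as modified too, not only a content change.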
 
Old 10-23-2005, 05:37 PM   #5
sneakyimp
Member
 
THANKS for the suggestions. That's a lot to digest at the moment.

In the meantime, what about those two IPs I can't find in the access or error logs?

217.128.125.2
207.62.28.250


They were in the log my buddy sent, but now I have grepped for them in the access logs and do not see them. How is that possible?

EDIT: aha!! Never mind. Our server has different access logs for each domain and I located the other ones. The log entries look more like ineffective attempts at overloading length, accessing DLLs, etc.


Last edited by sneakyimp; 10-23-2005 at 07:08 PM.
 
  

