LinuxQuestions.org

Linux - Security: Windows executable files upload (https://www.linuxquestions.org/questions/linux-security-4/windows-executable-files-upload-4175516885/)

newbie14 08-30-2014 10:41 AM

Windows executable files upload
 
I ran my logwatch for a slightly longer period, from today back to 75 days ago, and below is what I see

Code:

915.48 MB transferred in 65987 responses  (1xx 0, 2xx 45543, 3xx 11883, 4xx 8531, 5xx 30)
    17324 Images (36.38 MB),
        4 Documents (0.00 MB),
        2 Windows executable files (0.00 MB),
    48274 Content pages (879.02 MB),
        3 Redirects (0.00 MB),
        4 Configs (0.00 MB),
      68 mod_proxy requests (0.02 MB),
      308 Other (0.06 MB)


I notice these 4 Documents (0.00 MB)
and 2 Windows executable files (0.00 MB). Should I ignore this or take some action on it?


Also, is there any remedy for this?

Attempts to use known hacks by 9 hosts were logged 21 time(s) from:
Code:

    203.97.21.3: 6 Time(s)
      /\.\./\.\./\.\./ 2 Time(s)
      passwd$ 2 Time(s)
      boot\.ini 2 Time(s)
    210.116.114.212: 6 Time(s)
      /\.\./\.\./\.\./ 2 Time(s)
      passwd$ 2 Time(s)
      boot\.ini 2 Time(s)
    95.48.87.242: 3 Time(s)
      \\x81 3 Time(s)
    194.208.186.41: 1 Time(s)
      ^null$ 1 Time(s)
    207.194.255.18: 1 Time(s)
      ^null$ 1 Time(s)
    50.190.148.124: 1 Time(s)
      ^null$ 1 Time(s)
    70.159.96.229: 1 Time(s)
      ^null$ 1 Time(s)
    76.105.212.9: 1 Time(s)
      ^null$ 1 Time(s)
    98.164.112.93: 1 Time(s)
      ^null$ 1 Time(s)


Bruce Baker 08-30-2014 01:33 PM

Can't upload windows executables
 
A Windows executable file cannot run on a Linux file system. Therefore, the uploader doesn't even bother to try to upload the file. I hope I am making sense to you. The Windows executable file is worthless on any Linux platform. I will give you my email address, and you may contact me if you need more help.
Bruce Baker email: brucebrookebaker@yahoo.com

Habitual 08-30-2014 04:33 PM

Quote:

Originally Posted by newbie14
Also is there any remedy for this

Attempts to use known hacks by 9 hosts were logged 21 time(s) from:
Code:

    203.97.21.3: 6 Time(s)
      /\.\./\.\./\.\./ 2 Time(s)
      passwd$ 2 Time(s)
      boot\.ini 2 Time(s)
    210.116.114.212: 6 Time(s)
      /\.\./\.\./\.\./ 2 Time(s)
      passwd$ 2 Time(s)
      boot\.ini 2 Time(s)
    95.48.87.242: 3 Time(s)
      \\x81 3 Time(s)
    194.208.186.41: 1 Time(s)
      ^null$ 1 Time(s)
    207.194.255.18: 1 Time(s)
      ^null$ 1 Time(s)
    50.190.148.124: 1 Time(s)
      ^null$ 1 Time(s)
    70.159.96.229: 1 Time(s)
      ^null$ 1 Time(s)
    76.105.212.9: 1 Time(s)
      ^null$ 1 Time(s)
    98.164.112.93: 1 Time(s)
      ^null$ 1 Time(s)


fail2ban.

newbie14 08-31-2014 04:25 AM

Dear Bruce Baker,
Then why is logwatch reporting on Windows executable files? Is there anything for me to dig into further on this?

---------- Post added 08-31-14 at 05:26 PM ----------

Dear Habitual,
Yes, I have fail2ban enabled. Do I need to tweak it further?

unSpawn 08-31-2014 06:03 AM

Quote:

Originally Posted by Bruce Baker (Post 5229842)
A windows executable file cannot run on a linux file system. (..) The windows executable file is worthless on any linux platform.

I would like to remind you that while Linux does not run PE binaries, a Linux system can be abused to serve up PE malware, so saying it is worthless is only part of the story.


Quote:

Originally Posted by Bruce Baker (Post 5229842)
Therefore, the uploader doesn't even bother to try to upload the file.

Strictly speaking, unless you have access to this members httpd logs, you have no grounds on which you can base this, which makes it an assumption. Please be careful and factual.


Quote:

Originally Posted by Bruce Baker (Post 5229842)
I will give you my email address, and you may contact me if you need more help.

You're relatively new here so I caution you to please not do that. Whatever is posted here should be handled here (with the exception of those members I trust to perform incident handling the way I like to see it done).

unSpawn 08-31-2014 06:05 AM

Quote:

Originally Posted by newbie14 (Post 5229791)
I ran my logwatch for a slight longer days from today to 75 days ago and below is what I see

...which again isn't the whole picture. Please refer to your prior threads https://www.linuxquestions.org/quest...ed-4175457440/ , https://www.linuxquestions.org/quest...ch-4175462471/ and https://www.linuxquestions.org/quest...ng-4175474409/ and note that I explained to you before how you can use logwatch in --debug mode and grep for things to find out what gets processed how.

Bruce Baker 08-31-2014 08:30 AM

To UnSpawn: I was careful and factual, because the output of the upload showed 0.0 executable files, which are either no luck trying or didn't even try (moot point!). Don't ride so high and mighty on your silver steed. Some of the rest of us can make educated surmises, too.

Now as to Newbie's question: It would depend entirely on whether or not you are searching for malware in your uploads. Except that there is no file to inspect; so you're back at the original: ignore it! Okay?

newbie14 08-31-2014 09:32 AM

Dear Unspawn,
I ran it like this:
Code:

logwatch --detail High --service All --range 'between -75 days and today' --archives --numeric > /usr/local/300814logwatch_75

but now I have added this:
Code:

logwatch --detail High --service All --range 'between -75 days and today' --archives --numeric --debug > /usr/local/300814logwatch_75

What option should I put for the debug? Could it be referring to the python .exe like what we discovered previously?

Habitual 08-31-2014 10:41 AM

Quote:

Originally Posted by newbie14 (Post 5230070)
Dear Habitual,
Yes I have fail2ban enabled do I need to tweak it further?

You can do so by adding something like this to your /etc/fail2ban/jail.local
Code:

[honeypot]

enabled  = true
filter   = honeypot
# The action must name the action.d/honeypot.conf file created below; "iptables"
# would select fail2ban's stock single-port action, which does not accept
# port="http,https". The multiport match used in that action only works with
# tcp/udp, so protocol=all would make the actionstart rule fail.
action   = honeypot[name=honeypot, protocol=tcp, port="http,https"]
maxretry = 1
logpath  = /path/to/your/access.log
bantime  = 31556926 ; 1 year in seconds

/etc/fail2ban/filter.d/honeypot.conf:
Code:

[Definition]

docroot = /var/www/html
# Escape the dot so that "boot-ini" or "bootXini" does not fire the rule.
badadmin = boot\.ini
# Option:  failregex
# Notes.:  Regexp to match boot.ini anywhere in the request target. The probes in
#          the Logwatch report look like /../../../boot.ini, which the stricter
#          "GET \/boot.ini" form would miss; [^"]* keeps the match inside the
#          request line so a User-Agent string cannot trigger it.
# Values:  TEXT
#

failregex = ^<HOST> .*"GET [^"]*%(badadmin)s[^"]*"
            ^<HOST> .*"POST [^"]*%(badadmin)s[^"]*"

ignoreregex =

Make a new /etc/fail2ban/action.d/honeypot.conf file with these contents:
Code:

# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Modified by Yaroslav Halchenko for multiport banning
# $Revision: 658 $
#

[Definition]
actionstart = iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>

actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
             iptables -F fail2ban-<name>
             iptables -X fail2ban-<name>

actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name>

actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP


actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP

[Init]

# Default name of the chain
name = default

# Option:  port
port = http

# Option:  protocol
protocol = tcp

chain = INPUT

Test it first using
Code:

fail2ban-regex /path/to/your/access.log /etc/fail2ban/filter.d/honeypot.conf
If that succeeds in showing something along this line/result:
Success, the total number of match is <number>

then you should be good to go.
If you see "Sorry, no match" then 2 things to check,
1.) your access.log file has been rotated or there are no hits.
2.) your /etc/fail2ban/filter.d/honeypot.conf file is poorly configured.

It's Python and spacing matters! I usually line up everything to the right of the "=" sign using spaces, not tabs, e.g.:
Code:

failregex = ^<HOST> .*"GET [^"]*%(badadmin)s[^"]*"
            ^<HOST> .*"POST [^"]*%(badadmin)s[^"]*"

Adjust accordingly and check again with
Code:

fail2ban-regex /path/to/your/access.log /etc/fail2ban/filter.d/honeypot.conf
Restart fail2ban using
Code:

fail2ban-client reload
If you are on CentOS... you should save your current iptables rules with something like
Code:

sudo iptables-save > /root/safe.rules
before
Code:

fail2ban-client reload
On later Ubuntu hosts, you need the iptables-persistent package installed to keep your iptables rules across reboots.

I hope that's helpful.

See my 2 blog posts on the fail2ban subject.
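To see what the honeypot filter above actually catches, here is an added example (not Habitual's code and not part of fail2ban) that expands <HOST> in a simplified way and runs three variants of the failregex over constructed access-log lines: the regex as first posted, a naive "anything containing boot.ini" one, and a tightened one. The IPv4-only <HOST> expansion, the sample lines and the addresses in them are assumptions; fail2ban's real <HOST> also matches IPv6 and hostnames, and its findtime window is ignored here.

```python
"""Emulate what fail2ban does with a filter: expand <HOST>, run the failregex over
access-log lines, count hits per source address and apply maxretry."""
import re
from collections import Counter

# fail2ban replaces <HOST> with a pattern for an IPv4/IPv6 address or hostname;
# this simplified expansion only handles IPv4 (assumption: enough for the sample).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"


def compile_failregex(*patterns):
    return [re.compile(p.replace("<HOST>", HOST)) for p in patterns]


# The filter as first posted: only fires when boot.ini is the first path component,
# and the unescaped dot also matches "bootXini" and similar.
POSTED = compile_failregex(
    r'^<HOST> .*"GET \/(?:boot.ini).*?"',
    r'^<HOST> .*"POST \/(?:boot.ini).*?"',
)
# Naive variant: anything on the line, including the User-Agent, can trigger it.
NAIVE = compile_failregex(r'^<HOST> .*boot\.ini')
# Tightened variant: boot.ini anywhere in the request target, dot escaped, and the
# match confined to the request line by [^"]*.
TIGHTENED = compile_failregex(r'^<HOST> .*"(?:GET|POST) [^"]*boot\.ini[^"]*"')


def matched_host(line, regexes):
    """Return the <HOST> group of the first regex that matches, else None."""
    for rx in regexes:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


def hosts_to_ban(log_text, regexes, maxretry=1):
    """Addresses with at least maxretry matching lines, as fail2ban would ban them
    (findtime is ignored: the whole sample is treated as one window)."""
    hits = Counter()
    for line in log_text.splitlines():
        host = matched_host(line, regexes)
        if host:
            hits[host] += 1
    return sorted(h for h, n in hits.items() if n >= maxretry)


# Constructed sample lines (Combined Log Format); addresses and paths are illustrative.
SAMPLE_LOG = """\
203.97.21.3 - - [20/Aug/2014:10:11:12 -0500] "GET /../../../boot.ini HTTP/1.1" 404 209 "-" "Mozilla/4.0"
203.97.21.3 - - [20/Aug/2014:10:11:13 -0500] "GET /../../../etc/passwd HTTP/1.1" 404 209 "-" "Mozilla/4.0"
210.116.114.212 - - [21/Aug/2014:01:02:03 -0500] "GET /boot.ini HTTP/1.0" 404 209 "-" "-"
192.0.2.10 - - [21/Aug/2014:08:00:00 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.11 - - [21/Aug/2014:08:00:01 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "boot.ini-scanner/1.0"
198.51.100.5 - - [22/Aug/2014:09:00:00 -0500] "GET /bootXini HTTP/1.1" 404 209 "-" "-"
"""

if __name__ == "__main__":
    for label, regexes in (("posted", POSTED), ("naive", NAIVE), ("tightened", TIGHTENED)):
        print(f"{label:10} bans {hosts_to_ban(SAMPLE_LOG, regexes)}")
```

The posted form bans the host that asked for /boot.ini at the document root and the bogus /bootXini request, but misses the traversal probe; the naive form additionally bans an innocent client because of its User-Agent; the tightened form bans exactly the two hosts that requested boot.ini. This is the same comparison you get from running fail2ban-regex with each filter, only without needing fail2ban installed.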

unSpawn 08-31-2014 04:38 PM

Quote:

Originally Posted by newbie14 (Post 5230172)
What option should I put for the debug?

None, "--high" is enough.


Quote:

Originally Posted by newbie14 (Post 5230172)
Could it be referring to the python .exe like what we discover previously?

Unlikely. Send a compressed copy of the report to my Gmail address please?

newbie14 08-31-2014 10:19 PM

Dear Unspawn,
I have sent the file accordingly.

sundialsvcs 09-01-2014 07:02 AM

Remember also that what a Unix/Linux system says is "a Windows executable file" is ... an educated guess, based on observed data characteristics.

Really, the most important thing to glean from log displays such as this one is: "does this 'ring true?'" "Is this what I would expect to see from this system, if it were being used by authorized users for legitimate business purposes?" If not, then the log has just done its job of being the canary in the coal-mine. It's your job to figure out what the canary meant.

unSpawn 09-01-2014 03:39 PM

Quote:

Originally Posted by newbie14 (Post 5230457)
I have sent the file accordingly.

The Logwatch report does give some information, like show the amount of standard probing that's been done, but unfortunately no specifics. If you want to get into this you'll have to search your logs.

newbie14 09-02-2014 12:16 PM

Dear Unspawn,
Which logs should I search, and is there any specific keyword or element to look for in a particular log? I would like to know if there is anything messy.

unSpawn 09-02-2014 04:34 PM

Quote:

Originally Posted by newbie14 (Post 5231297)
Which logs should I search and

Your web servers access logs.


Quote:

Originally Posted by newbie14 (Post 5231297)
any specific key word or element to look into as particular log.

*This assumes logs reside in /var/log/httpd, else substitute the path.
Code:

# If you have many large log files check in which logs the term appears (once is enough) and only search those below:
zgrep -m1 -c '\.exe' /var/log/httpd/access*.[0-9]*.gz|awk -F':' '{if($2 !~ 0) print $1}'
# Go for a simple wide search like (-E for the alternation, -h to drop file names):
zgrep -hE '(POST|GET) .*\.exe HTTP/' /var/log/httpd/access*.[0-9]*.gz

Share the results if you can't make heads nor tails of them.
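Once the zgrep above has narrowed things down, the lines still have to be read one by one. As an added example (not unSpawn's code and not how Logwatch is implemented), the following parses Combined Log Format lines, separates requests for Windows executables that were actually served from mere 404 probes, and tallies the "known hacks" patterns exactly as they appear in the Logwatch report above. The extension list filed under "Windows executable files", the assumption that Logwatch tests those patterns against the request target, and the sample log lines are all assumptions made for this example.

```python
"""Triage Apache access-log lines: find requests for Windows executables and
tally the Logwatch "known hacks" patterns per source address."""
import re
from collections import Counter, defaultdict

# Common/Combined Log Format; referer and user-agent are not needed and not captured.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# The regexes listed in the Logwatch output above, applied to the request target
# (assumption: that is the field Logwatch tests them against).
KNOWN_HACKS = {
    "traversal": re.compile(r"/\.\./\.\./\.\./"),
    "passwd":    re.compile(r"passwd$"),
    "boot.ini":  re.compile(r"boot\.ini"),
    "x81":       re.compile(r"\\x81"),     # Apache logs non-printable bytes as \xHH
    "null":      re.compile(r"^null$"),
}

# Assumption: extensions Logwatch would file under "Windows executable files";
# its real table may differ.
WINDOWS_EXE_EXT = (".exe", ".dll", ".msi", ".bat", ".com")


def parse(line):
    """Return a dict of the log fields, or None if the line is not in CLF."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def is_windows_executable(target):
    path = target.split("?", 1)[0].lower()
    return path.endswith(WINDOWS_EXE_EXT)


def triage(log_text):
    """Return (exe_requests, hacks_by_host): every request for a Windows executable
    as (host, target, status, bytes), and a per-host Counter of matched patterns."""
    exe_requests = []
    hacks_by_host = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        if is_windows_executable(rec["target"]):
            exe_requests.append((rec["host"], rec["target"], rec["status"], rec["size"]))
        for name, rx in KNOWN_HACKS.items():
            if rx.search(rec["target"]):
                hacks_by_host[rec["host"]][name] += 1
    return exe_requests, dict(hacks_by_host)


def served_executables(exe_requests):
    """Only 2xx responses with a body handed a file to the client; a 404 with
    0 bytes (what a 0.00 MB Logwatch total suggests) is a probe for a missing file."""
    return [r for r in exe_requests if 200 <= r[2] < 300 and r[3] > 0]


# Constructed sample; addresses and paths are illustrative, not from the poster's logs.
SAMPLE_LOG = r"""203.97.21.3 - - [20/Aug/2014:10:11:12 -0500] "GET /../../../boot.ini HTTP/1.1" 404 209 "-" "Mozilla/4.0"
203.97.21.3 - - [20/Aug/2014:10:11:13 -0500] "GET /../../../etc/passwd HTTP/1.1" 404 209 "-" "Mozilla/4.0"
95.48.87.242 - - [22/Aug/2014:03:04:05 -0500] "GET /\x81 HTTP/1.1" 400 226 "-" "-"
194.208.186.41 - - [23/Aug/2014:06:07:08 -0500] "GET null HTTP/1.1" 400 226 "-" "-"
198.51.100.7 - - [24/Aug/2014:09:10:11 -0500] "GET /downloads/setup.exe HTTP/1.1" 404 0 "-" "Wget/1.14"
198.51.100.8 - - [25/Aug/2014:12:13:14 -0500] "GET /files/tool.exe?x=1 HTTP/1.1" 200 1048576 "-" "Mozilla/5.0"
192.0.2.10 - - [25/Aug/2014:12:13:15 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    exe, hacks = triage(SAMPLE_LOG)
    for host, target, status, size in exe:
        print(f"{host:16} {status} {size:>8} {target}")
    print("served:", served_executables(exe))
    for host, counts in hacks.items():
        print(f"{host:16} {dict(counts)}")
```

The point of the split between exe_requests and served_executables is the one the thread circles around: a "Windows executable files" line in Logwatch only says someone asked for such a URL; whether your server handed a PE file to anyone is decided by the status code and byte count on each of those lines, so those are what you look at in the access log.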

