Old 03-30-2008, 10:36 PM   #1
cylarz
Member
 
Registered: Aug 2005
Location: California
Distribution: CentOS 5
Posts: 54

Rep: Reputation: 15
Strange Apache HTTPD log entry


Hey all:

I was using Logwatch to review my HTTP server logs and I noticed the following entry:

--------------------- httpd Begin

404 Not Found
.
.
.
/saddam.html++++++++++++++++++++++++++++++ ... +to+internet%29: 1 Time(s)

---------------http End

The last line is pasted in exactly as shown in the log. Saddam.html is a static hypertext document present on the server. Robots access it and other such documents there frequently.

Obviously someone (or a robot) tried to request a document that wasn't present, resulting in a 404. Question is, what exactly was the requestor trying to do? I have never seen anything like this in my logs before, and am not even sure how to phrase an appropriate Google search for answers. I am hoping someone here can shed some light on this.

Thanks, Matt
 
Old 03-31-2008, 01:07 AM   #2
ChooseLife
Member
 
Registered: May 2007
Distribution: Ubuntu, RHEL, Slackware
Posts: 49

Rep: Reputation: 17
Quote:
Originally Posted by cylarz View Post
Question is, what exactly was the requestor trying to do?
Hack the box by using a buffer overflow exploit
 
Old 03-31-2008, 01:11 AM   #3
cylarz
Member
 
Registered: Aug 2005
Location: California
Distribution: CentOS 5
Posts: 54

Original Poster
Rep: Reputation: 15
How do I know if the attack succeeded or not? The wikipedia page explains what the attack consists of, but little about stopping these attacks or determining their impact.
 
Old 04-01-2008, 12:30 AM   #4
ChooseLife
Member
 
Registered: May 2007
Distribution: Ubuntu, RHEL, Slackware
Posts: 49

Rep: Reputation: 17
security is one big topic in itself. the answer to your question could be either a few hundred pages long or short, but very general.

so here's a short answer - check the log files, look for unusual activities on the box (processes, files), check for presence of rootkits....

or even shorter - familiarize yourself with linux system administration
 
Old 04-02-2008, 09:35 AM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
What I would do is 1) trace back that entry in your webserver logs, then grep all services and system logs for the related IP address. That way you get a more complete view of what it's been up to. If there are multiple entries you know somebody has been trying blindly; if it's just that one entry it gets "interesting". 2) Next to that you might want to check your OS installation by verifying integrity if your package manager is capable of doing that (please fill in your OS details in your profile). If unsure use the Intruder Detection Checklist (CERT): http://www.cert.org/tech_tips/intrud...checklist.html as checklist. Chances are it's just that entry, but practicing and getting acquainted with the checklist *before* something happens isn't a bad thing. If you can't make heads or tails of your log entries post them here in full. Just in case some log content just doesn't show up "right" when posted you're invited to e-mail me.
 
Old 04-02-2008, 11:00 PM   #6
cylarz
Member
 
Registered: Aug 2005
Location: California
Distribution: CentOS 5
Posts: 54

Original Poster
Rep: Reputation: 15
First, thank you for your reply. Here are the log entries containing the relevant information. By the way, I am running CentOS 5, in case that's important.

Only one log file, /var/log/httpd/error_log.1, seems to have any mention of the offending IP address:

/var/log/httpd#cat error_log.1 |grep 89.149.241.126
[Fri Mar 28 03:23:54 2008] [error] [client 89.149.241.126] File does not exist: /var/www/html/<deleted>.com/saddam.html+++++++++++++++++++++++++++++++++++++++++++++++++++++Result:+it+is+not+a+forum+, referer: http://<deleted>.com/saddam.html+++++++++++++++++++++++++++++++++++++++++++++++++++++Result:+it+is+not+a+forum+/+guestbook+%28or+no+connection+to+internet%29
[Fri Mar 28 03:23:58 2008] [error] [client 89.149.241.126] File does not exist: /var/www/html/forum, referer: http://forum.<deleted>.com/forum/index.php
[Fri Mar 28 03:23:58 2008] [error] [client 89.149.241.126] File does not exist: /var/www/html/phpbb, referer: http://forum.<deleted>.com/phpbb/index.php
[Fri Mar 28 03:23:59 2008] [error] [client 89.149.241.126] File does not exist: /var/www/html/phpbb2, referer: http://forum.<deleted>.com/phpbb2/index.php
[Fri Mar 28 03:23:59 2008] [error] [client 89.149.241.126] File does not exist: /var/www/html/forums, referer: http://forum.<deleted>.com/forums/index.php
[Fri Mar 28 03:24:00 2008] [error] [client 89.149.241.126] File does not exist: /var/www/html/board, referer: http://forum.<deleted>.com/board/index.php
[Sat Mar 29 09:08:07 2008] [error] [client 89.149.241.126] File does not exist: /var/www/html/<deleted>.com/saddam.html+++++++++++++++++++++++++++++++++++++++++++++++++++++Result:+it+is+not+a+forum+, referer: http://<deleted>.com/saddam.html+++++++++++++++++++++++++++++++++++++++++++++++++++++Result:+it+is+not+a+forum+/+guestbook+%28or+no+connection+to+internet%29+Result:+it+is+not+a+forum+/+guestbook+%28or+no+connection+to+internet%29
[Sat Mar 29 09:08:09 2008] [error] [client 89.149.241.126] File does not exist: /var/www/html/forum, referer: http://forum.<deleted>.com/forum/index.php
[Sat Mar 29 09:08:10 2008] [error] [client 89.149.241.126] File does not exist: /var/www/html/phpbb, referer: http://forum.<deleted>.com/phpbb/index.php
[Sat Mar 29 09:08:10 2008] [error] [client 89.149.241.126] File does not exist: /var/www/html/phpbb2, referer: http://forum.<deleted>.com/phpbb2/index.php
[Sat Mar 29 09:08:11 2008] [error] [client 89.149.241.126] File does not exist: /var/www/html/forums, referer: http://forum.<deleted>.com/forums/index.php
[Sat Mar 29 09:08:11 2008] [error] [client 89.149.241.126] File does not exist: /var/www/html/board, referer: http://forum.<deleted>.com/board/index.php

I've removed my server's name for security reasons. What's curious is that the attack seems to be focused on one of the hosted domains, not the main webserver. Nonetheless, this entry shows up in the "main" error log, not the one corresponding to that domain.

My web server and its hosted domains don't have any forums, just a collection of static HTML pages. It almost looks like the attacker was trying to exploit some weakness in forum posting software, and that he didn't get very far because I don't have any forums. Am I on the right track here?

I read up a little on the buffer overflow attack that ChooseLife alluded to, but it appears any weaknesses there would have to be addressed by programmers, not me. It would certainly be far, far over my head.

I'll fill out my profile and review that checklist you mentioned, thanks.
 
Old 04-03-2008, 07:46 AM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
It's a spam bot...

Quote:
Originally Posted by cylarz View Post
By the way, I am running CentOS 5, in case that's important.
If you have SELinux enabled then that would be good. Not that it could do anything in this case but it does provide an extra layer of protection.


Quote:
Originally Posted by cylarz View Post
What's curious is that the attack seems to be focused on one of the hosted domains, not the main webserver.
It shows the site (probably following a link elsewhere) was marked for processing, probably by an automated scanner.


Quote:
Originally Posted by cylarz View Post
It almost looks like the attacker was trying to exploit some weakness in forum posting software, and that he didn't get very far because I don't have any forums. Am I on the right track here?
Close. It's not even trying to exploit things, but the software tries to mimic a user logging in and making a post.

The posts all start with common keywords related to pr0n, often with celebrity names and often media. Sometimes the bot results are posted as text, but more commonly it's HTML code starting with a span class with a one-pixel font-size, followed by URIs, followed by (one) pixel GIFs. Grepping pages for these pseudo-regex combos:
Code:
# IFS:
# often ' ;' and less common '+'.

# Link part:
$URI.*proboards[0-9]\{1,3\}.com
$URI.*(captcha.php|action=post|\\#comment|viewtopic.php\?p=|index.php\?showtopic=)

# Log part:
Result:.*
it is not a forum (\/ guestbook \(or no connection to internet\))?
(using|SERVER ERROR).*(proxy|SOCKS).*\.[0-9]\{1,3\}:[0-9]\{2,4\}\)
(not found|sent \(from first page\)|chosen nickname ".*"|the frames processed)
(captcha recognized|registered|logged in|sent)
(GET|POST)-timeouts [0-9]
success( \(from first page\)| - posted to (first encountered partition)? \".*\")
(pictocode could not be decoded|message must go through moderation|BB-code not working)
As you see from its logging this is a spam bot. After links are harvested it tries to log in with a forum board account, post spam and log the result. It appears to try to circumvent Captchas to register an account if there is none, it can use proxies and it seems to be able to recognise quite a few fora SW. Nice. (Ten pts for the one who provides pointers to this spam bot software). But as you say, since you have no fora, you're safe from this.


Quote:
Originally Posted by cylarz View Post
I read up a little on the buffer overflow attack that ChooseLife alluded to, but it appears any weaknesses there would have to be addressed by programmers, not me. It would certainly be far, far over my head.
Unfortunately ChooseLife didn't choose to ask questions to get clarity. Clearly he was not interested. That resulted in giving wrong advice. Instead he chose to reply with a very generic piece about buffer overflow and without giving you clues how to check for them, how to mitigate damage and how to prevent that from happening again.
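The two steps unSpawn lays out, tracing an error_log entry back per client IP (post #5) and matching the spam bot's own result strings against decoded paths and referers (post #7), as one added Python example that is not part of this thread and not the poster's own tooling. The sample log lines are constructed to mirror the excerpt above, with example.com in place of the deleted host name; the function and variable names are my own.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Apache 2.x error_log shape used in the thread:
#   [timestamp] [level] [client IP] message, referer: URL
ERROR_LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<ip>[^\]\s]+)\] "
    r"(?P<msg>.*?)(?:, referer: (?P<referer>\S+))?$"
)
MISSING_PREFIX = "File does not exist: "

# Signatures taken from unSpawn's "Log part" / "Link part" lists. They are run
# against the plus/percent-decoded path and referer, which is where the bot's
# own result text ("Result: it is not a forum ...") ends up in this log.
SPAM_BOT_SIGNATURES = [
    re.compile(r"Result:.*it is not a forum( / guestbook \(or no connection to internet\))?"),
    re.compile(r"proboards[0-9]{1,3}\.com"),
    re.compile(r"(captcha\.php|action=post|viewtopic\.php\?p=|index\.php\?showtopic=)"),
]

# Forum directories the bot probed in the thread's log excerpt.
FORUM_PROBE_PATHS = ("/forum", "/forums", "/phpbb", "/phpbb2", "/board")

# Constructed sample, modelled on the excerpt above (hypothetical host names).
SAMPLE_ERROR_LOG = """\
[Fri Mar 28 03:23:54 2008] [error] [client 89.149.241.126] File does not exist: /var/www/html/example.com/saddam.html+++++Result:+it+is+not+a+forum+, referer: http://example.com/saddam.html+++++Result:+it+is+not+a+forum+/+guestbook+%28or+no+connection+to+internet%29
[Fri Mar 28 03:23:58 2008] [error] [client 89.149.241.126] File does not exist: /var/www/html/forum, referer: http://forum.example.com/forum/index.php
[Fri Mar 28 03:23:58 2008] [error] [client 89.149.241.126] File does not exist: /var/www/html/phpbb, referer: http://forum.example.com/phpbb/index.php
[Fri Mar 28 03:24:00 2008] [error] [client 89.149.241.126] File does not exist: /var/www/html/board, referer: http://forum.example.com/board/index.php
[Fri Mar 28 04:10:02 2008] [error] [client 192.0.2.10] File does not exist: /var/www/html/favicon.ico
[Fri Mar 28 04:11:00 2008] [notice] caught SIGTERM, shutting down
"""


def parse_error_log_line(line):
    """Return a dict (ts, level, ip, msg, referer, path) or None for lines
    without a [client ...] field (startup notices and the like)."""
    m = ERROR_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    msg = rec["msg"]
    rec["path"] = msg[len(MISSING_PREFIX):] if msg.startswith(MISSING_PREFIX) else None
    return rec


def is_spam_bot_record(rec):
    """True when the decoded path or referer carries one of the bot signatures."""
    for raw in (rec["path"], rec["referer"]):
        if raw and any(sig.search(unquote_plus(raw)) for sig in SPAM_BOT_SIGNATURES):
            return True
    return False


def analyse(lines):
    """Per-client summary: missing-file hits, signature hits, probed forum dirs."""
    summary = defaultdict(lambda: {"missing_files": 0, "signature_hits": 0, "probed": set()})
    for rec in filter(None, map(parse_error_log_line, lines)):
        entry = summary[rec["ip"]]
        if rec["path"]:
            entry["missing_files"] += 1
            entry["probed"].update(p for p in FORUM_PROBE_PATHS if rec["path"].endswith(p))
        if is_spam_bot_record(rec):
            entry["signature_hits"] += 1
    return {ip: {**e, "probed": sorted(e["probed"])} for ip, e in summary.items()}


def suspicious_clients(summary):
    """Clients worth grepping the other system logs for (unSpawn's step 1):
    any signature hit, or a sweep of two or more forum directories."""
    return sorted(ip for ip, e in summary.items()
                  if e["signature_hits"] or len(e["probed"]) >= 2)


if __name__ == "__main__":
    result = analyse(SAMPLE_ERROR_LOG.splitlines())
    for ip, entry in result.items():
        print(ip, entry)
    print("follow up on:", suspicious_clients(result))
```

The summary only says which client IPs deserve the wider grep across the other logs; a bot that probes a handful of forum directories and gets nothing but 404s, as here, is noise unless the same address also shows up in ssh, mail or system logs.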
 