Linux - Security forum (LinuxQuestions.org)
I just checked my logs, apache-1.33.3-8 debian etch, and my webserver is suddenly getting slammed with some sort of redirection hits:
Code:
69.73.166.108 - - [23/Oct/2005:00:25:21 -0400] "HEAD / HTTP/1.1" 200 0 "http://greendome.the-village.bc.nu/pants/messages/3222.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" "-"
65.254.35.10 - - [23/Oct/2005:00:26:37 -0400] "HEAD / HTTP/1.1" 200 0 "http://cialis-levitra.dir.d2g.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" "-"
66.246.218.114 - - [23/Oct/2005:00:26:49 -0400] "HEAD / HTTP/1.1" 200 0 "http://alprazolam.opi.linux-dude.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" "-"
65.254.35.10 - - [23/Oct/2005:00:27:43 -0400] "HEAD / HTTP/1.1" 200 0 "http://tramadol-hcl-50-mg-tab.dir.d2g.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" "-"
66.246.120.114 - - [23/Oct/2005:00:31:00 -0400] "HEAD / HTTP/1.1" 200 0 "http://greendome.the-village.bc.nu/pants/messages/2776.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" "-"
65.254.35.10 - - [23/Oct/2005:00:33:29 -0400] "HEAD / HTTP/1.1" 200 0 "http://online-casino.6-9.us/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" "-"
65.254.35.10 - - [23/Oct/2005:00:35:20 -0400] "HEAD / HTTP/1.1" 200 0 "http://how-to-shoot-up-phentermine.dir.d2g.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" "-"
65.254.35.10 - - [23/Oct/2005:00:36:05 -0400] "HEAD / HTTP/1.1" 200 0 "http://tramadol-hc.dir.d2g.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" "-"
65.254.35.10 - - [23/Oct/2005:00:39:18 -0400] "HEAD / HTTP/1.1" 200 0 "http://phentermine.lgh.dyndns.dk/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" "-"
65.254.35.10 - - [23/Oct/2005:00:41:41 -0400] "HEAD / HTTP/1.1" 200 0 "http://greendome.the-village.bc.nu/pants/messages/2626.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" "-"
65.254.35.10 - - [23/Oct/2005:00:42:15 -0400] "HEAD / HTTP/1.1" 200 0 "http://greendome.the-village.bc.nu/pants/messages/2972.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" "-"
69.73.166.108 - - [23/Oct/2005:00:43:30 -0400] "HEAD / HTTP/1.1" 200 0 "http://greendome.the-village.bc.nu/pants/messages/2760.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" "-"
69.28.242.87 - - [23/Oct/2005:00:44:39 -0400] "HEAD / HTTP/1.1" 200 0 "http://fioricet-online.xh.pl" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" "-"
65.254.35.10 - - [23/Oct/2005:00:45:47 -0400] "HEAD / HTTP/1.1" 200 0 "http://greendome.the-village.bc.nu/pants/messages/2867.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" "-"
66.246.120.114 - - [23/Oct/2005:00:46:26 -0400] "HEAD / HTTP/1.1" 200 0 "http://tramadol-europe-pharmacy.dir.d2g.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" "-"
65.254.35.10 - - [23/Oct/2005:00:46:50 -0400] "HEAD / HTTP/1.1" 200 0 "http://purchesing-penis-enlargement-pills.dir.d2g.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" "-"
65.254.35.10 - - [23/Oct/2005:00:47:33 -0400] "HEAD / HTTP/1.1" 200 0 "http://phentermine-dangers.dir.d2g.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" "-"
64.193.62.232 - - [23/Oct/2005:00:47:34 -0400] "HEAD / HTTP/1.1" 200 0 "http://generic-price-viagra.dir.d2g.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" "-"
69.73.166.108 - - [23/Oct/2005:00:50:22 -0400] "HEAD / HTTP/1.1" 200 0 "http://greendome.the-village.bc.nu/pants/messages/3383.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" "-"
65.254.35.10 - - [23/Oct/2005:00:50:51 -0400] "HEAD / HTTP/1.1" 200 0 "http://generic-viagra-bz.dir.d2g.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" "-"
65.254.35.10 - - [23/Oct/2005:00:50:59 -0400] "HEAD / HTTP/1.1" 200 0 "http://cheapest-phentermine.eu.gg" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" "-"
ETC.
That is only 1/1000th of the log -- it's been going on all day! Am I compromised, or just being "referrer spammed"? I've never seen entries like that before. It looks like the IP on the left is being directed somehow through my box to the URLs on the right, is that correct? As usual the destination URL is somewhere on my site.
I checked my main PC, and my /var/log/messages, auth, and kernel are all at 0 bytes for days! That seems to me like an asshole cracker covering his tracks, or am I being too paranoid? What should I check when the logs are empty?
No cgi, but php4 was on it. Maybe they hacked that somehow? I've had it offline since last night. I think the log thing is all right. This morning I notice that there are new log forms, auth.log (and auth.log.1, log.2, etc.) instead of just auth, kernel.log instead of just kernel, etc. syslogd must have been recently updated in how it functions. Nothing looks out of the ordinary in those logs. My laptop seems okay.
I have no idea how the webserver might have been compromised, if in fact it was, and it seems like it was. I run things pretty securely (I thought), and I don't run or even put any unnecessary services on the box. Basically just web/ftp from a minimal debian install, nfs for doing automated backups, and that's it. A snort log is mailed to me everyday, and I have not noticed anything weird, only continual hits from a few IPs for weeks trying to get access to webalizer pages (which are password protected). When I notice troublemakers like that hitting repeatedly, I block them at the firewall -- I guess snort is looking from beyond the firewall to see the hits, as they are definitely listed as blocked in iptables. But that's it, and i've never had a break in ever, in over a year. Why would anyone DDoS those kinds of sites?
---> proxying looks like it's commented out.
Code:
<IfModule mod_proxy.c>
#
# Proxy Server directives. Uncomment the following lines to
# enable the proxy server:
#
#ProxyRequests On
#<Directory proxy:*>
# Order deny,allow
# Deny from all
# Allow from .your_domain.com
#</Directory>
# (remaining proxy directives omitted; the block is closed below)
</IfModule>
edit 2: chkrootkit and rkhunter say no rootkits. chkrootkit was on there already, rkhunter was just installed.
I have no idea what they did or how they did it. It's hard to google it without more keywords; the apache log entries aren't really helping. I think I'm just going to wipe everything clean and do a completely minimal install, and then hook it back up to the net with tripwire and watch it like a hawk to try to figure out what they did. Maybe I'll even put it in a DMZ and purposely try to get them to attack to see if I can figure it out. There's no sense in setting everything back up if they're just going to crack me in 2 minutes.
Okay, on doing more reading, I think that I am probably not compromised at all, but am really the victim of massive "referrer spam." Originally I had suspected that, but I thought you had to have public web stats published to be victimized. Apparently not! Either that, or they cracked the .htaccess password protection, which doesn't seem likely. Besides, none of the "hits" are showing up in the webalizer referral logs, so I guess I'm not being used as a DoS zombie, at least. Probably they are targeting dyndns and other dynamic DNS services' domains, is my guess.
This guy has an interesting solution, I'm going to try it:
okay, on doing more reading, i think that i am probably not compromised at all, but am really the victim of massive "referrer spam."
If you resolve the IP addresses at least one of them is from wgc.net, which appears to be a known spamhause hoster (not that it indicates anything solid, but I doubt those IP's are used for much else than spam). The URI's clearly are spam-related and can be found all over the web in fora, logs and webstats. So your conclusion looks right on the mark to me.
BTW, my proxy remark clearly was wrong, cuz if it was, it should have the URI after the *method* (HEAD, CONNECT, TRACE etc) and not in the *referrer/host* field...
So, one last thing to clear up. The syslogd outage may be a coincidence, but it would be good to find out why it b0rked. Syslog is kinda crucial (as is actually reading log reports).
Originally posted by unSpawn So, one last thing to clear up. The syslogd outage may be a coincidence, but it would be good to find out why it b0rked. Syslog is kinda crucial (as is actually reading log reports).
Thanks unSpawn, I agree. I'm asking about that at the distro forum, b/c it might just be an arch thing.
The only other problem now is that i can't get the .htaccess blocks to work. I installed mod_rewrite and enabled it, but it's not working. It could be the rules, but I don't think so because it failed even with a test.html -> xyz.php, etc. I think I'm just going to start another thread about that if I can't get it working in the next day or two. So case closed here, unless anyone else has any input, or thinks it makes sense to just continue it here. thanks.
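The two technical threads above (telling referrer spam apart from a proxy abuse or a break-in, and then refusing those referrers with mod_rewrite) can be worked through in one script. The following is an added example and is not code from this thread or from the poster; it parses combined-format lines like the ones quoted at the top, applies the check unSpawn describes (a proxied request would carry the full URL after the method, not in the referrer field), flags clients whose every request is a body-less `HEAD /` probe advertising several unrelated external referrers, and emits a `.htaccess` fragment blocking those referrer domains. The sample log is constructed from a few of the thread's lines plus two invented contrast lines; `OWN_HOSTS` is an assumed placeholder for the site's real hostname, which the thread never gives.

```python
"""Referrer-spam triage for Apache combined-format access logs (added example)."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Combined log format; the thread's lines carry an extra trailing "-" field,
# which this pattern simply leaves unmatched (no end anchor).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Assumed placeholder: the hostnames this server answers for (not in the thread).
OWN_HOSTS = {"www.example.net", "example.net"}

# Constructed sample: four lines copied from the thread, one ordinary visitor
# (192.0.2.10) and one proxy-style request (198.51.100.7) for contrast.
SAMPLE_LOG = """\
65.254.35.10 - - [23/Oct/2005:00:26:37 -0400] "HEAD / HTTP/1.1" 200 0 "http://cialis-levitra.dir.d2g.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" "-"
65.254.35.10 - - [23/Oct/2005:00:27:43 -0400] "HEAD / HTTP/1.1" 200 0 "http://tramadol-hcl-50-mg-tab.dir.d2g.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" "-"
65.254.35.10 - - [23/Oct/2005:00:39:18 -0400] "HEAD / HTTP/1.1" 200 0 "http://phentermine.lgh.dyndns.dk/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" "-"
69.73.166.108 - - [23/Oct/2005:00:43:30 -0400] "HEAD / HTTP/1.1" 200 0 "http://greendome.the-village.bc.nu/pants/messages/2760.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" "-"
192.0.2.10 - - [23/Oct/2005:01:02:11 -0400] "GET /index.html HTTP/1.1" 200 4521 "http://www.example.net/about.html" "Mozilla/5.0 (X11; Linux)" "-"
198.51.100.7 - - [23/Oct/2005:01:05:00 -0400] "GET http://www.example.org/ HTTP/1.0" 403 0 "-" "curl/7.x" "-"
"""


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def parse_log(text):
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def referer_host(referer):
    """Hostname from the Referer field, or None when it is empty or '-'."""
    if referer in ("", "-"):
        return None
    return urlsplit(referer).hostname


def is_proxy_request(rec):
    """True when the client asked this server to fetch a URL on its behalf
    (absolute URI after the method, or CONNECT), which is what a real open
    proxy abuse looks like; a referrer-spam hit has '/' there instead."""
    return rec["method"].upper() == "CONNECT" or \
        rec["target"].lower().startswith(("http://", "https://"))


def classify(records, own_hosts, min_distinct=2):
    """Return (spam_ips, spam_referrer_hosts, proxy_records).

    A client is treated as a referrer spammer when every request it sent is a
    body-less HEAD / probe and it advertised at least `min_distinct` different
    external referrer hosts; genuine visitors arrive via one or two referrers.
    """
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r)
    spam_ips, spam_hosts = set(), set()
    for ip, recs in by_ip.items():
        hosts = {referer_host(r["referer"]) for r in recs} - {None} - set(own_hosts)
        probes_only = all(r["method"] == "HEAD" and r["target"] == "/" for r in recs)
        if probes_only and len(hosts) >= min_distinct:
            spam_ips.add(ip)
            spam_hosts |= hosts
    proxy = [r for r in records if is_proxy_request(r)]
    return spam_ips, spam_hosts, proxy


def rewrite_block(spam_hosts):
    """Emit a .htaccess fragment returning 403 to requests carrying those referrers.

    Matches on the last two labels of each host so that fresh subdomains of the
    same spam domain are caught too (naive for ccTLDs such as co.uk; review the
    list before deploying).
    """
    domains = sorted({".".join(h.split(".")[-2:]) for h in spam_hosts})
    lines = ["RewriteEngine On"]
    for i, d in enumerate(domains):
        flags = "[NC,OR]" if i < len(domains) - 1 else "[NC]"
        lines.append(f"RewriteCond %{{HTTP_REFERER}} ^https?://([^/]+\\.)?{re.escape(d)} {flags}")
    lines.append("RewriteRule .* - [F]")
    return "\n".join(lines)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    ips, hosts, proxy = classify(recs, OWN_HOSTS)
    print("referrer-spam clients:", sorted(ips))
    print("proxy-style requests:", [r["ip"] for r in proxy])
    print(rewrite_block(hosts))
```

On the sample, `65.254.35.10` is flagged (three unrelated referrer hosts, all `HEAD /`), the single `greendome` line is not (one referrer is below the threshold; on a full day's log the same rule would catch it), and the only proxy-style request is the contrast line, confirming that the thread's entries are stats poisoning rather than proxy abuse. For the generated fragment to take effect in a `.htaccess` file, the directory must allow it (`AllowOverride FileInfo` or `All`) and have `Options FollowSymLinks` (or `SymLinksIfOwnerMatch`) set, since mod_rewrite refuses to work in per-directory context otherwise; both are common reasons a rule that looks right still does nothing.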