LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 10-23-2006, 03:54 AM   #1
Harkov
Member
 
Registered: May 2004
Distribution: Ubuntu 10.04.1 LTS
Posts: 38

Rep: Reputation: 15
[apache] Restart after request without hostname


Hi,

Recently my apache server has been getting a lot of requests for files that don't exist. Just people scanning to see if there are unprotected administration files on my server I guessed. But last night the apache server restarted and the log files showed some strange requests:
Code:
[Sun Oct 22 00:43:41 2006] [error] [client **.118.96.245] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Sun Oct 22 01:40:18 2006] [error] [client **.118.96.245] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Sun Oct 22 01:44:53 2006] [notice] caught SIGTERM, shutting down
[Sun Oct 22 01:46:37 2006] [notice] Apache/1.3.37 (Unix) mod_ssl/2.8.28 OpenSSL/0.9.8b PHP/4.4.4 configured -- resuming normal operations
[Sun Oct 22 01:46:37 2006] [notice] Accept mutex: sysvsem (Default: sysvsem)
also chkrootkit shows the following:
Code:
Checking `crontab'... Warning: crontab for nobody found, possible Lupper.Worm... not infected
However, when I do crontab -e as nobody, the file is empty.

Do I have to worry about this? I've shut down my apache server for now.
 
Old 10-24-2006, 06:53 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Recently my apache server has been getting a lot of requests for files that don't exist. Just people scanning to see if there are unprotected administration files on my server I guessed.
That is to be expected when you run publicly accessible Internet-facing servers.
Please check if your box and services are up to date and properly hardened.


Quote:
But last night the apache server restarted and the log files showed some strange requests:
Just a vulnerability scanner called "DFind". It's not related to SANS ISC.
I don't see how the SIGTERM, nearly five minutes later, is related.
You could test if it's reproducible by running the tool yourself if you're comfortable with that.


Quote:
however when i do crontab -e as nobody the file is empty.
Good.


Quote:
Do I have to worry about this? I've shut down my apache server for now.
With respect to services: not if you (and, not or): run up-to-date software, have configured services well and do not run them as a privileged (root) user, don't run vulnerable services or allow access to what's basically "development" stuff like for instance XAMPP, and have good logging and auditing facilities. For more information have a look at the LQ FAQ: Security references, esp. post #6: "Securing networked services".

With respect to the crontab (Chkrootkit-0.47):
Code:
# chk_crontab from the chkrootkit 0.47 script. The helpers loc, printn and
# expertmode_output, the egrep variable and the NOT_INFECTED/INFECTED/NOT_FOUND
# status codes are defined elsewhere in the same script.
chk_crontab () {
    STATUS=${NOT_INFECTED}
    CRONTAB_I_L="crontab.*666"      # Lupper.Worm signature: "crontab" ... "666" on one line

    CMD=`loc crontab crontab $pth`  # locate the crontab binary in $pth

    if [ ! -r ${CMD} ] 
       then
        return ${NOT_FOUND}
    fi

    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${CMD} -l -u nobody"
        return 5
    fi
    # Any crontab for "nobody" at all (crontab -l exits 0) prints the warning ...
    if  ${CMD} -l -u nobody >/dev/null 2>&1 ; then 
        printn "Warning: crontab for nobody found, possible Lupper.Worm... "
        # ... but only a line matching the signature changes the status to INFECTED
        if ${CMD} -l -u nobody 2>/dev/null  | ${egrep} $CRONTAB_I_L >/dev/null 2>&1
           then
           STATUS=${INFECTED}
        fi
    fi
    return ${STATUS}
}
You see, as long as the crontab's contents don't contain a string starting with "crontab" and ending with "666", Chkrootkit will not flag it as infected. * This also shows a flaw in any string-based scan. If the string ended in, say, 667 or any other value, no flag would ever be raised. IMNSHO it is *crucial* to set up access rights (for cron that's /etc/cron.{deny,allow}) and have good auditing capabilities like installing, configuring and running Tiger and a file integrity scanner like Aide, Samhain or even tripwire right after O.S. install.
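The following is an added example, not chkrootkit code and not part of the thread. It re-runs the same regex chk_crontab() uses (CRONTAB_I_L="crontab.*666") over constructed crontab contents, so you can see the false negative unSpawn describes (a job that differs by one byte, 667 instead of 666, is reported as "not infected"), and then models the /etc/cron.allow and /etc/cron.deny rules he recommends against throwaway files in a temporary directory rather than the real /etc. The sample crontab lines are made up for the example and are not real Lupper payloads; the allow/deny semantics assumed are the ones documented for Vixie cron, and the behaviour when neither file exists is a compile-time default that differs between distributions, so check crontab(1) on your own system.

```shell
#!/bin/sh
# Added example (not chkrootkit's code): replay the chk_crontab signature match
# over constructed crontab text, then model cron.allow/cron.deny access rules.

CRONTAB_I_L="crontab.*666"   # chkrootkit 0.47's Lupper signature, as quoted above

# classify_crontab TEXT: apply chkrootkit's regex test to crontab contents
# passed as an argument. Prints INFECTED or NOT_INFECTED. Like chkrootkit it is
# purely a string match; it knows nothing about what the scheduled command does.
classify_crontab() {
    if printf '%s\n' "$1" | grep -E "$CRONTAB_I_L" >/dev/null 2>&1; then
        echo INFECTED
    else
        echo NOT_INFECTED
    fi
}

# Constructed samples (made up for this example, not real worm payloads):
SAMPLE_MATCH='*/5 * * * * /tmp/.x/crontab.sh 666 >/dev/null 2>&1'
SAMPLE_MISS='*/5 * * * * /tmp/.x/crontab.sh 667 >/dev/null 2>&1'   # same job, one byte changed
SAMPLE_EMPTY=''

# cron_access USER DIR: model of the cron.allow / cron.deny rules. DIR stands in
# for /etc so the example can use throwaway files. Assumed rules (Vixie cron):
# if cron.allow exists, only users listed there may use crontab; otherwise, if
# cron.deny exists, every user not listed there may; if neither exists this
# example assumes all users may (the compiled-in default varies by distribution).
# Prints ALLOW or DENY.
cron_access() {
    user=$1; dir=$2
    if [ -f "$dir/cron.allow" ]; then
        if grep -qx "$user" "$dir/cron.allow"; then echo ALLOW; else echo DENY; fi
    elif [ -f "$dir/cron.deny" ]; then
        if grep -qx "$user" "$dir/cron.deny"; then echo DENY; else echo ALLOW; fi
    else
        echo ALLOW
    fi
}

# demo_cron_access: build throwaway cron.allow/cron.deny files and print what
# the rules give for root and nobody under each layout.
demo_cron_access() {
    tmp=$(mktemp -d) || return 1
    # 1. neither file present: under the assumption above everyone may use crontab
    echo "none   nobody=$(cron_access nobody "$tmp")"
    # 2. cron.deny listing nobody: nobody is locked out, root is still fine
    echo nobody > "$tmp/cron.deny"
    echo "deny   nobody=$(cron_access nobody "$tmp") root=$(cron_access root "$tmp")"
    # 3. cron.allow listing only root: cron.allow takes precedence over cron.deny
    echo root > "$tmp/cron.allow"
    echo "allow  nobody=$(cron_access nobody "$tmp") root=$(cron_access root "$tmp")"
    rm -rf "$tmp"
}

echo "match: $(classify_crontab "$SAMPLE_MATCH")"   # INFECTED
echo "miss:  $(classify_crontab "$SAMPLE_MISS")"    # NOT_INFECTED: the 667 variant slips through
echo "empty: $(classify_crontab "$SAMPLE_EMPTY")"   # NOT_INFECTED
demo_cron_access
```

The point of the third cron_access case is that an attacker who can write a crontab as nobody never gets that far if nobody is not in cron.allow; the signature scan is a detective control with a trivially evadable pattern, the access list is a preventive one.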
 
Old 11-01-2006, 12:57 AM   #3
Old_Fogie
Senior Member
 
Registered: Mar 2006
Distribution: SLACKWARE 4TW! =D
Posts: 1,519

Rep: Reputation: 63
Harkov: I just got this same notification from the latest version of chkrootkit 5 minutes ago for a fresh install (nothing installed, no ethernet wires plugged in, just 'aide', that's it) on my Slackware 11.0 too. It appears that I too am going to have to look into unSpawn's recommendation of /etc/cron allow/deny.
 
Old 11-01-2006, 01:56 AM   #4
Old_Fogie
Senior Member
 
Registered: Mar 2006
Distribution: SLACKWARE 4TW! =D
Posts: 1,519

Rep: Reputation: 63
Hi all,

I found a pretty good thread about the type of cron that slack 11.0 uses at linuxpackages.net forums here:
http://www.linuxpackages.net/forum/v...f24ca88d5de612
 
Old 11-01-2006, 04:12 AM   #5
Harkov
Member
 
Registered: May 2004
Distribution: Ubuntu 10.04.1 LTS
Posts: 38

Original Poster
Rep: Reputation: 15
Hey,

Thanks for the replies. Although I've figured out the restart was just me. I got confused because the date was incorrect as it was after midnight (doh!). However, it shouldn't hurt to up cron security a bit.
 
All times are GMT -5.