Linux - Security
I just read my apache logs, and it seems that something was looking for some windows exploits on the machine. How much should I expect stuff like this, is this something that is going to happen multiple times in a day, or is this a rarity and a cause for alarm?
It can vary depending on what range of IP addresses you're in, but for the most part you should just get used to it, as it's a common thing. You can filter them out, but it's really costly in terms of system resources to do so. I just mostly ignore the Windows-related stuff. If you think it's bad now, just wait until the next Microsoft IIS exploit comes out. You'll be wishing you could pipe your logs to /dev/null.
Okay, I was just amazed that I was being scanned by Nimda in such a short time. I was barely online and the scans started coming in. It seems that they come in every few hours.
Thanks.
Most people don't realize how nasty the 'net can be, so seeing your Apache logs fill with malicious traffic can be kind of startling at first. You'll notice that some of the worms/viruses have a pretty static level, while others like several of the Code Red worms have engines that only attack hosts on certain parts of the month. It's been a while, but I think a couple of them will only scan for vulnerable hosts after the 19th or something like that. So on the 19th of every month you'd walk in and see your Apache logs fill with hundreds of the Code Red trademark XXXXXXXXXXX or NNNNNNNNNNNNN buffer overflow attempts. Kind of amusing looking back on it. Most variants were hard-coded not to spread after a certain date, so you don't see them nearly as much.
But you'll see plenty of IIS exploits, people hunting for open proxies, spiders looking for email addresses, etc. What you'll want to keep your eyes open for is concerted probing: someone starting out doing some info and banner-grabbing, then moving on to more malicious things like trying Linux and even distro-specific exploits. It can be hard to spot that in the sea of noise, and the more proficient the attacker, the less obvious it will be. In general though, if you make sure to keep up to date with any patches for Apache and are smart about your system's security overall, you should be alright.
Sure. A scan for Nimda would look something like this in your error log:
Code:
[Mon Jan 5 05:11:51 2004] [error] [client 24.2.175.163] File does not exist: /scripts/root.exe
[Mon Jan 5 05:11:52 2004] [error] [client 24.2.175.163] File does not exist: MSADC/root.exe
[Mon Jan 5 05:11:52 2004] [error] [client 24.2.175.163] File does not exist: /c/winnt/system32/cmd.exe
[Mon Jan 5 05:11:53 2004] [error] [client 24.2.175.163] File does not exist: /d/winnt/system32/cmd.exe
[Mon Jan 5 05:11:53 2004] [error] [client 24.2.175.163] File does not exist: /scripts/..%5c../winnt/system32/cmd.exe
[Mon Jan 5 05:11:54 2004] [error] [client 24.2.175.163] File does not exist: /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Mon Jan 5 05:11:55 2004] [error] [client 24.2.175.163] File does not exist: /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Mon Jan 5 05:11:55 2004] [error] [client 24.2.175.163] File does not exist: /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe
[Mon Jan 5 05:11:56 2004] [error] [client 24.2.175.163] File does not exist: /scripts/..Á../winnt/system32/cmd.exe
[Mon Jan 5 05:11:57 2004] [error] [client 24.2.175.163] File does not exist: /scripts/..À¯../winnt/system32/cmd.exe
[Mon Jan 5 05:11:57 2004] [error] [client 24.2.175.163] File does not exist: /scripts/..Á../winnt/system32/cmd.exe
[Mon Jan 5 05:11:59 2004] [error] [client 24.2.175.163] File does not exist: /scripts/..%5c../winnt/system32/cmd.exe
[Mon Jan 5 05:12:00 2004] [error] [client 24.2.175.163] File does not exist: /scripts/..%2f../winnt/system32/cmd.exe
Also, other weird traffic shows up in the logs, such as connections to ports like 1.3.3.7, attempts to use the server as a proxy, long URLs.
You can kind of tell if something is seriously probing; the thousands of GET requests from Nikto are fairly easy to find if someone isn't using evasion detection.
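To show how the worm noise above can be separated from a client that deserves a closer look, here is an added Python example (not code from the thread or any of the tools it mentions) that parses Apache error_log lines in the format quoted above and labels each client address; the log lines and addresses are constructed, and the review threshold is an assumption to tune per site.

```python
import re
from collections import defaultdict

# Constructed sample lines in the Apache error_log format quoted above; the
# client addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
[Mon Jan 5 05:11:51 2004] [error] [client 203.0.113.7] File does not exist: /scripts/root.exe
[Mon Jan 5 05:11:52 2004] [error] [client 203.0.113.7] File does not exist: /scripts/..%5c../winnt/system32/cmd.exe
[Mon Jan 5 05:11:53 2004] [error] [client 203.0.113.7] File does not exist: /_vti_bin/..%5c../..%5c../winnt/system32/cmd.exe
[Mon Jan 5 05:12:10 2004] [error] [client 198.51.100.9] File does not exist: /favicon.ico
[Mon Jan 5 05:12:15 2004] [error] [client 198.51.100.9] File does not exist: /robots.txt
[Mon Jan 5 05:12:16 2004] [error] [client 198.51.100.9] File does not exist: /admin/
[Mon Jan 5 05:12:16 2004] [error] [client 198.51.100.9] File does not exist: /test/
"""

# One Apache 1.3/2.0-style "File does not exist" error line.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] "
    r"File does not exist: (?P<path>\S+)"
)

# Paths requested by the Nimda / Code Red family of IIS worms. On a Linux box
# running Apache these are background noise: the targets simply do not exist.
IIS_WORM_RE = re.compile(
    r"(root\.exe|winnt/system32/cmd\.exe|\.\.%5c\.\.|\.\.%2f\.\.|default\.ida)", re.I
)

def summarize(log_text):
    """Count IIS-worm hits and other 404s per client address."""
    per_ip = defaultdict(lambda: {"iis_worm": 0, "other": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        bucket = "iis_worm" if IIS_WORM_RE.search(m["path"]) else "other"
        per_ip[m["ip"]][bucket] += 1
    return dict(per_ip)

def triage(log_text, review_threshold=20):
    """Label each client: worm noise to ignore, or a 404 burst worth a look."""
    verdicts = {}
    for ip, counts in summarize(log_text).items():
        if counts["other"] >= review_threshold:
            verdicts[ip] = "review"        # many misses on non-worm paths: scanner-like
        elif counts["iis_worm"] and not counts["other"]:
            verdicts[ip] = "worm-noise"    # only automated IIS probes: safe to ignore
        else:
            verdicts[ip] = "benign"
    return verdicts

if __name__ == "__main__":
    for ip, verdict in triage(SAMPLE_LOG, review_threshold=4).items():
        print(ip, verdict)
```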
well I get all sorts of scans on my server as well every day ... but as I said ... if you keep your software up to date no need to worry ... I am currently running httpd 2.0.48 with php 4.3.4, proftpd 1.2.9, mysql 4.0.17 and openssh 3.7.p2 ... all I need now is to make it stealth ...
Keeping your software updated is by no means the only step you should take in securing your box. Proper firewalling/access control, turning off unneeded services, setting up a NIDS, and installing a file integrity scanner are all equally important steps in locking down your system.
NIDS is an acronym for Network Intrusion Detection System. These are programs that analyze network traffic in order to detect port scans, attacks and other malicious traffic. In most cases they are simply rule-based and attempt to match traffic to what those rules define as being "bad traffic". They are extremely helpful in alerting you to the scans and probes that often precede an attack or system compromise. Some even allow you to dynamically block traffic from a remote host if they detect malicious traffic. I've also seen (but never used) some NIDS which can do dynamic learning of what is "normal" traffic and then alert you when they detect something they consider abnormal (i.e. one of your hosts mysteriously sprouts an FTP server and starts producing Mb of traffic at 2am). There are lots available, with varying amounts of complexity, but some of the more common ones are Snort and PortSentry.
A file integrity scanner is a piece of software which essentially detects changes in your filesystem. Of course you change your filesystem just by booting your system, but one of the best ways to detect compromise is to look for filesystem changes that indicate a rootkit has been installed and your system commands have been replaced with hacked versions that are designed to hide files that a cracker has placed on your system. That's actually how the compromises of Debian, Gentoo, and the FSF servers were discovered and the then-unknown do_brk() exploit was identified. Usually a file integrity scanner functions by going through your entire system and making a hash of each file, which it then enters into an encrypted database. When it performs a scan, it does the same thing but then compares the hash of each file to the hash in the database. Some include the file permissions and alteration dates in the hash as well. There are also a bunch of these available: tripwire, AIDE, AFICK, Samhain, etc.
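As an added illustration of the hash-and-compare approach just described (not code from tripwire, AIDE, or the thread), here is a minimal Python baseline/verify routine; it keeps the baseline in a plain dict rather than an encrypted database, and the bin/ directory it scans is constructed in a temporary directory so the demo runs anywhere.

```python
import hashlib, os, stat, tempfile

def fingerprint(path, include_meta=True):
    """SHA-256 over the file's bytes, optionally folding in mode and mtime."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    if include_meta:
        st = os.lstat(path)
        h.update(f"|{stat.S_IMODE(st.st_mode):o}|{int(st.st_mtime)}".encode())
    return h.hexdigest()

def build_baseline(root, include_meta=True):
    """Walk root and record one fingerprint per regular file (symlinks skipped)."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            if os.path.islink(p):
                continue
            db[os.path.relpath(p, root)] = fingerprint(p, include_meta)
    return db

def compare(root, baseline, include_meta=True):
    # Re-scan and diff against the stored baseline: three kinds of change.
    current = build_baseline(root, include_meta)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }

def demo():
    """Constructed scenario: baseline a fake bin/, then alter it and re-check."""
    root = tempfile.mkdtemp()
    bin_dir = os.path.join(root, "bin")
    os.makedirs(bin_dir)
    for name in ("ls", "ps"):
        with open(os.path.join(bin_dir, name), "wb") as f:
            f.write(b"original " + name.encode() + b"\n")
    baseline = build_baseline(root)
    # Simulate what a rootkit leaves behind: a command replaced, a file dropped, one gone.
    with open(os.path.join(bin_dir, "ls"), "wb") as f:
        f.write(b"replaced ls\n")
    with open(os.path.join(bin_dir, ".extra"), "wb") as f:
        f.write(b"x")
    os.remove(os.path.join(bin_dir, "ps"))
    return compare(root, baseline)
```

A real deployment stores the baseline off-box or signed, because a database the intruder can rewrite proves nothing.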
Originally posted by katmai90210:
well I get all sorts of scans on my server as well every day ... but as I said ... if you keep your software up to date no need to worry ... I am currently running httpd 2.0.48 with php 4.3.4, proftpd 1.2.9, mysql 4.0.17 and openssh 3.7.p2 ... all I need now is to make it stealth ...
Is that a publicly accessible webserver? If yes, then attempting to "stealth" a publicly accessible server is like camouflaging the fort to blend into the mountain yet painting the front gate hot pink. Running publicly accessible services on your computer makes your server visible on the network.