Symlink Attack
 

hello..noob here.

I was Symlink attacked overnight last night from 99.248.145.194

It practically brought down the server. I was having load averages over 70.0 on a duel processor server.

But I have my server mostly secured by default. Im running CentOs and Apache 2. Nothing really crazy installed on the server.

I read over the 'Security References' thread a little bit just now...but the enormous amount of links was overwhelming.

Is there a basic way to just scan my server for vulnerabilities of being symlink attacked ?

And is there any easy way to find out which exact file(s)or directory he was messing around with ?

I appreciate it,

mike

In order for a symlink attack to be successful, the attacker must already have local access to your computer. What indication of an attack do you have?

If, in fact, it is a symlink attack, you'll need to figure out how they got into your system in the first place -- you were compromised before that attack.

They were just apache http requests showing up on TOP command though. port 80.

The tech guy I was on the phone with said they were just trying to shut me down from outside. Didnt mention anything about internal access.

maybe a Dos attack could show up as a Symlink attack ? I believe it was a netstat command I ran that initially indicated something with Symlink.

http://www.infosecwriters.com/texts....display&id=159

I don't think the attack you experienced was a symlink attack. I'm gonna have to agree with Matir...you either have a malicious user, someone from the outside has access, or you've some symlinked content within your webserver directory that you should maybe unlink.

Interesting link unixfool..thx.

Near the bottom it recommends-


Is there a certain program I need to use to scan if I have symlinks / hardlinks or some other vulnerabilities on the server? This is my first time have this issue. I've got a pretty strict firewall as is. So it shouldnt look too bad...hopefully


These are the only other logs I can tie this in with..that occured around the same time last night.

var/log/httpd/access_log -


It was a ton more then that...that was just a sample.

All this 403 probably means he was trying to get in but couldnt ?

And is there an easy way to have my server email me if load averages go above a certain amount ? Im running Plesk 9.0 and have full root access.

I appreciate it much guys...Im starting to become suspicious of even the Tech guys I allow access to my server. One of the reasons why I signed up here. hehe.

The log snip you provided shows that someone is just trying to access the root page.

Also, http://wiki.apache.org/httpd/InternalDummyConnection explains some things. Based on this page's explanation, this is a non-event. That doesn't explain your extremely high load averages, though.

Also, see http://www.linuxquestions.org/questi...ection-506054/

What gave you the impression that 99.248.145.194 is involved? The source of all those requests is ::1, the IPv6 loopback interface.

When I ran "netstat -an | less" several times while the attack was occuring...that was the Only IP addresses showing up the whole time. All the way down the list. Even "netstat -an" . same thing.

Then if I ran TOP immediately after, the whole putty display would be completely full of apache http requests. massive amounts of requests and cpu usuage.

What do you suspect the ::1 had to do with it ? maybe he was unaware the file he was trying to access was mod-rewrite or something?

I been google'ing today to find a way to email me when server loads go above a certain number and I cant find one method to do it. Can someone please direct me to something ? If it happens again overnight, i'd like to be alerted.

My bad, I got the term wrong.

I got SYN flood'd last night. Not a symlink attack. Confirmed with tech support just now.

I found a script to do what I need to do. (email me when server reaches a certain limit)

https://forums.misdivision.com/showthread.php?t=703

anybody ever try this one ?

which is the root Script folder on a linux ? or the general path ? (this is something I never needed to use in the past..but will need now)

That script checks server load. That has nothing to do with a SYN flood. If you wish to detect SYN flooding, you basically just need to script a netstat check for the amount of half-open connections (SYN_RECV). If you wish to stop SYN flooding from happening, you basically just need to enable TCP SYN cookies:

Yeah, but i'd rather just be notified by email whenever my server load is above normal. Which can help me diagnose more then just a SynFlood. Plus that TCP Syn Cookies has some drawbacks of its own. Especially considering the rare amount of times it occurs.

Any advice on installing that script? Should I just install it somewhere in /etc/ ?

There seems to be some miscommunication here. Once again: A SYN flood doesn't cause your server load to spike. Hence, that script would be useless for detecting a SYN flood. While it's true that issuing TCP SYN cookies has its drawbacks, it's not like you have much of a choice during an attack. If you script the netstat check, you can make it so that TCP SYN cookies are only enabled when a SYN flood is actually taking place. I have no idea why your tech support would say that you were under a SYN flood based on the symptoms you've described here (none of which match a SYN flood).

Using a script to email you an alert when server load anomalies are detected is great, it's just that you should not be fooled into thinking it's gonna do anything for you as far a SYN flooding is concerned. One thing has nothing to do with the other. When you get SYN flooded, there won't be any load spike, hence no email alert, and consequently no countermeasures. So you will end-up in a denial-of-service situation which you could have mitigated had you used the right tool for the job. As for "installing" the server load script, you can pretty much place it anywhere you wish as long as the ownership and permissions on the file (and its parent directory) are sane (/etc is just fine).

Dude, if I put the script warn level to send the email out...when my 5 minute load average hits above 1.50 , im sure if a syn flood was occuring then, the load average would go up atleast a little. My average load almost never even goes above 0.40 .

http://en.wikipedia.org/wiki/SYN_flood


after reading that, you cant tell me the server load average wont go up at all.

My server was never shut down during that time..Putty and TOP command were available the whole time. so if I had the script up then, it would of alerted me.
although the load averages were over 70.0 at times during the attack..

It hasnt happened even once since. when I why I still think it was a syn flood.

This type of attack has NOTHING to do with server load. I really don't think your load is going to change all that much between before and during a syn flood.

If you want a true assessment of a syn flood, try it with something like a vmware host. In fact, try it with two hosts...one being the attacker and one being the target. Find a syn flood tool and attack the target host and monitor the load of the server.

Syn floods consume network stack resources, not service or host-level resources or even hardware-based resources such as CPU and memory.

I really don't think what you saw in your logs was anywhere near what you are assuming. If you think otherwise, you need to provide more data than you have provived thus far. If that's all you have, that still doesn't mean that you were syn flooded or symlink attacked. If I were you I'd check things such as the syslog logs to ensure the server wasn't misconfigured. This sounds more and more like a misconfig and not an actual attack.

Depending on the level of logging, a SYN flood or other request flood could cause staggering disk I/O trying to keep up with logging the requests, which would result in very high load average and sluggish responses. I was once troubleshooting a Linux system that was responding very slowly despite not handling unusual amounts of network traffic. The cause turned out to be someone had enabled iptables logging for every packet and it was logging to local disk. Disabling iptables logging took the load from 27 to 3.