LinuxQuestions.org
Old 01-31-2009, 10:38 AM   #1
mike2010
Member
 
Registered: Jan 2009
Posts: 132

Rep: Reputation: 15
Symlink Attack


hello..noob here.

I was Symlink attacked overnight last night from 99.248.145.194

It practically brought down the server. I was having load averages over 70.0 on a dual processor server.

But I have my server mostly secured by default. I'm running CentOS and Apache 2. Nothing really crazy installed on the server.

I read over the 'Security References' thread a little bit just now...but the enormous amount of links was overwhelming.

Is there a basic way to just scan my server for vulnerabilities of being symlink attacked?

And is there any easy way to find out which exact file(s) or directory he was messing around with?

I appreciate it,

mike
 
Old 01-31-2009, 11:14 AM   #2
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507

Rep: Reputation: 128
In order for a symlink attack to be successful, the attacker must already have local access to your computer. What indication of an attack do you have?

If, in fact, it is a symlink attack, you'll need to figure out how they got into your system in the first place -- you were compromised before that attack.
 
Old 01-31-2009, 01:30 PM   #3
mike2010
Member
 
Registered: Jan 2009
Posts: 132

Original Poster
Rep: Reputation: 15
They were just Apache HTTP requests showing up in the top command though. Port 80.

The tech guy I was on the phone with said they were just trying to shut me down from outside. Didn't mention anything about internal access.

Maybe a DoS attack could show up as a symlink attack? I believe it was a netstat command I ran that initially indicated something with symlink.
 
Old 01-31-2009, 02:34 PM   #4
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 782
Blog Entries: 8

Rep: Reputation: 158
http://www.infosecwriters.com/texts....display&id=159

I don't think the attack you experienced was a symlink attack. I'm gonna have to agree with Matir...you either have a malicious user, someone from the outside has access, or you've some symlinked content within your webserver directory that you should maybe unlink.

Last edited by unixfool; 01-31-2009 at 02:35 PM.
 
Old 01-31-2009, 03:28 PM   #5
mike2010
Member
 
Registered: Jan 2009
Posts: 132

Original Poster
Rep: Reputation: 15
Interesting link unixfool..thx.

Near the bottom it recommends-


Quote:
- Perform checks on files to be handled.
a) Check for existence of file.
b) Check for symlinks
c) Check for hardlinks
d) etc.
Is there a certain program I need to use to scan if I have symlinks / hardlinks or some other vulnerabilities on the server? This is my first time having this issue. I've got a pretty strict firewall as is. So it shouldn't look too bad...hopefully


These are the only other logs I can tie this in with..that occurred around the same time last night.

/var/log/httpd/access_log -


Quote:
::1 - - [31/Jan/2009:01:33:17 -0500] "GET / HTTP/1.0" 403 5043 "-" "Apache/2.2.3 (CentOS) (internal dummy connection)"
::1 - - [31/Jan/2009:01:33:18 -0500] "GET / HTTP/1.0" 403 5043 "-" "Apache/2.2.3 (CentOS) (internal dummy connection)"
::1 - - [31/Jan/2009:01:33:19 -0500] "GET / HTTP/1.0" 403 5043 "-" "Apache/2.2.3 (CentOS) (internal dummy connection)"
::1 - - [31/Jan/2009:01:33:20 -0500] "GET / HTTP/1.0" 403 5043 "-" "Apache/2.2.3 (CentOS) (internal dummy connection)"
::1 - - [31/Jan/2009:01:33:21 -0500] "GET / HTTP/1.0" 403 5043 "-" "Apache/2.2.3 (CentOS) (internal dummy connection)"
::1 - - [31/Jan/2009:01:33:22 -0500] "GET / HTTP/1.0" 403 5043 "-" "Apache/2.2.3 (CentOS) (internal dummy connection)"
::1 - - [31/Jan/2009:01:33:23 -0500] "GET / HTTP/1.0" 403 5043 "-" "Apache/2.2.3 (CentOS) (internal dummy connection)"
::1 - - [31/Jan/2009:01:49:03 -0500] "GET / HTTP/1.0" 403 5043 "-" "Apache/2.2.3 (CentOS) (internal dummy connection)"
::1 - - [31/Jan/2009:01:49:13 -0500] "GET / HTTP/1.0" 403 5043 "-" "Apache/2.2.3 (CentOS) (internal dummy connection)"
::1 - - [31/Jan/2009:01:49:17 -0500] "GET / HTTP/1.0" 403 5043 "-" "Apache/2.2.3 (CentOS) (internal dummy connection)"
::1 - - [31/Jan/2009:01:49:17 -0500] "GET / HTTP/1.0" 403 5043 "-" "Apache/2.2.3 (CentOS) (internal dummy connection)"
::1 - - [31/Jan/2009:01:49:18 -0500] "GET / HTTP/1.0" 403 5043 "-" "Apache/2.2.3 (CentOS) (internal dummy connection)"
::1 - - [31/Jan/2009:01:49:18 -0500] "GET / HTTP/1.0" 403 5043 "-" "Apache/2.2.3 (CentOS) (internal dummy connection)"
::1 - - [31/Jan/2009:01:49:18 -0500] "GET / HTTP/1.0" 403 5043 "-" "Apache/2.2.3 (CentOS) (internal dummy connection)"
::1 - - [31/Jan/2009:01:49:29 -0500] "GET / HTTP/1.0" 403 5043 "-" "Apache/2.2.3 (CentOS) (internal dummy connection)"
It was a ton more than that...that was just a sample.

All this 403 probably means he was trying to get in but couldn't?

And is there an easy way to have my server email me if load averages go above a certain amount? I'm running Plesk 9.0 and have full root access.

I appreciate it much guys...I'm starting to become suspicious of even the tech guys I allow access to my server. One of the reasons why I signed up here. hehe.
 
Old 01-31-2009, 03:34 PM   #6
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 782
Blog Entries: 8

Rep: Reputation: 158
The log snip you provided shows that someone is just trying to access the root page.

Also, http://wiki.apache.org/httpd/InternalDummyConnection explains some things. Based on this page's explanation, this is a non-event. That doesn't explain your extremely high load averages, though.

Also, see http://www.linuxquestions.org/questi...ection-506054/

Last edited by unixfool; 01-31-2009 at 03:35 PM.
 
Old 01-31-2009, 03:52 PM   #7
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507

Rep: Reputation: 128
What gave you the impression that 99.248.145.194 is involved? The source of all those requests is ::1, the IPv6 loopback interface.
 
Old 01-31-2009, 11:31 PM   #8
mike2010
Member
 
Registered: Jan 2009
Posts: 132

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by Matir View Post
What gave you the impression that 99.248.145.194 is involved? The source of all those requests is ::1, the IPv6 loopback interface.
When I ran "netstat -an | less" several times while the attack was occurring...that was the only IP address showing up the whole time. All the way down the list. Even "netstat -an". Same thing.

Then if I ran top immediately after, the whole PuTTY display would be completely full of Apache HTTP requests. Massive amounts of requests and CPU usage.

What do you suspect the ::1 had to do with it? Maybe he was unaware the file he was trying to access was mod_rewrite or something?

I've been googling today to find a way to email me when server loads go above a certain number and I can't find one method to do it. Can someone please direct me to something? If it happens again overnight, I'd like to be alerted.
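One way to get the alert mike2010 is asking for, added here as an example and not the script linked later in the thread nor any poster's code. It reads the 5-minute load average from /proc/loadavg (assumed Linux layout: 1-min, 5-min, 15-min, running/total, last pid), compares it with a threshold using awk (test(1) cannot compare decimals), and mails a snapshot of the busiest processes so the alert already carries the context needed to tell a request flood from a runaway job. The recipient address, the threshold and the file name /etc/loadcheck.sh are placeholders; mail(1) is assumed to be installed.

```sh
#!/bin/sh
# Load-average alert check (added example, not the misdivision script).
# Assumed: Linux /proc/loadavg, mail(1) on the box, placeholder recipient below.

THRESHOLD="${THRESHOLD:-1.50}"               # 5-minute load average that triggers an alert
ALERT_TO="${ALERT_TO:-admin@example.invalid}" # placeholder recipient, change for real use

# five_min_load LINE: prints the 5-minute field of a /proc/loadavg line
five_min_load() {
    printf '%s\n' "$1" | awk '{ print $2 }'
}

# load_exceeds LINE THRESHOLD: succeeds when the 5-minute average in LINE is above THRESHOLD
load_exceeds() {
    printf '%s\n' "$1" | awk -v t="$2" '{ exit ($2 + 0 > t + 0) ? 0 : 1 }'
}

# send_alert SUBJECT BODY: mails the alert, or writes it to stderr when mail(1) is missing
send_alert() {
    if command -v mail >/dev/null 2>&1; then
        printf '%s\n' "$2" | mail -s "$1" "$ALERT_TO"
    else
        printf 'ALERT (no mail command): %s\n%s\n' "$1" "$2" >&2
    fi
}

# check_load [LINE]: compares the current (or a supplied) load line with THRESHOLD.
# Returns 0 when an alert was raised, 1 when load is normal or unreadable.
check_load() {
    line="${1:-$(cat /proc/loadavg 2>/dev/null)}"
    [ -n "$line" ] || return 1
    load_exceeds "$line" "$THRESHOLD" || return 1
    send_alert "Load alert on $(uname -n): 5-min average $(five_min_load "$line")" \
"$(date)
loadavg: $line
busiest processes by %CPU:
$(ps aux 2>/dev/null | sort -k3 -rn | head -n 10)"
}

# Cron entry point, e.g. every five minutes:  */5 * * * * /etc/loadcheck.sh run
# Without the "run" argument the script only defines its functions (sourceable, testable).
if [ "${1:-}" = run ]; then
    check_load || :
fi
```

Placing it in /etc with root ownership and mode 0755 matches the advice given later in the thread; the threshold of 1.50 is the level mike2010 mentions and is a per-host choice, not a general recommendation.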
 
Old 02-01-2009, 02:14 AM   #9
mike2010
Member
 
Registered: Jan 2009
Posts: 132

Original Poster
Rep: Reputation: 15
My bad, I got the term wrong.

I got SYN flooded last night. Not a symlink attack. Confirmed with tech support just now.

I found a script to do what I need to do. (email me when server reaches a certain limit)

https://forums.misdivision.com/showthread.php?t=703

Anybody ever try this one?

Which is the root script folder on Linux? Or the general path? (This is something I never needed to use in the past..but will need now.)
 
Old 02-01-2009, 03:08 AM   #10
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by mike2010 View Post
My bad, I got the term wrong.

I got SYN flooded last night. Not a symlink attack. Confirmed with tech support just now.

I found a script to do what I need to do. (email me when server reaches a certain limit)

https://forums.misdivision.com/showthread.php?t=703

Anybody ever try this one?

Which is the root script folder on Linux? Or the general path? (This is something I never needed to use in the past..but will need now.)
That script checks server load. That has nothing to do with a SYN flood. If you wish to detect SYN flooding, you basically just need to script a netstat check for the amount of half-open connections (SYN_RECV). If you wish to stop SYN flooding from happening, you basically just need to enable TCP SYN cookies:
Code:
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

Last edited by win32sux; 02-01-2009 at 03:12 AM.
 
Old 02-04-2009, 01:18 PM   #11
mike2010
Member
 
Registered: Jan 2009
Posts: 132

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by win32sux View Post
That script checks server load. That has nothing to do with a SYN flood. If you wish to detect SYN flooding, you basically just need to script a netstat check for the amount of half-open connections (SYN_RECV). If you wish to stop SYN flooding from happening, you basically just need to enable TCP SYN cookies:
Code:
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
Yeah, but I'd rather just be notified by email whenever my server load is above normal. Which can help me diagnose more than just a SYN flood. Plus TCP SYN cookies have some drawbacks of their own. Especially considering the rare amount of times it occurs.

Any advice on installing that script? Should I just install it somewhere in /etc/ ?

Last edited by mike2010; 02-04-2009 at 01:20 PM.
 
Old 02-04-2009, 03:23 PM   #12
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by mike2010 View Post
Yeah, but I'd rather just be notified by email whenever my server load is above normal. Which can help me diagnose more than just a SYN flood. Plus TCP SYN cookies have some drawbacks of their own. Especially considering the rare amount of times it occurs.

Any advice on installing that script? Should I just install it somewhere in /etc/ ?
There seems to be some miscommunication here. Once again: A SYN flood doesn't cause your server load to spike. Hence, that script would be useless for detecting a SYN flood. While it's true that issuing TCP SYN cookies has its drawbacks, it's not like you have much of a choice during an attack. If you script the netstat check, you can make it so that TCP SYN cookies are only enabled when a SYN flood is actually taking place. I have no idea why your tech support would say that you were under a SYN flood based on the symptoms you've described here (none of which match a SYN flood).

Using a script to email you an alert when server load anomalies are detected is great, it's just that you should not be fooled into thinking it's gonna do anything for you as far as SYN flooding is concerned. One thing has nothing to do with the other. When you get SYN flooded, there won't be any load spike, hence no email alert, and consequently no countermeasures. So you will end up in a denial-of-service situation which you could have mitigated had you used the right tool for the job. As for "installing" the server load script, you can pretty much place it anywhere you wish as long as the ownership and permissions on the file (and its parent directory) are sane (/etc is just fine).

Last edited by win32sux; 02-04-2009 at 03:37 PM.
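A concrete version of the netstat check win32sux describes in posts #10 and #12, added here as an example and not any poster's code: it counts connections in the half-open state, turns SYN cookies on only while that count is above a limit, and turns them back off once it drops, so the drawbacks of SYN cookies apply only for the duration of an attack. It assumes a socket table from ss -tan or netstat -tan (both put the peer address in column 5; ss spells the state SYN-RECV, netstat SYN_RECV), a per-host limit, root for writing the sysctl, and placeholder paths for the state file and the script itself. The sample socket table inside the script is constructed.

```sh
#!/bin/sh
# SYN-flood check with conditional SYN cookies (added example, not from the thread).
# Assumed: ss(8) or netstat(8) output, root when run for real, placeholder paths below.

SYN_LIMIT="${SYN_LIMIT:-200}"                          # half-open connections that count as a flood (assumed)
SYSCTL_FILE="${SYSCTL_FILE:-/proc/sys/net/ipv4/tcp_syncookies}"
STATE_FILE="${STATE_FILE:-/var/run/synflood.cookies}"  # marks that this script turned cookies on

# Constructed sample table in ss(8) layout; used when no "run" argument is given.
SAMPLE_TABLE='State    Recv-Q Send-Q Local Address:Port Peer Address:Port
SYN-RECV 0      0      10.0.0.5:80        198.51.100.7:41022
SYN-RECV 0      0      10.0.0.5:80        198.51.100.7:41023
SYN-RECV 0      0      10.0.0.5:80        203.0.113.9:5100
ESTAB    0      0      10.0.0.5:22        192.0.2.10:53211
SYN_RECV 0      0      10.0.0.5:80        198.51.100.7:41024'

# count_syn_recv: socket-table lines on stdin, prints how many are half-open (both spellings)
count_syn_recv() {
    grep -c -E '(^|[[:space:]])SYN[-_]RECV([[:space:]]|$)' || :
}

# top_syn_sources: prints "count address" for the peers holding the most half-open
# connections; the trailing :port is stripped so IPv6 peers are handled too
top_syn_sources() {
    grep -E 'SYN[-_]RECV' | awk '{ sub(/:[^:]*$/, "", $5); print $5 }' \
        | sort | uniq -c | sort -rn | head -n 5
}

# flood_detected COUNT: succeeds when COUNT is above SYN_LIMIT
flood_detected() { [ "$1" -gt "$SYN_LIMIT" ]; }

# syncookies_enabled: succeeds when the kernel is currently sending SYN cookies
syncookies_enabled() { [ "$(cat "$SYSCTL_FILE" 2>/dev/null)" = 1 ]; }

# respond COUNT: enable SYN cookies for the duration of a flood, restore 0 afterwards
respond() {
    if flood_detected "$1"; then
        if ! syncookies_enabled; then
            echo 1 > "$SYSCTL_FILE" && : > "$STATE_FILE"
            echo "$(date): $1 half-open connections, SYN cookies enabled"
        fi
    elif [ -f "$STATE_FILE" ]; then
        echo 0 > "$SYSCTL_FILE" && rm -f "$STATE_FILE"
        echo "$(date): $1 half-open connections, SYN cookies restored to 0"
    fi
}

# live_table: prefers ss(8), falls back to netstat(8)
live_table() { ss -tan 2>/dev/null || netstat -tan; }

# Cron entry point, e.g. every minute:  * * * * * /etc/synflood.sh run
# Without the "run" argument the script only counts half-open entries in the sample.
if [ "${1:-}" = run ]; then
    table=$(live_table)
    n=$(printf '%s\n' "$table" | count_syn_recv)
    respond "$n"
    if flood_detected "$n"; then printf '%s\n' "$table" | top_syn_sources; fi
else
    printf '%s\n' "$SAMPLE_TABLE" | count_syn_recv
fi
```

The state file is what lets the script restore the previous setting instead of leaving cookies on permanently; if the kernel already has tcp_syncookies set to 1 by policy, respond leaves it alone and the state file is never created.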
 
Old 02-04-2009, 05:41 PM   #13
mike2010
Member
 
Registered: Jan 2009
Posts: 132

Original Poster
Rep: Reputation: 15
Dude, if I put the script warn level to send the email out...when my 5 minute load average hits above 1.50, I'm sure if a SYN flood was occurring then, the load average would go up at least a little. My average load almost never even goes above 0.40.

http://en.wikipedia.org/wiki/SYN_flood


Quote:
If these half-open connections bind resources on the server, it may be possible to take up all these resources by flooding the server with SYN messages. Once all resources set aside for half-open connections are reserved, no new connections (legitimate or not) can be made, resulting in denial of service. Some systems may malfunction badly or even crash if other operating system functions are starved of resources this way.
After reading that, you can't tell me the server load average won't go up at all.

My server was never shut down during that time..PuTTY and the top command were available the whole time. So if I had the script up then, it would have alerted me.
Although the load averages were over 70.0 at times during the attack..

It hasn't happened even once since, which is why I still think it was a SYN flood.
 
Old 02-04-2009, 06:38 PM   #14
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 782
Blog Entries: 8

Rep: Reputation: 158
Quote:
Originally Posted by mike2010 View Post
Dude, if I put the script warn level to send the email out...when my 5 minute load average hits above 1.50, I'm sure if a SYN flood was occurring then, the load average would go up at least a little. My average load almost never even goes above 0.40.

http://en.wikipedia.org/wiki/SYN_flood

After reading that, you can't tell me the server load average won't go up at all.

My server was never shut down during that time..PuTTY and the top command were available the whole time. So if I had the script up then, it would have alerted me.
Although the load averages were over 70.0 at times during the attack..

It hasn't happened even once since, which is why I still think it was a SYN flood.
This type of attack has NOTHING to do with server load. I really don't think your load is going to change all that much between before and during a syn flood.

If you want a true assessment of a syn flood, try it with something like a vmware host. In fact, try it with two hosts...one being the attacker and one being the target. Find a syn flood tool and attack the target host and monitor the load of the server.

Syn floods consume network stack resources, not service or host-level resources or even hardware-based resources such as CPU and memory.

I really don't think what you saw in your logs was anywhere near what you are assuming. If you think otherwise, you need to provide more data than you have provided thus far. If that's all you have, that still doesn't mean that you were SYN flooded or symlink attacked. If I were you I'd check things such as the syslog logs to ensure the server wasn't misconfigured. This sounds more and more like a misconfig and not an actual attack.
 
Old 02-04-2009, 06:43 PM   #15
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
Depending on the level of logging, a SYN flood or other request flood could cause staggering disk I/O trying to keep up with logging the requests, which would result in very high load average and sluggish responses. I was once troubleshooting a Linux system that was responding very slowly despite not handling unusual amounts of network traffic. The cause turned out to be someone had enabled iptables logging for every packet and it was logging to local disk. Disabling iptables logging took the load from 27 to 3.
 