LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 10-30-2006, 11:51 AM   #1
c4onastick
Member
 
Registered: Aug 2006
Distribution: Slackware
Posts: 51

Rep: Reputation: 15
What to do about attempted buffer overflows


Hi, I have a small webserver that I run. I was checking the logs (as all good sysadmins do) and I found what looks to be an attempted buffer overflow attack on my apache webserver. I'm still new to running my own server, what do you usually do when you find this sort of thing? (And can you help me confirm that's what's happened)

tail of the log looks like this:
Code:
67.160.131.187 - - [29/Oct/2006:16:54:01 -0700] "GET / HTTP/1.0" 200 2622
66.54.207.150 - - [29/Oct/2006:17:29:10 -0700] "GET / HTTP/1.1" 200 2622
66.54.207.150 - - [29/Oct/2006:17:29:10 -0700] "GET /style.css HTTP/1.1" 200 2306
66.54.207.150 - - [29/Oct/2006:17:29:10 -0700] "GET /logobas2.jpg HTTP/1.1" 200 9959
66.54.207.150 - - [29/Oct/2006:17:29:10 -0700] "GET /favicon.ico HTTP/1.1" 404 297
67.174.115.21 - - [30/Oct/2006:06:54:33 -0700] "GET / HTTP/1.0" 200 2622
67.174.115.21 - - [30/Oct/2006:06:54:33 -0700] "SEARCH /\x90\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\$
67.174.115.21 - - [30/Oct/2006:06:55:04 -0700] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 314
67.165.127.238 - - [30/Oct/2006:08:54:06 -0700] "GET / HTTP/1.0" 200 2622
Note: I truncated the "SEARCH /\x90\xc9\xc9\xc9..." line, its much, much longer than that.

I'm also a little unsure how to propperly read this log file. Obviously the requesting IP is first, followed by the date and time, then the action, and then two numbers. The first of which I suspect is the server's response to the request, what is the second?

Do I email this log to my ISP's security branch? (Its comcast, so they probably wont do anything about it) I've checked for the file "/_vti_bin/_vti_aut/fp30reg.dll", I can't find it (using slocate). So I think I'm ok. (That and I think its probabaly most likely a windows binary)

More importantly, (since I'm still learning the ropes) how can I add a cron entry to tail the logs (and perhaps use some regex to filter them slightly) to give me more uptodate (consistent) checks? I also have been using chkrootkit, anyway to automate that check and email it to me also? Any advice would be great. Thanks in advance!

Last edited by c4onastick; 10-30-2006 at 11:56 AM.
 
Old 10-30-2006, 03:34 PM   #2
Mara
Moderator
 
Registered: Feb 2002
Location: Grenoble
Distribution: Debian
Posts: 9,696

Rep: Reputation: 232Reputation: 232Reputation: 232
Quote:
Originally Posted by c4onastick
The first of which I suspect is the server's response to the request, what is the second?
Result size (in bytes).

Quote:
Do I email this log to my ISP's security branch? (Its comcast, so they probably wont do anything about it)
If anything, not yours. Attack source's ISP is the right one to contact. That's probably attack on that Windows problem: http://www.osvdb.org/displayvuln.php...&Lookup=Lookup

My (good guess) is that's just a bot trying an IP range. If you're not running Windows, the attack will not work for sure.

Quote:
More importantly, (since I'm still learning the ropes) how can I add a cron entry to tail the logs (and perhaps use some regex to filter them slightly) to give me more uptodate (consistent) checks? I also have been using chkrootkit, anyway to automate that check and email it to me also? Any advice would be great. Thanks in advance!
It depends. There are tools giving you stats, but beeing notified about just every such attempt is way too much - you get many similar ones every day. If you want to trace such things, Snort may be interesting for you.
 
Old 10-30-2006, 03:51 PM   #3
c4onastick
Member
 
Registered: Aug 2006
Distribution: Slackware
Posts: 51

Original Poster
Rep: Reputation: 15
Ok, Thanks! I've heard about snort. My only real security concerns are the two services I have open to the net: apache and ssh. Any tips on securing those?

I did a quick whois on that IP, it happens to be from comcast anyway, I'll give them a call. Why do you think its a bot? (I'm very interested in network security, I'd love to gain some insight into this)
 
Old 11-04-2006, 12:04 PM   #4
daYz
Member
 
Registered: Nov 2003
Distribution: Ubuntu
Posts: 164

Rep: Reputation: 30
http://www.securityfocus.com/infocus/1786

I would not pay much attention to the chrooting part if that would be difficult to follow. It is quite easy to break out to.

If it is all too much then the best advise I can give is that you should keep apache up-to-date.

The easiest to do that is adding the commands:

Code:
apt-get(or aptitude) update
Code:
apt-get/aptitude upgrade
to cron (on Debian) (do "crontab -e" as root)

Looking for updates every half an our would be good:

0 9/30 * * * aptitude update
0 9/31 * * * aptitude upgrade



Logcheck is perfect if you want to check your logs.

On debian:

Code:
apt-get/aptitude install logcheck
For chkrootkit try:

Code:
dpkg-reconfigure chkrootkit
and see if you can supply your email adres then. If that doesn't work you can add this command to cron:

Code:
chkrootkit |mail -s subject email@adress
b.t.w see if you could use the -q switch with chkrootkit. You can read what it does when you run dpkg-reconfigure chkrootkit.

Last edited by daYz; 11-04-2006 at 01:40 PM.
 
Old 11-04-2006, 04:03 PM   #5
JockVSJock
Senior Member
 
Registered: Jan 2004
Posts: 1,420
Blog Entries: 4

Rep: Reputation: 164Reputation: 164
Quote:
Originally Posted by c4onastick
My only real security concerns are the two services I have open to the net: apache and ssh. Any tips on securing those?
Go thru the following thread

http://www.linuxquestions.org/questi...d.php?t=340366

to secure ssh
 
Old 11-04-2006, 05:31 PM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
I would not pay much attention to the chrooting part if that would be difficult to follow. It is quite easy to break out to.
Actually tried it? Care to substantiate this claim?
 
Old 11-04-2006, 06:01 PM   #7
c4onastick
Member
 
Registered: Aug 2006
Distribution: Slackware
Posts: 51

Original Poster
Rep: Reputation: 15
Excellent, thanks for the links. I was under the impression that chrooting was pretty secure. Am I wrong?
 
Old 11-04-2006, 06:20 PM   #8
JockVSJock
Senior Member
 
Registered: Jan 2004
Posts: 1,420
Blog Entries: 4

Rep: Reputation: 164Reputation: 164
Probably should have added...

Pay only attention to how a person can modify the following:

Code:
/etc/hosts.allow
/etc/hosts.deny
 
Old 11-04-2006, 11:32 PM   #9
daYz
Member
 
Registered: Nov 2003
Distribution: Ubuntu
Posts: 164

Rep: Reputation: 30
I have not tried to break out of chroot myself, but it is explained how it can be done in this book: http://www.amazon.com/Writing-Securi...e=UTF8&s=books

According to the book it can be done on 2.4 and 2.6 kernels and the book also contains code that does it automatically for you.

If you can compile your own kernel I would look at something like Lids, Grsecurity etc. Lids has rules/settings for a whole Debian system on the lids wiki site.

http://www.lids.org

Last edited by daYz; 11-04-2006 at 11:33 PM.
 
Old 11-05-2006, 03:49 AM   #10
daYz
Member
 
Registered: Nov 2003
Distribution: Ubuntu
Posts: 164

Rep: Reputation: 30
I like to add that if apache is up to date you can be pretty sure that it cannot be exploited by buffer overflows etc, until a new vulnerebility in it is found.
When a new vulnerebility is found the code of apache is adjusted so that it will be made impossible to exploit that vulnerebility.
That's why you should update apache as soon as there is an update available. (The same counts for other programs like ssh.)

If you are hacked because of such an exploit or misconfiguration of apache, then things like running apache as an unpriveleged user, etc, become important because they can limit the impact of such an attack.

Regards,

Ben
 
Old 11-05-2006, 10:16 AM   #11
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
@OP: "SEARCH /\x90\xc9\xc9\xc9..."
These are not buffer overflows but search patterns meant for gathering information and finding vulnerable items.
For starters harden your machine properly using general kernel-side features like SELinux or GRSecurity, tools like Tiger, USAT (LSAT) or Bastille-Linux and check out mod_security. If you are worried about BO's then, like Mara said, look at Snort (or Prelude if you fancy something completely different).


More importantly, (since I'm still learning the ropes) how can I add a cron entry to tail the logs (and perhaps use some regex to filter them slightly) to give me more uptodate (consistent) checks?
Check out Logwatch.


@daYz: I have not tried to break out of chroot myself, but it is explained how it can be done in this book: (..) According to the book it can be done on 2.4 and 2.6 kernels and the book also contains code that does it automatically for you.
Just naming a book does not substantiate your claim.
W/o giving details you're spreading FUD.


@OP: I was under the impression that chrooting was pretty secure. Am I wrong?
In general we can say chrooting is secure as long as 1) the application that chroots drops its root account privileges without being able to regain them and 2) as long as the chroot environment does not interact with the parent environment like for instance enabling /proc, mounting FSes inside the chroot and allowing syslog.
The GRSecurity kernel patch adds specific features meant to reinforce chroots and covers all methods to break of of a chroot.


@JockVSJock: Pay only attention to how a person can modify the following
With security you will want to keep in mind single points of failure, so it really is best to use (and, not or) router features, and the local firewall and tcp_wrappers and PAM (where applicable).


@daYz: If you are hacked because of such an exploit or misconfiguration of apache, then things like running apache as an unpriveleged user, etc, become important because they can limit the impact of such an attack.
The webserver should be running as unprivileged user by default. There's no if's. Enhance limiting attack impact by running the process under SELinux or GRSecurity's RBAC.


---
In closing the Linux Security forum has a sticky: the LQ FAQ: Security references. It provides pointers to general security docs (in case you don't know a chroot from a hole in the ground), docs about system hardening and auditing (which everyone should read) and docs about securing services (like post #6).
 
Old 11-05-2006, 10:37 AM   #12
daYz
Member
 
Registered: Nov 2003
Distribution: Ubuntu
Posts: 164

Rep: Reputation: 30
Quote:
Just naming a book does not substantiate your claim.
W/o giving details you're spreading FUD.
Well ok, I have read in that book that it is possible to break out of chroot quite easily. The details are given in that book.
I can't prove that I have read that book.

Last edited by daYz; 11-05-2006 at 10:46 AM.
 
Old 11-05-2006, 08:04 PM   #13
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
I can't prove that I have read that book.
Heh. No, you don't need to. You just can not say "It is quite easy to break out to" without giving details. Maybe you can get away with that in other fora and on other topics but not here in LQ's Linux Security forum because we have to deal with facts, not phantoms. Anyone interested in information about what it takes to break out of a chroot could start by reading the GRSecurity docs and search teh intarweb for "breaking out of a chroot jail".
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
What is the difference between the free buffer and buffer in the buffer hash queue? Swagata Linux - Enterprise 0 05-25-2006 11:57 PM
static pointers in C++ and buffer overflows santoshraju Programming 6 02-26-2006 11:31 PM
Buffer Overflows question vexer General 8 05-04-2004 08:44 PM
burning cd: buffer overflows in the OS?? drenal Linux - Software 1 01-27-2004 06:23 PM
CERTŪ Advisory CA-2003-01 Buffer Overflows in ISC DHCPD Minires Library Astro Slackware 1 01-21-2003 06:54 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 04:15 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration