LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 08-30-2014, 10:41 AM   #1
newbie14
Member
 
Registered: Sep 2011
Posts: 646

Rep: Reputation: Disabled
Windows executable files upload


I ran my logwatch for a slightly longer period, from today back to 75 days ago, and below is what I see:

Code:
915.48 MB transferred in 65987 responses  (1xx 0, 2xx 45543, 3xx 11883, 4xx 8531, 5xx 30) 
    17324 Images (36.38 MB),
        4 Documents (0.00 MB),
        2 Windows executable files (0.00 MB),
    48274 Content pages (879.02 MB),
        3 Redirects (0.00 MB),
        4 Configs (0.00 MB),
       68 mod_proxy requests (0.02 MB),
      308 Other (0.06 MB)

I notice there are these 4 Documents (0.00 MB) and 2 Windows executable files (0.00 MB); should I ignore this or take some action on it?


Also, is there any remedy for this?

Attempts to use known hacks by 9 hosts were logged 21 time(s) from:
Code:
    203.97.21.3: 6 Time(s)
       /\.\./\.\./\.\./ 2 Time(s) 
       passwd$ 2 Time(s) 
       boot\.ini 2 Time(s) 
    210.116.114.212: 6 Time(s)
       /\.\./\.\./\.\./ 2 Time(s) 
       passwd$ 2 Time(s) 
       boot\.ini 2 Time(s) 
    95.48.87.242: 3 Time(s)
       \\x81 3 Time(s) 
    194.208.186.41: 1 Time(s)
       ^null$ 1 Time(s) 
    207.194.255.18: 1 Time(s)
       ^null$ 1 Time(s) 
    50.190.148.124: 1 Time(s)
       ^null$ 1 Time(s) 
    70.159.96.229: 1 Time(s)
       ^null$ 1 Time(s) 
    76.105.212.9: 1 Time(s)
       ^null$ 1 Time(s) 
    98.164.112.93: 1 Time(s)
       ^null$ 1 Time(s)
 
Old 08-30-2014, 01:33 PM   #2
Bruce Baker
LQ Newbie
 
Registered: Jul 2013
Location: Medina, OH
Distribution: Mint KDE
Posts: 7

Rep: Reputation: Disabled
Can't upload windows executables

A Windows executable file cannot run on a Linux file system. Therefore, the uploader doesn't even bother to try to upload the file. I hope I am making sense to you. The Windows executable file is worthless on any Linux platform. I will give you my email address, and you may contact me if you need more help.
Bruce Baker email: brucebrookebaker@yahoo.com
 
Old 08-30-2014, 04:33 PM   #3
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
Quote:
Originally Posted by newbie14
Also is there any remedy for this

Attempts to use known hacks by 9 hosts were logged 21 time(s) from:
Code:
    203.97.21.3: 6 Time(s)
       /\.\./\.\./\.\./ 2 Time(s) 
       passwd$ 2 Time(s) 
       boot\.ini 2 Time(s) 
    210.116.114.212: 6 Time(s)
       /\.\./\.\./\.\./ 2 Time(s) 
       passwd$ 2 Time(s) 
       boot\.ini 2 Time(s) 
    95.48.87.242: 3 Time(s)
       \\x81 3 Time(s) 
    194.208.186.41: 1 Time(s)
       ^null$ 1 Time(s) 
    207.194.255.18: 1 Time(s)
       ^null$ 1 Time(s) 
    50.190.148.124: 1 Time(s)
       ^null$ 1 Time(s) 
    70.159.96.229: 1 Time(s)
       ^null$ 1 Time(s) 
    76.105.212.9: 1 Time(s)
       ^null$ 1 Time(s) 
    98.164.112.93: 1 Time(s)
       ^null$ 1 Time(s)
fail2ban.
 
Old 08-31-2014, 04:25 AM   #4
newbie14
Member
 
Registered: Sep 2011
Posts: 646

Original Poster
Rep: Reputation: Disabled
Dear Bruce Baker,
Then why is logwatch reporting on Windows executable files? Is there anything for me to dig into further on this?

---------- Post added 08-31-14 at 05:26 PM ----------

Dear Habitual,
Yes, I have fail2ban enabled; do I need to tweak it further?
 
Old 08-31-2014, 06:03 AM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by Bruce Baker View Post
A windows executable file cannot run on a linux file system. (..) The windows executable file is worthless on any linux platform.
I would like to remind you that while Linux does not run PE binaries, a Linux system can be abused to serve up PE malware, so saying it is worthless is only part of the story.


Quote:
Originally Posted by Bruce Baker View Post
Therefore, the uploader doesn't even bother to try to upload the file.
Strictly speaking, unless you have access to this members httpd logs, you have no grounds on which you can base this, which makes it an assumption. Please be careful and factual.


Quote:
Originally Posted by Bruce Baker View Post
I will give you my email address, and you may contact me if you need more help.
You're relatively new here so I caution you to please not do that. Whatever is posted here should be handled here (with the exception of those members I trust to perform incident handling the way I like to see it done).
 
Old 08-31-2014, 06:05 AM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by newbie14 View Post
I ran my logwatch for a slight longer days from today to 75 days ago and below is what I see
...which again isn't the whole picture. Please refer to your prior threads https://www.linuxquestions.org/quest...ed-4175457440/ , https://www.linuxquestions.org/quest...ch-4175462471/ and https://www.linuxquestions.org/quest...ng-4175474409/ and note I explained before to you how you can use logwatch in --debug mode and grep for things to find out what gets processed how.
 
Old 08-31-2014, 08:30 AM   #7
Bruce Baker
LQ Newbie
 
Registered: Jul 2013
Location: Medina, OH
Distribution: Mint KDE
Posts: 7

Rep: Reputation: Disabled
To UnSpawn: I was careful and factual, because the output of the upload showed 0.0 executable files, which are either no luck trying or didn't even try (moot point!). Don't ride so high and mighty on your silver steed. Some of the rest of us can make educated surmises, too.

Now as to Newbie's question: It would depend entirely on whether or not you are searching for malware in your uploads. Except that there is no file to inspect; so you're back at the original: ignore it! Okay?
 
Old 08-31-2014, 09:32 AM   #8
newbie14
Member
 
Registered: Sep 2011
Posts: 646

Original Poster
Rep: Reputation: Disabled
Dear Unspawn,
I ran it like this:
Code:
logwatch --detail High --service All --range 'between -75 days and today' --archives --numeric > /usr/local/300814logwatch_75
but now I add this:
Code:
logwatch --detail High --service All --range 'between -75 days and today' --archives --numeric --debug > /usr/local/300814logwatch_75
What option should I put for the debug? Could it be referring to the python .exe like what we discovered previously?
 
Old 08-31-2014, 10:41 AM   #9
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
Quote:
Originally Posted by newbie14 View Post
Dear Habitual,
Yes I have fail2ban enabled do I need to tweak it further?
You can do so by adding something like this to your /etc/fail2ban/jail.local
Code:
[honeypot]

enabled  = true
filter   = honeypot
# Use the honeypot action defined below (multiport needs tcp, not "all")
action   = honeypot[name=honeypot,protocol=tcp,port="http,https"]
maxretry = 1
logpath  = /path/to/your/access.log
bantime  = 31556926 ; 1 year in seconds
/etc/fail2ban/filter.d/honeypot.conf:
Code:
[Definition]

docroot = /var/www/html
# Escape the dot so only a literal "boot.ini" matches
badadmin = boot\.ini
# Option:  failregex
# Notes.:  Regexp to match boot.ini
# Values:  TEXT
#

failregex = ^<HOST> .*"GET \/(?:%(badadmin)s).*?"
            ^<HOST> .*"POST \/(?:%(badadmin)s).*?"

ignoreregex =
Make a new /etc/fail2ban/action.d/honeypot.conf file with these contents:
Code:
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Modified by Yaroslav Halchenko for multiport banning
# $Revision: 658 $
#

[Definition]
actionstart = iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>

actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
             iptables -F fail2ban-<name>
             iptables -X fail2ban-<name>

actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name>

actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP

actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP

[Init]

# Default name of the chain
name = default

# Option:  port
port = http

# Option:  protocol
protocol = tcp

# Option:  chain (the built-in chain the jump rule is inserted into)
chain = INPUT
Test it first using
Code:
fail2ban-regex /path/to/your/access.log /etc/fail2ban/filter.d/honeypot.conf
If that succeeds in showing something along this line/result:
Success, the total number of match is <number>

then you should be good to go.
If you see "Sorry, no match", then there are 2 things to check:
1.) your access.log file has been rotated or there are no hits.
2.) your /etc/fail2ban/filter.d/honeypot.conf file is poorly configured.

It's python and spacing matters! (I usually line up everything to the right of the "=" sign using spaces, not tabs.) eg:
Code:
failregex = ^<HOST> .*"GET \/(?:%(badadmin)s).*?"
            ^<HOST> .*"POST \/(?:%(badadmin)s).*?"
Adjust accordingly and check again with
Code:
fail2ban-regex /path/to/your/access.log /etc/fail2ban/filter.d/honeypot.conf
Restart fail2ban using
Code:
fail2ban-client reload
If you are on CentOS... you should save your current iptables rules with something like
Code:
sudo iptables-save > /root/safe.rules
before
Code:
fail2ban-client reload
On later Ubuntu hosts, you need the iptables-persistent package installed to keep your iptables rules across reboots.

I hope that's helpful.

See my 2 blog posts on the fail2ban subject.

Last edited by Habitual; 08-31-2014 at 10:43 AM.
 
1 members found this post helpful.
Old 08-31-2014, 04:38 PM   #10
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by newbie14 View Post
What option should I put for the debug?
None, "--high" is enough.


Quote:
Originally Posted by newbie14 View Post
Could it be referring to the python .exe like what we discover previously?
Unlikely. Send a compressed copy of the report to my Gmail address please?
 
Old 08-31-2014, 10:19 PM   #11
newbie14
Member
 
Registered: Sep 2011
Posts: 646

Original Poster
Rep: Reputation: Disabled
Dear Unspawn,
I have sent the file accordingly.
 
Old 09-01-2014, 07:02 AM   #12
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,659
Blog Entries: 4

Rep: Reputation: 3941
Remember also that what a Unix/Linux system says is "a Windows executable file" is ... an educated guess, based on observed data characteristics.

Really, the most important thing to glean from log displays such as this one is: "does this 'ring true?'" "Is this what I would expect to see from this system, if it were being used by authorized users for legitimate business purposes?" If not, then the log has just done its job of being the canary in the coal-mine. It's your job to figure out what the canary meant.
 
Old 09-01-2014, 03:39 PM   #13
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by newbie14 View Post
I have sent the file accordingly.
The Logwatch report does give some information, like show the amount of standard probing that's been done, but unfortunately no specifics. If you want to get into this you'll have to search your logs.
 
Old 09-02-2014, 12:16 PM   #14
newbie14
Member
 
Registered: Sep 2011
Posts: 646

Original Poster
Rep: Reputation: Disabled
Dear Unspawn,
Which logs should I search, and are there any specific keywords or elements to look for in a particular log? I would like to do so if there is anything messy.
 
Old 09-02-2014, 04:34 PM   #15
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by newbie14 View Post
Which logs should I search and
Your web server's access logs.


Quote:
Originally Posted by newbie14 View Post
any specific key word or element to look into as particular log.
*This assumes logs reside in /var/log/httpd; else substitute the path.
Code:
# If you have many large log files, check in which logs the term appears (once is enough) and only search those below:
zgrep -m1 -c '\.html' /var/log/httpd/access*.[0-9]*.gz | awk -F':' '{if ($2 != 0) print $1}'
# Go for a simple wide search (extended regex, so the (POST|GET) alternation works):
zgrep -hE '"(POST|GET) [^ ]*\.exe[^ ]* HTTP/' /var/log/httpd/access*.[0-9]*.gz
Share the results if you can't make heads nor tails of it.
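As an added example (not code from the thread, fail2ban or logwatch), the Python below applies the probe patterns from the logwatch report in post #1, the honeypot filter's failregex from post #9 (with <HOST> expanded the way fail2ban-regex does it) and the .exe search from the zgrep command above to constructed access-log lines, and totals hits per client host. The sample lines, pattern names and function names are my own; the third sample line shows that the honeypot filter only fires when boot.ini is requested directly under the document root.

```python
import re
from collections import Counter, defaultdict

# Apache combined log format up to the request line; the rest of the line is ignored.
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+"')

# Probe patterns from the logwatch "known hacks" report (applied to the request path)
# plus the .exe search from the zgrep command; the names are ours, not logwatch's.
PROBE_PATTERNS = {
    "traversal": re.compile(r"/\.\./\.\./\.\./"),
    "passwd": re.compile(r"passwd$"),
    "boot.ini": re.compile(r"boot\.ini"),
    "exe-request": re.compile(r"\.exe(?:$|[?/])", re.IGNORECASE),
}

# The honeypot filter's two failregex lines, <HOST> expanded the way fail2ban-regex does.
_HOST = r"(?P<host>\S+)"
HONEYPOT_FAILREGEX = [re.compile(r'^%s .*"%s \/(?:boot\.ini).*?"' % (_HOST, m))
                      for m in ("GET", "POST")]

def classify(line):
    """Return (host, [matched probe names]) for one log line, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path")
    return m.group("host"), [n for n, rx in PROBE_PATTERNS.items() if rx.search(path)]

def honeypot_matches(line):
    """True if the line would trip the honeypot jail (maxretry = 1 bans on first hit)."""
    return any(rx.match(line) for rx in HONEYPOT_FAILREGEX)

def summarise(lines):
    """Per-host counts of probe hits and honeypot triggers, like logwatch's summary."""
    per_host = defaultdict(Counter)
    for line in lines:
        parsed = classify(line)
        if parsed is None:
            continue  # not an access-log record
        host, hits = parsed
        per_host[host].update(hits)
        if honeypot_matches(line):
            per_host[host]["honeypot"] += 1
    return per_host

# Constructed sample lines using documentation-range addresses, not data from the thread.
SAMPLE_LOG = """\
203.0.113.5 - - [30/Aug/2014:10:41:00 -0500] "GET /../../../etc/passwd HTTP/1.1" 404 210 "-" "-"
203.0.113.5 - - [30/Aug/2014:10:41:01 -0500] "GET /boot.ini HTTP/1.1" 404 210 "-" "-"
203.0.113.5 - - [30/Aug/2014:10:41:02 -0500] "GET /../../../boot.ini HTTP/1.1" 404 210 "-" "-"
198.51.100.7 - - [30/Aug/2014:11:00:00 -0500] "GET /downloads/setup.exe HTTP/1.1" 200 5120 "-" "-"
"""
```

Run it against a real access log with `summarise(open(path).read().splitlines())`; rotated `.gz` files need `gzip.open(path, "rt")` instead.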
 