Serious Security Issue?

Networking/Security Forums -> UNIX // GNU/Linux

Author: Mikefc626    Location: here    Posted: Thu Apr 07, 2005 7:06 am    Post subject: Serious Security Issue?
    ----
Hey everybody!
Ok, I know this isn't exactly proper to post a question about an Apache server running on Win2k in the UNIX/Linux section, but unless I'm just plain wrong, wasn't it built on Linux? Also, I didn't see anywhere better to post back on the forum page, so here goes.

I am having some very eyebrow-raising activity on my Apache web server (Windows 2k). I have been following the logs, and there has been a lot of stuff going on recently, but none as bad as just a few hours ago. I do not profess to be any kind of security expert; rather, I am just now beginning to get into that sort of thing, thus I don't know very much and I haven't gotten far enough into my extra reading to interpret everything before me. Maybe someone here could help. I will provide an overview of the problems below:

POST & CONNECT from an IP in Germany, POST referring to his IP, and CONNECT to mx2.mail.yahoo.com (can anyone say mail spam piggyback? yes?)

SEARCH x90\x9\x9\x9......x90\x90 (this particular one is driving me nuts because it shows up A LOT)

numerous IPs from China/Japan/Netherlands that say something to the effect of "POST _vti_bin _vti_aut fp30reg.dll HTTP 1.1" then "GET scripts ..%255c%255c.. winnt system32 cmd.exe? c+dir" 404 323

GET cgi-bin openwebmail openwebmail.pl HTTP 1.0

GET default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX (and lots of gobbledygook after it, %ucbd3%, etc.)

more GET scripts, one with root.exe? c+dir

SEARCH x90\x02\xb1\x02\xb1\.....

and now the big finale...
an IP from Canada, eh? that is nothing but system32 stuff, _vti_bin, cmd.exe? stuff... thing is, there are 65 notations of this kind of crap going on within the span of about 2 minutes

Am I being hacked out the whazzooo or what? If so, or better yet even if not, feel free to whack this b***h around. His IP is 69.156.41.52

Someone please help!!! I am very concerned, and need some serious guidance.

Thanks guys.

Author: Guest    Posted: Thu Apr 07, 2005 8:14 am    Post subject:
    ----
Most of those appear to be IIS-related traffic, so you shouldn't worry about them. It's normal noise from certain worms and automated scripts that try to look for old vulnerabilities.

You might, however, want to check if those CONNECT attempts have resulted in code 200; that means the attempt has been successful. That means that your Apache server also acts as a proxy and allows third parties to use your machine to hide their origins. (404 means page not found.)

Also check the contents of your cgi-bin, and do a search on the web to find out if you have any vulnerable CGI scripts. If this is a default install you probably have a few example scripts that can be removed.

Author: Mikefc626    Location: here    Posted: Thu Apr 07, 2005 8:19 am    Post subject:
    ----
Yes, it is a default install; I guess I'll get cracking on the cgi-bin scripts. What should I know for this (it is my first go with Apache)? Also, one thing that does ease my mind is checking the error log, which mostly says blah blah the script file they were looking for was not found on the server, so it's not all bad, right? But I may be wrong.

Author: Colonel_Panic    Posted: Thu Apr 07, 2005 3:38 pm    Post subject:
    ----
I see lots of those. I think that default.ida thing is CodeRed, if not some other IIS worm. Buffer overflow with payload, it seems. Those _vti_whatever directories are found on IIS too. Harmless to Apache. Can't remember what the long SEARCH thing is, but I've seen it and remember googling for it. Probably some IIS thing too, because I can't remember. All in all, common garbage that will fill your logs.
The ip you see is most likely a victim too. These worms jump from machine to machine.

Author: RoboGeek    Location: LeRoy, IL    Posted: Thu Apr 07, 2005 3:55 pm    Post subject:
    ----
Quote:
numerous IPs from China/Japan/Netherlands that say something to the effect of "POST _vti_bin _vti_aut fp30reg.dll HTTP 1.1" then "GET scripts ..%255c%255c.. winnt system32 cmd.exe? c+dir" 404 323

---

more GET scripts, one with root.exe? c+dir

If they failed it looks like kiddies have been playing around a bit, trying to get in. If they succeeded you might have some problems. CodeRed F is also in the wild.

They find you run M$ and just try some IIS hacks on you.. not the brightest people.

Here's some of what they are trying..

FrontPage Extensions buffer overflow (fp30reg.dll)
http://lists.virus.org/bugtraq-0311/msg00185.html
http://www.securiteam.com/exploits/6A00J1P8UQ.html

cmd.exe exploits
http://www.securityfocus.com/bid/1806/exploit/
http://lists.sans.org/pipermail/unisog/2002-June/004612.php

the other stuff I'll let you figure out

Author: ElToro    Posted: Fri Apr 08, 2005 12:11 am    Post subject:
    ----
The default configuration for Apache web servers is pretty good but you do want to go through the config file line by line and understand what is going on. Be sure to turn off any features you are not using like the cgi-bin directory, the documentation, directory indexing, etc.

You can also use mod_security to add another layer of defense to your server. It's sort of an application-specific firewall that works with Apache. It can block a lot of the unwanted traffic you are seeing. I've only used it on Linux, but there are Windows binaries available.

http://www.modsecurity.org/

Author: Mikefc626    Location: here    Posted: Tue Apr 12, 2005 5:39 am    Post subject:
    ----
Hey guys, thanks for the help. I've been so bogged down with school stuff, group projects, and other crap that I haven't taken the time to reply. I do appreciate the help, especially those links to what they may be trying to accomplish.

All times are GMT + 2 Hours
