Security Forums

Serious Security Issue?

Networking/Security Forums Index -> UNIX // GNU/Linux
Mikefc626 (Just Arrived)

Posted: Thu Apr 07, 2005 7:06 am    Post subject: Serious Security Issue?

Hey everybody!
Ok, I know this isn't exactly proper to post a question about an Apache server running on Win2k in the UNIX/Linux section, but unless I'm just plain wrong, wasn't it built on Linux? Also, I didn't see anywhere better to post back on the forum page, so here goes.

I am having some very eyebrow-raising activity on my Apache web server (Windows 2000). I have been following the logs, and there has been a lot of stuff going on recently, but none as bad as just a few hours ago. I do not profess to be any kind of security expert; rather, I am just now beginning to get into that sort of thing, thus I don't know very much and I haven't gotten far enough into my extra reading to interpret everything before me. Maybe someone here could help. I will provide an overview of the problems below:

POST & CONNECT from an IP in Germany, POST referring to his IP, and CONNECT to mx2.mail.yahoo.com (can anyone say mail spam piggyback? yes?)

SEARCH x90\x9\x9\x9......x90\x90 (this particular one is driving me nuts because it shows up A LOT)

numerous IPs from China/Japan/Netherlands that say something to the effect of "POST _vti_bin _vti_aut fp30reg.dll HTTP 1.1" then "GET scripts ..%255c%255c.. winnt system32 cmd.exe? c+dir" 404 323

GET cgi-bin openwebmail openwebmail.pl HTTP 1.0

GET default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX (and lots of gobbledygook after it, %ucbd3%, etc.)

more GET scripts, one with root.exe? c+dir

SEARCH x90\x02\xb1\x02\xb1\.....

and now the big finale...
an IP from Canada, eh? that is nothing but system32 stuff, _vti_bin, cmd.exe? stuff... thing is, there are 65 notations of this kind of crap going on within the span of about 2 minutes

Am I being hacked out the wazoo or what? If so, or better yet even if not, feel free to whack this b***h around. His IP is 69.156.41.52

Someone please help!!! I am very concerned and need some serious guidance.

Thanks guys.
Guest

Posted: Thu Apr 07, 2005 8:14 am

Most of those appear to be IIS-related traffic, so you shouldn't worry about them. It's normal noise from certain worms and automated scripts that try to look for old vulnerabilities.

You might, however, want to check whether those CONNECT attempts have resulted in code 200; that means the attempt has been successful, and that your Apache server also acts as a proxy and allows third parties to use your machine to hide their origins. (404 means page not found.)

Also check the contents of your cgi-bin, and do a search on the web to find out if you have any vulnerable CGI scripts. If this is a default install you probably have a few example scripts that can be removed.
Mikefc626 (Just Arrived)

Posted: Thu Apr 07, 2005 8:19 am

Yes, it is a default install; I guess I'll get cracking on the cgi-bin scripts. What should I know for this (it is my first go with Apache)? Also, one thing that does ease my mind is checking the error log, which mostly says blah blah, the script file they were looking for was not found on the server, so it's not all bad, right? But I may be wrong.
Colonel_Panic (Just Arrived)

Posted: Thu Apr 07, 2005 3:38 pm

I see lots of those. I think that default.ida thing is CodeRed, if not some other IIS worm. Buffer overflow with payload, it seems. Those _vti_whatever directories are found on IIS too. Harmless to Apache. Can't remember what the long SEARCH thing is, but I've seen it and remember googling for it. Probably some IIS thing too, because I can't remember. All in all, common garbage that will fill your logs.
The IP you see is most likely a victim too. These worms jump from machine to machine.
RoboGeek (SF Mod)

Posted: Thu Apr 07, 2005 3:55 pm

Quote:
    numerous IPs from China/Japan/Netherlands that say something to the effect of "POST _vti_bin _vti_aut fp30reg.dll HTTP 1.1" then "GET scripts ..%255c%255c.. winnt system32 cmd.exe? c+dir" 404 323

    ---

    more GET scripts, one with root.exe? c+dir

If they failed, it looks like kiddies have been playing around a bit, trying to get in. If they succeeded, you might have some problems. CodeRed F is also in the wild.

They find you run M$ and just try some IIS hacks on you... not the brightest people.

Here's some of what they are trying...

Front Page Extensions buffer overflow (fp30reg.dll)
http://lists.virus.org/bugtraq-0311/msg00185.html
http://www.securiteam.com/exploits/6A00J1P8UQ.html

cmd.exe exploits
http://www.securityfocus.com/bid/1806/exploit/
http://lists.sans.org/pipermail/unisog/2002-June/004612.php

The other stuff I'll let you figure out.
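The two log checks this thread converges on, worked through on constructed log lines: the Guest reply's point that a CONNECT answered 200 means Apache relayed the request (an open proxy), and RoboGeek's list of what the cmd.exe / fp30reg.dll / default.ida probes are. This is an added example, not code from the thread, from Apache or from any of the linked advisories. The function names, the burst threshold (20 probes inside 120 seconds, modelled on the "65 in about 2 minutes" the poster saw) and the sample lines, which use documentation IP ranges, are this example's own assumptions; the signature labels are built from the request strings quoted in the thread.

```python
"""Triage an Apache access log for the traffic in this thread (added example,
not code from the thread or Apache). Parses the default common/combined log
format, labels requests with signatures built from the strings the poster
quoted, and runs the Guest reply's check: a CONNECT or absolute-URI request
answered 200 means Apache proxied it. Names, thresholds, samples: assumptions."""
import re
from collections import Counter, defaultdict
from datetime import datetime
from urllib.parse import unquote

LOG_RE = re.compile(  # Apache common/combined log: client, timestamp, request line, status, size
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)')

# Matched against the fully URL-decoded target, so "..%255c%255c.." hits the same rule as "..\..".
SIGNATURES = [
    ("cmd.exe/root.exe traversal", re.compile(r"(cmd|root)\.exe", re.I)),
    ("FrontPage fp30reg.dll", re.compile(r"_vti_bin/.*fp30reg\.dll", re.I)),
    ("Code Red default.ida", re.compile(r"default\.ida\?x+", re.I)),
    ("openwebmail probe", re.compile(r"openwebmail\.pl", re.I)),
]

def fully_decode(target):
    """Undo layered percent-encoding (%255c -> %5c -> backslash)."""
    for _ in range(3):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["decoded"] = fully_decode(rec["target"])
    return rec

def classify(rec):
    """Label scanner traffic; return None for an ordinary request."""
    if rec["method"] == "CONNECT" or rec["target"].lower().startswith("http://"):
        return "proxy probe (CONNECT / absolute URI)"
    # Apache logs non-printable bytes as \xNN; a run of \x90 is a NOP sled.
    if rec["method"] == "SEARCH" and "\\x90" in rec["target"]:
        return "SEARCH with \\x90 NOP sled (overflow payload)"
    for label, pattern in SIGNATURES:
        if pattern.search(rec["decoded"]):
            return label
    return None

def triage(lines, burst_window=120, burst_threshold=20):
    """Return (open_proxy_hits, counts_per_label, {ip: probes inside burst_window})."""
    open_proxy, labels, times = [], Counter(), defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        label = classify(rec) if rec else None
        if label is None:
            continue
        labels[label] += 1
        times[rec["ip"]].append(rec["time"])
        # The Guest reply's check: 200 here means the request was relayed.
        if label.startswith("proxy probe") and rec["status"] == 200:
            open_proxy.append((rec["ip"], rec["method"], rec["target"]))
    bursts = {}
    for ip, ts in times.items():  # sliding window per source IP
        ts.sort()
        start = 0
        for end in range(len(ts)):
            while (ts[end] - ts[start]).total_seconds() > burst_window:
                start += 1
            if end - start + 1 >= burst_threshold:
                bursts[ip] = max(bursts.get(ip, 0), end - start + 1)
    return open_proxy, labels, bursts

# Constructed sample (documentation IPs), modelled on the poster's description.
SAMPLE_LOG = [
    '192.0.2.10 - - [07/Apr/2005:03:55:12 +0200] "CONNECT mx2.mail.yahoo.com:25 HTTP/1.0" 200 0',
    '192.0.2.10 - - [07/Apr/2005:03:55:40 +0200] "POST http://192.0.2.10/ HTTP/1.1" 404 323',
    '198.51.100.7 - - [07/Apr/2005:04:01:02 +0200] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 323',
    '198.51.100.7 - - [07/Apr/2005:04:01:03 +0200] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.1" 404 323',
    '198.51.100.9 - - [07/Apr/2005:04:05:30 +0200] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3 HTTP/1.0" 404 323',
    '198.51.100.9 - - [07/Apr/2005:04:05:31 +0200] "SEARCH /\\x90\\x02\\xb1\\x02\\xb1\\x90\\x90\\x90 HTTP/1.1" 414 0',
    '203.0.113.4 - - [07/Apr/2005:04:10:00 +0200] "GET /cgi-bin/openwebmail/openwebmail.pl HTTP/1.0" 404 296',
    '203.0.113.4 - - [07/Apr/2005:04:10:05 +0200] "GET /index.html HTTP/1.1" 200 1532',
] + [
    # One source hammering the box: 65 probes inside about a minute.
    f'203.0.113.77 - - [07/Apr/2005:04:{20 + i // 60:02d}:{i % 60:02d} +0200] '
    '"GET /scripts/..%255c%255c../winnt/system32/root.exe?/c+dir HTTP/1.0" 404 323'
    for i in range(65)
]

if __name__ == "__main__":
    open_proxy, labels, bursts = triage(SAMPLE_LOG)
    print("open proxy hits:", open_proxy)
    print("bursty sources:", bursts)
    for label, n in labels.most_common():
        print(f"{n:4d}  {label}")
```

Run as a script it prints the one hit that actually matters (the CONNECT answered 200) and the one source that sent 65 probes inside the window, then the counts per signature; to run it over a real log, pass `open(path)` to `triage()` in place of `SAMPLE_LOG`. The decode loop is what makes the cmd.exe rule reliable: `..%255c%255c..` only becomes `..\..` after two passes, so a single `unquote` would leave the double-encoded form unmatched. Everything that lands on 404 is noise the server could not have served; a 200 on a proxy probe is the line to act on.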
ElToro (Just Arrived)

Posted: Fri Apr 08, 2005 12:11 am

The default configuration for Apache web servers is pretty good, but you do want to go through the config file line by line and understand what is going on. Be sure to turn off any features you are not using, like the cgi-bin directory, the documentation, directory indexing, etc.

You can also use mod_security to add another layer of defense to your server. It's sort of an application-specific firewall that works with Apache. It can block a lot of the unwanted traffic you are seeing. I've only used it on Linux, but there are Windows binaries available.

http://www.modsecurity.org/
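The hardening ElToro describes, as an added configuration example; it is not from the thread, from Apache or from the modsecurity.org project. The paths and rule ids are placeholders, the `Require` lines are Apache 2.4 syntax and the `SecRule` lines use the ModSecurity 2.x rule language, both of which post-date this 2005 thread (on Apache 1.3/2.0 the access-control equivalents are `Order deny,allow` / `Deny from all`, and mod_security 1.x used `SecFilter` directives instead of `SecRule`).

```apacheconf
# httpd.conf fragments (Apache 2.4 syntax). Paths are placeholders.

# A stock install is not a proxy, but say so explicitly: with ProxyRequests On
# the "CONNECT mx2.mail.yahoo.com:25" seen in the log would be answered 200 and
# the box would relay that mail for whoever asked.
ProxyRequests Off

# Document root: no directory listings, no server-side includes, no CGI here,
# and no .htaccess files that could switch any of that back on.
<Directory "C:/Apache/htdocs">
    Options -Indexes -Includes -ExecCGI
    AllowOverride None
    Require all granted
</Directory>

# The example CGI scripts: the default ScriptAlias publishes everything under
# cgi-bin. Comment it out (or delete the directory) and refuse the path, so a
# /cgi-bin/openwebmail/openwebmail.pl probe gets 403 whether or not a script exists.
# ScriptAlias /cgi-bin/ "C:/Apache/cgi-bin/"
<Location "/cgi-bin/">
    Require all denied
</Location>

# The bundled documentation is served at /manual on a default install.
# Alias /manual "C:/Apache/manual"

# Only the methods the site needs: SEARCH, PROPFIND and the other WebDAV verbs
# are answered 403 instead of being passed to a handler.
<Location "/">
    <LimitExcept GET POST HEAD>
        Require all denied
    </LimitExcept>
</Location>

# mod_security (2.x rule language): drop the worm probes in phase 1, before any
# handler runs. t:urlDecodeUni also normalises the %uXXXX form used by default.ida
# requests; t:lowercase lets the pattern stay lowercase.
SecRuleEngine On
SecRule REQUEST_METHOD "@rx ^(CONNECT|SEARCH)$" \
    "id:900001,phase:1,deny,status:403,log,msg:'proxy or WebDAV probe'"
SecRule REQUEST_URI "@rx (cmd\.exe|root\.exe|default\.ida|_vti_bin|fp30reg\.dll)" \
    "id:900002,phase:1,t:urlDecodeUni,t:lowercase,deny,status:403,log,msg:'IIS worm probe'"
```

`ProxyRequests Off` is the setting that decides whether the CONNECT in the log can ever succeed, independent of everything else; the `<Location "/cgi-bin/">` block turns the "which example scripts are vulnerable" question into a non-issue; and the `SecRule` lines only change a 404 into a logged 403 for traffic Apache could not have served anyway, which reduces log noise but is not what keeps the server safe.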
Mikefc626 (Just Arrived)

Posted: Tue Apr 12, 2005 5:39 am

Hey guys, thanks for the help. I've been so bogged down with school stuff, group projects, and other crap that I haven't taken the time to reply. I do appreciate the help, especially those links to what they may be trying to accomplish.
All times are GMT + 2 Hours