Date: Mon, 24 Sep 2001 06:01:23 +0200 (MET DST)
From: Mail Delivery Subsystem <MAILER-DAEMON@au.dk>
To: <security@FreeBSD.ORG>
Subject: Warning: could not send message for past 4 hours
Message-ID: <200109240401.f8O3fAi21562@au.dk>
This is a MIME-encapsulated message

--f8O3fAi21562.1001304083/au.dk

    **********************************************
    **      THIS IS A WARNING MESSAGE ONLY      **
    **  YOU DO NOT NEED TO RESEND YOUR MESSAGE  **
    **********************************************

The original message was received at Mon, 24 Sep 2001 01:56:14 +0200 (MET DST)
from mbone.iie.cnam.fr [192.70.23.180]

   ----- The following addresses had transient non-fatal errors -----
<FARRET@DAIMI.AU.DK>

   ----- Transcript of session follows -----
<FARRET@DAIMI.AU.DK>... Deferred: Connection refused by daimi.au.dk.
Warning: message still undelivered after 4 hours
Will keep trying until message is 5 days old

--f8O3fAi21562.1001304083/au.dk
Content-Type: message/delivery-status

Reporting-MTA: dns; au.dk
Arrival-Date: Mon, 24 Sep 2001 01:56:14 +0200 (MET DST)

Final-Recipient: RFC822; FARRET@daimi.au.dk
Action: delayed
Status: 4.4.1
Remote-MTA: DNS; daimi.au.dk
Last-Attempt-Date: Mon, 24 Sep 2001 06:01:23 +0200 (MET DST)
Will-Retry-Until: Sat, 29 Sep 2001 01:56:14 +0200 (MET DST)

--f8O3fAi21562.1001304083/au.dk
Content-Type: message/rfc822

Return-Path: <security@FreeBSD.ORG>
Received: from mbone.iie.cnam.fr (mbone.iie.cnam.fr [192.70.23.180])
	by au.dk (8.11.4/8.11.4) with ESMTP id f8NNuD517047
	for <FARRET@DAIMI.AU.DK>; Mon, 24 Sep 2001 01:56:14 +0200 (MET DST)
Received: from rubis.iie.cnam.fr (smtp_relay@rubis.iie.cnam.fr [192.70.23.3])
	by mbone.iie.cnam.fr (8.9.3/8.9.3) with SMTP id CAA21526
	for <FARRET@DAIMI.AU.DK>; Mon, 24 Sep 2001 02:06:14 +0200 (MET DST)
From: security@FreeBSD.ORG
Received: by rubis.iie.cnam.fr (MX V4.2 VAX) id 23; Mon, 24 Sep 2001 02:06:08 MET_DST
Date: Mon, 24 Sep 2001 02:06:07 MET_DST
To: freebsd-security-digest@FreeBSD.ORG
Message-ID: <00A02825.EFF8D7F0.23@rubis.iie.cnam.fr>
Subject: security-digest V5 #289
Return-Path: <owner-freebsd-security-digest@FreeBSD.ORG>
Received: from mbone.iie.cnam.fr by rubis.iie.cnam.fr (MX V4.2 VAX) with SMTP;
	Mon, 24 Sep 2001 02:06:04 MET_DST
Received: from mx2.freebsd.org (mx2.FreeBSD.org [216.136.204.119])
	by mbone.iie.cnam.fr (8.9.3/8.9.3) with ESMTP id CAA21501
	for <farret@iie.cnam.fr>; Mon, 24 Sep 2001 02:05:05 +0200 (MET DST)
Received: from hub.freebsd.org (hub.FreeBSD.org [216.136.204.18])
	by mx2.freebsd.org (Postfix) with ESMTP id 9307355EDB;
	Sun, 23 Sep 2001 17:04:47 -0700 (PDT)
	(envelope-from owner-freebsd-security-digest@FreeBSD.ORG)
Received: by hub.freebsd.org (Postfix, from userid 538)
	id 2F73A37B417; Sun, 23 Sep 2001 17:04:38 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1])
	by hub.freebsd.org (Postfix) with SMTP id 4BF4C2E8040;
	Sun, 23 Sep 2001 17:04:38 -0700 (PDT)
Received: by hub.freebsd.org (bulk_mailer v1.12); Sun, 23 Sep 2001 17:04:38 -0700
From: owner-freebsd-security-digest@FreeBSD.ORG (security-digest)
To: freebsd-security-digest@FreeBSD.ORG
Subject: security-digest V5 #289
Reply-To: security@FreeBSD.ORG
Sender: owner-freebsd-security-digest@FreeBSD.ORG
Precedence: bulk
Message-ID: <bulk.57994.20010923170438@hub.freebsd.org>
Date: Sun, 23 Sep 2001 17:04:38 -0700 (PDT)

security-digest        Sunday, September 23 2001        Volume 05 : Number 289

In this issue:

	Re: ~/.login_conf disabling exact reasons wanted
	Re: New worm protection
	Patch for review (was Re: ~/.login_conf disabling exact reasons wanted)
	Re: New worm protection
	Re: ~/.login_conf disabling exact reasons wanted
	Re: New worm protection
	Identify this exploit
	Re: Identify this exploit
	Re: Identify this exploit
	Re: New worm protection
	Re: New worm protection
	Re: New worm protection
	Re: New worm protection
	Re: New worm protection
	Re: New worm protection
	Re: ~/.login_conf disabling exact reasons wanted
	Re: New worm protection
	Re: New worm protection
	Re: New worm protection
	Re: Policy based routing/restricting access __inside__ ones net..
	Re: New worm protection
	Re: New worm protection
	Re: New worm protection
	Re: New worm protection
	Re: Patch for review (was Re: ~/.login_conf disabling exact reasons wanted)

----------------------------------------------------------------------

Date: Sun, 23 Sep 2001 13:38:59 +0200
From: Alexander Langer <alex@big.endian.de>
Subject: Re: ~/.login_conf disabling exact reasons wanted

Thus spake Jordan Hubbard (jkh@FreeBSD.org):

> The bug doesn't exist in 4.4 either.  It was fixed prior to release.
> Doesn't anyone read commit mail anymore?! :-(

Yes, I do, but FreeBSD was 4.4 even before it was fixed.

OTOH, the report on bugtraq also mentions that 4.4-RELEASE isn't
affected.

Alex

------------------------------

Date: Sun, 23 Sep 2001 08:07:59 -0400
From: "Jonathan M. Slivko" <jslivko@4evermail.com>
Subject: Re: New worm protection

The best kind of protection I can offer is to write a script that will scan
the apache logs and use ipfw to ban whole class C's that generate a 404. That
may be a little extreme, but it works. I will try and get a copy of the code
to you later. -- Jonathan

- ----- Original Message -----
From: "Chris Byrnes" <chris@JEAH.net>
To: <security@freebsd.org>
Sent: Thursday, September 20, 2001 10:07 AM
Subject: New worm protection

> Has anyone written an easy-to-use ipfw rule or some kind of script that will
> help with this new worm?
>
> I have restricted Apache to just listen to my main two web IPs instead of
> all of the IPs (I have
> hundreds of domains and each of them previously had its own IP for different
> reasons), and
> that's cut down the bandwidth use in half, but I'm still about double what
> my daily normal bandwidth
> usage is.
>
> Frustration is high, and money issues are going to surface soon. Any help
> would be appreciated.
>
>
> Chris Byrnes, Managing Member
> JEAH Communications, LLC
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

------------------------------

Date: Sun, 23 Sep 2001 16:13:57 +0400
From: "Andrey A. Chernov" <ache@nagual.pp.ru>
Subject: Patch for review (was Re: ~/.login_conf disabling exact reasons wanted)

On Sat, Sep 22, 2001 at 22:58:21 +0400, Andrey A. Chernov wrote:

> I'll work on the proper fix tomorrow.

Planned for commit. Please, review and/or comment.

- --- login_cap.c.old	Sun Sep 23 16:09:04 2001
+++ login_cap.c	Sun Sep 23 16:06:19 2001
@@ -184,18 +184,17 @@ login_cap_t *lc; if ((lc = malloc(sizeof(login_cap_t))) != NULL) { - - int r, i = 0; + int r, me, i = 0; uid_t euid = 0; gid_t egid = 0; const char *msg = NULL; - - const char *dir = (pwd == NULL) ? NULL : pwd->pw_dir; + const char *dir; char userpath[MAXPATHLEN]; static char *login_dbarray[] = { NULL, NULL, NULL }; - -#ifndef _FILE_LOGIN_CONF_WORKS - - dir = NULL; - -#endif + me = (name != NULL && strcmp(name, LOGIN_MECLASS) == 0); + dir = (!me || pwd == NULL) ? NULL : pwd->pw_dir; /* * Switch to user mode before checking/reading its ~/.login_conf * - some NFSes have root read access disabled. @@ -215,7 +214,7 @@ if (_secure_path(userpath, pwd->pw_uid, pwd->pw_gid) != -1) i++; /* only use 'secure' data */ } - - if (_secure_path(_PATH_LOGIN_CONF, 0, 0) != -1) + if (me && _secure_path(_PATH_LOGIN_CONF, 0, 0) != -1) login_dbarray[i++] = _PATH_LOGIN_CONF; login_dbarray[i] = NULL; @@ -227,7 +226,7 @@ switch (cgetent(&lc->lc_cap, login_dbarray, (char*)name)) { case -1: /* Failed, entry does not exist */ - - if (strcmp(name, LOGIN_MECLASS) == 0) + if (me) break; /* Don't retry default on 'me' */ if (i == 0) r = -1; - -- Andrey A. Chernov http://ache.pp.ru/ ------------------------------ Date: Sun, 23 Sep 2001 06:07:01 -0700 
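Review bot: the first hunk changes behaviour beyond the stated fix and the commit message should say so: removing the `#ifndef _FILE_LOGIN_CONF_WORKS` / `dir = NULL;` / `#endif` block re-enables reading of the user's ~/.login_conf, which that guard had compiled out, and the new `dir = (!me || pwd == NULL) ? NULL : pwd->pw_dir;` restricts it to lookups of LOGIN_MECLASS. A one-line comment above `me = (name != NULL && strcmp(name, LOGIN_MECLASS) == 0);` stating that only the 'me' class may ever be satisfied from a file the user controls would document the property the whole patch relies on.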
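Review bot: the second hunk's `if (me && _secure_path(_PATH_LOGIN_CONF, 0, 0) != -1)` looks inverted, or at least too strict. With the first hunk forcing `dir` to NULL whenever `!me`, a lookup of any class other than LOGIN_MECLASS now adds neither the user file nor _PATH_LOGIN_CONF to `login_dbarray`, so `i` stays 0 and the third hunk's unchanged `if (i == 0) r = -1;` marks every such lookup as failed. If the intent is to stop consulting the system database only for the 'me' class, the condition should read `!me &&`; if the system database should always be consulted, drop the `me &&` guard. Either way a quick test of a plain class lookup through this path would settle it before commit.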
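Review bot: in the third hunk `if (me)` is a sound replacement for `strcmp(name, LOGIN_MECLASS) == 0`, and because `me` was computed behind a `name != NULL` guard it also removes a NULL dereference the old strcmp had when `name` is NULL; that is worth a line in the commit message. The trailing comment `/* Don't retry default on 'me' */` still matches the code; consider extending it to say why a 'me' lookup must never fall back to the default class, since that fallback is what the earlier hunks are guarding against.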
From: Greg Shenaut <greg@bogslab.ucdavis.edu>
Subject: Re: New worm protection

In message <200109230836.f8N8akx29012@faith.cs.utah.edu>, David G Andersen cleopede:
>I like the following
>simple script, which is what I run on my webservers.
>
> [script using a sleep(5) for delay purposes]
>
>NIMDA doesn't hang out for very long waiting for a response
>to the script headers, so a labrea-tarpit like approach won't
>actually be particularly effective.  The sleep(5) will slow
>it down a little bit, and the exit(0) will make it
>return with no data sent back, not even a 404.  Which
>will help a bit on the outbound bandwidth, but, of course
>won't help on the inbound.  Others have posted scripts to
>NANOG (see http://www.nanog.org/ and check the archive)
>that will automatically trigger ipfw / ipchains additions,
>but, as always, be particularly careful with those.

What would be the effect of having the web server ignore (as in, make no
response at all to) *any* attempt to GET a nonexistent file? It seems to me
that this would delay things maximally for the attacker with the least effort
at the server end. But I am concerned about the effect on innocent mistypers
and web crawling search engines (but not too concerned, frankly).

Greg Shenaut

------------------------------

Date: Sun, 23 Sep 2001 17:11:00 +0400
From: "Andrey A. Chernov" <ache@nagual.pp.ru>
Subject: Re: ~/.login_conf disabling exact reasons wanted

On Sat, Sep 22, 2001 at 22:58:21 +0400, Andrey A. Chernov wrote:
>
> Sorry for all that buzz, I am finally able to reproduce it on -current.
> Details: there is no security hole under -current, just broken
> functionality.

You can specify copyright=/etc/passwd with passwd output (it is broken
functionality), but specifying copyright=/etc/master.passwd outputs nothing.
See my patch posted today fixing this.

- --
Andrey A. Chernov
http://ache.pp.ru/

------------------------------

Date: Sun, 23 Sep 2001 16:00:40 +0100 (BST)
From: freebsd-security@rikrose.net
Subject: Re: New worm protection

On Sun, 23 Sep 2001 ark@eltex.ru wrote:

> Is there a way to send a command to worm to shut it (or just a machine) down?
> I remember Code Red installed some kind of backdoor that allowed remote control
> without trying the whole bunch of exploits, does NIMDA have such a 'feature'?

Allegedly, yes, it installs a passwordless admin account. There is
information "out there", apparently, although I haven't been bothered to look
it up, so I may be wrong.

- --
PGP Key: D2729A3F - Keyserver: wwwkeys.uk.pgp.net - rich at rdrose dot org
Key fingerprint = 5EB1 4C63 9FAD D87B 854C 3DED 1408 ED77 D272 9A3F
Public key also encoded with outguess on http://rikrose.net

------------------------------

Date: Sun, 23 Sep 2001 12:27:47 -0400
From: Pat Wendorf <beholder@unios.dhs.org>
Subject: Identify this exploit

I notice I get nearly 100 messages a day from my LOG_IN_VAIN rc.conf option.
Many of which, for the past few months, have been connection attempts to TCP
port 2000, as seen here:

> Connection attempt to TCP 209.226.99.101:2000 from 216.104.103.95:1169

I'm not much up on my exploits; which one is this?

- --
Pat Wendorf

------------------------------

Date: Sun, 23 Sep 2001 11:30:12 -0500
From: Christopher Schulte <christopher@schulte.org>
Subject: Re: Identify this exploit

At 12:27 PM 9/23/2001 -0400, Pat Wendorf wrote:
>I notice I get nearly 100 messages a day from my LOG_IN_VAIN rc.conf
>option.  Many of which, for the past few months has been connection
>attempts to TCP port 2000, as seen here:
>
> > Connection attempt to TCP 209.226.99.101:2000 from 216.104.103.95:1169
>
>I'm not much up on my exploits, which one is this?

Could be trying to exploit a wind0wz trojan exploit:

from http://www.sans.org/newlook/resources/IDFAQ/oddports.htm

port 2000   Der Späher / Der Spaeher, Insane Network

>--
>
>Pat Wendorf

- --
Christopher Schulte
christopher@schulte.org
http://noc.schulte.org

------------------------------

Date: Sun, 23 Sep 2001 09:30:22 -0700
From: Greg Shenaut <greg@bogslab.ucdavis.edu>
Subject: Re: Identify this exploit

In message <3BAE0D83.41ACBF7B@unios.dhs.org>, Pat Wendorf cleopede:
>I notice I get nearly 100 messages a day from my LOG_IN_VAIN rc.conf
>option.  Many of which, for the past few months has been connection
>attempts to TCP port 2000, as seen here:
>
>> Connection attempt to TCP 209.226.99.101:2000 from 216.104.103.95:1169
>
>I'm not much up on my exploits, which one is this?

In my /etc/services file, port 2000 is something known as "callbook", but I
don't know what that is.

Greg Shenaut

------------------------------

Date: Mon, 24 Sep 2001 02:56:40 +1000 (EST)
From: Ian Smith <smithi@nimnet.asn.au>
Subject: Re: New worm protection

On Sun, 23 Sep 2001, David G Andersen wrote:

> Lo and behold, Chris Byrnes once said:
> >
> > Has anyone written an easy-to-use ipfw rule or some kind of script
> > that will help with this new worm?
>
> Someone already pointed out disabling logging on your webserver.

Not an option here, but it's the large number of entries in *-error.log
that I'd like to be rid of.  *-access.log I can just grep out before log
analysis, if not exclude in the analyser config.

> He also suggested a Tarpit-like approach.  I like the following
> simple script, which is what I run on my webservers.
>
> mkdir DOCROOT/scripts
> # Cover the two alternate bits as well
> ln -s DOCROOT/scripts DOCROOT/_mem_bin
> ln -s DOCROOT/scripts DOCROOT/_vti_bin
>
> cat > DOCROOT/scripts/.htaccess
> ErrorDocument 404 /scripts/nph-foo.cgi
> <EOF>
>
> cat > DOCROOT/scripts/nph-foo.cgi
> #!/usr/bin/perl
> sleep(5);
> exit(0);
> <EOF>

Cute.  Will play.  However there are other directories too; dumping
ANY request containing cmd.exe or root.exe would do it best here.

> NIMDA doesn't hang out for very long waiting for a response
> to the script headers, so a labrea-tarpit like approach won't
> actually be particularly effective.  The sleep(5) will slow
> it down a little bit, and the exit(0) will make it
> return with no data sent back, not even a 404.  Which

But does *error.log still get hit?  I dealt with /default.ida by giving
'em a one-line one, which at least meant no error logging while reducing
response traffic by two thirds, but poring through apache docs - which I
must be too thick to find easy reading, looking for some way to provide
some short but valid response to such a range of URLs, I've not yet been
able to nut out.  Any suggestions?

> will help a bit on the outbound bandwidth, but, of course
> won't help on the inbound.  Others have posted scripts to
> NANOG (see http://www.nanog.org/ and check the archive)
> that will automatically trigger ipfw / ipchains additions,
> but, as always, be particularly careful with those.

Will have a look at these, however carpet bombing whole /24s for the not
even deliberate misdeeds of a few (ok, plenty of) unpatched m$junk seems
rather an overreaction <&^}=

The other thing here (ie in 203/8) is the large number of unsuccessful
DNS requests for reverse mapping of particularly North Asian addresses,
often ending with Server Failures and such - but I guess misconfigured
DNS is no more surprising than zillions of compromised webservers ..

I'd love to find some way of pre-filtering these NIMDA requests and just
dropping them on the floor before apache even considered DNS lookups (?)

Ian

------------------------------

Date: Sun, 23 Sep 2001 11:03:23 -0600 (MDT)
From: David G Andersen <danderse@cs.utah.edu>
Subject: Re: New worm protection

Lo and behold, Ian Smith once said:
>
> Not an option here, but it's the large number of entries in *-error.log
> that I'd like to be rid of.  *-access.log I can just grep out before log
> analysis, if not exclude in the analyser config.

Disable error logging?  :)

> Cute.  Will play.  However there are other directories too; dumping
> ANY request containing cmd.exe or root.exe would do it best here.

Use mod_rewrite to redirect all accesses to that script.

RewriteEngine on
RewriteRule .*/cmd.exe.* /scripts/nph-foo.cgi

(I haven't tested this syntax.  Test it first. :)

> But does *error.log still get hit?  I dealt with /default.ida by giving
> 'em a one-line one, which at least meant no error logging while reducing
> response traffic by two thirds, but poring through apache docs - which I
> must be too thick to find easy reading, looking for some way to provide
> some short but valid response to such a range of URLs, I've not yet been
> able to nut out.  Any suggestions?

The rewriting I specified above will do what you want.  It maps it to a
valid script request.  It'll show up in *access_log.

> I'd love to find some way of pre-filtering these NIMDA requests and just
> dropping them on the floor before apache even considered DNS lookups (?)

I'm vaguely surprised you have reverse DNS resolution enabled.  You could
make life a lot easier on yourself by switching to post-resolution for a
while, and do the DNS lookup _after_ filtering out the bogus requests.

-Dave

- --
work: dga@lcs.mit.edu                          me:  dga@pobox.com
      MIT Laboratory for Computer Science           http://www.angio.net/

------------------------------

Date: Sun, 23 Sep 2001 08:59:24 -0700 (PDT)
From: David Kirchner <davidk@accretivetg.com>
Subject: Re: New worm protection

On Mon, 24 Sep 2001, Ian Smith wrote:

> Not an option here, but it's the large number of entries in *-error.log
> that I'd like to be rid of.  *-access.log I can just grep out before log
> analysis, if not exclude in the analyser config.

The method that was mentioned would also work for ErrorLog:

ErrorLog "|grep -v cmd.exe > /normal/error_log/location"

------------------------------

Date: Sun, 23 Sep 2001 12:17:32 -0500
From: Steve Ames <steve@virtual-voodoo.com>
Subject: Re: New worm protection

One simple shell script and you can automatically add offenders to your
ipfw ruleset. Won't stop the initial probe but will stop repeat
performances. I use the following run out of cron every minute:

#!/bin/sh
cd /root
grep cmd.exe /var/log/httpd-error.log | awk '{print $8;}' | sort -u |
  awk -F\] '{printf(" /sbin/ipfw add deny ip from %s to any\n ",$1);}' > l &&
  cat /var/log/httpd-error.log >> /var/log/httpd-error.log.new &&
  cat /dev/null > /var/log/httpd-error.log
/bin/sh l && /bin/rm l

Short and simple. It's not perfect but it has reduced my bandwidth quite a bit.

- -Steve

On Sun, Sep 23, 2001 at 02:08:19AM -0400, Chris BeHanna wrote:
> On Thu, 20 Sep 2001, Chris Byrnes wrote:
>
> > Has anyone written an easy-to-use ipfw rule or some kind of script that will
> > help with this new worm?
>
>     There's La Brea, but that's probably not quite what you're looking
> for.
>
> > I have restricted Apache to just listen to my main two web IPs
> > instead of all of the IPs (I have hundreds of domains and each of
> > them previously had its own IP for different reasons), and that's
> > cut down the bandwidth use in half, but I'm still about double what
> > my daily normal bandwidth usage is.
>
>     As others have posted, you can tell Apache not to log certain
> requests.  That will help your logfile.
>
>     To avoid wasting bandwidth sending a 404, you could possibly
> either use mod_rewrite or an ErrorDocument CGI script to "tarpit" the
> attacks; i.e., redirect the request to a CGI script that sets MSS to a
> few bytes (à la La Brea), pretending to legitimately service the
> request.  Be careful:  you will have to watch the number of sockets
> you have open and the number of threads you tie up in this manner.
>
>     Perhaps someone with more time than I have can author up a "mod_NIMDA"
> that can be configured with a max # of threads or max# connections to
> tarpit in this fashion, so that you can limit the amount of resources
> that you use.  Any inbound attacks in excess of these limits can
> simply be dropped on the floor.
>
> > Frustration is high, and money issues are going to surface soon.
> > Any help would be appreciated.
>
>     This is the best I can do with the time I have available.  I'm in
> the middle of combatting this problem with a proxy server that is
> under attack (for which I have access to the source).  My solution is
> to do regex parsing on the request using Boost's regex++ (see
> http://www.boost.org) to drop the requests on the floor (i.e., I'm not
> even going to dignify them with a 404), but keep a hash map of
> requesting IP addresses and number of attacks, which periodically gets
> dumped to a separate logfile.  I'd use regex() and regcmp(), but this
> also has to run on Windows.  Unfortunately, I can't share the source,
> but this description should be enough to get you going.
>
>     Fortunately, I've seen the rate of NIMDA attacks drop by a factor
> of four over the last couple of days.  Either IIS webmasters are
> getting a clue, or their ISPs are being clueful for them (DSL.net, for
> example, is shutting off their infected customers until those
> customers demonstrate that they've fixed their servers).
>
> --
> Chris BeHanna
> Software Engineer                   (Remove "bogus" before responding.)
> behanna@bogus.zbzoom.net
> I was raised by a pack of wild corn dogs.

------------------------------

Date: Sun, 23 Sep 2001 10:41:06 -0700
From: Gregory Neil Shapiro <gshapiro@FreeBSD.ORG>
Subject: Re: New worm protection

smithi> Not an option here, but it's the large number of entries in
smithi> *-error.log that I'd like to be rid of.  *-access.log I can just
smithi> grep out before log analysis, if not exclude in the analyser
smithi> config.

This is what I am using:

RedirectMatch (.*)/(root.exe|cmd.exe|default.ida).* /goaway.html
SetEnvIf Request_URI "/(root.exe|cmd.exe|default.ida|goaway.html)" MSExploitCrap
CustomLog /var/log/httpd-access.log combined env=!MSExploitCrap

And then /goaway.html is just a small file:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
<HTML><HEAD><TITLE>Go away</TITLE></HEAD><BODY></BODY></HTML>

With this, nothing shows up in either httpd-access.log or httpd-error.log.

------------------------------

Date: Sun, 23 Sep 2001 13:51:44 -0400
From: The Anarcat <anarcat@anarcat.dyndns.org>
Subject: Re: New worm protection

On Sun, 23 Sep 2001, David G Andersen wrote:

> Lo and behold, Ian Smith once said:
> >
> > Cute.  Will play.  However there are other directories too; dumping
> > ANY request containing cmd.exe or root.exe would do it best here.
>
> Use mod_rewrite to redirect all accesses to that script.
>
> RewriteEngine on
> RewriteRule .*/cmd.exe.* /scripts/nph-foo.cgi
>
> (I haven't tested this syntax.  Test it first. :)

Nice idea! Here's what I did:

RewriteEngine on
RewriteRule .*/cmd.exe.* /nimda.txt
RewriteRule .*/root.exe.* /nimda.txt
RewriteRule .*/default.ida.* /codered.txt
RewriteRule .*/Admin.dll.* /codered.txt
RewriteRule .*\\Admin.dll.* /codered.txt

nimda.txt and codered.txt are simply empty files. This reduces the
bandwidth used by the attack and removes the entries in error.log. So the
syntax is correct.

Note the default.ida entry for the code red worm (is that it?). I think
admin.dll is the same, but I'm not sure. Anyways, it doesn't make much
difference.

Here is a sample telnet output:

GET /default.ida HTTP/1.0

HTTP/1.1 200 OK
Date: Sun, 23 Sep 2001 17:46:27 GMT
Server: Apache/1.3.20 (Unix) mod_ssl/2.8.4 OpenSSL/0.9.6a
Last-Modified: Sun, 23 Sep 2001 17:21:20 GMT
ETag: "1d161-0-3bae1a10"
Accept-Ranges: bytes
Content-Length: 0
Connection: close
Content-Type: text/plain

------------------------------

Date: Sun, 23 Sep 2001 10:55:44 -0700
From: Jordan Hubbard <jkh@freebsd.org>
Subject: Re: ~/.login_conf disabling exact reasons wanted

> Yes, I do, but FreeBSD was 4.4 even before it was fixed.

FreeBSD wasn't 4.4 until it was released and all the tag sliding was over
with.

- - Jordan

------------------------------

Date: Sun, 23 Sep 2001 14:10:31 -0400
From: The Anarcat <anarcat@anarcat.dyndns.org>
Subject: Re: New worm protection

On Sun, 23 Sep 2001, David G Andersen wrote:

> Use mod_rewrite to redirect all accesses to that script.
>
> RewriteEngine on
> RewriteRule .*/cmd.exe.* /scripts/nph-foo.cgi
>
> (I haven't tested this syntax.  Test it first. :)

Unfortunately, I tested this using a text file, which is fine. Here, if I
try using a compiled C script (instead of a perl script, faster on a
small machine), the script gets dumped in binary form! Not executed!

GET /root.exe
ELF =F04=F44 (444=C0=C0=F4=F4=F4vvxxx=AC=C8=B4=B4=B4pp/usr/libexec/ld-elf.so.FreeBSD=C0=B6
...

So I used the redirect approach:

RedirectMatch .*/(root.exe|cmd.exe|default.ida|Admin.dll).* /cgi-bin/sleep.cgi

sleep.c:

#include <stdio.h>
#include <unistd.h>

/* Tarpit CGI: hold the connection for five seconds, then emit a minimal
 * header with an empty body. */
int main(void) {
	sleep(5);
	printf("Content-type: text/plain\n\n");
	return 0;
}

This works. However, it generates a bit too much output:

GET /cmd.exe
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>302 Found</TITLE>
</HEAD><BODY>
<H1>Found</H1>
The document has moved <A HREF="/cgi-bin/sleep.cgi">here</A>.<P>
<HR>
<ADDRESS>Apache/1.3.20 Server at anarcat.dyndns.org Port 80</ADDRESS>
</BODY></HTML>

;)

I really don't understand why the Rewrite rule doesn't work as expected.

A.

------------------------------

Date: Sun, 23 Sep 2001 12:18:43 -0600 (MDT)
From: David G Andersen <danderse@cs.utah.edu>
Subject: Re: New worm protection

Sorry, should have mentioned that I have all .cgi files mapped
to executables.

Have it map to your /cgi-bin like you want.

Name the script nph-<whatever> instead of just <whatever>, which
tells the webserver that your script will generate ALL of the
headers.  Then the script can just close, and the worm
won't get _any_ output from the webserver.

Use RewriteRule, not RedirectMatch.  RedirectMatch sends a redirect,
which is obviously not what you want.  You want to internally
rewrite the URL so it gets handled transparently.  Then, the
result is quite pleasing:

131 eep:~/> telnet webby.angio.net 80
Trying 206.197.119.138...
Connected to webby.angio.net.
Escape character is '^]'.
GET /scripts/cmd.exe? HTTP/1.0

Connection closed by foreign host.

See?  Very nice. :)

Lo and behold, The Anarcat once said:
>
> On Sun, 23 Sep 2001, David G Andersen wrote:
>
> > Use mod_rewrite to redirect all accesses to that script.
> >
> > RewriteEngine on
> > RewriteRule .*/cmd.exe.* /scripts/nph-foo.cgi
> >
> > (I haven't tested this syntax.  Test it first. :)
>
> Unfortunatly, I tested this using a text file, which is fine. Here, if I
> try using a compiled C script (instead of a perl script, faster on a
> small machine), the script gets dumped in binary form! Not executed!
>
> GET /root.exe
> ELF =F04=F44 (444=C0=C0=F4=F4=F4vvxxx=AC=C8=B4=B4=B4pp/usr/libexec/ld-elf.so.FreeBSD=C0=B6
> ...
>
> So I used the redirect approach:
>
> RedirectMatch .*/(root.exe|cmd.exe|default.ida|Admin.dll).* /cgi-bin/sleep.cgi
>
> sleep.c:
> int main() {
>   sleep(5);
>   printf("Content-type: text/plain\n\n");
> }
>
> This works. However, it generates a bit too much output:
>
> GET /cmd.exe
> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
> <HTML><HEAD>
> <TITLE>302 Found</TITLE>
> </HEAD><BODY>
> <H1>Found</H1>
> The document has moved <A HREF="/cgi-bin/sleep.cgi">here</A>.<P>
> <HR>
> <ADDRESS>Apache/1.3.20 Server at anarcat.dyndns.org Port 80</ADDRESS>
> </BODY></HTML>
>
> ;)
>
> I really don't understand why the Rewrite rule doesn't work as expected.
>
> A.

- --
work: dga@lcs.mit.edu                          me:  dga@pobox.com
      MIT Laboratory for Computer Science           http://www.angio.net/

------------------------------

Date: Mon, 24 Sep 2001 04:34:06 +1000 (EST)
From: Ian Smith <smithi@nimnet.asn.au>
Subject: Re: New worm protection

On Sun, 23 Sep 2001, Gregory Neil Shapiro wrote:

> smithi> Not an option here, but it's the large number of entries in
> smithi> *-error.log that I'd like to be rid of.  *-access.log I can just
> smithi> grep out before log analysis, if not exclude in the analyser
> smithi> config.
>
> This is what I am using:
>
> RedirectMatch (.*)/(root.exe|cmd.exe|default.ida).* /goaway.html
> SetEnvIf Request_URI "/(root.exe|cmd.exe|default.ida|goaway.html)" MSExploitCrap
> CustomLog /var/log/httpd-access.log combined env=!MSExploitCrap
>
> And then /goaway.html is just a small file:
>
> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
> <HTML><HEAD><TITLE>Go away</TITLE></HEAD><BODY></BODY></HTML>
>
> With this, nothing shows up in either httpd-access.log or httpd-error.log.

I like it, short and sweet.  Thank you Greg.

Thanks also to David Kirchner, David G Andersen, Steve Ames and The Anarcat
for lots of angles to explore .. but tomorrow.

Cheers, Ian

------------------------------

Date: Mon, 24 Sep 2001 03:43:53 +0900
From: horio shoichi <horio@pointer-software.com>
Subject: Re: Policy based routing/restricting access __inside__ ones net..

Stanley Hopcroft wrote:
>
> Dear Ladies and Gentlemen,
>
> I am writing to ask for advice about providing profile dependent access
> to subsets of ones internal network.
>
> The context is having third parties access the network for maintenance.
>
> Once they get logged in on the host they are hired to maintain, how can
> I prevent them accessing other hosts while allowing __some__ access to
> others they may need for problem resolution ? (given that both sets of
> hosts can be specified)
>
> Can a Kerberos realm enforce access profiles such as these (and then if
> they were forced to use only kerberised applications, grant them tickets
> for access to some hosts only) ?
>
If you mean by realm to split servers into possibly overlapping sets of
realms, each of which has a separate set of principals (users and services),
and users access servers through cross-realm authentication, I see no reason
it doesn't work.

> Can ipfilter/ipfw provide ACLs depending on user ?
>
Ipfilter is so low level that it has no notion of user. It only recognizes
protocol, ip and port. If a user (or users) could be bound to a specific set
of protocol, ip and port corresponding to an instance of service, then access
control might be possible. But I doubt doing this would be worth the effort.

> The access could include Solaris/FreeBSD/AIX servers as well as MS Win
> NT ...
>
> Thank you,
>
> Yours sincerely.
>
> --
> ------------------------------------------------------------------------
> Stanley Hopcroft                                   IP Australia
> Network Specialist
> +61 2 6283 3189  +61 2 6281 1353 (FAX)   Stanley.Hopcroft@IPAustralia.Gov.AU
> ------------------------------------------------------------------------
> The study of non-linear physics is like the study of non-elephant
> biology.

------------------------------

Date: Sun, 23 Sep 2001 14:52:10 -0400
From: The Anarcat <anarcat@anarcat.dyndns.org>
Subject: Re: New worm protection

On Sun, 23 Sep 2001, David G Andersen wrote:

> Sorry, should have mentioned that I have all .cgi files mapped
> to executables.
>
> Have it map to your /cgi-bin like you want.

I had cgi configuration problems. They're fixed. :)

> Name the script nph-<whatever> instead of just <whatever>, which
> tells the webserver that your script will generate ALL of the
> headers.  Then the script can just close, and the worm
> won't get _any_ output from the webserver.

Interesting. I didn't know of this feature.

> Use RewriteRule, not RedirectMatch.  RedirectMatch sends a redirect,
> which is obviously not what you want.  You want to internally
> rewrite the URL so it gets handled transparently.  Then, the
> result is quite pleasing:
>
> 131 eep:~/> telnet webby.angio.net 80
> Trying 206.197.119.138...
> Connected to webby.angio.net.
> Escape character is '^]'.
> GET /scripts/cmd.exe? HTTP/1.0
>
> Connection closed by foreign host.
>
> See?  Very nice. :)

Very nice indeed. I have the same result here now. :) Without the perl
overhead. :) :)

A.

------------------------------

Date: Sun, 23 Sep 2001 14:13:31 -0700
From: faSty <fasty@i-sphere.com>
Subject: Re: New worm protection

Can you give me a sample of a statement that closes without output from
the webserver? I tried to use your statement; it seems not to work and it
simply envade almost all 500 domains on my webservers. Ugh. I hope your
sample can handle all domains, not just one domain. Let me know. Thanks.

-trev

On Sun, Sep 23, 2001 at 12:18:43PM -0600, David G Andersen wrote:
> Sorry, should have mentioned that I have all .cgi files mapped
> to executables.
>
> Have it map to your /cgi-bin like you want.
>
> Name the script nph-<whatever> instead of just <whatever>, which
> tells the webserver that your script will generate ALL of the
> headers. Then the script can just close, and the worm
> won't get _any_ output from the webserver.
>
> Use RewriteRule, not RedirectMatch. RedirectMatch sends a redirect,
> which is obviously not what you want. You want to internally
> rewrite the URL so it gets handled transparently. Then, the
> result is quite pleasing:
>
> 131 eep:~/> telnet webby.angio.net 80
> Trying 206.197.119.138...
> Connected to webby.angio.net.
> Escape character is '^]'.
> GET /scripts/cmd.exe? HTTP/1.0
>
> Connection closed by foreign host.
>
> See? Very nice. :)
>
> Lo and behold, The Anarcat once said:
> >
> > On Sun, 23 Sep 2001, David G Andersen wrote:
> >
> > > Use mod_rewrite to redirect all accesses to that script.
> > >
> > > RewriteEngine on
> > > RewriteRule .*/cmd.exe.* /scripts/nph-foo.cgi
> > >
> > > (I haven't tested this syntax. Test it first. :)
> >
> > Unfortunately, I tested this using a text file, which is fine. Here, if I
> > try using a compiled C script (instead of a perl script, faster on a
> > small machine), the script gets dumped in binary form! Not executed!
> >
> > GET /root.exe
> > ELF =F04=F44 (444=C0=C0=F4=F4=F4vvxxx=AC=C8=B4=B4=B4pp/usr/libexec/ld-elf.so.FreeBSD=C0=B6
> > ...
> >
> > So I used the redirect approach:
> >
> > RedirectMatch .*/(root.exe|cmd.exe|default.ida|Admin.dll).* /cgi-bin/sleep.cgi
> >
> > sleep.c:
> >
> > #include <stdio.h>
> > #include <unistd.h>
> >
> > int main(void) {
> >     sleep(5);                                /* stall the worm before answering */
> >     printf("Content-type: text/plain\n\n");  /* CGI header, then an empty body */
> >     return 0;
> > }
> >
> > This works. However, it generates a bit too much output:
> >
> > GET /cmd.exe
> > <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
> > <HTML><HEAD>
> > <TITLE>302 Found</TITLE>
> > </HEAD><BODY>
> > <H1>Found</H1>
> > The document has moved <A HREF="/cgi-bin/sleep.cgi">here</A>.<P>
> > <HR>
> > <ADDRESS>Apache/1.3.20 Server at anarcat.dyndns.org Port 80</ADDRESS>
> > </BODY></HTML>
> >
> > ;)
> >
> > I really don't understand why the Rewrite rule doesn't work as expected.
> >
> > A.
> >
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.0.6 (FreeBSD)
> > Comment: For info see http://www.gnupg.org
> >
> > iEYEARECAAYFAjuuJZUACgkQttcWHAnWiGcT/wCfZUO50hEjQUILZJIfZNlkJDgd
> > c+QAn324N8SSDAEyDviPsqrhDTujaXuP
> > =v3ql
> > -----END PGP SIGNATURE-----
>
> --
> work: dga@lcs.mit.edu                      me:  dga@pobox.com
>       MIT Laboratory for Computer Science   http://www.angio.net/

--
The primary theme of SoupCon is communication.
The acronym "LEO" represents the secondary theme:
Law Enforcement Officials
The overall theme of SoupCon shall be:
Avoiding Communication with Law Enforcement Officials

------------------------------

Date: Sun, 23 Sep 2001 14:00:10 -0700 (PDT)
From: David Kirchner <davidk@accretivetg.com>
Subject: Re: New worm protection

Would it be possible to create an accept-filter module (ala accf_http)
that could take care of these and future similar filters, server-wide?

------------------------------

Date: Mon, 24 Sep 2001 01:24:41 +0200
From: "Karl M. Joch" <k.joch@kmjeuro.com>
Subject: Re: New worm protection

I have made a quick and maybe dirty solution which helps me a lot on the
servers. It handles multiple error files. My error files are reset once
every 24h, so I don't get too big files.

############################################
# include trailing / in run & wrk
$run = "/usr/local/blockwins/";
$wrk = "/usr/local/blockwins/data/";            # create it in advance
$logfiles = "/usr/local/blockwins/logfiles";    # made by ls /var/log/your-apache-error-logs
$domfile = "IPs";
$rule = "50";                                   # the ipfw rule you want to use
#*************************************************** end of config

# Pre-fill the date:
chop($dat=`date "+%y/%m/%d %H:%M"`);
$cnt=0;     # ips
$cnto=0;    # ips old
$cnt2=0;    # access

# create domain/register file if non existent:
dbmopen (%domains,"$wrk$domfile",0640);
dbmclose (%domains);
dbmopen (%domains,"$wrk$domfile",0640);

# GET OUR LOGFILES
open (INPUT,$logfiles) || die "$0: cannot open $logfiles !\n";
while (<INPUT>) {
    chomp;
    open (LOG,$_) || die "cannot open $_!\n";
    while (<LOG>) {
        ## [Mon Sep 10 10:38:43 2001] [error] [client 193.215.176.192] File does not exist: /usr/local/www/default.ida
        $virus=0;
        if (/winnt/)       { $virus=1; }
        if (/root.exe/)    { $virus=1; }
        if (/cmd.exe/)     { $virus=1; }
        if (/default.ida/) { $virus=1; }
        if ($virus) {
            # block them: take the client address and the last path component;
            # skip lines that carry no "[client a.b.c.d]" field instead of
            # storing the whole line as a key
            next unless (/client ([0-9.]+)\].*\/([^\/]*)$/);
            ($ip,$comm) = ($1,$2);
            if ( $domains{$ip}) {
                $cnt2++;
                $domains{$ip}=$comm;    ## last command
            } else {
                $cnt++;
                $domains{$ip}=$comm;    ## last command
            }
        }
    }
    close (LOG);
}
close (INPUT);

print "########################################################################\n";
print "Angriffe von Code Red/Nimda \n";
print "########################################################################\n";
print "DIFFERENT IPs: $cnt\n";
print "########################################################################\n";
print "TOTAL ACCESS: $cnt2\n";
print "########################################################################\n";

# NOW LETS CHECK EVERYTHING:
# clear the one rule:
@args = ("/sbin/ipfw delete $rule");
system(@args) == 0 or print "system @args failed: $?\n";

# add all of our idiots:
foreach $dom (sort keys %domains) {
    $cnto++;
    # print "$dom - denied access to the server with rule $rule\n";
    @args = ("/sbin/ipfw add $rule deny all from $dom to any >/dev/null");
    system(@args) == 0 or die "system @args failed: $?";
}

print "########################################################################\n";
print "All Rules (Total IPS: $cnto) added to Firewall\n";
print "Known Windows Systems denied access!\n";
print "########################################################################\n";
dbmclose (%domains);

--
Best regards / Kind regards,

Karl M. Joch
KMJ Consulting - CTS Consulting & Trade Service
http://www.kmjeuro.com - http://www.ctseuro.com
k.joch@kmjeuro.com - k.joch@ctseuro.com
GSM : +43-664-3407888

Our services:
http://www.proline.at - Network and security technology
http://www.eushop.net - Online shop and applications, simply rented
http://www.freebsd.at - Power Operating System

----- Original Message -----
From: "David Kirchner" <davidk@accretivetg.com>
To: <freebsd-security@FreeBSD.ORG>
Sent: Sunday, September 23, 2001 11:00 PM
Subject: Re: New worm protection

> Would it be possible to create an accept-filter module (ala accf_http)
> that could take care of these and future similar filters, server-wide?
>

------------------------------

Date: Sun, 23 Sep 2001 17:02:41 -0700
From: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
Subject: Re: Patch for review (was Re: ~/.login_conf disabling exact reasons wanted)

In message <20010923161354.A426@nagual.pp.ru>, "Andrey A. Chernov" writes:
> On Sat, Sep 22, 2001 at 22:58:21 +0400, Andrey A. Chernov wrote:
> >
> > I'll work on the proper fix tomorrow.
> >
> Planned for commit. Please, review and/or comment.
>
> --- login_cap.c.old Sun Sep 23 16:09:04 2001 > +++ login_cap.c Sun Sep 23 16:06:19 2001
> @@ -184,18 +184,17 @@ > login_cap_t *lc; > > if ((lc = malloc(sizeof(login_cap_t))) != NULL) { > - int r, i = 0; > + int r, me, i = 0; > uid_t euid = 0; > gid_t egid = 0; > const char *msg = NULL; > - const char *dir = (pwd == NULL) ? NULL : pwd->pw_dir; > + const char *dir; > char userpath[MAXPATHLEN]; > > static char *login_dbarray[] = { NULL, NULL, NULL }; > > -#ifndef _FILE_LOGIN_CONF_WORKS > - dir = NULL; > -#endif > + me = (name != NULL && strcmp(name, LOGIN_MECLASS) == 0); > + dir = (!me || pwd == NULL) ? NULL : pwd->pw_dir; > /* > * Switch to user mode before checking/reading its ~/.login_conf > * - some NFSes have root read access disabled. > @@ -215,7 +214,7 @@ > if (_secure_path(userpath, pwd->pw_uid, pwd->pw_gid) != -1) > i++; /* only use 'secure' data */ > } > - if (_secure_path(_PATH_LOGIN_CONF, 0, 0) != -1) > + if (me && _secure_path(_PATH_LOGIN_CONF, 0, 0) != -1) > login_dbarray[i++] = _PATH_LOGIN_CONF; > login_dbarray[i] = NULL; 
> > @@ -227,7 +226,7 @@ > > switch (cgetent(&lc->lc_cap, login_dbarray, (char*)name)) { > case -1: /* Failed, entry does not exist */ > - if (strcmp(name, LOGIN_MECLASS) == 0) > + if (me) > break; /* Don't retry default on 'me' */ > if (i == 0) > r = -1;

After applying the patch and building world the following are logged to
syslog.

Sep 23 13:40:00 cwtest /usr/sbin/cron[17208]: login_getclass: unknown class 'root'
Sep 23 13:40:00 cwtest /usr/sbin/cron[17207]: login_getclass: unknown class 'daemon'
Sep 23 13:40:00 cwtest inetd[17213]: login_getclass: unknown class 'daemon'

Rsh between hosts behind my firewall here at home works; however rsync,
which uses rsh, does not: an EOF error is displayed.

Regards,                         Phone:  (250)387-8437
Cy Schubert                      Fax:    (250)387-5766
Team Leader, Sun/Alpha Team      Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD
Ministry of Management Services
Province of BC

------------------------------

End of security-digest V5 #289
******************************

To Unsubscribe: send mail to majordomo@FreeBSD.org
with unsubscribe freebsd-security-digest in the body of the message
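Review bot: the new initialisation in the first hunk, `me = (name != NULL && strcmp(name, LOGIN_MECLASS) == 0);` followed by `dir = (!me || pwd == NULL) ? NULL : pwd->pw_dir;`, silently changes when `~/.login_conf` is consulted: it is now read only for the 'me' class, and the `_FILE_LOGIN_CONF_WORKS` guard that previously forced `dir = NULL` unconditionally is gone. That looks like the intended fix, but nothing in the hunk says so; add a one-line comment above the `me =` assignment stating that per-user login.conf data is honoured for `LOGIN_MECLASS` only, and mention the removal of the ifdef in the commit message so it is not mistaken for a leftover.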
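Review bot: the changed condition in the second hunk, `if (me && _secure_path(_PATH_LOGIN_CONF, 0, 0) != -1)`, keeps the system-wide `_PATH_LOGIN_CONF` out of `login_dbarray` for every class other than 'me'. Since the per-user file is also only used when `me` is set, a lookup for an ordinary class leaves `i == 0` and an empty array, and the later `if (i == 0) r = -1;` reports failure, which matches the "login_getclass: unknown class 'root'" and 'daemon' messages reported after the patch. The system file should stay in the array unconditionally; if the intent was to stop the 'me' class from being resolved against the system file, the gate would be `!me`, not `me`.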
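Review bot: replacing `if (strcmp(name, LOGIN_MECLASS) == 0)` with `if (me)` in the third hunk is more than cosmetic, because `me` carries a `name != NULL` check that the old direct `strcmp` did not; worth stating in the commit message. The accompanying comment `/* Don't retry default on 'me' */` still describes the branch accurately and can stay.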
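The log-scanning step of Karl M. Joch's Perl script above (pick the Code Red/Nimda request paths out of Apache error_log lines, collect the client addresses, emit one ipfw deny rule per address), written out as an added Python example; it is not code from the digest or from any of its authors. The log lines are constructed samples in the Apache 1.3 error_log format the script's own comment shows; the signature list and the rule number 50 are taken from the thread. Unlike the Perl script it validates each client token as an IP address before it can reach a firewall command and returns the ipfw invocations as argv lists for review instead of running them.

```python
import re
import ipaddress
from collections import Counter

# Request paths the thread associates with Code Red / Nimda probes
# (the same strings the Perl script and the RedirectMatch rule look for).
WORM_SIGNATURES = ("winnt", "root.exe", "cmd.exe", "default.ida", "Admin.dll")

# Apache 1.3 error_log line, as in the comment in the original script:
# [Mon Sep 10 10:38:43 2001] [error] [client 193.215.176.192] File does not exist: /usr/local/www/default.ida
ERROR_LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<ip>[^\]]+)\] (?P<msg>.*)$"
)

# Constructed sample lines (not from a real server): two probes from one host,
# one from another, a harmless 404, a line without a client field, and a line
# whose client token is not an address at all.
SAMPLE_LOG = """\
[Mon Sep 10 10:38:43 2001] [error] [client 193.215.176.192] File does not exist: /usr/local/www/default.ida
[Mon Sep 10 10:38:44 2001] [error] [client 193.215.176.192] File does not exist: /usr/local/www/scripts/root.exe
[Mon Sep 10 10:39:01 2001] [error] [client 10.0.0.7] File does not exist: /usr/local/www/scripts/cmd.exe
[Mon Sep 10 10:39:05 2001] [error] [client 10.0.0.8] File does not exist: /usr/local/www/favicon.ico
[Mon Sep 10 10:39:09 2001] [notice] Apache/1.3.20 (Unix) configured -- resuming normal operations
[Mon Sep 10 10:39:10 2001] [error] [client not-an-address] File does not exist: /usr/local/www/_vti_bin/..%5c../winnt/system32/cmd.exe
"""


def is_worm_probe(message):
    """True if the error message names one of the worm request paths."""
    return any(sig in message for sig in WORM_SIGNATURES)


def scan_error_log(lines):
    """Return ({ip: last probed path}, Counter of hits per ip, skipped line count).

    Only lines that parse as an Apache error line with a syntactically valid
    client IP are counted; anything else is skipped rather than stored.
    """
    last_path = {}
    hits = Counter()
    skipped = 0
    for line in lines:
        m = ERROR_LINE.match(line.rstrip("\n"))
        if not m or not is_worm_probe(m.group("msg")):
            continue
        try:
            ip = str(ipaddress.ip_address(m.group("ip")))
        except ValueError:
            skipped += 1          # never let a non-IP token reach a firewall command
            continue
        last_path[ip] = m.group("msg").rsplit("/", 1)[-1]   # the Perl script's "last command"
        hits[ip] += 1
    return last_path, hits, skipped


def _sort_key(ip):
    a = ipaddress.ip_address(ip)
    return (a.version, int(a))


def ipfw_commands(offenders, rule="50"):
    """Build the ipfw invocations the Perl script runs, as argv lists.

    Returned for review (usable with subprocess.run without a shell) rather
    than executed; the first entry clears the rule, the rest re-add one deny
    per offending address.
    """
    cmds = [["/sbin/ipfw", "delete", rule]]
    for ip in sorted(offenders, key=_sort_key):
        cmds.append(["/sbin/ipfw", "add", rule, "deny", "all", "from", ip, "to", "any"])
    return cmds


if __name__ == "__main__":
    paths, counts, skipped = scan_error_log(SAMPLE_LOG.splitlines())
    print(f"DIFFERENT IPs: {len(paths)}  TOTAL ACCESS: {sum(counts.values())}  skipped: {skipped}")
    for cmd in ipfw_commands(paths):
        print(" ".join(cmd))
```

On the sample input this yields two offending addresses (three probe hits in total), one skipped line, and three ipfw commands: the delete followed by a deny rule for 10.0.0.7 and one for 193.215.176.192. Because the commands are built as argument lists, a crafted request path in the log can influence at most the stored "last command" string and never the command line that reaches the firewall.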