Date:      Mon, 24 Sep 2001 06:01:23 +0200 (MET DST)
From:      Mail Delivery Subsystem <MAILER-DAEMON@au.dk>
To:        <security@FreeBSD.ORG>
Subject:   Warning: could not send message for past 4 hours
Message-ID:  <200109240401.f8O3fAi21562@au.dk>

This is a MIME-encapsulated message

--f8O3fAi21562.1001304083/au.dk

    **********************************************
    **      THIS IS A WARNING MESSAGE ONLY      **
    **  YOU DO NOT NEED TO RESEND YOUR MESSAGE  **
    **********************************************

The original message was received at Mon, 24 Sep 2001 01:56:14 +0200 (MET DST)
from mbone.iie.cnam.fr [192.70.23.180]

   ----- The following addresses had transient non-fatal errors -----
<FARRET@DAIMI.AU.DK>

   ----- Transcript of session follows -----
<FARRET@DAIMI.AU.DK>... Deferred: Connection refused by daimi.au.dk.
Warning: message still undelivered after 4 hours
Will keep trying until message is 5 days old

--f8O3fAi21562.1001304083/au.dk
Content-Type: message/delivery-status

Reporting-MTA: dns; au.dk
Arrival-Date: Mon, 24 Sep 2001 01:56:14 +0200 (MET DST)

Final-Recipient: RFC822; FARRET@daimi.au.dk
Action: delayed
Status: 4.4.1
Remote-MTA: DNS; daimi.au.dk
Last-Attempt-Date: Mon, 24 Sep 2001 06:01:23 +0200 (MET DST)
Will-Retry-Until: Sat, 29 Sep 2001 01:56:14 +0200 (MET DST)

--f8O3fAi21562.1001304083/au.dk
Content-Type: message/rfc822

Return-Path: <security@FreeBSD.ORG>
Received: from mbone.iie.cnam.fr (mbone.iie.cnam.fr [192.70.23.180])
	by au.dk (8.11.4/8.11.4) with ESMTP id f8NNuD517047
	for <FARRET@DAIMI.AU.DK>; Mon, 24 Sep 2001 01:56:14 +0200 (MET DST)
Received: from rubis.iie.cnam.fr (smtp_relay@rubis.iie.cnam.fr [192.70.23.3])
	by mbone.iie.cnam.fr (8.9.3/8.9.3) with SMTP id CAA21526
	for <FARRET@DAIMI.AU.DK>; Mon, 24 Sep 2001 02:06:14 +0200 (MET DST)
From: security@FreeBSD.ORG
Received: by rubis.iie.cnam.fr (MX V4.2 VAX) id 23; Mon, 24 Sep 2001 02:06:08
          MET_DST
Date: Mon, 24 Sep 2001 02:06:07 MET_DST
To: freebsd-security-digest@FreeBSD.ORG
Message-ID: <00A02825.EFF8D7F0.23@rubis.iie.cnam.fr>
Subject: security-digest V5 #289

Return-Path: <owner-freebsd-security-digest@FreeBSD.ORG>
Received: from mbone.iie.cnam.fr by rubis.iie.cnam.fr (MX V4.2 VAX) with SMTP;
          Mon, 24 Sep 2001 02:06:04 MET_DST
Received: from mx2.freebsd.org (mx2.FreeBSD.org [216.136.204.119]) by
          mbone.iie.cnam.fr (8.9.3/8.9.3) with ESMTP id CAA21501 for
          <farret@iie.cnam.fr>; Mon, 24 Sep 2001 02:05:05 +0200 (MET DST)
Received: from hub.freebsd.org (hub.FreeBSD.org [216.136.204.18]) by
          mx2.freebsd.org (Postfix) with ESMTP id 9307355EDB; Sun, 23 Sep 2001
          17:04:47 -0700 (PDT) (envelope-from
          owner-freebsd-security-digest@FreeBSD.ORG)
Received: by hub.freebsd.org (Postfix, from userid 538) id 2F73A37B417; Sun, 23
          Sep 2001 17:04:38 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by hub.freebsd.org (Postfix)
          with SMTP id 4BF4C2E8040; Sun, 23 Sep 2001 17:04:38 -0700 (PDT)
Received: by hub.freebsd.org (bulk_mailer v1.12); Sun, 23 Sep 2001 17:04:38
          -0700
From: owner-freebsd-security-digest@FreeBSD.ORG (security-digest)
To: freebsd-security-digest@FreeBSD.ORG
Subject: security-digest V5 #289
Reply-To: security@FreeBSD.ORG
Sender: owner-freebsd-security-digest@FreeBSD.ORG
Precedence: bulk
Message-ID: <bulk.57994.20010923170438@hub.freebsd.org>
Date: Sun, 23 Sep 2001 17:04:38 -0700 (PDT)


security-digest       Sunday, September 23 2001       Volume 05 : Number 289



In this issue:
Re: ~/.login_conf disabling exact reasons wanted
Re: New worm protection
Patch for review (was Re: ~/.login_conf disabling exact reasons wanted)
Re: New worm protection 
Re: ~/.login_conf disabling exact reasons wanted
Re: New worm protection
Identify this exploit
Re: Identify this exploit
Re: Identify this exploit 
Re: New worm protection
Re: New worm protection
Re: New worm protection
Re: New worm protection
Re: New worm protection
Re: New worm protection
Re: ~/.login_conf disabling exact reasons wanted
Re: New worm protection
Re: New worm protection
Re: New worm protection
Re: Policy based routing/restricting access __inside__ ones net..
Re: New worm protection
Re: New worm protection
Re: New worm protection
Re: New worm protection
Re: Patch for review (was Re: ~/.login_conf disabling exact  reasons wanted)

----------------------------------------------------------------------

Date: Sun, 23 Sep 2001 13:38:59 +0200
From: Alexander Langer <alex@big.endian.de>
Subject: Re: ~/.login_conf disabling exact reasons wanted

Thus spake Jordan Hubbard (jkh@FreeBSD.org):

> The bug doesn't exist in 4.4 either.  It was fixed prior to release.
> Doesn't anyone read commit mail anymore?! :-(

Yes, I do, but FreeBSD was 4.4 even before it was fixed.
OTOH, the report on bugtraq also mentions that 4.4-RELEASE isn't affected.

Alex

------------------------------

Date: Sun, 23 Sep 2001 08:07:59 -0400
From: "Jonathan M. Slivko" <jslivko@4evermail.com>
Subject: Re: New worm protection

The best kind of protection I can offer is to write a script that will scan
the apache logs and use ipfw to ban whole class C's that generate a 404.
That may be a little extreme, but it works. I will try and get a copy of the
code to you later. -- Jonathan

- ----- Original Message -----
From: "Chris Byrnes" <chris@JEAH.net>
To: <security@freebsd.org>
Sent: Thursday, September 20, 2001 10:07 AM
Subject: New worm protection


> Has anyone written an easy-to-use ipfw rule or some kind of script that
will
> help with this new worm?
>
> I have restricted Apache to just listen to my main two web IPs instead of
> all of the IPs (I have
> hundreds of domains and each of them previously had its own IP for
different
> reasons), and
> that's cut down the bandwidth use in half, but I'm still about double what
> my daily normal bandwidth
> usage is.
>
> Frustration is high, and money issues are going to surface soon.  Any help
> would be appreciated.
>
>
> Chris Byrnes, Managing Member
> JEAH Communications, LLC
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

------------------------------

Date: Sun, 23 Sep 2001 16:13:57 +0400
From: "Andrey A. Chernov" <ache@nagual.pp.ru>
Subject: Patch for review (was Re: ~/.login_conf disabling exact reasons wanted)

On Sat, Sep 22, 2001 at 22:58:21 +0400, Andrey A. Chernov wrote:

> I'll work on the proper fix tomorrow.


Planned for commit. Please, review and/or comment.

- --- login_cap.c.old	Sun Sep 23 16:09:04 2001
+++ login_cap.c	Sun Sep 23 16:06:19 2001
@@ -184,18 +184,17 @@
     login_cap_t	*lc;
   
     if ((lc = malloc(sizeof(login_cap_t))) != NULL) {
- -	int	    r, i = 0;
+	int         r, me, i = 0;
 	uid_t euid = 0;
 	gid_t egid = 0;
 	const char  *msg = NULL;
- -	const char  *dir = (pwd == NULL) ? NULL : pwd->pw_dir;
+	const char  *dir;
 	char	    userpath[MAXPATHLEN];
 
 	static char *login_dbarray[] = { NULL, NULL, NULL };
 
- -#ifndef _FILE_LOGIN_CONF_WORKS
- -	dir = NULL;
- -#endif
+	me = (name != NULL && strcmp(name, LOGIN_MECLASS) == 0);
+	dir = (!me || pwd == NULL) ? NULL : pwd->pw_dir;
 	/*
 	 * Switch to user mode before checking/reading its ~/.login_conf
 	 * - some NFSes have root read access disabled.
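
Review bot: the deleted `#ifndef _FILE_LOGIN_CONF_WORKS` / `dir = NULL;` block was the only record of why ~/.login_conf had been switched off, and the comment that follows ("Switch to user mode before checking/reading its ~/.login_conf") does not say that a user-controlled file is now consulted only when the requested class is LOGIN_MECLASS. Add a sentence there stating that rule and the reason for it (a class name other than `me` must never pull capabilities from a file the user controls), so the next reader does not reintroduce an unconditional `dir = pwd->pw_dir`. Minor style point: the new declaration `int         r, me, i = 0;` is space-aligned where the neighbouring declarations use tabs.
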
@@ -215,7 +214,7 @@
 	    if (_secure_path(userpath, pwd->pw_uid, pwd->pw_gid) != -1)
 		i++;		/* only use 'secure' data */
 	}
- -	if (_secure_path(_PATH_LOGIN_CONF, 0, 0) != -1)
+	if (me && _secure_path(_PATH_LOGIN_CONF, 0, 0) != -1)
 	    login_dbarray[i++] = _PATH_LOGIN_CONF;
 	login_dbarray[i] = NULL;
 
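Review bot: gating the system database on `me` here looks inverted, or at least needs justifying, because together with `dir = (!me || pwd == NULL) ? NULL : pwd->pw_dir;` in the previous hunk it leaves `login_dbarray` empty for every class other than `me`: `dir` is NULL so the user file is skipped, and now `_PATH_LOGIN_CONF` is skipped as well, so `i` stays 0 and the `if (i == 0) r = -1;` path in the next hunk fails the lookup of, for example, the default class. If the intent is that only `me` may read ~/.login_conf while every class still reads /etc/login.conf, this line should stay `if (_secure_path(_PATH_LOGIN_CONF, 0, 0) != -1)`; if `me` really is meant to be the only class that sees the system file, say so in a comment, since nothing in the visible context shows the array being filled anywhere else.
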
@@ -227,7 +226,7 @@
 
 	switch (cgetent(&lc->lc_cap, login_dbarray, (char*)name)) {
 	case -1:		/* Failed, entry does not exist */
- -	    if (strcmp(name, LOGIN_MECLASS) == 0)
+	    if (me)
 		break;	/* Don't retry default on 'me' */
 	    if (i == 0)
 	        r = -1;
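
Review bot: `if (me)` is only equivalent to the old `strcmp(name, LOGIN_MECLASS) == 0` if `name` is not reassigned between the top of the function, where `me` is computed, and this switch; the context shown does not include that stretch, so either a one-line comment here noting that `name` is final at this point, or computing `me` right before the `cgetent()` call, would make the equivalence obvious. On the plus side, the flag also covers `name == NULL`, which the old `strcmp()` would have dereferenced.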

- -- 
Andrey A. Chernov
http://ache.pp.ru/

------------------------------

Date: Sun, 23 Sep 2001 06:07:01 -0700
From: Greg Shenaut <greg@bogslab.ucdavis.edu>
Subject: Re: New worm protection 

In message <200109230836.f8N8akx29012@faith.cs.utah.edu>, David G Andersen cleopede:
>I like the following
>simple script, which is what I run on my webservers.
>
[script using a sleep(5) for delay purposes]
>
>NIMDA doesn't hang out for very long waiting for a response
>to the script headers, so a labrea-tarpit like approach won't
>actually be particularly effective.  The sleep(5) will slow
>it down a little bit, and the exit(0) will make it
>return with no data sent back, not even a 404.  Which
>will help a bit on the outbound bandwidth, but, of course
>won't help on the inbound.  Others have posted scripts to
>NANOG (see http://www.nanog.org/ and check the archive)
>that will automatically trigger ipfw / ipchains additions,
>but, as always, be particularly careful with those.

What would be the effect of having the web server ignore (as in,
make no response at all to) *any* attempt to GET a nonexistent
file? It seems to me that this would delay things maximally for
the attacker with the least effort at the server end.  But I
am concerned about the effect on innocent mistypers and web
crawling search engines (but not too concerned, frankly).

Greg Shenaut

------------------------------

Date: Sun, 23 Sep 2001 17:11:00 +0400
From: "Andrey A. Chernov" <ache@nagual.pp.ru>
Subject: Re: ~/.login_conf disabling exact reasons wanted

On Sat, Sep 22, 2001 at 22:58:21 +0400, Andrey A. Chernov wrote:
> 
> Sorry for all that buzz, I am finally able to reproduce it on -current.
> 

Details: there is no security hole under -current, just broken
functionality. You can specify
copyright=/etc/passwd
and get passwd as output (that is the broken functionality), but specifying
copyright=/etc/master.passwd
outputs nothing.

See my patch posted today fixing this.

- -- 
Andrey A. Chernov
http://ache.pp.ru/

------------------------------

Date: Sun, 23 Sep 2001 16:00:40 +0100 (BST)
From: freebsd-security@rikrose.net
Subject: Re: New worm protection

On Sun, 23 Sep 2001 ark@eltex.ru wrote:
> Is there a way to send a command to worm to shut it (or just a machine) down?
> I remember Code Red installed some kind of backdoor that allowed remote control
> without trying the whole bunch of exploits, does NIMDA have such a 'feature'?

Allegedly, yes, it installs a passwordless admin account. There is
information "out there", apparently, although I haven't been bothered to
look it up, so I may be wrong.

- --
PGP Key: D2729A3F - Keyserver: wwwkeys.uk.pgp.net - rich at rdrose dot org
Key fingerprint = 5EB1 4C63 9FAD D87B 854C  3DED 1408 ED77 D272 9A3F
Public key also encoded with outguess on http://rikrose.net

------------------------------

Date: Sun, 23 Sep 2001 12:27:47 -0400
From: Pat Wendorf <beholder@unios.dhs.org>
Subject: Identify this exploit

I notice I get nearly 100 messages a day from my LOG_IN_VAIN rc.conf
option.  Many of them, for the past few months, have been connection
attempts to TCP port 2000, as seen here:

> Connection attempt to TCP 209.226.99.101:2000 from 216.104.103.95:1169

I'm not much up on my exploits, which one is this?

- -- 

Pat Wendorf
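
An added example, not code from Pat or anyone else in this thread, that turns a day's worth of LOG_IN_VAIN lines like the one quoted above into something triageable. The only real data in it is the quoted message text and its two addresses; the syslog prefix ("Sep 23 11:02:14 gw /kernel: "), the host name and all other addresses are constructed sample input. The point it makes is that LOG_IN_VAIN mixes two quite different things: one port hit by many unrelated hosts (a worm or trojan client hunting for its server, which is what the 2000/tcp traffic looks like) and one host walking many of our ports (a scan). The first tells you something about the Internet, the second about who is interested in you, and only the second is worth a firewall rule per source.

```python
"""Triage FreeBSD LOG_IN_VAIN kernel messages (added example, not a poster's code).

Assumptions: the message text is the one quoted in the post; the syslog prefix,
the host name "gw" and every address other than the quoted 209.226.99.101 /
216.104.103.95 pair are constructed sample data, not real traffic.
"""
import re
from collections import Counter, defaultdict

# "Connection attempt to TCP 209.226.99.101:2000 from 216.104.103.95:1169",
# with or without the syslog prefix in front of it.
LOG_IN_VAIN_RE = re.compile(
    r"Connection attempt to (?P<proto>TCP|UDP) "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)"
)

# Only what the thread itself says about this port.
PORT_NOTES = {
    ("TCP", 2000): "callbook in /etc/services; Der Spaeher / Insane Network "
                   "trojans on the SANS odd-ports list",
}

# Constructed sample: a port-2000 sweep by several hosts, one host walking ports,
# and one unrelated syslog line that must be ignored.
SAMPLE_LOG = """\
Sep 23 11:02:14 gw /kernel: Connection attempt to TCP 209.226.99.101:2000 from 216.104.103.95:1169
Sep 23 11:05:40 gw /kernel: Connection attempt to TCP 209.226.99.101:2000 from 198.51.100.12:3102
Sep 23 11:09:01 gw /kernel: Connection attempt to TCP 209.226.99.101:2000 from 203.0.113.45:1034
Sep 23 11:11:59 gw /kernel: Connection attempt to TCP 209.226.99.101:2000 from 198.51.100.12:3119
Sep 23 11:13:27 gw /kernel: Connection attempt to TCP 209.226.99.101:2000 from 192.0.2.77:4401
Sep 23 11:20:05 gw /kernel: Connection attempt to TCP 209.226.99.101:2000 from 198.51.100.200:1026
Sep 23 11:31:44 gw /kernel: Connection attempt to TCP 209.226.99.101:21 from 203.0.113.9:40001
Sep 23 11:31:44 gw /kernel: Connection attempt to TCP 209.226.99.101:23 from 203.0.113.9:40002
Sep 23 11:31:45 gw /kernel: Connection attempt to TCP 209.226.99.101:25 from 203.0.113.9:40003
Sep 23 11:31:45 gw /kernel: Connection attempt to TCP 209.226.99.101:110 from 203.0.113.9:40004
Sep 23 11:31:46 gw /kernel: Connection attempt to TCP 209.226.99.101:143 from 203.0.113.9:40005
Sep 23 11:31:46 gw /kernel: Connection attempt to UDP 209.226.99.101:161 from 203.0.113.9:40006
Sep 23 11:40:00 gw sshd[1234]: Accepted publickey for pat from 192.0.2.5 port 51022 ssh2
"""


def parse_line(line):
    """Return a dict for a LOG_IN_VAIN line, or None for any other syslog line."""
    m = LOG_IN_VAIN_RE.search(line)
    if m is None:
        return None
    return {"proto": m["proto"], "dst": m["dst"], "dport": int(m["dport"]),
            "src": m["src"], "sport": int(m["sport"])}


def summarize(lines):
    """Per (proto, port): hit count and distinct sources; per source: distinct ports."""
    hits = Counter()
    port_sources = defaultdict(set)
    src_ports = defaultdict(set)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["proto"], ev["dport"])
        hits[key] += 1
        port_sources[key].add(ev["src"])
        src_ports[ev["src"]].add(key)
    return hits, port_sources, src_ports


def classify(lines, min_sources=3, min_ports=5):
    """Split the log into sweeps (one port, many hosts) and scanners (one host, many ports)."""
    hits, port_sources, src_ports = summarize(lines)
    sweeps = {k: sorted(v) for k, v in port_sources.items() if len(v) >= min_sources}
    scanners = {s: sorted(p) for s, p in src_ports.items() if len(p) >= min_ports}
    return {"hits": dict(hits), "sweeps": sweeps, "scanners": scanners}


def report(lines, **thresholds):
    """Human-readable summary lines, sweeps first, then scanners."""
    r = classify(lines, **thresholds)
    out = []
    for (proto, port), srcs in sorted(r["sweeps"].items()):
        note = PORT_NOTES.get((proto, port), "not identified in the thread")
        out.append(f"sweep: {proto}/{port} probed by {len(srcs)} hosts, "
                   f"{r['hits'][(proto, port)]} attempts ({note})")
    for src, ports in sorted(r["scanners"].items()):
        out.append(f"scan: {src} touched {len(ports)} ports: "
                   + ", ".join(f"{p}/{n}" for p, n in ports))
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG.splitlines())))
```

Run against /var/log/messages it replaces "nearly 100 messages a day" with two or three lines; the thresholds are deliberately conservative so a single curious host never shows up as a scanner.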

------------------------------

Date: Sun, 23 Sep 2001 11:30:12 -0500
From: Christopher Schulte <christopher@schulte.org>
Subject: Re: Identify this exploit

At 12:27 PM 9/23/2001 -0400, Pat Wendorf wrote:
>I notice I get nearly 100 messages a day from my LOG_IN_VAIN rc.conf
>option.  Many of which, for the past few months has been connection
>attempts to TCP port 2000, as seen here:
>
> > Connection attempt to TCP 209.226.99.101:2000 from 216.104.103.95:1169
>
>I'm not much up on my exploits, which one is this?

Could be trying to exploit a wind0wz trojan exploit:

from http://www.sans.org/newlook/resources/IDFAQ/oddports.htm

port 2000 Der Späher / Der Spaeher, Insane Network

>--
>
>Pat Wendorf

- --
Christopher Schulte
christopher@schulte.org
http://noc.schulte.org

------------------------------

Date: Sun, 23 Sep 2001 09:30:22 -0700
From: Greg Shenaut <greg@bogslab.ucdavis.edu>
Subject: Re: Identify this exploit 

In message <3BAE0D83.41ACBF7B@unios.dhs.org>, Pat Wendorf cleopede:
>I notice I get nearly 100 messages a day from my LOG_IN_VAIN rc.conf
>option.  Many of which, for the past few months has been connection
>attempts to TCP port 2000, as seen here:
>
>> Connection attempt to TCP 209.226.99.101:2000 from 216.104.103.95:1169
>
>I'm not much up on my exploits, which one is this?

In my /etc/services file, port 2000 is something known as "callbook",
but I don't know what that is.

Greg Shenaut

------------------------------

Date: Mon, 24 Sep 2001 02:56:40 +1000 (EST)
From: Ian Smith <smithi@nimnet.asn.au>
Subject: Re: New worm protection

On Sun, 23 Sep 2001, David G Andersen wrote:

 > Lo and behold, Chris Byrnes once said:
 > > 
 > > Has anyone written an easy-to-use ipfw rule or some kind of script
 > > that will help with this new worm?
 > 
 > Someone already pointed out disabling logging on your webserver.

Not an option here, but it's the large number of entries in *-error.log
that I'd like to be rid of.  *-access.log I can just grep out before log
analysis, if not exclude in the analyser config.

 > He also suggested a Tarpit-like approach.  I like the following
 > simple script, which is what I run on my webservers.
 > 
 > mkdir DOCROOT/scripts
 > # Cover the two alternate bits as well
 > ln -s DOCROOT/scripts DOCROOT/_mem_bin
 > ln -s DOCROOT/scripts DOCROOT/_vti_bin
 > 
 > cat > DOCROOT/scripts/.htaccess
 > ErrorDocument 404 /scripts/nph-foo.cgi
 > <EOF>
 > 
 > cat > DOCROOT/scripts/nph-foo.cgi
 > #!/usr/bin/perl
 > sleep(5);
 > exit(0);
 > <EOF>

Cute.  Will play.  However there are other directories too; dumping
ANY request containing cmd.exe or root.exe would do it best here.

 > NIMDA doesn't hang out for very long waiting for a response
 > to the script headers, so a labrea-tarpit like approach won't
 > actually be particularly effective.  The sleep(5) will slow
 > it down a little bit, and the exit(0) will make it
 > return with no data sent back, not even a 404.  Which

But does *error.log still get hit?  I dealt with /default.ida by giving
'em a one-line one, which at least meant no error logging while reducing
response traffic by two thirds, but poring through the apache docs (which I
must be too thick to find easy reading) looking for some way to provide
some short but valid response to such a range of URLs, I've not yet been
able to nut it out.  Any suggestions?

 > will help a bit on the outbound bandwidth, but, of course
 > won't help on the inbound.  Others have posted scripts to
 > NANOG (see http://www.nanog.org/ and check the archive)
 > that will automatically trigger ipfw / ipchains additions,
 > but, as always, be particularly careful with those.

Will have a look at these, however carpet bombing whole /24s for the not
even deliberate misdeeds of a few (ok, plenty of) unpatched m$junk seems
rather an overreaction <&^}=

The other thing here (ie in 203/8) is the large number of unsuccessful
DNS requests for reverse mapping of particularly North Asian addresses,
often ending with Server Failures and such - but I guess misconfigured
DNS is no more surprising than zillions of compromised webservers ..

I'd love to find some way of pre-filtering these NIMDA requests and just
dropping them on the floor before apache even considered DNS lookups (?)

Ian

------------------------------

Date: Sun, 23 Sep 2001 11:03:23 -0600 (MDT)
From: David G Andersen <danderse@cs.utah.edu>
Subject: Re: New worm protection

Lo and behold, Ian Smith once said:
> 
> Not an option here, but it's the large number of entries in *-error.log
> that I'd like to be rid of.  *-access.log I can just grep out before log
> analysis, if not exclude in the analyser config.

   Disable error logging? :)

> Cute.  Will play.  However there are other directories too; dumping
> ANY request containing cmd.exe or root.exe would do it best here.

  Use mod_rewrite to redirect all accesses to that script.

RewriteEngine on
RewriteRule .*/cmd.exe.* /scripts/nph-foo.cgi

(I haven't tested this syntax.  Test it first. :)

> But does *error.log still get hit?  I dealt with /default.ida by giving
> 'em a one-line one, which at least meant no error logging while reducing
> response traffic by two thirds, but poring through apache docs - which I
> must be too thick to find easy reading, looking for some way to provide
> some short but valid response to such a range of URLs, I've not yet been
> able to nut out.  Any suggestions?

  The rewriting I specified above will do what you want.  It maps it
to a valid script request.  It'll show up in *access_log.

> I'd love to find some way of pre-filtering these NIMDA requests and just
> dropping them on the floor before apache even considered DNS lookups (?)

  I'm vaguely surprised you have reverse DNS resolution enabled.
You could make life a lot easier on yourself by switching to post-resolution
for a while, and do the DNS lookup _after_ filtering out the bogus
requests.

  -Dave

- -- 
work: dga@lcs.mit.edu                          me:  dga@pobox.com
      MIT Laboratory for Computer Science           http://www.angio.net/

------------------------------

Date: Sun, 23 Sep 2001 08:59:24 -0700 (PDT)
From: David Kirchner <davidk@accretivetg.com>
Subject: Re: New worm protection

On Mon, 24 Sep 2001, Ian Smith wrote:

> Not an option here, but it's the large number of entries in *-error.log
> that I'd like to be rid of.  *-access.log I can just grep out before log
> analysis, if not exclude in the analyser config.

The method that was mentioned would also work for ErrorLog:

ErrorLog "|grep -v cmd.exe > /normal/error_log/location"

------------------------------

Date: Sun, 23 Sep 2001 12:17:32 -0500
From: Steve Ames <steve@virtual-voodoo.com>
Subject: Re: New worm protection

One simple shell script and you can automatically add offenders
to your ipfw ruleset. It won't stop the initial probe but will stop
repeat performances.

I use the following run out of cron every minute:


#!/bin/sh
cd /root
# $8 of an Apache 1.3 error-log line is "1.2.3.4]" from "[client 1.2.3.4]"; awk -F\] strips the bracket
grep cmd.exe /var/log/httpd-error.log | awk '{print $8;}' | sort -u \
  | awk -F\] '{printf(" /sbin/ipfw add deny ip from %s to any\n ",$1);}' > l \
  && cat /var/log/httpd-error.log >> /var/log/httpd-error.log.new \
  && cat /dev/null > /var/log/httpd-error.log
/bin/sh l && /bin/rm l

Short and simple. It's not perfect but it has reduced my bandwidth quite a
bit.

- -Steve


On Sun, Sep 23, 2001 at 02:08:19AM -0400, Chris BeHanna wrote:
> On Thu, 20 Sep 2001, Chris Byrnes wrote:
> 
> > Has anyone written an easy-to-use ipfw rule or some kind of script that will
> > help with this new worm?
> 
>     There's La Brea, but that's probably not quite what you're looking
> for.
> 
> > I have restricted Apache to just listen to my main two web IPs
> > instead of all of the IPs (I have hundreds of domains and each of
> > them previously had its own IP for different reasons), and that's
> > cut down the bandwidth use in half, but I'm still about double what
> > my daily normal bandwidth usage is.
> 
>     As others have posted, you can tell Apache not to log certain
> requests.  That will help your logfile.
> 
>     To avoid wasting bandwidth sending a 404, you could possibly
> either use mod_rewrite or an ErrorDocument CGI script to "tarpit" the
> attacks; i.e., redirect the request to a CGI script that sets MSS to a
> few bytes (à la La Brea), pretending to legitimately service the
> request.  Be careful:  you will have to watch the number of sockets
> you have open and the number of threads you tie up in this manner.
> Perhaps someone with more time than I have can author up a "mod_NIMDA"
> that can be configured with a max # of threads or max# connections to
> tarpit in this fashion, so that you can limit the amount of resources
> that you use.  Any inbound attacks in excess of these limits can
> simply be dropped on the floor.
> 
> > Frustration is high, and money issues are going to surface soon.
> > Any help would be appreciated.
> 
>     This is the best I can do with the time I have available.  I'm in
> the middle of combatting this problem with a proxy server that is
> under attack (for which I have access to the source).  My solution is
> to do regex parsing on the request using Boost's regex++ (see
> http://www.boost.org) to drop the requests on the floor (i.e., I'm not
> even going to dignify them with a 404), but keep a hash map of
> requesting IP addresses and number of attacks, which periodically gets
> dumped to a separate logfile.  I'd use regex() and regcmp(), but this
> also has to run on Windows.  Unfortunately, I can't share the source,
> but this description should be enough to get you going.
> 
>     Fortunately, I've seen the rate of NIMDA attacks drop by a factor
> of four over the last couple of days.  Either IIS webmasters are
> getting a clue, or their ISPs are being clueful for them (DSL.net, for
> example, is shutting off their infected customers until those
> customers demonstrate that they've fixed their servers).
> 
> -- 
> Chris BeHanna
> Software Engineer                   (Remove "bogus" before responding.)
> behanna@bogus.zbzoom.net
> I was raised by a pack of wild corn dogs.
> 
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

------------------------------

Date: Sun, 23 Sep 2001 10:41:06 -0700
From: Gregory Neil Shapiro <gshapiro@FreeBSD.ORG>
Subject: Re: New worm protection

smithi> Not an option here, but it's the large number of entries in
smithi> *-error.log that I'd like to be rid of.  *-access.log I can just
smithi> grep out before log analysis, if not exclude in the analyser
smithi> config.

This is what I am using:

RedirectMatch (.*)/(root.exe|cmd.exe|default.ida).* /goaway.html
SetEnvIf Request_URI "/(root.exe|cmd.exe|default.ida|goaway.html)" MSExploitCrap
CustomLog /var/log/httpd-access.log combined env=!MSExploitCrap

And then /goaway.html is just a small file:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
<HTML><HEAD><TITLE>Go away</TITLE></HEAD><BODY></BODY></HTML>

With this, nothing shows up in either httpd-access.log or httpd-error.log.
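
An added example, not code posted by anyone in this thread, that does in one place what the last few messages do with shell pipes and Apache directives: the piped ErrorLog / env= CustomLog filtering (David Kirchner's `grep -v cmd.exe`, Greg's SetEnvIf list) and the cron-driven ipfw auto-ban (Steve Ames's script, Jonathan Slivko's per-/24 bans). It adds the checks those posts leave out, because a script that writes firewall rules from log lines is a self-inflicted denial of service waiting to happen: it matches the fixed signature list the thread uses rather than "any 404", bans the single host rather than its /24, requires more than one hit, never bans an allowlisted network, and never adds the same rule twice. Assumed, and labelled as such in the code: Apache 1.3 error-log and combined access-log formats, the ipfw syntax from Steve's script, and constructed sample lines using documentation-range addresses.

```python
"""Worm-probe filter and auto-ban for Apache logs (added example, not a poster's code).

Assumptions: Apache 1.3 error-log and combined access-log line formats, the ipfw
command syntax used in Steve Ames's script, and constructed sample lines on
RFC 5737 documentation addresses (none of this is real traffic).
"""
import ipaddress
import re

# The names the thread itself matches on; Nimda also probes /_vti_bin/ and /_mem_bin/.
# Case-insensitive because IIS is.
WORM_URI_RE = re.compile(
    r"cmd\.exe|root\.exe|default\.ida|Admin\.dll|/_vti_bin/|/_mem_bin/", re.I)

# [Sun Sep 23 12:00:01 2001] [error] [client 1.2.3.4] File does not exist: /path
ERROR_RE = re.compile(r"^\[[^\]]+\] \[\w+\] \[client (?P<ip>[\d.]+)\] (?P<msg>.*)$")
# 1.2.3.4 - - [23/Sep/2001:12:00:01 -0400] "GET /uri HTTP/1.0" 404 282 "-" "-"
ACCESS_RE = re.compile(r'^(?P<ip>[\d.]+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+)')


def parse(line):
    """(client_ip, request_text) for an access- or error-log line, else None."""
    m = ACCESS_RE.match(line)
    if m:
        return m["ip"], m["uri"]
    m = ERROR_RE.match(line)
    if m:
        return m["ip"], m["msg"]
    return None


def is_worm_probe(line):
    parsed = parse(line)
    return parsed is not None and WORM_URI_RE.search(parsed[1]) is not None


def filter_log(lines):
    """What `ErrorLog "|grep -v cmd.exe ..."` does, with the whole signature list.
    Returns (lines worth keeping, number of probe lines dropped)."""
    kept = [line for line in lines if not is_worm_probe(line)]
    return kept, len(lines) - len(kept)


def autoban(lines, already_banned=(), allow_nets=("127.0.0.0/8",), min_hits=2):
    """ipfw commands for hosts that sent at least min_hits probes.

    Per host, not per /24.  Skips addresses already banned (this runs from cron,
    so rules must not pile up) and anything inside allow_nets (your own space,
    your monitoring hosts).  One hit is never enough: a single stray 404 must
    not cost a customer their access.
    """
    allow = [ipaddress.ip_network(n) for n in allow_nets]
    hits = {}
    for line in lines:
        if is_worm_probe(line):
            ip = parse(line)[0]
            hits[ip] = hits.get(ip, 0) + 1
    cmds = []
    for ip, count in sorted(hits.items()):
        if count < min_hits or ip in already_banned:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:          # malformed client field: never ban on garbage
            continue
        if any(addr in net for net in allow):
            continue
        cmds.append(f"/sbin/ipfw add deny ip from {ip} to any")
    return cmds


# Constructed sample lines (documentation addresses), not real traffic.
SAMPLE_LOG = [
    '[Sun Sep 23 12:00:01 2001] [error] [client 203.0.113.9] File does not exist: /usr/local/www/data/scripts/root.exe',
    '[Sun Sep 23 12:00:02 2001] [error] [client 203.0.113.9] File does not exist: /usr/local/www/data/c/winnt/system32/cmd.exe',
    '[Sun Sep 23 12:00:03 2001] [error] [client 198.51.100.7] File does not exist: /usr/local/www/data/default.ida',
    '[Sun Sep 23 12:00:04 2001] [error] [client 198.51.100.7] File does not exist: /usr/local/www/data/favicon.ico',
    '198.51.100.8 - - [23/Sep/2001:12:00:05 -0400] "GET /_vti_bin/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 282 "-" "-"',
    '198.51.100.8 - - [23/Sep/2001:12:00:06 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 282 "-" "-"',
    '192.0.2.10 - - [23/Sep/2001:12:00:07 -0400] "GET /index.html HTTP/1.0" 200 1532 "-" "Mozilla/4.0"',
    '127.0.0.1 - - [23/Sep/2001:12:00:08 -0400] "GET /scripts/cmd.exe HTTP/1.0" 404 282 "-" "-"',
    '127.0.0.1 - - [23/Sep/2001:12:00:09 -0400] "GET /scripts/cmd.exe HTTP/1.0" 404 282 "-" "-"',
]

if __name__ == "__main__":
    kept, dropped = filter_log(SAMPLE_LOG)
    print(f"dropped {dropped} probe lines, kept {len(kept)}")
    for cmd in autoban(SAMPLE_LOG):
        print(cmd)
```

For the cron use, feed `autoban()` the lines written since the previous run and the set of addresses already in `ipfw list`, and put your own address space in `allow_nets`; for the log-filter use, read stdin and write `kept` to the real log file, the way the piped ErrorLog in the thread does with grep.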

------------------------------

Date: Sun, 23 Sep 2001 13:51:44 -0400
From: The Anarcat <anarcat@anarcat.dyndns.org>
Subject: Re: New worm protection

On Sun, 23 Sep 2001, David G Andersen wrote:

> Lo and behold, Ian Smith once said:
> >
> > Cute.  Will play.  However there are other directories too; dumping
> > ANY request containing cmd.exe or root.exe would do it best here.
>
>   Use mod_rewrite to redirect all accesses to that script.
>
> RewriteEngine on
> RewriteRule .*/cmd.exe.* /scripts/nph-foo.cgi
>
> (I haven't tested this syntax.  Test it first. :)

Nice idea! Here's what I did:

RewriteEngine on
RewriteRule .*/cmd.exe.* /nimda.txt
RewriteRule .*/root.exe.* /nimda.txt
RewriteRule .*/default.ida.* /codered.txt
RewriteRule .*/Admin.dll.* /codered.txt
RewriteRule .*\\Admin.dll.* /codered.txt

nimda.txt and codered.txt are simply empty files. This reduces the
bandwidth used by the attack and removes the entries in error.log.

So the syntax is correct.

Note the default.ida entry for the Code Red worm (is that it?). I think
admin.dll is the same, but I'm not sure. Anyways, it doesn't make much
difference.

Here is a sample telnet output:

GET /default.ida HTTP/1.0

HTTP/1.1 200 OK
Date: Sun, 23 Sep 2001 17:46:27 GMT
Server: Apache/1.3.20 (Unix) mod_ssl/2.8.4 OpenSSL/0.9.6a
Last-Modified: Sun, 23 Sep 2001 17:21:20 GMT
ETag: "1d161-0-3bae1a10"
Accept-Ranges: bytes
Content-Length: 0
Connection: close
Content-Type: text/plain

------------------------------

Date: Sun, 23 Sep 2001 10:55:44 -0700
From: Jordan Hubbard <jkh@freebsd.org>
Subject: Re: ~/.login_conf disabling exact reasons wanted

> Yes, I do, but FreeBSD was 4.4 even before it was fixed.

FreeBSD wasn't 4.4 until it was released and all the tag sliding was
over with.

- - Jordan

------------------------------

Date: Sun, 23 Sep 2001 14:10:31 -0400
From: The Anarcat <anarcat@anarcat.dyndns.org>
Subject: Re: New worm protection

On Sun, 23 Sep 2001, David G Andersen wrote:

>   Use mod_rewrite to redirect all accesses to that script.
>
> RewriteEngine on
> RewriteRule .*/cmd.exe.* /scripts/nph-foo.cgi
>
> (I haven't tested this syntax.  Test it first. :)

Unfortunately, I tested this using a text file, which is fine. Here, if I
try using a compiled C script (instead of a perl script, faster on a
small machine), the script gets dumped in binary form! Not executed!

GET /root.exe
ELF [binary garbage] /usr/libexec/ld-elf.so.FreeBSD [binary garbage]
...

So I used the redirect approach:

RedirectMatch .*/(root.exe|cmd.exe|default.ida|Admin.dll).* /cgi-bin/sleep.cgi

sleep.c:
#include <stdio.h>
#include <unistd.h>

int main(void) {
  sleep(5);                               /* hold the worm's connection open */
  printf("Content-type: text/plain\n\n"); /* minimal CGI header, empty body */
  return 0;
}

This works. However, it generates a bit too much output:

GET /cmd.exe
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>302 Found</TITLE>
</HEAD><BODY>
<H1>Found</H1>
The document has moved <A HREF="/cgi-bin/sleep.cgi">here</A>.<P>
<HR>
<ADDRESS>Apache/1.3.20 Server at anarcat.dyndns.org Port 80</ADDRESS>
</BODY></HTML>

;)

I really don't understand why the Rewrite rule doesn't work as expected.

A.

------------------------------

Date: Sun, 23 Sep 2001 12:18:43 -0600 (MDT)
From: David G Andersen <danderse@cs.utah.edu>
Subject: Re: New worm protection

Sorry, should have mentioned that I have all .cgi files mapped
to executables.

Have it map to your /cgi-bin like you want.

Name the script nph-<whatever> instead of just <whatever>, which
tells the webserver that your script will generate ALL of the
headers.  Then the script can just close, and the worm
won't get _any_ output from the webserver.

Use RewriteRule, not RedirectMatch.  RedirectMatch sends a redirect,
which is obviously not what you want.  You want to internally 
rewrite the URL so it gets handled transparently.  Then, the 
result is quite pleasing:

131 eep:~/> telnet webby.angio.net 80
Trying 206.197.119.138...
Connected to webby.angio.net.
Escape character is '^]'.
GET /scripts/cmd.exe? HTTP/1.0

Connection closed by foreign host.

See?  Very nice. :)

Lo and behold, The Anarcat once said:
> 
> On Sun, 23 Sep 2001, David G Andersen wrote:
> 
> >   Use mod_rewrite to redirect all accesses to that script.
> >
> > RewriteEngine on
> > RewriteRule .*/cmd.exe.* /scripts/nph-foo.cgi
> >
> > (I haven't tested this syntax.  Test it first. :)
> 
> Unfortunatly, I tested this using a text file, which is fine. Here, if I
> try using a compiled C script (instead of a perl script, faster on a
> small machine), the script gets dumped in binary form! Not executed!
> 
> GET /root.exe
> ELF [binary garbage] /usr/libexec/ld-elf.so.FreeBSD [binary garbage]
> ...
> 
> So I used the redirect approach:
> 
> RedirectMatch .*/(root.exe|cmd.exe|default.ida|Admin.dll).* /cgi-bin/sleep.cgi
> 
> sleep.c:
> int main() {
>   sleep(5);
>   printf("Content-type: text/plain\n\n");
> }
> 
> This works. However, it generates a bit too much output:
> 
> GET /cmd.exe
> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
> <HTML><HEAD>
> <TITLE>302 Found</TITLE>
> </HEAD><BODY>
> <H1>Found</H1>
> The document has moved <A HREF="/cgi-bin/sleep.cgi">here</A>.<P>
> <HR>
> <ADDRESS>Apache/1.3.20 Server at anarcat.dyndns.org Port 80</ADDRESS>
> </BODY></HTML>
> 
> ;)
> 
> I really don't understand why the Rewrite rule doesn't work as expected.
> 
> A.
> 

- -- 
work: dga@lcs.mit.edu                          me:  dga@pobox.com
      MIT Laboratory for Computer Science           http://www.angio.net/

------------------------------

Date: Mon, 24 Sep 2001 04:34:06 +1000 (EST)
From: Ian Smith <smithi@nimnet.asn.au>
Subject: Re: New worm protection

On Sun, 23 Sep 2001, Gregory Neil Shapiro wrote:

 > smithi> Not an option here, but it's the large number of entries in
 > smithi> *-error.log that I'd like to be rid of.  *-access.log I can just
 > smithi> grep out before log analysis, if not exclude in the analyser
 > smithi> config.
 > 
 > This is what I am using:
 > 
 > RedirectMatch (.*)/(root.exe|cmd.exe|default.ida).* /goaway.html
 > SetEnvIf Request_URI "/(root.exe|cmd.exe|default.ida|goaway.html)" MSExploitCrap
 > CustomLog /var/log/httpd-access.log combined env=!MSExploitCrap
 > 
 > And then /goaway.html is just a small file:
 > 
 > <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
 > <HTML><HEAD><TITLE>Go away</TITLE></HEAD><BODY></BODY></HTML>
 > 
 > With this, nothing shows up in either httpd-access.log or httpd-error.log.

I like it, short and sweet.

Thankyou Greg.  Thanks also to David Kirchner, David G Andersen, Steve
Ames and The Anarcat for lots of angles to explore .. but tomorrow. 

Cheers, Ian

------------------------------

Date: Mon, 24 Sep 2001 03:43:53 +0900
From: horio shoichi <horio@pointer-software.com>
Subject: Re: Policy based routing/restricting access __inside__ ones net..

Stanley Hopcroft wrote:
> 
> Dear Ladies and Gentlemen,
> 
> I am writing to ask for advice about providing profile dependent access
> to subsets of one's internal network.
> 
> The context is having third parties access the network for maintenance.
> 
> Once they get logged in on the host they are hired to maintain, how can
> I prevent them accessing other hosts while allowing __some__ access to
> others they may need for problem resolution ? (given that both sets of
> hosts can be specified)
> 
> Can a Kerberos realm enforce access profiles such as these (and then if
> they were forced to use only kerberised applications, grant them tickets
> for access to some hosts only) ?
> 
If by realm you mean splitting servers into a possibly overlapping set of
realms, each of which has a separate set of principals (users and services),
with users accessing servers through cross-realm authentication, I see no
reason it wouldn't work.

> Can ipfilter/ipfw provide ACLs depending on user ?
> 
Ipfilter is so low level that it has no notion of user. It only recognizes
protocol, IP and port. If a user (or users) could be bound to a specific
set of protocol, IP and port corresponding to an instance of a service,
then access control might be possible. But I doubt doing this would be
worth the effort.

> The access could include Solaris/FreeBSD/AIX servers as well as MS Win
> NT ...
> 
> Thank you,
> 
> Yours sincerely.
> 
>  --
> ------------------------------------------------------------------------
> Stanley Hopcroft        IP Australia
> Network Specialist
> +61 2 6283 3189 +61 2 6281 1353 (FAX)   Stanley.Hopcroft@IPAustralia.Gov.AU
> ------------------------------------------------------------------------
> The study of non-linear physics is like the study of non-elephant
> biology.
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

------------------------------

Date: Sun, 23 Sep 2001 14:52:10 -0400
From: The Anarcat <anarcat@anarcat.dyndns.org>
Subject: Re: New worm protection

On Sun, 23 Sep 2001, David G Andersen wrote:

> Sorry, should have mentioned that I have all .cgi files mapped
> to executables.
>
> Have it map to your /cgi-bin like you want.

I had cgi configuration problems. They're fixed. :)

> Name the script nph-<whatever> instead of just <whatever>, which
> tells the webserver that your script will generate ALL of the
> headers.  Then the script can just close, and the worm
> won't get _any_ output from the webserver.

Interesting. I didn't know of this feature.

> Use RewriteRule, not RedirectMatch.  RedirectMatch sends a redirect,
> which is obviously not what you want.  You want to internally
> rewrite the URL so it gets handled transparently.  Then, the
> result is quite pleasing:
> 
> 131 eep:~/> telnet webby.angio.net 80
> Trying 206.197.119.138...
> Connected to webby.angio.net.
> Escape character is '^]'.
> GET /scripts/cmd.exe? HTTP/1.0
> 
> Connection closed by foreign host.
> 
> See?  Very nice. :)

Very nice indeed. I have the same result here now. :) Without the perl
overhead. :) :)

A.


------------------------------

Date: Sun, 23 Sep 2001 14:13:31 -0700
From: faSty <fasty@i-sphere.com>
Subject: Re: New worm protection

Can you give me a sample of the statement that closes without output from the
webserver?

I tried to use your statement; it seems not to work and it simply
evades almost all 500 domains on my webservers. Ugh.

I hope your sample can handle all domains, not just one domain.

Let me know, thanks.

-trev

On Sun, Sep 23, 2001 at 12:18:43PM -0600, David G Andersen wrote:
> Sorry, should have mentioned that I have all .cgi files mapped
> to executables.
> 
> Have it map to your /cgi-bin like you want.
> 
> Name the script nph-<whatever> instead of just <whatever>, which
> tells the webserver that your script will generate ALL of the
> headers.  Then the script can just close, and the worm
> won't get _any_ output from the webserver.
> 
> Use RewriteRule, not RedirectMatch.  RedirectMatch sends a redirect,
> which is obviously not what you want.  You want to internally 
> rewrite the URL so it gets handled transparently.  Then, the 
> result is quite pleasing:
> 
> 131 eep:~/> telnet webby.angio.net 80
> Trying 206.197.119.138...
> Connected to webby.angio.net.
> Escape character is '^]'.
> GET /scripts/cmd.exe? HTTP/1.0
> 
> Connection closed by foreign host.
> 
> See?  Very nice. :)
> 
> Lo and behold, The Anarcat once said:
> > 
> > On Sun, 23 Sep 2001, David G Andersen wrote:
> > 
> > >   Use mod_rewrite to redirect all accesses to that script.
> > > 
> > > RewriteEngine on
> > > RewriteRule .*/cmd.exe.* /scripts/nph-foo.cgi
> > > 
> > > (I haven't tested this syntax.  Test it first. :)
> > 
> > Unfortunatly, I tested this using a text file, which is fine. Here, if I
> > try using a compiled C script (instead of a perl script, faster on a
> > small machine), the script gets dumped in binary form! Not executed!
> > 
> > GET /root.exe
> > ELF [binary data] /usr/libexec/ld-elf.so.FreeBSD [binary data]
> > ...
> > 
> > So I used the redirect approach:
> > 
> > RedirectMatch .*/(root.exe|cmd.exe|default.ida|Admin.dll).* /cgi-bin/sleep.cgi
> > 
> > sleep.c:
> > int main() {
> >   sleep(5);
> >   printf("Content-type: text/plain\n\n");
> > }
> > 
> > This works. However, it generates a bit too much output:
> > 
> > GET /cmd.exe
> > <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
> > <HTML><HEAD>
> > <TITLE>302 Found</TITLE>
> > </HEAD><BODY>
> > <H1>Found</H1>
> > The document has moved <A HREF="/cgi-bin/sleep.cgi">here</A>.<P>
> > <HR>
> > <ADDRESS>Apache/1.3.20 Server at anarcat.dyndns.org Port 80</ADDRESS>
> > </BODY></HTML>
> > 
> > ;)
> > 
> > I really don't understand why the Rewrite rule doesn't work as expected.
> > 
> > A.
> > 
> 
> 
> -- 
> work: dga@lcs.mit.edu                          me:  dga@pobox.com
>       MIT Laboratory for Computer Science           http://www.angio.net/

-- 
The primary theme of SoupCon is communication.  The acronym "LEO"
represents the secondary theme:

	Law Enforcement Officials

The overall theme of SoupCon shall be:

	Avoiding Communication with Law Enforcement Officials

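As an added example (not code from this thread or from David Andersen's server), here is a compiled nph- style CGI in C of the kind The Anarcat switched to, answering faSty's request for something that closes without output. Because Apache treats a script whose name starts with nph- as producing all headers itself, exiting without writing to stdout sends the worm nothing at all; the connection simply closes. Before exiting, the script appends the client address and requested URI to a plain-text feed so a firewall script like the ipfw one later in this digest has something to key on. The file name nph-goaway.cgi, the log path /var/log/worm-probes.log and the URI markers list are assumptions made for this example; REQUEST_URI and REMOTE_ADDR are the standard CGI environment variables Apache sets, and with an internal RewriteRule REQUEST_URI still carries the URI the client actually sent. The matching rule, following the pattern in the quoted posts, would be something like `RewriteRule .*/(root\.exe|cmd\.exe|default\.ida|Admin\.dll).* /cgi-bin/nph-goaway.cgi [L]` (my suggestion, not tested on the posters' servers).

```c
/*
 * nph-goaway.c: example nph- CGI for the mod_rewrite trick discussed in this
 * thread. No status line or headers are written, so the worm gets an empty
 * response and the connection just closes. Probing clients are appended to
 * a blocklist feed first. Added example; paths and names are assumptions.
 *
 * Build: cc -O2 -o nph-goaway.cgi nph-goaway.c
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>

/* Log path assumed for this example, not taken from the thread. */
#define PROBE_LOG "/var/log/worm-probes.log"

/* URI fragments the posters in this thread match on (Code Red / Nimda probes). */
static const char *const probe_markers[] = {
    "root.exe", "cmd.exe", "default.ida", "Admin.dll", "winnt", NULL
};

/* Case-insensitive substring test, so CMD.EXE is caught as well as cmd.exe. */
static int contains_nocase(const char *hay, const char *needle)
{
    size_t n = strlen(needle);
    for (; *hay; hay++)
        if (strncasecmp(hay, needle, n) == 0)
            return 1;
    return 0;
}

/* Returns 1 if the request URI carries one of the worm probe markers, else 0. */
int is_worm_probe(const char *uri)
{
    if (uri == NULL)
        return 0;
    for (const char *const *m = probe_markers; *m; m++)
        if (contains_nocase(uri, *m))
            return 1;
    return 0;
}

/*
 * Format one blocklist line, "<ip> <uri>\n", the two fields a firewall
 * script needs. Returns the line length, or -1 if it would not fit in out.
 */
int format_probe_line(char *out, size_t outlen, const char *ip, const char *uri)
{
    int n = snprintf(out, outlen, "%s %s\n", ip ? ip : "-", uri ? uri : "-");
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

int main(void)
{
    /* Apache hands the original request's details over in the CGI environment. */
    const char *uri = getenv("REQUEST_URI");
    const char *ip  = getenv("REMOTE_ADDR");
    char line[1024];

    if (is_worm_probe(uri) && format_probe_line(line, sizeof line, ip, uri) > 0) {
        FILE *fp = fopen(PROBE_LOG, "a");
        if (fp) {
            fputs(line, fp);
            fclose(fp);
        }
    }

    /* Hold the worm's connection open a few seconds, then exit having written
       nothing to stdout: as an nph- script, Apache adds no headers for us. */
    sleep(5);
    return 0;
}
```

One caveat for a multi-domain setup such as faSty's: mod_rewrite directives placed in the main server context are not inherited by virtual hosts unless each <VirtualHost> has its own `RewriteEngine on` and `RewriteOptions inherit`, so a single rule at the top of httpd.conf will leave most name-based hosts unprotected.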
------------------------------

Date: Sun, 23 Sep 2001 14:00:10 -0700 (PDT)
From: David Kirchner <davidk@accretivetg.com>
Subject: Re: New worm protection

Would it be possible to create an accept-filter module (ala accf_http)
that could take care of these and future similar filters, server-wide?

------------------------------

Date: Mon, 24 Sep 2001 01:24:41 +0200
From: "Karl M. Joch" <k.joch@kmjeuro.com>
Subject: Re: New worm protection

I have made a quick and maybe dirty solution which helps me a lot on the
servers. It handles multiple error files. My error files are reset once
every 24h, so I don't get too-big files.

#!/usr/bin/perl
# blockwins: scan Apache error logs for Code Red / Nimda probes and deny
# every probing host with a single ipfw rule number. Offending IPs are kept
# in a DBM file so hosts seen in earlier runs stay blocked after the logs
# are rotated.
use strict;
use warnings;

############################################
# include trailing / in run & wrk
my $run = "/usr/local/blockwins/";
my $wrk = "/usr/local/blockwins/data/"; # create it in advance

# one Apache error-log path per line (made by ls /var/log/your-apache-error-logs)
my $logfiles = "/usr/local/blockwins/logfiles";
my $domfile  = "IPs";

my $rule = "50"; # the ipfw rule number you want to use

#*************************************************** end of config
# Date stamp for the report:
chomp(my $dat = `date "+%y/%m/%d %H:%M"`);

my $cnt  = 0; # IPs not seen before
my $cnto = 0; # IPs in the database (old and new)
my $cnt2 = 0; # accesses from IPs already in the database

# open the IP database, creating it if it does not exist yet:
my %domains;
dbmopen(%domains, "$wrk$domfile", 0640)
    or die "$0: cannot open $wrk$domfile: $!\n";

# GET OUR LOGFILES
open(my $input, '<', $logfiles) or die "$0: cannot open $logfiles!\n";
while (my $logname = <$input>) {
    chomp $logname;
    next if $logname eq '';
    open(my $log, '<', $logname) or die "cannot open $logname!\n";
    while (my $line = <$log>) {
        ## [Mon Sep 10 10:38:43 2001] [error] [client 193.215.176.192] File does not exist: /usr/local/www/default.ida
        # worm signatures; dots escaped so "." does not match any character
        next unless $line =~ /winnt|root\.exe|cmd\.exe|default\.ida/;

        # block them: pull out the client IP and the last path component
        # requested; skip lines that carry no "[client a.b.c.d]" tag
        my ($ip, $comm) = $line =~ /client ([0-9.]+).*\/(.*)$/ or next;
        if (exists $domains{$ip}) {
            $cnt2++;
        } else {
            $cnt++;
        }
        $domains{$ip} = $comm; ## last command
    }
    close($log);
}
close($input);

my $bar = ("#" x 72) . "\n";
print $bar;
print "Attacks from Code Red/Nimda ($dat)\n";
print $bar;
print "DIFFERENT IPs: $cnt\n";
print $bar;
print "TOTAL ACCESS: $cnt2\n";
print $bar;

# NOW LET'S CHECK EVERYTHING:
# clear the one rule. ipfw(8) takes "delete <number>" and removes every
# rule carrying that number; on the first run there is none, hence print
# rather than die:
system("/sbin/ipfw", "-q", "delete", $rule) == 0
    or print "ipfw delete $rule failed: $?\n";

# add all of our idiots (list form of system(): no shell, no quoting issues):
foreach my $dom (sort keys %domains) {
    $cnto++;
    # print "$dom - denied access to the server with rule $rule\n";
    system("/sbin/ipfw", "-q", "add", $rule, "deny", "all", "from", $dom, "to", "any") == 0
        or die "ipfw add deny $dom failed: $?";
}

print $bar;
print "All Rules (Total IPs: $cnto) added to Firewall\n";
print "Known Windows Systems denied access!\n";
print $bar;

dbmclose(%domains);



-- 
Best regards,

Karl M. Joch
KMJ Consulting - CTS Consulting & Trade Service
http://www.kmjeuro.com - http://www.ctseuro.com
k.joch@kmjeuro.com - k.joch@ctseuro.com

GSM : +43-664-3407888

Our services:
http://www.proline.at - Network and security technology
http://www.eushop.net - Online shop and applications, simply rented
http://www.freebsd.at - Power Operating System
----- Original Message -----
From: "David Kirchner" <davidk@accretivetg.com>
To: <freebsd-security@FreeBSD.ORG>
Sent: Sunday, September 23, 2001 11:00 PM
Subject: Re: New worm protection


> Would it be possible to create an accept-filter module (ala accf_http)
> that could take care of these and future similar filters, server-wide?
>
>

------------------------------

Date: Sun, 23 Sep 2001 17:02:41 -0700
From: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
Subject: Re: Patch for review (was Re: ~/.login_conf disabling exact  reasons wanted)

In message <20010923161354.A426@nagual.pp.ru>, "Andrey A. Chernov" 
writes:
> On Sat, Sep 22, 2001 at 22:58:21 +0400, Andrey A. Chernov wrote:
> 
> > I'll work on the proper fix tomorrow.
> 
> 
> Planned for commit. Please, review and/or comment.
> 
> --- login_cap.c.old	Sun Sep 23 16:09:04 2001
> +++ login_cap.c	Sun Sep 23 16:06:19 2001
> @@ -184,18 +184,17 @@
>      login_cap_t	*lc;
>    
>      if ((lc = malloc(sizeof(login_cap_t))) != NULL) {
> -	int	    r, i = 0;
> +	int         r, me, i = 0;
>  	uid_t euid = 0;
>  	gid_t egid = 0;
>  	const char  *msg = NULL;
> -	const char  *dir = (pwd == NULL) ? NULL : pwd->pw_dir;
> +	const char  *dir;
>  	char	    userpath[MAXPATHLEN];
>  
>  	static char *login_dbarray[] = { NULL, NULL, NULL };
>  
> -#ifndef _FILE_LOGIN_CONF_WORKS
> -	dir = NULL;
> -#endif
> +	me = (name != NULL && strcmp(name, LOGIN_MECLASS) == 0);
> +	dir = (!me || pwd == NULL) ? NULL : pwd->pw_dir;
>  	/*
>  	 * Switch to user mode before checking/reading its ~/.login_conf
>  	 * - some NFSes have root read access disabled.
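Review bot: dropping the `#ifndef _FILE_LOGIN_CONF_WORKS` block quietly re-enables ~/.login_conf reading, so the commit log should say so and state that the new `dir = (!me || pwd == NULL) ? NULL : pwd->pw_dir;` scopes it to the `me` class only; that scoping is the substance of the fix and deserves a one-line comment beside `me = (name != NULL && strcmp(name, LOGIN_MECLASS) == 0);` explaining why other class names must never read a user-controlled file. Minor style point: the added `int         r, me, i = 0;` pads with spaces where the neighbouring declarations align with a tab.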
> @@ -215,7 +214,7 @@
>  	    if (_secure_path(userpath, pwd->pw_uid, pwd->pw_gid) != -1)
>  		i++;		/* only use 'secure' data */
>  	}
> -	if (_secure_path(_PATH_LOGIN_CONF, 0, 0) != -1)
> +	if (me && _secure_path(_PATH_LOGIN_CONF, 0, 0) != -1)
>  	    login_dbarray[i++] = _PATH_LOGIN_CONF;
>  	login_dbarray[i] = NULL;
>  
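Review bot: the `me &&` guard added to the `_PATH_LOGIN_CONF` check looks inverted. For every class other than `me`, `dir` is NULL (first hunk), so `i` is still 0 when this line runs; with `me` false the system file is skipped too, `login_dbarray[0]` becomes NULL and cgetent() below has no database to search, so every ordinary class lookup fails. That is exactly the `login_getclass: unknown class 'root'` / `'daemon'` syslog output reported further down. Keep the original unconditional `if (_secure_path(_PATH_LOGIN_CONF, 0, 0) != -1)`; `me` should only decide whether the user's file is consulted, not whether the system one is.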
> @@ -227,7 +226,7 @@
>  
>  	switch (cgetent(&lc->lc_cap, login_dbarray, (char*)name)) {
>  	case -1:		/* Failed, entry does not exist */
> -	    if (strcmp(name, LOGIN_MECLASS) == 0)
> +	    if (me)
>  		break;	/* Don't retry default on 'me' */
>  	    if (i == 0)
>  	        r = -1;
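Review bot: swapping `strcmp(name, LOGIN_MECLASS) == 0` for `if (me)` is a behaviour change as well as a cleanup: `me` was computed with a `name != NULL` test in the first hunk, whereas the old strcmp dereferenced `name` unconditionally. Worth a sentence in the commit message so the NULL-safety gain is recorded and not mistaken for a cosmetic edit.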

After applying the patch and building world the following are logged to 
syslog.

Sep 23 13:40:00 cwtest /usr/sbin/cron[17208]: login_getclass: unknown 
class 'root'
Sep 23 13:40:00 cwtest /usr/sbin/cron[17207]: login_getclass: unknown 
class 'daemon'
Sep 23 13:40:00 cwtest inetd[17213]: login_getclass: unknown class 
'daemon'

Rsh between hosts behind my firewall here at home works; however rsync, 
which uses rsh, does not: an EOF error is displayed.


Regards,                         Phone:  (250)387-8437
Cy Schubert                        Fax:  (250)387-5766
Team Leader, Sun/Alpha Team   Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD
Ministry of Management Services
Province of BC

------------------------------

End of security-digest V5 #289
******************************

To Unsubscribe: send mail to majordomo@FreeBSD.org
with unsubscribe freebsd-security-digest in the body of the message







Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200109240401.f8O3fAi21562>