Date: Sat, 10 Jan 2004 17:23:39 -0500
From: "David Edwards" <david@deassociates.com>
To: <freebsd-security@freebsd.org>
Subject: Need some help on security
Message-ID: <000701c3d7c8$697a4e40$6400a8c0@winxp1700>
Hello all. I am new to the list and relatively new to FreeBSD. I currently have a server running 4.8 as a dedicated server with cPanel added as a way to speed up the creation of sites and such on the server. I host only a couple of sites because I do this in my spare time and don't know enough to be a paid participant in the hosting community.

Anyway, on to the question. Last night, the server stopped responding after someone tried to gain access to what looks to be web based printing. I am not familiar with any firewall/IDS solutions and have looked over Snort and IPFW today. I don't want to do IPFW because I don't want to recompile a kernel that works and potentially lose everything I have done so far.

Here is a bit of the apache error_log which shows the issue I am referring to:

[Sat Jan 10 01:34:04 2004] [error] [client 211.233.89.189] File does not exist: /usr/home/dbcenter/public_html/NULL.printer
[Sat Jan 10 01:34:04 2004] [error] [client 211.233.89.189] File does not exist: /usr/local/apache/htdocs/NULL.printer
[Sat Jan 10 01:34:04 2004] [error] [client 211.233.89.189] File does not exist: /usr/local/apache/htdocs/404.shtml
[Sat Jan 10 01:34:05 2004] [error] [client 211.233.89.189] File does not exist: /usr/local/apache/htdocs/NULL.printer
[Sat Jan 10 01:34:05 2004] [error] [client 211.233.89.189] File does not exist: /usr/local/apache/htdocs/404.shtml
[Sat Jan 10 01:34:05 2004] [error] [client 211.233.89.189] File does not exist: /usr/home/seekers/public_html/NULL.printer
[Sat Jan 10 01:34:05 2004] [error] [client 211.233.89.189] File does not exist: /usr/local/apache/htdocs/NULL.printer
[Sat Jan 10 01:34:05 2004] [error] [client 211.233.89.189] File does not exist: /usr/home/seekers/public_html/404.shtml
[Sat Jan 10 01:34:05 2004] [error] [client 211.233.89.189] File does not exist: /usr/local/apache/htdocs/404.shtml

I also have a few entries where they are trying to get to a command prompt and trying to do some sort of weirdness with IIS:

[Fri Jan 9 22:18:31 2004] [error] [client 67.167.253.191] File does not exist: /usr/local/apache/htdocs/scripts/nsiislog.dll
[Fri Jan 9 22:18:31 2004] [error] [client 67.167.253.191] File does not exist: /usr/local/apache/htdocs/404.shtml
[Fri Jan 9 22:18:31 2004] [error] [client 67.167.253.191] File does not exist: /usr/local/apache/htdocs/scripts/nsiislog.dll
[Fri Jan 9 22:18:31 2004] [error] [client 67.167.253.191] File does not exist: /usr/local/apache/htdocs/404.shtml
[Thu Jan 8 07:00:07 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/scripts/root.exe
[Thu Jan 8 07:00:07 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/404.shtml
[Thu Jan 8 07:00:11 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/MSADC/root.exe
[Thu Jan 8 07:00:11 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/404.shtml
[Thu Jan 8 07:00:15 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/c/winnt/system32/cmd.exe
[Thu Jan 8 07:00:15 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/404.shtml
[Thu Jan 8 07:00:19 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/d/winnt/system32/cmd.exe
[Thu Jan 8 07:00:19 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/404.shtml
[Thu Jan 8 07:00:23 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/scripts/..%5c../winnt/system32/cmd.exe
[Thu Jan 8 07:00:23 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/404.shtml
[Thu Jan 8 07:00:28 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/_vti_bin/..%5c../..%5c../..%5c../winnt/system 32/cmd.exe
[Thu Jan 8 07:00:28 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/404.shtml
[Thu Jan 8 07:00:31 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/_mem_bin/..%5c../..%5c../..%5c../winnt/system 32/cmd.exe
[Thu Jan 8 07:00:31 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/404.shtml
[Thu Jan 8 07:00:36 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á ../winnt/system32/cmd.exe
[Thu Jan 8 07:00:36 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/404.shtml
[Thu Jan 8 07:00:40 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/scripts/..Á../winnt/system32/cmd.exe
[Thu Jan 8 07:00:40 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/404.shtml
[Thu Jan 8 07:00:44 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/404.shtml
[Thu Jan 8 07:00:48 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/scripts/..À¯../winnt/system32/cmd.exe
[Thu Jan 8 07:00:48 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/404.shtml
[Thu Jan 8 07:00:53 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/scripts/..Áo../winnt/system32/cmd.exe
[Thu Jan 8 07:00:53 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/404.shtml
[Thu Jan 8 07:00:57 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/400.shtml
[Thu Jan 8 07:01:01 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/400.shtml
[Thu Jan 8 07:01:05 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/scripts/..%5c../winnt/system32/cmd.exe
[Thu Jan 8 07:01:05 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/404.shtml
[Thu Jan 8 07:01:10 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/scripts/..%2f../winnt/system32/cmd.exe
[Thu Jan 8 07:01:10 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/404.shtml

Can anyone offer me a bit of advice on how to block such IP addresses within FreeBSD and some sort of firewall type setup that is fairly easy and quick to set up as well as create new filtering rules for? Thanks in advance for any help in this matter.

Also, all the missing errors like the 404, 400 and such are now cleared up. Created the pages for the errors.

David Edwards
david@deassociates.com

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.551 / Virus Database: 343 - Release Date: 12/11/2003
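One way to pull the probing clients out of an Apache error_log like the one above and render them as ipfw deny rules, added here as an example and not code from the post or from FreeBSD; the IIS path patterns are taken from the excerpt above, the rule numbers and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Apache 1.3-style error_log line, as quoted in the post:
# [Sat Jan 10 01:34:04 2004] [error] [client 1.2.3.4] File does not exist: /path
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<ip>[\d.]+)\] "
    r"File does not exist: (?P<path>\S+)$"
)

# Path fragments that only exist on an IIS host. A request for them against an
# Apache/FreeBSD box is a worm or scanner, never a real visitor. The list is an
# assumption drawn from the paths in the log excerpt above.
IIS_PROBE_RE = re.compile(
    r"(?:\.printer$|nsiislog\.dll$|root\.exe$|cmd\.exe$|_vti_bin/|msadc/|\.\.%5c|\.\.%2f)",
    re.IGNORECASE,
)

def parse_line(line):
    """Return a dict with ts/level/ip/path, or None for lines of another shape."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def probe_report(lines, threshold=2):
    """Map client IP -> probed paths, keeping clients with >= threshold probes."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and IIS_PROBE_RE.search(rec["path"]):
            hits[rec["ip"]].append(rec["path"])
    return {ip: paths for ip, paths in hits.items() if len(paths) >= threshold}

def ipfw_rules(report, start=1000):
    """One ipfw deny rule per flagged client; rule numbering is an assumption."""
    return [f"ipfw add {start + i} deny ip from {ip} to any"
            for i, ip in enumerate(sorted(report))]

# Constructed sample, modelled on the post's excerpt; 192.0.2.10 is a benign 404.
SAMPLE_LOG = """\
[Sat Jan 10 01:34:04 2004] [error] [client 211.233.89.189] File does not exist: /usr/local/apache/htdocs/NULL.printer
[Sat Jan 10 01:34:05 2004] [error] [client 211.233.89.189] File does not exist: /usr/home/seekers/public_html/NULL.printer
[Thu Jan  8 07:00:07 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/scripts/root.exe
[Thu Jan  8 07:00:23 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/scripts/..%5c../winnt/system32/cmd.exe
[Thu Jan  8 07:00:57 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/400.shtml
[Thu Jan  8 08:12:00 2004] [error] [client 192.0.2.10] File does not exist: /usr/local/apache/htdocs/favicon.ico
""".splitlines()

if __name__ == "__main__":
    for rule in ipfw_rules(probe_report(SAMPLE_LOG)):
        print(rule)
```

The threshold keeps a single stray 404 from earning a block; feed it `open("/usr/local/apache/logs/error_log")` in place of the sample to run it on a live log.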