Date: Mon, 22 Oct 2001 17:27:10 -0400
From: Louis LeBlanc <leblanc+freebsd@acadia.ne.mediaone.net>
To: freebsd-questions@FreeBSD.org
Subject: Re: attackers! How do I know whether or not they were successful?
Message-ID: <20011022172710.A36179@acadia.ne.mediaone.net>
In-Reply-To: <5.0.2.1.0.20011020141127.00a191b0@netmail.home.com>
Sorry I don't have the actual message to reply to, but I got kicked off
the list this weekend because my ISP hosed its DNS server <GRRR>. Anyone
know of a DNS service that can serve a domain to a DHCP IP?

Anyway, here is the message quoted from the archives:
------------------------------------------------------------------
> Date: Sat, 20 Oct 2001 14:34:10 -0500
> From: Michael MacKinnon <mackinnon.m@home.com>
> To: freebsd-questions@FreeBSD.ORG
> Subject: attackers! How do I know whether or not they were successful?
> Message-ID: <5.0.2.1.0.20011020141127.00a191b0@netmail.home.com>
>
> I noticed in my logs what appears to be an attempt to try a buffer
> overflow in my apache logs.
> I've included the excerpts from my logs below for reference.
> My questions:
> 1) I haven't opened up port 80 with my firewall. How did they connect?
> Is there a problem with my rules? (I've included those below for
> reference as well)

I looked at the log entry. Is this the only one you got? Did you get any
looking for 'root.exe' or 'shell.exe' or such things? Those would likely
be the Nimda worm trying to spread. What you have is the CodeRed or
CodeRed II worm, as someone else already suggested. You can ignore this
if you like, or you can handle it by reporting it to the abuse
authorities for that domain. They will (presumably) inform someone
administering the machine that it is infected.

> 2) How can I tell how successful the attempt was?

It wasn't, if you are not running IIS on a Win$ O$.

> 3) Any ideas what the attempt was trying to do? Is this a known
> exploit? Where would I find out?

Someone else gave you a good link. You can also get a bit of info here:
http://acadia.ne.mediaone.net/Nimda/
It was offline this past weekend, thanks to my ISP, but it's back. I also
have links to the handlers that would automatically send complaints to
the abuse authorities.

> 4) What do I do now? Anything else I should do?

You can handle it or ignore it. Won't matter.

If you run a lightly loaded server, I'd suggest helping to keep the
infections reported with one or both of the handlers you can see at the
link above. If you are running a heavily loaded server, just use the
suggestions on that page to eliminate the log file overflow that will
result from the two worms (especially Nimda).

> My Firewall Rules:
> block in on dc0
> block in log quick on dc0 from 192.168.0.0/16 to any
> block in log quick on dc0 from 172.16.0.0/12 to any
> block in log quick on dc0 from 10.0.0.0/8 to any
> block in log quick on dc0 from 127.0.0.0/8 to any
> block in log quick on dc0 from <my ip address>/32 to any
> # allow my own network stuff to get out
> pass out quick on dc0 proto tcp/udp from 192.168.0.0/24 to any keep state
> pass out quick on dc0 proto icmp from 192.168.0.0/24 to any keep state
> pass out quick on dc0 proto tcp/udp from <my ip address>/32 to any keep state

Someone else already mentioned the kernel default behavior. You should
have the default set to deny so that you can explicitly allow only what
you want through. Try looking at the cheat sheets at
http://www.mostgraveconcern.com/freebsd/
I found them most helpful.

> httpd-error contents:
> [Sat Oct 19 13:25:07 2001] [error] [client 131.123.8.178] Client sent
> malformed Host header
>
> httpd-access contents:
> 131.123.8.178 - - [19/Oct/2001:13:25:07 -0700] "GET
> /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%
> u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u
> 0000%u00=a HTTP/1.0" 400 341 "-" "-"

Yup. That's CodeRed. I'm surprised there are any of these still out
there. I haven't seen one since 10/10. I think most of them have either
been cleaned out or taken over by Nimda.

That one's worse because it can spread so many different ways, and it
uses roughly 16 separate URLs to try to get into an IIS server.

Good luck
Lou
--
Louis LeBlanc                          leblanc@acadia.ne.mediaone.net
Fully Funded Hobbyist, KeySlapper Extraordinaire :)
http://acadia.ne.mediaone.net

Too much is just enough.
    -- Mark Twain, on whiskey

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
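An added example, not from Lou's reply or any FreeBSD tool: a small Python classifier that runs over Apache access-log lines and tags the two probe patterns discussed in this thread (CodeRed's `/default.ida?NNN...%u` request and Nimda's hunt for `root.exe`/`shell.exe`/`cmd.exe`), then counts hits per source host so they can be reported or filtered out of the log. The sample lines are constructed: the first mirrors the entry quoted above with its padding shortened, the remaining hosts and paths are made up; matching CodeRed II's `X` padding alongside `N` is an assumption that goes slightly beyond the quoted entry.

```python
import re
from collections import Counter

# Apache access-log prefix: host ident user [time] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# CodeRed (and CodeRed II, which pads with X instead of N) requests /default.ida
# with a long padding run followed by %u-encoded bytes; Nimda probes for
# root.exe / shell.exe / cmd.exe left behind by earlier infections.
SIGNATURES = [
    ("CodeRed", re.compile(r"^GET /default\.ida\?[NX]+%u", re.IGNORECASE)),
    ("Nimda", re.compile(r"/(root|shell|cmd)\.exe", re.IGNORECASE)),
]

def classify(line):
    """Return (worm_name, source_host) for a recognised probe, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not an Apache access-log line; skip rather than guess
    for name, pattern in SIGNATURES:
        if pattern.search(m.group("request")):
            return name, m.group("host")
    return None

def summarize(lines):
    """Count probes per (worm, host): one abuse report per host, or a list of
    noisy sources to drop before they flood the log."""
    counts = Counter()
    for line in lines:
        hit = classify(line)
        if hit is not None:
            counts[hit] += 1
    return counts

# Constructed sample input (see lead-in); padding on the CodeRed line shortened.
SAMPLE_LOG = [
    '131.123.8.178 - - [19/Oct/2001:13:25:07 -0700] "GET /default.ida?'
    'NNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801'
    '%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff'
    '%u0078%u0000%u00=a HTTP/1.0" 400 341 "-" "-"',
    '192.0.2.10 - - [22/Oct/2001:09:01:12 -0400] "GET /scripts/root.exe HTTP/1.0" 404 210 "-" "-"',
    '192.0.2.10 - - [22/Oct/2001:09:01:13 -0400] "GET /MSADC/root.exe HTTP/1.0" 404 210 "-" "-"',
    '192.0.2.11 - - [22/Oct/2001:09:02:00 -0400] "GET /c/winnt/system32/cmd.exe HTTP/1.0" 404 210 "-" "-"',
    '198.51.100.7 - - [22/Oct/2001:09:05:44 -0400] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for (worm, host), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{worm:8s} {host:15s} {n} probe(s)")
```

Feed it the real access log with `summarize(open("/var/log/httpd-access.log"))` to get the per-host counts for a real report.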