probes to port 80

 
 
yahoo serious
01-25-2004
Some 'desperate' hack is trying to break into my machine through my
webserver thinking I'm running some unpatched version of IIS. Fortunately
I'm just playing with Apache. However the 'individual' is fairly persistent
(20 attempts over a 10 minute period). Is there a way to identify the
culprit or at least warn the ISP that they have an issue? Using the Sam
Spade site did not uncover much ... only a reverse DNS lookup for IP
69.140.105.5 to pcp04417313pcs.nrockv01.md.comcast.net. My Apache error log
list of the attempts follows. For most requests for these kinds of files I've
redirected the request to IP 127.0.0.1 (someone suggested a Microsoft site
instead) but there seem to be too many variations to handle all the
kinds of requests for cmd.exe & root.exe. (I'm tempted to serve up a
malicious script page instead.) To reply directly un-mung (remove _mung)
the email address.

[Sat Jan 24 11:46:13 2004] [error] [client 69.140.105.5] File does not exist: /webshare/wwwroot/removed_pages/msadc/root.exe
[Sat Jan 24 11:46:23 2004] [error] [client 69.140.105.5] File does not exist: /webshare/wwwroot/removed_pages/scripts/..%5c/winnt/system32/cmd.exe
[Sat Jan 24 11:46:26 2004] [error] [client 69.140.105.5] File does not exist: /webshare/wwwroot/removed_pages/_vti_bin/..%5c/..%5c/..%5c/winnt/system32/cmd.exe
[Sat Jan 24 11:46:33 2004] [error] [client 69.140.105.5] File does not exist: /webshare/wwwroot/removed_pages/_mem_bin/..%5c/..%5c/..%5c/winnt/system32/cmd.exe
[Sat Jan 24 11:46:36 2004] [error] [client 69.140.105.5] File does not exist: /webshare/wwwroot/removed_pages/msadc/..%5c/..%5c/..%5c/../../../winnt/system32/cmd.exe
[Sat Jan 24 11:46:42 2004] [error] [client 69.140.105.5] File does not exist: /webshare/wwwroot/removed_pages/scripts/../winnt/system32/cmd.exe
[Sat Jan 24 11:46:49 2004] [error] [client 69.140.105.5] File does not exist: /webshare/wwwroot/removed_pages/scripts/../winnt/system32/cmd.exe
[Sat Jan 24 11:46:52 2004] [error] [client 69.140.105.5] File does not exist: /webshare/wwwroot/removed_pages/scripts/..o/winnt/system32/cmd.exe
[Sat Jan 24 11:47:02 2004] [error] [client 69.140.105.5] File does not exist: /webshare/wwwroot/removed_pages/scripts/..%5c/winnt/system32/cmd.exe
[Sat Jan 24 11:47:05 2004] [error] [client 69.140.105.5] File does not exist: /webshare/wwwroot/removed_pages/scripts/..%2f/winnt/system32/cmd.exe
[Sat Jan 24 11:53:33 2004] [error] [client 69.140.105.5] File does not exist: /webshare/wwwroot/removed_pages/msadc/root.exe
[Sat Jan 24 11:53:46 2004] [error] [client 69.140.105.5] File does not exist: /webshare/wwwroot/removed_pages/scripts/..%5c/winnt/system32/cmd.exe
[Sat Jan 24 11:53:49 2004] [error] [client 69.140.105.5] File does not exist: /webshare/wwwroot/removed_pages/_vti_bin/..%5c/..%5c/..%5c/winnt/system32/cmd.exe
[Sat Jan 24 11:53:52 2004] [error] [client 69.140.105.5] File does not exist: /webshare/wwwroot/removed_pages/_mem_bin/..%5c/..%5c/..%5c/winnt/system32/cmd.exe
[Sat Jan 24 11:53:55 2004] [error] [client 69.140.105.5] File does not exist: /webshare/wwwroot/removed_pages/msadc/..%5c/..%5c/..%5c/../../../winnt/system32/cmd.exe
[Sat Jan 24 11:53:59 2004] [error] [client 69.140.105.5] File does not exist: /webshare/wwwroot/removed_pages/scripts/../winnt/system32/cmd.exe
[Sat Jan 24 11:54:05 2004] [error] [client 69.140.105.5] File does not exist: /webshare/wwwroot/removed_pages/scripts/../winnt/system32/cmd.exe
[Sat Jan 24 11:54:08 2004] [error] [client 69.140.105.5] File does not exist: /webshare/wwwroot/removed_pages/scripts/..o/winnt/system32/cmd.exe
[Sat Jan 24 11:54:18 2004] [error] [client 69.140.105.5] File does not exist: /webshare/wwwroot/removed_pages/scripts/..%5c/winnt/system32/cmd.exe
[Sat Jan 24 11:54:21 2004] [error] [client 69.140.105.5] File does not exist: /webshare/wwwroot/removed_pages/scripts/..%2f/winnt/system32/cmd.exe


Hairy One Kenobi
01-25-2004
"yahoo serious" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Some 'desperate' hack is trying to break into my machine through my
> webserver thinking I'm running some unpatched version of IIS. Fortunately
> I'm just playing with Apache. However the 'individual' is fairly persistent
> (20 attempts over a 10 minute period). Is there a way to identify the
> culprit or at least warn the ISP that they have an issue. Using the Sam
> Spade site did not uncover much ..only a reverse dns lookup for IP
> 69.140.105.5 to pcp04417313pcs.nrockv01.md.comcast.net.


<snip>

A desperate script would be more likely. ADVwhois reports the block owner as
Comcast - which is who you'd want to report it to, if you're that way
inclined.

No longer familiar enough with Apache to know what sort of
filtering/redirection you can do (there are lots of different possible IIS
exploits, all/most of which should have been patched long ago). I've had
about 9000-odd blocked requests myself since the middle of June (and, no, I
don't use IIS either..)

There are a few Apache froups that might be able to give specific
recommendations, if you are looking to do something more..uhm.. proactive.
OTOH, it'll probably only lead to someone taking a look manually..

HTH

Hairy One Kenobi

Disclaimer: the opinions expressed in this opinion do not necessarily
reflect the opinions of the highly-opinionated person expressing the opinion
in the first place. So there!


Ben Measures
01-26-2004
yahoo serious wrote:
> Some 'desperate' hack is trying to break into my machine through my
> webserver thinking I'm running some unpatched version of IIS. Fortunately
> I'm just playing with Apache. However the 'individual' is fairly persistent
> (20 attempts over a 10 minute period). Is there a way to identify the
> culprit or at least warn the ISP that they have an issue? Using the Sam
> Spade site did not uncover much ... only a reverse DNS lookup for IP
> 69.140.105.5 to pcp04417313pcs.nrockv01.md.comcast.net. My Apache error log
> list of the attempts follows. For most requests for these kinds of files I've
> redirected the request to IP 127.0.0.1 (someone suggested a Microsoft site
> instead) but there seem to be too many variations to handle all the
> kinds of requests for cmd.exe & root.exe. (I'm tempted to serve up a
> malicious script page instead.) To reply directly un-mung (remove _mung)
> the email address.


> Is there a way to identify the culprit

Not really. If you do find out I'm sure the RIAA would like to know

> or at least warn the ISP that they have an issue.

Maybe. The problem is, they might not consider it an issue - comcast.net
is a big network. Here is what I found on whois:
# jwhois 69.140.105.5
[Querying whois.arin.net]
[whois.arin.net]

OrgName: Comcast Cable Communications, Inc.
OrgID: CMCS
Address: 3 Executive Campus
Address: 5th Floor
City: Cherry Hill
StateProv: NJ
PostalCode: 08002
Country: US

NetRange: 69.136.0.0 - 69.140.255.255
CIDR: 69.136.0.0/14, 69.140.0.0/16
NetName: JUMPSTART-3
NetHandle: NET-69-136-0-0-1
Parent: NET-69-0-0-0-0
NetType: Direct Allocation
NameServer: DNS01.JDC01.PA.COMCAST.NET
NameServer: DNS02.JDC01.PA.COMCAST.NET
Comment:
RegDate: 2003-04-24
Updated: 2003-11-05

OrgAbuseHandle: NAPO-ARIN
OrgAbuseName: Network Abuse and Policy Observance
OrgAbusePhone: +1-856-317-7272
OrgAbuseEmail: (E-Mail Removed)

OrgTechHandle: IC161-ARIN
OrgTechName: Comcast Cable Communications Inc
OrgTechPhone: +1-856-317-7200
OrgTechEmail: (E-Mail Removed)


The only thing I can suggest you can do is to block the IP address at
the kernel level. Then the attacks won't even reach Apache even if it
isn't vulnerable, the advantage being smaller logs, fewer processor
cycles used, and fewer 404s uploaded.

Since the offender isn't sending too much data to you, I wouldn't worry
too much about it.

--
Ben M.

----------------
What are Software Patents for?
To protect the small enterprise from bigger companies.

What do Software Patents do?
In its current form, they protect only companies with
big legal departments as they:
a.) Patent everything no matter how general
b.) Sue everybody. Even if the patent can be argued
invalid, small companies can ill-afford the
typical $500k cost of a law-suit (not to mention
years of harassment).

Don't let them take away your right to program
whatever you like. Make a stand on Software Patents
before it's too late.

Read about the ongoing battle at http://swpat.ffii.org/
----------------
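One way to act on both suggestions in this thread (yahoo serious's "too many variations" of cmd.exe/root.exe requests, and Ben's kernel-level block), as an added example that is not code from the thread or from any poster: canonicalize each logged path so the %5c, %2f, "../" and mangled "..o" forms all collapse to one target, count probes per client inside a sliding time window (20 in 10 minutes, as reported above), and build the iptables drop rule for any client over the threshold. Assumptions: Linux with iptables, the regex matches Apache 1.3/2.0-style error lines as shown in the post, the sample lines are constructed from the shapes in the thread, and any path segment beginning with ".." is treated as a traversal attempt.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

LOG_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[\d.]+)\] "
                    r"File does not exist: (?P<path>\S+)$")
WORM_TARGETS = ("/winnt/system32/cmd.exe", "/msadc/root.exe")  # what the IIS worms ask for

def canonical(path):
    # Decode %5c/%2f escapes, fold '\' to '/', and treat any '..'-prefixed segment
    # (including the mangled '..o' in these logs) as "up one level" (assumption).
    out = []
    for seg in unquote(path).replace("\\", "/").lower().split("/"):
        if seg.startswith(".."):
            out = out[:-1]
        elif seg not in ("", "."):
            out.append(seg)
    return "/" + "/".join(out)

def offenders(lines, threshold=20, window_s=600):
    # {ip: total worm probes} for clients with >= threshold probes inside any window_s span.
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m and canonical(m["path"]).endswith(WORM_TARGETS):
            hits[m["ip"]].append(datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"))
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_s:  # slide the left edge
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged

def block_rule(ip):
    # Kernel-level drop on Linux (assumes iptables): the packets never reach Apache.
    return f"iptables -I INPUT -s {ip} -p tcp --dport 80 -j DROP"

SAMPLE = [  # constructed from the shapes in the thread; 10.0.0.7 is an ordinary 404
    "[Sat Jan 24 11:46:13 2004] [error] [client 69.140.105.5] File does not exist: /webshare/wwwroot/removed_pages/msadc/root.exe",
    "[Sat Jan 24 11:46:23 2004] [error] [client 69.140.105.5] File does not exist: /webshare/wwwroot/removed_pages/scripts/..%5c/winnt/system32/cmd.exe",
    "[Sat Jan 24 11:46:36 2004] [error] [client 69.140.105.5] File does not exist: /webshare/wwwroot/removed_pages/msadc/..%5c/..%5c/..%5c/../../../winnt/system32/cmd.exe",
    "[Sat Jan 24 11:46:52 2004] [error] [client 69.140.105.5] File does not exist: /webshare/wwwroot/removed_pages/scripts/..o/winnt/system32/cmd.exe",
    "[Sat Jan 24 11:50:00 2004] [error] [client 10.0.0.7] File does not exist: /webshare/wwwroot/favicon.ico",
]
```

Run `offenders(open("error_log"), threshold=20)` over a real log and feed each flagged address to `block_rule`; the default threshold matches the 20-in-10-minutes rate in the opening post.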

Jim Watt
01-26-2004
On Mon, 26 Jan 2004 05:06:59 +0000, Ben Measures
<(E-Mail Removed)> wrote:

>Not really. If you do find out I'm sure the RIAA would like to know


Well, it's easy enough to see people are using Kazaa

(apart from their computers being ****ed up by spyware
and virii)
--
Jim Watt http://www.gibnet.com
keydet
01-26-2004
> Some 'desperate' hack is trying to break into my machine through my
> webserver thinking I'm running some unpatched version of IIS. Fortunately
> I'm just playing with Apache. However the 'individual' is fairly persistent
> (20 attempts over a 10 minute period).



> Is there a way to identify the
> culprit or at least warn the ISP that they have an issue? Using the Sam
> Spade site did not uncover much ... only a reverse DNS lookup for IP
> 69.140.105.5 to pcp04417313pcs.nrockv01.md.comcast.net.


Looks like you did a pretty good job of identifying the culprit. From
the hostname, it looks as though this individual is using Comcast out
of Rockville, MD.


> My Apache error log
> list of the attempts follows. For most requests for these kinds of files I've
> redirected the request to IP 127.0.0.1 (someone suggested a Microsoft site
> instead) but there seem to be too many variations to handle all the
> kinds of requests for cmd.exe & root.exe. (I'm tempted to serve up a
> malicious script page instead.)


Why not simply let it go, or use a router or firewall to block the IP
range?