#1

Some 'desperate' hack is trying to break into my machine through my webserver thinking I'm running some unpatched version of IIS. Fortunately I'm just playing with Apache. However the 'individual' is fairly persistent (20 attempts over a 10 minute period). Is there a way to identify the culprit or at least warn the ISP that they have an issue? Using the Sam Spade site did not uncover much ..only a reverse dns lookup for IP 69.140.105.5 to pcp04417313pcs.nrockv01.md.comcast.net.

My apache error log list of the attempts follows. For most requests for these kinds of files I've redirected the request to IP 127.0.0.1 (someone suggested a microsoft site instead kinds of requests for cmd.exe & root.exe. (I'm tempted to serve up a malicious script page instead.) To reply directly un-mung (remove _mung) the email address.

[Sat Jan 24 11:46:13 2004] [error] [client 69.140.105.5] File does not exist: /webshare/wwwroot/removed_pages/msadc/root.exe
[Sat Jan 24 11:46:23 2004] [error] [client 69.140.105.5] File does not exist: /webshare/wwwroot/removed_pages/scripts/..%5c/winnt/system32/cmd.exe
[Sat Jan 24 11:46:26 2004] [error] [client 69.140.105.5] File does not exist: /webshare/wwwroot/removed_pages/_vti_bin/..%5c/..%5c/..%5c/winnt/system32/cmd.exe
[Sat Jan 24 11:46:33 2004] [error] [client 69.140.105.5] File does not exist: /webshare/wwwroot/removed_pages/_mem_bin/..%5c/..%5c/..%5c/winnt/system32/cmd.exe
[Sat Jan 24 11:46:36 2004] [error] [client 69.140.105.5] File does not exist: /webshare/wwwroot/removed_pages/msadc/..%5c/..%5c/..%5c/..Á/..Á/..Á/winnt/system32/cmd.exe
[Sat Jan 24 11:46:42 2004] [error] [client 69.140.105.5] File does not exist: /webshare/wwwroot/removed_pages/scripts/..Á/winnt/system32/cmd.exe
[Sat Jan 24 11:46:49 2004] [error] [client 69.140.105.5] File does not exist: /webshare/wwwroot/removed_pages/scripts/..À¯/winnt/system32/cmd.exe
[Sat Jan 24 11:46:52 2004] [error] [client 69.140.105.5] File does not exist: /webshare/wwwroot/removed_pages/scripts/..Áo/winnt/system32/cmd.exe
[Sat Jan 24 11:47:02 2004] [error] [client 69.140.105.5] File does not exist: /webshare/wwwroot/removed_pages/scripts/..%5c/winnt/system32/cmd.exe
[Sat Jan 24 11:47:05 2004] [error] [client 69.140.105.5] File does not exist: /webshare/wwwroot/removed_pages/scripts/..%2f/winnt/system32/cmd.exe
[Sat Jan 24 11:53:33 2004] [error] [client 69.140.105.5] File does not exist: /webshare/wwwroot/removed_pages/msadc/root.exe
[Sat Jan 24 11:53:46 2004] [error] [client 69.140.105.5] File does not exist: /webshare/wwwroot/removed_pages/scripts/..%5c/winnt/system32/cmd.exe
[Sat Jan 24 11:53:49 2004] [error] [client 69.140.105.5] File does not exist: /webshare/wwwroot/removed_pages/_vti_bin/..%5c/..%5c/..%5c/winnt/system32/cmd.exe
[Sat Jan 24 11:53:52 2004] [error] [client 69.140.105.5] File does not exist: /webshare/wwwroot/removed_pages/_mem_bin/..%5c/..%5c/..%5c/winnt/system32/cmd.exe
[Sat Jan 24 11:53:55 2004] [error] [client 69.140.105.5] File does not exist: /webshare/wwwroot/removed_pages/msadc/..%5c/..%5c/..%5c/..Á/..Á/..Á/winnt/system32/cmd.exe
[Sat Jan 24 11:53:59 2004] [error] [client 69.140.105.5] File does not exist: /webshare/wwwroot/removed_pages/scripts/..Á/winnt/system32/cmd.exe
[Sat Jan 24 11:54:05 2004] [error] [client 69.140.105.5] File does not exist: /webshare/wwwroot/removed_pages/scripts/..À¯/winnt/system32/cmd.exe
[Sat Jan 24 11:54:08 2004] [error] [client 69.140.105.5] File does not exist: /webshare/wwwroot/removed_pages/scripts/..Áo/winnt/system32/cmd.exe
[Sat Jan 24 11:54:18 2004] [error] [client 69.140.105.5] File does not exist: /webshare/wwwroot/removed_pages/scripts/..%5c/winnt/system32/cmd.exe
[Sat Jan 24 11:54:21 2004] [error] [client 69.140.105.5] File does not exist: /webshare/wwwroot/removed_pages/scripts/..%2f/winnt/system32/cmd.exe

yahoo serious

#2

"yahoo serious" <> wrote in message news:...
> Some 'desperate' hack is trying to break into my machine through my
> webserver thinking I'm running some unpatched version of IIS. Fortunately
> I'm just playing with Apache. However the 'individual' is fairly persistent
> (20 attempts over a 10 minute period). Is there a way to identify the
> culprit or at least warn the ISP that they have an issue. Using the Sam
> Spade site did not uncover much ..only a reverse dns lookup for IP
> 69.140.105.5 to pcp04417313pcs.nrockv01.md.comcast.net.
<snip>

A desperate script would be more likely. ADVwhois reports the block owner as Comcast - which is who you'd want to report it to, if you're that way inclined.

No longer familiar enough with Apache to know what sort of filtering/redirection you can do (there are lots of different possible IIS exploits, all/most of which should have been patched long ago). I've had about 9000-odd blocked requests myself since the middle of June (and, no, I don't use IIS either..)

There are a few Apache froups that might be able to give specific recommendations, if you are looking to do something more..uhm.. proactive. OTOH, it'll probably only lead to someone taking a look manually..

HTH

Hairy One Kenobi

Disclaimer: the opinions expressed in this opinion do not necessarily reflect the opinions of the highly-opinionated person expressing the opinion in the first place. So there!

#3

yahoo serious wrote:
> Some 'desperate' hack is trying to break into my machine through my
> webserver thinking I'm running some unpatched version of IIS. Fortunately
> I'm just playing with Apache. However the 'individual' is fairly persistent
> (20 attempts over a 10 minute period). Is there a way to identify the
> culprit or at least warn the ISP that they have an issue. Using the Sam
> Spade site did not uncover much ..only a reverse dns lookup for IP
> 69.140.105.5 to pcp04417313pcs.nrockv01.md.comcast.net. My apache error log
> list of the attempts follows. For most request for these kinds of files I've
> redirected the request to IP 127.0.0.1 (someone suggested a microsoft site
> instead
> kinds of requests for cmd.exe & root.exe. (I'm tempted to serve up a
> malicious script page instead.). To reply directly un-mung ( remove _mung)
> the email address.

> Is there a way to identify the culprit

Not really. If you do find out I'm sure the RIAA would like to know

> or at least warn the ISP that they have an issue.

Maybe. The problem is, they might not consider it an issue - comcast.net is a big network. Here is what I found on whois:

# jwhois 69.140.105.5
[Querying whois.arin.net]
[whois.arin.net]
OrgName:    Comcast Cable Communications, Inc.
OrgID:      CMCS
Address:    3 Executive Campus
Address:    5th Floor
City:       Cherry Hill
StateProv:  NJ
PostalCode: 08002
Country:    US

NetRange:   69.136.0.0 - 69.140.255.255
CIDR:       69.136.0.0/14, 69.140.0.0/16
NetName:    JUMPSTART-3
NetHandle:  NET-69-136-0-0-1
Parent:     NET-69-0-0-0-0
NetType:    Direct Allocation
NameServer: DNS01.JDC01.PA.COMCAST.NET
NameServer: DNS02.JDC01.PA.COMCAST.NET
Comment:
RegDate:    2003-04-24
Updated:    2003-11-05

OrgAbuseHandle: NAPO-ARIN
OrgAbuseName:   Network Abuse and Policy Observance
OrgAbusePhone:  +1-856-317-7272
OrgAbuseEmail:

OrgTechHandle: IC161-ARIN
OrgTechName:   Comcast Cable Communications Inc
OrgTechPhone:  +1-856-317-7200
OrgTechEmail:  cips_ip-

The only thing I can suggest you can do is to block the ip address at the kernel level. Then the attacks won't even reach apache even if it isn't vulnerable, the advantage being smaller logs, fewer processor cycles used, and fewer 404s uploaded.

Since the offender isn't sending too much data to you, I wouldn't worry too much about it.

--
Ben M.

----------------
What are Software Patents for?
To protect the small enterprise from bigger companies.
What do Software Patents do?
In its current form, they protect only companies with big legal departments as they:
a.) Patent everything no matter how general
b.) Sue everybody. Even if the patent can be argued invalid, small companies can ill-afford the typical $500k cost of a law-suit (not to mention years of harassment).
Don't let them take away your right to program whatever you like. Make a stand on Software Patents before it's too late.
Read about the ongoing battle at http://swpat.ffii.org/
----------------

#4

On Mon, 26 Jan 2004 05:06:59 +0000, Ben Measures <> wrote:
> Not really. If you do find out I'm sure the RIAA would like to know

Well, it's easy enough to see people are using Kazaa (apart from their computers being ****ed up by spyware and virii)

--
Jim Watt
http://www.gibnet.com

#5

> Some 'desperate' hack is trying to break into my machine through my
> webserver thinking I'm running some unpatched version of IIS. Fortunately
> I'm just playing with Apache. However the 'individual' is fairly persistent
> (20 attempts over a 10 minute period).

> Is there a way to identify the
> culprit or at least warn the ISP that they have an issue. Using the Sam
> Spade site did not uncover much ..only a reverse dns lookup for IP
> 69.140.105.5 to pcp04417313pcs.nrockv01.md.comcast.net.

Looks like you did a pretty good job of identifying the culprit. From the hostname, it looks as though this individual is using ComCast out of Rockville, MD.

> My apache error log
> list of the attempts follows. For most request for these kinds of files I've
> redirected the request to IP 127.0.0.1 (someone suggested a microsoft site
> instead
> kinds of requests for cmd.exe & root.exe. (I'm tempted to serve up a
> malicious script page instead.).

Why not simply let it go, or use a router or firewall to block the IP range?
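Both #3 (block the address at the kernel level) and #5 (block it at a router or firewall) come down to the same step: pull the offending client out of the error log and drop it before it reaches Apache. The script below is an added example, not code from anyone in this thread. It matches the probe signatures visible in post #1 (root.exe, cmd.exe, and the raw or overlong-UTF-8 "..%5c" / "..%2f" / "..%c0%af" traversals; that 16-request sequence is the scan list the Nimda worm used, so the source is more likely an infected Windows box than a person typing), counts hits per client, and prints iptables rules for repeat offenders. The sample log lines are constructed, modelled on the post, and use RFC 5737 documentation addresses rather than the real client; the threshold of 3 and the choice of a plain iptables DROP are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): find IIS-worm probes in an Apache
# error log, count them per client IP, and emit kernel-level block rules
# as posts #3 and #5 suggest. Rules are printed, not applied, so they can
# be reviewed before being fed to a root shell.

# Constructed sample log modelled on post #1. Addresses are RFC 5737
# documentation ranges, not real clients.
SAMPLE_LOG='[Sat Jan 24 11:46:13 2004] [error] [client 198.51.100.5] File does not exist: /webshare/wwwroot/msadc/root.exe
[Sat Jan 24 11:46:23 2004] [error] [client 198.51.100.5] File does not exist: /webshare/wwwroot/scripts/..%5c/winnt/system32/cmd.exe
[Sat Jan 24 11:46:49 2004] [error] [client 198.51.100.5] File does not exist: /webshare/wwwroot/scripts/..%c0%af/winnt/system32/cmd.exe
[Sat Jan 24 11:47:02 2004] [error] [client 198.51.100.5] File does not exist: /webshare/wwwroot/_vti_bin/..%5c/..%5c/..%5c/winnt/system32/cmd.exe
[Sat Jan 24 11:50:00 2004] [error] [client 192.0.2.10] File does not exist: /webshare/wwwroot/favicon.ico
[Sat Jan 24 11:55:30 2004] [error] [client 203.0.113.7] File does not exist: /webshare/wwwroot/scripts/..%2f/winnt/system32/cmd.exe'

# Probe signatures: the RDS sample binary, cmd.exe, and the encoded
# "..\" / "../" traversal sequences (plain %5c/%2f and the overlong
# UTF-8 forms %c0%af, %c1%1c, %c1%9c) used against unpatched IIS.
PROBE_RE='cmd\.exe|root\.exe|\.\.(%5c|%2f|%c0%af|%c1%1c|%c1%9c)'

# iis_probe_hits: read an Apache error log on stdin and print
# "count ip" for every client with at least one matching request,
# most hits first.
iis_probe_hits() {
    grep -iE "$PROBE_RE" \
        | sed -n 's/.*\[client \([0-9.]*\)\].*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# block_rules MIN: read an error log on stdin and print one iptables
# DROP rule per client with at least MIN matching requests.
# Pipe the output into "sh" as root to apply; an ipset or a router ACL
# does the same job with less rule churn on a busy host.
block_rules() {
    iis_probe_hits | awk -v min="$1" \
        '$1 >= min { printf "iptables -I INPUT -s %s -j DROP\n", $2 }'
}

# Stand-alone run: three or more probes from one address gets it dropped.
printf '%s\n' "$SAMPLE_LOG" | block_rules 3
```

Every line in post #1 contains either cmd.exe or root.exe, so the traversal alternatives in PROBE_RE are only there to catch variants that target other filenames. Note that the poster's Apache logged some of the overlong sequences already URL-decoded (the ..Á/ and ..À¯ fragments); those lines are still caught by the cmd.exe match. A threshold above 1 keeps a single stray 404 from a legitimate visitor out of the firewall, and since this scan pattern repeats from infected hosts every few minutes, a short-lived rule (or a cron job that rebuilds it from the current log) is enough; there is little to gain from answering the requests at all, which is the point #3 makes about log size and CPU.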