probes to port 80

Discussion in 'Computer Security' started by yahoo serious, Jan 25, 2004.

  1. Some 'desperate' hack is trying to break into my machine through my
    webserver thinking I'm running some unpatched version of IIS. Fortunately
    I'm just playing with Apache. However the 'individual' is fairly persistent
    (20 attempts over a 10 minute period). Is there a way to identify the
    culprit or at least warn the ISP that they have an issue? Using the Sam
    Spade site did not uncover much, only a reverse DNS lookup for IP
    69.140.105.5 to pcp04417313pcs.nrockv01.md.comcast.net. My Apache error log
    list of the attempts follows. For most requests for these kinds of files I've
    redirected the request to IP 127.0.0.1 (someone suggested a Microsoft site
    instead :) ) but there seem to be too many variations to handle all the
    kinds of requests for cmd.exe & root.exe. (I'm tempted to serve up a
    malicious script page instead.) To reply directly un-mung (remove _mung)
    the email address.

    [Sat Jan 24 11:46:13 2004] [error] [client 69.140.105.5] File does not exist: /webshare/wwwroot/removed_pages/msadc/root.exe
    [Sat Jan 24 11:46:23 2004] [error] [client 69.140.105.5] File does not exist: /webshare/wwwroot/removed_pages/scripts/..%5c/winnt/system32/cmd.exe
    [Sat Jan 24 11:46:26 2004] [error] [client 69.140.105.5] File does not exist: /webshare/wwwroot/removed_pages/_vti_bin/..%5c/..%5c/..%5c/winnt/system32/cmd.exe
    [Sat Jan 24 11:46:33 2004] [error] [client 69.140.105.5] File does not exist: /webshare/wwwroot/removed_pages/_mem_bin/..%5c/..%5c/..%5c/winnt/system32/cmd.exe
    [Sat Jan 24 11:46:36 2004] [error] [client 69.140.105.5] File does not exist: /webshare/wwwroot/removed_pages/msadc/..%5c/..%5c/..%5c/..Á/..Á/..Á/winnt/system32/cmd.exe
    [Sat Jan 24 11:46:42 2004] [error] [client 69.140.105.5] File does not exist: /webshare/wwwroot/removed_pages/scripts/..Á/winnt/system32/cmd.exe
    [Sat Jan 24 11:46:49 2004] [error] [client 69.140.105.5] File does not exist: /webshare/wwwroot/removed_pages/scripts/..À¯/winnt/system32/cmd.exe
    [Sat Jan 24 11:46:52 2004] [error] [client 69.140.105.5] File does not exist: /webshare/wwwroot/removed_pages/scripts/..Áo/winnt/system32/cmd.exe
    [Sat Jan 24 11:47:02 2004] [error] [client 69.140.105.5] File does not exist: /webshare/wwwroot/removed_pages/scripts/..%5c/winnt/system32/cmd.exe
    [Sat Jan 24 11:47:05 2004] [error] [client 69.140.105.5] File does not exist: /webshare/wwwroot/removed_pages/scripts/..%2f/winnt/system32/cmd.exe
    [Sat Jan 24 11:53:33 2004] [error] [client 69.140.105.5] File does not exist: /webshare/wwwroot/removed_pages/msadc/root.exe
    [Sat Jan 24 11:53:46 2004] [error] [client 69.140.105.5] File does not exist: /webshare/wwwroot/removed_pages/scripts/..%5c/winnt/system32/cmd.exe
    [Sat Jan 24 11:53:49 2004] [error] [client 69.140.105.5] File does not exist: /webshare/wwwroot/removed_pages/_vti_bin/..%5c/..%5c/..%5c/winnt/system32/cmd.exe
    [Sat Jan 24 11:53:52 2004] [error] [client 69.140.105.5] File does not exist: /webshare/wwwroot/removed_pages/_mem_bin/..%5c/..%5c/..%5c/winnt/system32/cmd.exe
    [Sat Jan 24 11:53:55 2004] [error] [client 69.140.105.5] File does not exist: /webshare/wwwroot/removed_pages/msadc/..%5c/..%5c/..%5c/..Á/..Á/..Á/winnt/system32/cmd.exe
    [Sat Jan 24 11:53:59 2004] [error] [client 69.140.105.5] File does not exist: /webshare/wwwroot/removed_pages/scripts/..Á/winnt/system32/cmd.exe
    [Sat Jan 24 11:54:05 2004] [error] [client 69.140.105.5] File does not exist: /webshare/wwwroot/removed_pages/scripts/..À¯/winnt/system32/cmd.exe
    [Sat Jan 24 11:54:08 2004] [error] [client 69.140.105.5] File does not exist: /webshare/wwwroot/removed_pages/scripts/..Áo/winnt/system32/cmd.exe
    [Sat Jan 24 11:54:18 2004] [error] [client 69.140.105.5] File does not exist: /webshare/wwwroot/removed_pages/scripts/..%5c/winnt/system32/cmd.exe
    [Sat Jan 24 11:54:21 2004] [error] [client 69.140.105.5] File does not exist: /webshare/wwwroot/removed_pages/scripts/..%2f/winnt/system32/cmd.exe
     
    yahoo serious, Jan 25, 2004
    #1

  2. "yahoo serious" <> wrote in message
    news:...
    > Some 'desperate' hack is trying to break into my machine through my
    > webserver thinking I'm running some unpatched version of IIS. Fortunately
    > I'm just playing with Apache. However the 'individual' is fairly persistent
    > (20 attempts over a 10 minute period). Is there a way to identify the
    > culprit or at least warn the ISP that they have an issue. Using the Sam
    > Spade site did not uncover much ..only a reverse dns lookup for IP
    > 69.140.105.5 to pcp04417313pcs.nrockv01.md.comcast.net.


    <snip>

    A desperate script would be more likely. ADVwhois reports the block owner as
    Comcast - which is who you'd want to report it to, if you're that way
    inclined.

    No longer familiar enough with Apache to know what sort of
    filtering/redirection you can do (there are lots of different possible IIS
    exploits, all/most of which should have been patched long ago). I've had
    about 9000-odd blocked requests myself since the middle of June (and, no, I
    don't use IIS either..)

    There are a few Apache froups that might be able to give specific
    recommendations, if you are looking to do something more..uhm.. proactive.
    OTOH, it'll probably only lead to someone taking a look manually..

    HTH

    Hairy One Kenobi

    Disclaimer: the opinions expressed in this opinion do not necessarily
    reflect the opinions of the highly-opinionated person expressing the opinion
    in the first place. So there!
     
    Hairy One Kenobi, Jan 25, 2004
    #2

  3. Ben Measures (Guest)

    yahoo serious wrote:
    > Some 'desperate' hack is trying to break into my machine through my
    > webserver thinking I'm running some unpatched version of IIS. Fortunately
    > I'm just playing with Apache. However the 'individual' is fairly persistent
    > (20 attempts over a 10 minute period). Is there a way to identify the
    > culprit or at least warn the ISP that they have an issue? Using the Sam
    > Spade site did not uncover much, only a reverse DNS lookup for IP
    > 69.140.105.5 to pcp04417313pcs.nrockv01.md.comcast.net. My Apache error log
    > list of the attempts follows. For most requests for these kinds of files I've
    > redirected the request to IP 127.0.0.1 (someone suggested a Microsoft site
    > instead :) ) but there seem to be too many variations to handle all the
    > kinds of requests for cmd.exe & root.exe. (I'm tempted to serve up a
    > malicious script page instead.) To reply directly un-mung (remove _mung)
    > the email address.


    > Is there a way to identify the culprit

    Not really. If you do find out I'm sure the RIAA would like to know ;)

    > or at least warn the ISP that they have an issue.

    Maybe. The problem is, they might not consider it an issue - comcast.net
    is a big network. Here is what I found on whois:
    # jwhois 69.140.105.5
    [Querying whois.arin.net]
    [whois.arin.net]

    OrgName: Comcast Cable Communications, Inc.
    OrgID: CMCS
    Address: 3 Executive Campus
    Address: 5th Floor
    City: Cherry Hill
    StateProv: NJ
    PostalCode: 08002
    Country: US

    NetRange: 69.136.0.0 - 69.140.255.255
    CIDR: 69.136.0.0/14, 69.140.0.0/16
    NetName: JUMPSTART-3
    NetHandle: NET-69-136-0-0-1
    Parent: NET-69-0-0-0-0
    NetType: Direct Allocation
    NameServer: DNS01.JDC01.PA.COMCAST.NET
    NameServer: DNS02.JDC01.PA.COMCAST.NET
    Comment:
    RegDate: 2003-04-24
    Updated: 2003-11-05

    OrgAbuseHandle: NAPO-ARIN
    OrgAbuseName: Network Abuse and Policy Observance
    OrgAbusePhone: +1-856-317-7272
    OrgAbuseEmail:

    OrgTechHandle: IC161-ARIN
    OrgTechName: Comcast Cable Communications Inc
    OrgTechPhone: +1-856-317-7200
    OrgTechEmail:


    The only thing I can suggest you can do is to block the IP address at
    the kernel level. Then the attacks won't even reach Apache even if it
    isn't vulnerable, the advantage being smaller logs, fewer processor
    cycles used, and fewer 404s uploaded.

    Since the offender isn't sending too much data to you, I wouldn't worry
    too much about it.

    --
    Ben M.

    ----------------
    What are Software Patents for?
    To protect the small enterprise from bigger companies.

    What do Software Patents do?
    In its current form, they protect only companies with
    big legal departments as they:
    a.) Patent everything no matter how general
    b.) Sue everybody. Even if the patent can be argued
    invalid, small companies can ill-afford the
    typical $500k cost of a law-suit (not to mention
    years of harassment).

    Don't let them take away your right to program
    whatever you like. Make a stand on Software Patents
    before it's too late.

    Read about the ongoing battle at http://swpat.ffii.org/
    ----------------
     
    Ben Measures, Jan 26, 2004
    #3
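    Added example (my own code, not Ben's or Comcast's tooling) for the two
    suggestions in this post: take the whois record, work out which of the
    listed CIDR blocks actually contains the offending address, and compare a
    host-level kernel block with a range block, including how many other
    addresses the range block would catch. The whois excerpt embedded below is
    constructed from the fields Ben posted; the iptables rule text assumes a
    Linux host and is only generated as a string, never executed, so the script
    is safe to run anywhere.

```python
import ipaddress
import re

# Constructed sample input: the fields Ben Measures posted for 69.140.105.5,
# trimmed to what this example needs. A real run would capture `whois` output.
WHOIS_TEXT = """\
OrgName: Comcast Cable Communications, Inc.
OrgID: CMCS
NetRange: 69.136.0.0 - 69.140.255.255
CIDR: 69.136.0.0/14, 69.140.0.0/16
NetName: JUMPSTART-3
NetType: Direct Allocation
OrgAbuseHandle: NAPO-ARIN
OrgAbuseName: Network Abuse and Policy Observance
OrgAbusePhone: +1-856-317-7272
"""


def parse_whois(text):
    """Turn 'Key: value' lines into a dict, keeping the first value per key."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z]+):\s*(.*)$", line)
        if m:
            fields.setdefault(m.group(1), m.group(2).strip())
    return fields


def allocation_networks(fields):
    """The CIDR line can list several blocks; return each as an ip_network."""
    return [ipaddress.ip_network(c.strip())
            for c in fields.get("CIDR", "").split(",") if c.strip()]


def smallest_containing(ip, nets):
    """The most specific listed block containing `ip`, or None if none does
    (the /14 above stops at 69.139.255.255, so only the /16 holds this host)."""
    addr = ipaddress.ip_address(ip)
    hits = [n for n in nets if addr in n]
    return min(hits, key=lambda n: n.num_addresses) if hits else None


def block_plan(ip, fields):
    """Compare blocking the single host (Ben's suggestion) with blocking the
    whole allocation, and carry the abuse contact along for a report."""
    net = smallest_containing(ip, allocation_networks(fields))
    host = ipaddress.ip_network(f"{ip}/32")
    # Hypothetical rule text for a Linux netfilter drop; generated only, not run.
    return {
        "owner": fields.get("OrgName"),
        "abuse_contact": fields.get("OrgAbuseHandle"),
        "allocation": str(net) if net else None,
        "host_rule": f"iptables -A INPUT -s {host.with_prefixlen} -j DROP",
        "range_rule": f"iptables -A INPUT -s {net.with_prefixlen} -j DROP" if net else None,
        # everyone else in the block who would be cut off by the range rule
        "range_collateral": net.num_addresses - 1 if net else 0,
    }


if __name__ == "__main__":
    plan = block_plan("69.140.105.5", parse_whois(WHOIS_TEXT))
    print(f"owner: {plan['owner']} (abuse handle {plan['abuse_contact']})")
    print(f"host block : {plan['host_rule']}")
    print(f"range block: {plan['range_rule']}  "
          f"(would also drop {plan['range_collateral']} other addresses)")
```

    The collateral figure is the practical argument for Ben's host-level block
    over a range block on a consumer ISP: one /32 stops this client, while the
    /16 that contains it belongs to tens of thousands of other subscribers.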
  4. Jim Watt (Guest)

    On Mon, 26 Jan 2004 05:06:59 +0000, Ben Measures
    <> wrote:

    >Not really. If you do find out I'm sure the RIAA would like to know ;)


    Well, it's easy enough to see people are using Kazaa

    (apart from their computers being fucked up by spyware
    and virii)
    --
    Jim Watt http://www.gibnet.com
     
    Jim Watt, Jan 26, 2004
    #4
  5. keydet (Guest)

    > Some 'desperate' hack is trying to break into my machine through my
    > webserver thinking I'm running some unpatched version of IIS. Fortunately
    > I'm just playing with Apache. However the 'individual' is fairly persistent
    > (20 attempts over a 10 minute period).
    > Is there a way to identify the
    > culprit or at least warn the ISP that they have an issue. Using the Sam
    > Spade site did not uncover much ..only a reverse dns lookup for IP
    > 69.140.105.5 to pcp04417313pcs.nrockv01.md.comcast.net.


    Looks like you did a pretty good job of identifying the culprit. From
    the hostname, it looks as though this individual is using ComCast out
    of Rockville, MD.


    > My apache error log
    > list of the attempts follows. For most request for these kinds of files I've
    > redirected the request to IP 127.0.0.1 (someone suggested a microsoft site
    > instead :) ) but there seem to be too many variations to handle all the
    > kinds of requests for cmd.exe & root.exe. (I'm tempted to serve up a
    > malicious script page instead.).


    Why not simply let it go, or use a router or firewall to block the IP
    range?
     
    keydet, Jan 26, 2004
    #5
