Threat of running a web server?

Discussion in 'Computer Security' started by Noyb, Jan 19, 2004.

  1. Noyb

    Noyb Guest

    Does leaving port 80 open for serving web pages leave me vulnerable? A few
    hours after telling BlackICE to allow port 80 traffic in I got an alarm with
    this event: HTTP_Code_Red_II

    Norton alerted me to the virus soon after and deleted it. Here's their
    write-up on it if anyone's interested:
    http://securityresponse.symantec.com/avcenter/venc/data/codered.worm.html

    I'm running Apache on WinXP with BlackICE and Norton AntiVirus running
    behind a Linksys router that is forwarding port 80 to my machine. Anyone
    know how this is possible that someone gave me a virus over my apache web
    server? Do I have a security hole or is this threat something I have to live
    with if I'm going to have a web server? Thanks for any help or suggestions.

    Steve.
    Noyb, Jan 19, 2004
    #1

  2. Noyb

    Conor Turton Guest

    In article <X8FOb.6922$>,
    says...
    > Does leaving port 80 open for serving web pages leave me vulnerable?


    Yep.


    --
    Conor

    "The vast majority of Iraqis want to live in a peaceful, free world.
    And we will find these people and we will bring them to justice." --
    George Bush
    Conor Turton, Jan 19, 2004
    #2

  3. In article <X8FOb.6922$>,
    says...
    > Does leaving port 80 open for serving web pages leave me vulnerable? A few
    > hours after telling BlackICE to allow port 80 traffic in I got an alarm with
    > this event: HTTP_Code_Red_II
    >
    > Norton alerted me to the virus soon after and deleted it. Here's their
    > write-up on it if anyone's interested:
    > http://securityresponse.symantec.com/avcenter/venc/data/codered.worm.html
    >
    > I'm running Apache on WinXP with BlackICE and Norton AntiVirus running
    > behind a Linksys router that is forwarding port 80 to my machine. Anyone
    > know how this is possible that someone gave me a virus over my apache web
    > server? Do I have a security hole or is this threat something I have to live
    > with if I'm going to have a web server? Thanks for any help or suggestions.
    >
    > Steve.
    >
    >
    >
    >



    allowing _any_ daemon (server for you microsoft weenies) to run on _any_
    port leaves you _vulnerable_. "how vulnerable" is dependent upon the
    daemon/server. _all_ programs have the _potential_ to be exploited. if
    you don't know what you're doing, don't run a server/daemon, even if
    you're running "black ice", nothing more than an IDS anyway.... even a
    personal firewall.... if you're explicitly telling the firewall/IDS to
    ignore port 80 traffic, you're leaving that particular service "out
    there". if you don't know what you're doing, you don't keep up on
    server/daemon patching and you're not running a proper IDS and actually
    watching the friggin logs, you'll get hacked... it's only a matter of
    time (in some cases, a 0day exploit).



    --
    Colonel Flagg
    http://www.internetwarzone.org/

    Privacy at a click:
    http://www.cotse.net

    Q: How many Bill Gates does it take to change a lightbulb?
    A: None, he just defines Darkness? as the new industry standard..."

    "...I see stupid people."
    Colonel Flagg, Jan 19, 2004
    #3
  4. Noyb

    kurt wismer Guest

    Colonel Flagg wrote:
    [snip]
    > allowing _any_ daemon (server for you microsoft weenies) to run on _any_


    http://en.wikipedia.org/wiki/Daemon

    while i'm sure there are plenty of reasons to make fun of microsoft
    weenies, it helps to get your facts straight first... a daemon's
    windows counterpart is the service not the server... a server is a
    server regardless of the platform... it's an architectural concept (as
    in client/server), not an operating system specific one...

    agree with the rest of the post though, more or less... accepting
    unprompted traffic (opening up a port for a server) means a greater
    risk of exposure to malicious code... if you don't know how to mitigate
    the risk you should consider less risky enterprises...

    --
    "hungry people don't stay hungry for long
    they get hope from fire and smoke as the weak grow strong
    hungry people don't stay hungry for long
    they get hope from fire and smoke as they reach for the dawn"
    kurt wismer, Jan 19, 2004
    #4
  5. Noyb

    Duane Arnold Guest

    "Noyb" <> wrote in
    news:X8FOb.6922$:

    > Does leaving port 80 open for serving web pages leave me vulnerable? A
    > few hours after telling BlackICE to allow port 80 traffic in I got an
    > alarm with this event: HTTP_Code_Red_II


    If you have set up Blackice correctly which is ACCEPT all IP(s) on PORT 80,
    enabled *Auto Blocking*, which turns on the IDS to tell the BI FW to block
    stuff coming down Port 80 if detected such as HTTP_Code_Red_II, the machine
    should be protected from that aspect. If you got the alert, then BI should
    have blocked the attack.

    I got plenty of attacks using BI on my IIS Webserver machine and nothing
    came through.

    >
    > Norton alerted me to the virus soon after and deleted it. Here's their
    > write-up on it if anyone's interested:
    > http://securityresponse.symantec.com/avcenter/venc/data/codered.worm.html


    And how can the Code Red attack an Apache Webserver, since the attack only
    affects IIS 4.0 or 5.0, according to the link above that have not been
    patched?

    >
    > I'm running Apache on WinXP with BlackICE and Norton AntiVirus running
    > behind a Linksys router that is forwarding port 80 to my machine.
    > Anyone know how this is possible that someone gave me a virus over my
    > apache web server?


    If you're sitting out there without the Webserver and the XP O/S locked
    down/hardened and running with an Admin Account, then I don't see why you
    cannot be attacked. All I can tell you is that Code Red won't come down
    port 80 past BI, if BI is configured properly.

    > Do I have a security hole or is this threat
    > something I have to live with if I'm going to have a web server?
    > Thanks for any help or suggestions.
    >


    Too many people with a home network can hardly protect a machine period
    for everyday home usage on the Internet let alone put up a Webserver. And
    yet they try to do it.

    I suggest you do your homework before proceeding further. And I would start
    with the XP Pro Resource Kit book.

    The buck stops at the O/S, including the router, FW, and AV.

    Duane :)
    Duane Arnold, Jan 19, 2004
    #5
  6. Noyb

    Mike Guest

    "Noyb" <> wrote in message
    news:X8FOb.6922$...
    > Does leaving port 80 open for serving web pages leave me vulnerable? A few
    > hours after telling BlackICE to allow port 80 traffic in I got an alarm with
    > this event: HTTP_Code_Red_II


    Oh yus. Make sure you are fully patched or run Apache on a stripped down
    Linux Machine.
    Mike, Jan 19, 2004
    #6
  7. In article <zMJOb.4950$>,
    says...

    > while i'm sure there are plenty of reasons to make fun of microsoft
    > weenies, it helps to get your facts straight first... a daemon's
    > windows counterpart is the service not the server... a server is a
    > server regardless of the platform... it's an architectural concept (as
    > in client/server), not an operating system specific one...
    >


    to a n00b, what's the difference? if you're running a "service", a
    "server" or a "daemon", you're providing "something" to be given out to
    someone. a "server" is a machine which provides either a "service" or a
    "daemon". there, fixed that... can't fix your ability to prove your
    "weenie-ness" however.

    > agree with the rest of the post though





    --
    Colonel Flagg
    http://www.internetwarzone.org/

    Privacy at a click:
    http://www.cotse.net

    Q: How many Bill Gates does it take to change a lightbulb?
    A: None, he just defines Darkness? as the new industry standard..."

    "...I see stupid people."
    Colonel Flagg, Jan 19, 2004
    #7
  8. On Mon, 19 Jan 2004 07:43:05 -0500, Colonel Flagg spoketh

    >
    >to a n00b, what's the difference? if you're running a "service", a
    >"server" or a "daemon", you're providing "something" to be given out to
    >someone. a "server" is a machine which provides either a "service" or a
    >"daemon". there, fixed that... can't fix your ability to prove your
    >"weenie-ness" however.
    >


    Why do you *always* have to make everything a pissing contest between MS
    and Linux? Can't you just leave it alone?

    Lars M. Hansen
    http://www.hansenonline.net
    (replace 'badnews' with 'news' in e-mail address)
    Lars M. Hansen, Jan 19, 2004
    #8
  9. Noyb

    Duane Arnold Guest

    Lars M. Hansen <> wrote in
    news::

    > On Mon, 19 Jan 2004 07:43:05 -0500, Colonel Flagg spoketh
    >
    >>
    >>to a n00b, what's the difference? if you're running a "service", a
    >>"server" or a "daemon", you're providing "something" to be given out to
    >>someone. a "server" is a machine which provides either a "service" or a
    >>"daemon". there, fixed that... can't fix your ability to prove your
    >>"weenie-ness" however.
    >>

    >
    > Why do you *always* have to make everything a pissing contest between MS
    > and Linux? Can't you just leave it alone?
    >
    > Lars M. Hansen
    > http://www.hansenonline.net
    > (replace 'badnews' with 'news' in e-mail address)
    >


    LOL <g>

    Duane :)
    Duane Arnold, Jan 19, 2004
    #9
  10. Noyb

    Geoff Lane Guest

    On Sun, 18 Jan 2004 23:20:14 -0500, Colonel Flagg
    <> wrote:

    >> Does leaving port 80 open for serving web pages leave me vulnerable? A few
    >> hours after telling BlackICE to allow port 80 traffic in I got an alarm with
    >> this event: HTTP_Code_Red_II


    >allowing _any_ daemon (server for you microsoft weenies) to run on _any_
    >port leaves you _vulnerable_. "how vulnerable" is dependent upon the
    >daemon/server. _all_ programs have the _potential_ to be exploited.


    I don't run a daemon/server/service thingumybob on my machine but may
    do in the future so am interested in this thread.

    I appreciate that when running a server there are different levels of
    service but if your service is a read only does that not make one
    reasonably safe?

    Geoff Lane
    Welwyn Hatfield Computer Club - Hertfordshire, UK
    www.whcc.co.uk - Online facilities for non locals
    Geoff Lane, Jan 19, 2004
    #10
  11. Noyb

    Conor Guest

    In article <>,
    says...

    > I appreciate that when running a server there are different levels of
    > service but if your service is a read only does that not make one
    > reasonably safe.
    >

    Nope. There are plenty of exploits not requiring write access that use
    other tricks such as buffer overflows etc.


    --
    Conor

    "The vast majority of Iraqis want to live in a peaceful, free world.
    And we will find these people and we will bring them to justice."
    - George Bush
    Conor, Jan 19, 2004
    #11
  12. Noyb

    Noyb Guest


    > allowing _any_ daemon (server for you microsoft weenies) to run on _any_
    > port leaves you _vulnerable_. "how vulnerable" is dependent upon the
    > daemon/server. _all_ programs have the _potential_ to be exploited. if
    > you don't know what you're doing, don't run a server/daemon, even if
    > you're running "black ice", nothing more than an IDS anyway.... even a
    > personal firewall.... if you're explicitly telling the firewall/IDS to
    > ignore port 80 traffic, you're leaving that particular service "out
    > there". if you don't know what you're doing, you don't keep up on
    > server/daemon patching and you're not running a proper IDS and actually
    > watching the friggin logs, you'll get hacked... it's only a matter of
    > time (in some cases, a 0day exploit).
    >
    >
    >
    > --
    > Colonel Flagg
    > http://www.internetwarzone.org/
    >
    > Privacy at a click:
    > http://www.cotse.net
    >
    > Q: How many Bill Gates does it take to change a lightbulb?
    > A: None, he just defines Darkness? as the new industry standard..."
    >
    > "...I see stupid people."


    "BlackICE protects using the same sophisticated technology that secures
    corporate networks around the world. This unique combination of firewall,
    fast, unobtrusive intrusion protection and straightforward interface
    protects the privacy of any home or office server."

    Sounds like a firewall, and it's always seemed to protect me. If you'd like
    to suggest some other solutions and not just "microsoft weenie" cut-downs
    I'd like to hear them.
    Noyb, Jan 19, 2004
    #12
  13. Noyb

    keydet Guest

    > Does leaving port 80 open for serving web pages leave me vulnerable?

    Depends on what you've got running on that port. The basic tenets of
    security include the Principle of Least Privilege. As it applies to
    your question, this means run only those services that you must, and
    secure as much as possible those that you do run.

    For example, you can run a minimal web server using netcat:

    c:\>nc -vv -L -d -p 80 < default.html

    Whenever someone connects to your "server", the text in default.html
    will be sent back to them.

    If you're running IIS, you want to make sure that you patch it, set
    ACLs, and remove any unnecessary script mappings.

    However, configuration control and management is NOT unique to
    Microsoft products...even servers like Apache need someone to monitor
    them.

    > I'm running Apache on WinXP with BlackICE and Norton AntiVirus running
    > behind a Linksys router that is forwarding port 80 to my machine.


    Well, a couple of quick seconds of Googling, or just going to the
    Symantec site, will show you that you're not vulnerable to CR.

    > Anyone
    > know how this is possible that someone gave me a virus over my apache web
    > server? Do I have a security hole or is this threat something I have to live
    > with if I'm going to have a web server?


    Yes, it is...if all you're going to do is run it. However, if you're
    going to "manage" and "administer" it, that's a different story
    entirely.
    keydet, Jan 19, 2004
    #13
  14. Noyb

    Duane Arnold Guest

    "Noyb" <> wrote in
    news:AESOb.2068$:

    >
    >> allowing _any_ daemon (server for you microsoft weenies) to run on
    >> _any_ port leaves you _vulnerable_. "how vulnerable" is dependent
    >> upon the daemon/server. _all_ programs have the _potential_ to be
    >> exploited. if you don't know what you're doing, don't run a
    >> server/daemon, even if you're running "black ice", nothing more than
    >> an IDS anyway.... even a personal firewall.... if you're explicitly
    >> telling the firewall/IDS to ignore port 80 traffic, you're leaving
    >> that particular service "out there". if you don't know what you're
    >> doing, you don't keep up on server/daemon patching and you're not
    >> running a proper IDS and actually watching the friggin logs, you'll
    >> get hacked... it's only a matter of time (in some cases, a 0day
    >> exploit).
    >>
    >>
    >>
    >> --
    >> Colonel Flagg
    >> http://www.internetwarzone.org/
    >>
    >> Privacy at a click:
    >> http://www.cotse.net
    >>
    >> Q: How many Bill Gates does it take to change a lightbulb?
    >> A: None, he just defines Darkness? as the new industry standard..."
    >>
    >> "...I see stupid people."

    >
    > "BlackICE protects using the same sophisticated technology that
    > secures corporate networks around the world. This unique combination
    > of firewall, fast, unobtrusive intrusion protection and
    > straightforward interface protects the privacy of any home or office
    > server."


    This is true. But BlackIce cannot protect on outbound connections. It
    does protect on an unsolicited outbound connection from the machine and
    will block it. And BI will block an application from outbound connections
    by exe, dll, ocx or any program file type you place into the Checksum.fle
    for monitoring. And BI has good logging of these events if you're using
    VisualIce (free use Google) and BI logging is enabled.

    But BlackIce cannot stop outbound connections to IP(s), port(s), protocol
    (s), DNS(s) etc and that's where IPsec comes into play on the Win2k, XP
    and Win 2K3 O/S(s) that can do that.

    >
    > Sounds like a firewall, and it's always seemed to protect me. If you'd
    > like to suggest some other solutions and not just "microsoft weenie"
    > cut-downs I'd like to hear them.


    BlackIce does have a FW component that I have used from day one I started
    using the product. And BI has stopped a couple of attacks that came right
    through that NAT router, when no ports were being forwarded to a machine.

    I too get tired of watching people bitch and cry about the MS NT based
    O/S which can be configured to be secure or BlackIce as well which can be
    used effectively if configured properly.

    Duane :)
    Duane Arnold, Jan 19, 2004
    #14
  15. Noyb

    Noyb Guest

    > This is true. But BlackIce cannot protect on outbound connections. It
    > does protect on an unsolicited outbound connection from the machine and
    > will block it. And BI will block an application from outbound connections
    > by exe, dll, ocx or any program file type you place into the Checksum.fle
    > for monitoring. And BI has good logging of these events if you're using
    > VisualIce (free use Google) and BI logging is enabled.
    >
    > But BlackIce cannot stop outbound connections to IP(s), port(s), protocol
    > (s), DNS(s) etc and that's where IPsec comes into play on the Win2k, XP
    > and Win 2K3 O/S(s) that can do that.
    >
    > >
    > > Sounds like a firewall, and it's always seemed to protect me. If you'd
    > > like to suggest some other solutions and not just "microsoft weenie"
    > > cut-downs I'd like to hear them.

    >
    > BlackIce does have a FW component that I have used from day one I started
    > using the product. And BI has stopped a couple of attacks that came right
    > through that NAT router, when no ports were being forwarded to a machine.
    >
    > I too get tired of watching people bitch and cry about the MS NT based
    > O/S which can be configured to be secure or BlackIce as well which can be
    > used effectively if configured properly.
    >
    > Duane :)


    Thanks Duane! Once again you've been very helpful to less experienced users
    like myself.
    Steve.
    Noyb, Jan 19, 2004
    #15
  16. Noyb

    Noyb Guest

    "Conor" <> wrote in message
    news:...
    > In article <>,
    > says...
    >
    > > I appreciate that when running a server there are different levels of
    > > service but if your service is a read only does that not make one
    > > reasonably safe.
    > >

    > Nope. There are plenty of exploits not requiring write access that use
    > other tricks such as buffer overflows etc.
    >


    Thanks Conor, actually the event just before the HTTP_Code_Red was
    HTTP_repeated_character, so it sounds like what you're suggesting.
    Noyb, Jan 19, 2004
    #16
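
Several posts above turn on whether a Code Red alert against an Apache server means a compromise, and on actually watching the logs. As an added example (not written by anyone in this thread), the Python below scans Apache access-log lines for Code Red-style requests (`/default.ida` followed by a long run of one character) and for other repeated-character requests, and reports how the server answered. The log lines, addresses, the 32-character threshold and all function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Apache Common Log Format: host ident user [time] "METHOD target PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: \S+)?" (?P<status>\d{3}) \S+'
)
MIN_RUN = 32  # assumed threshold: this many identical characters in a row is suspicious
RUN_RE = re.compile(r"(.)\1{%d,}" % (MIN_RUN - 1))


def build_sample_log():
    """Constructed sample log; the padding stands in for the worm's request body."""
    pad_x, pad_n, pad_a = "X" * 224, "N" * 224, "A" * 64
    return "\n".join([
        '192.0.2.10 - - [19/Jan/2004:02:14:07 -0500] "GET /index.html HTTP/1.0" 200 1043',
        f'198.51.100.7 - - [19/Jan/2004:03:41:55 -0500] "GET /default.ida?{pad_x}=a HTTP/1.0" 404 279',
        f'203.0.113.44 - - [19/Jan/2004:04:02:31 -0500] "GET /default.ida?{pad_n}=a HTTP/1.0" 404 279',
        f'203.0.113.90 - - [19/Jan/2004:04:30:12 -0500] "GET /cgi-bin/search?q={pad_a} HTTP/1.0" 200 512',
        "this line is not in common log format",
    ])


def classify(target):
    """Label a request target as normal, code-red-style or repeated-character."""
    parts = urlsplit(target)
    run = RUN_RE.search(parts.query) or RUN_RE.search(parts.path)
    if run and parts.path.lower().endswith(".ida"):
        return "code-red-style"       # .ida is an IIS Indexing Service mapping
    if run:
        return "repeated-character"   # generic overflow-style padding
    return "normal"


def verdict(label, status):
    """A 2xx answer to an odd request means something handled it: look closer."""
    if label == "normal":
        return "ok"
    return "investigate" if 200 <= status < 300 else "rejected"


def scan(log_text):
    """Return (findings, unparsed_count) for every non-normal request in the log."""
    findings, unparsed = [], 0
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            unparsed += 1
            continue
        label = classify(m["target"])
        if label == "normal":
            continue
        status = int(m["status"])
        findings.append({
            "ip": m["ip"], "time": m["ts"], "label": label,
            "status": status, "verdict": verdict(label, status),
        })
    return findings, unparsed


if __name__ == "__main__":
    hits, skipped = scan(build_sample_log())
    for h in hits:
        print(f'{h["time"]} {h["ip"]:<15} {h["label"]:<19} {h["status"]} {h["verdict"]}')
    print(f"unparsed lines: {skipped}")
```

A 404 on the `.ida` requests is what a server with no such handler returns, so those entries are background scanning; the 200 on the padded CGI request is the one worth reading the script for.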
  17. Noyb

    David Norris Guest

    "Noyb" <> wrote in message
    news:X8FOb.6922$...
    > Does leaving port 80 open for serving web pages leave me vulnerable? A few
    > hours after telling BlackICE to allow port 80 traffic in I got an alarm with
    > this event: HTTP_Code_Red_II
    >
    > Norton alerted me to the virus soon after and deleted it. Here's their
    > write-up on it if anyone's interested:
    > http://securityresponse.symantec.com/avcenter/venc/data/codered.worm.html
    >
    > I'm running Apache on WinXP with BlackICE and Norton AntiVirus running
    > behind a Linksys router that is forwarding port 80 to my machine. Anyone
    > know how this is possible that someone gave me a virus over my apache web
    > server? Do I have a security hole or is this threat something I have to live
    > with if I'm going to have a web server? Thanks for any help or suggestions.
    >
    > Steve.

    Apache has a reasonable security record - it's what I use myself. The
    majority of intrusions via webservers occur via scripts (CGI and so on). If
    you are careful about use of scripts, your risk is much lessened. DN
    David Norris, Jan 19, 2004
    #17
  18. In article <>,
    says...
    > On Mon, 19 Jan 2004 07:43:05 -0500, Colonel Flagg spoketh
    >
    > >
    > >to a n00b, what's the difference? if you're running a "service", a
    > >"server" or a "daemon", you're providing "something" to be given out to
    > >someone. a "server" is a machine which provides either a "service" or a
    > >"daemon". there, fixed that... can't fix your ability to prove your
    > >"weenie-ness" however.
    > >

    >
    > Why do you *always* have to make everything a pissing contest between MS
    > and Linux? Can't you just leave it alone?
    >
    > Lars M. Hansen
    > http://www.hansenonline.net
    > (replace 'badnews' with 'news' in e-mail address)
    >



    I didn't. all I said was something to the effect of "microsoft weenies",
    someone else took that to _mean_ something.... all I meant was
    "microsoft weenies"... read into it and reply to it, anyway you want
    to... I don't give a ****... as a matter of fact... why the hell am I
    even responding to you? because I don't give a ****..


    --
    Colonel Flagg
    http://www.internetwarzone.org/

    Privacy at a click:
    http://www.cotse.net

    Q: How many Bill Gates does it take to change a lightbulb?
    A: None, he just defines Darkness? as the new industry standard..."

    "...I see stupid people."
    Colonel Flagg, Jan 19, 2004
    #18
  19. In article <AESOb.2068$>,
    says...

    > "BlackICE protects using the same sophisticated technology that secures
    > corporate networks around the world. This unique combination of firewall,
    > fast, unobtrusive intrusion protection and straightforward interface
    > protects the privacy of any home or office server."
    >
    > Sounds like a firewall, and it's always seemed to protect me. If you'd like
    > to suggest some other solutions and not just "microsoft weenie" cut-downs
    > I'd like to hear them.
    >



    when I am using this piece of shit junk machine, I like tiny personal
    firewall... otherwise, I use a real ipf/ipnat/ipfw firewall on a freebsd
    box.

    see there, nothing at all said about microsoft.

    --
    Colonel Flagg
    http://www.internetwarzone.org/

    Privacy at a click:
    http://www.cotse.net

    Q: How many Bill Gates does it take to change a lightbulb?
    A: None, he just defines Darkness? as the new industry standard..."

    "...I see stupid people."
    Colonel Flagg, Jan 19, 2004
    #19
  20. On Mon, 19 Jan 2004 18:14:20 -0500, Colonel Flagg spoketh

    >
    >I didn't. all I said was something to the effect of "microsoft weenies",
    >someone else took that to _mean_ something.... all I meant was
    >"microsoft weenies"... read into it and reply to it, anyway you want
    >to... I don't give a ****... as a matter of fact... why the hell am I
    >even responding to you? because I don't give a ****..


    whatever ... buh-bye.


    Lars M. Hansen
    http://www.hansenonline.net
    (replace 'badnews' with 'news' in e-mail address)
    Lars M. Hansen, Jan 20, 2004
    #20