Mikefc626 Just Arrived

Joined: 07 Apr 2005 Posts: 0 Location: here

Posted: Thu Apr 07, 2005 7:06 am Post subject: Serious Security Issue?
Hey everybody!
Ok, I know this isn't exactly proper to post a question about an Apache server running on Win2k in the Unix/Linux section, but unless I'm just plain wrong, wasn't it built on Linux? Also, I didn't see anywhere better to post back on the forum page, so here goes.
I am having some very eyebrow-raising activity on my Apache web server (Windows 2k). I have been following the logs, and there has been a lot of stuff going on recently, but none as bad as just a few hours ago. I do not profess to be any kind of security expert; rather, I am just now beginning to get into that sort of thing, thus I don't know very much and I haven't gotten far enough into my extra reading to interpret everything before me. Maybe someone here could help. I will provide an overview of the problems below:
POST & CONNECT from an IP in Germany, POST referring to his IP, and CONNECT to mx2.mail.yahoo.com (can anyone say mail spam piggyback - yes?)
SEARCH x90\x9\x9\x9......x90\x90 (this particular one is driving me nuts because it shows up A LOT)
numerous IPs from China/Japan/Netherlands that say something to the effect of "POST _vti_bin _vti_aut fp30reg.dll HTTP 1.1" then "GET scripts ..%255c%255c.. winnt system32 cmd.exe? c+dir" 404 323
GET cgi-bin openwebmail openwebmail.pl HTTP 1.0
GET default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX (and lots of gobbledygook after it, %ucbd3%, etc.)
more GET scripts, one with root.exe? c+dir
SEARCH x90\x02\xb1\x02\xb1\.....
and now the big finale...
an IP from Canada, eh? that is nothing but system32 stuff, _vti_bin, cmd.exe? stuff... thing is, there are 65 notations of this kind of crap going on within the span of about 2 minutes.
Am I being hacked out the whazzooo or what? If so, or better yet even if not, feel free to whack this b***h around. His IP is 69.156.41.52
Someone please help!!! I am very concerned and need some serious guidance.
Thanks guys.
Guest
Posted: Thu Apr 07, 2005 8:14 am Post subject:
Most of those appear to be IIS-related traffic, so you shouldn't worry about them. It's normal noise from certain worms and automated scripts that try to look for old vulnerabilities.
You however might want to check if those CONNECT attempts have resulted in code 200; that means the attempt has been successful. That means that your Apache server also acts as a proxy and allows third parties to use your machine to hide their origins. (404 means page not found.)
Also check the contents of your cgi-bin, and do a search on the web to find out if you have any vulnerable CGI scripts. If this is a default install you probably have a few example scripts that can be removed.
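The two checks this reply recommends (did any CONNECT or absolute-URL request get a 200, and which of the remaining entries are just IIS worm noise) can be run over the access log with a short script. The following is an added example written for this thread, not code posted by anyone in it; the log lines are constructed in Apache "common" format from the requests the original poster describes, with documentation-range IPs and invented timestamps, and the signature labels are the author's own names for the well-known probe patterns.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines (Apache "common" log format) modelled on the original
# post. IPs are from documentation ranges and timestamps are invented.
SAMPLE_LOG = """\
192.0.2.10 - - [07/Apr/2005:04:55:01 -0500] "CONNECT mx2.mail.yahoo.com:25 HTTP/1.0" 200 0
192.0.2.10 - - [07/Apr/2005:04:55:02 -0500] "POST http://192.0.2.10/ HTTP/1.0" 404 323
198.51.100.7 - - [07/Apr/2005:04:58:10 -0500] "SEARCH /\\x90\\x90\\x90 HTTP/1.1" 414 0
203.0.113.5 - - [07/Apr/2005:05:01:00 -0500] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 323
203.0.113.5 - - [07/Apr/2005:05:01:01 -0500] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 323
203.0.113.9 - - [07/Apr/2005:05:02:00 -0500] "GET /default.ida?XXXXXXXXXXXXXXXX%u9090%u6858 HTTP/1.0" 404 323
203.0.113.9 - - [07/Apr/2005:05:02:01 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 323
203.0.113.12 - - [07/Apr/2005:05:03:00 -0500] "GET /cgi-bin/openwebmail/openwebmail.pl HTTP/1.0" 404 289
192.0.2.33 - - [07/Apr/2005:05:04:00 -0500] "GET /index.html HTTP/1.1" 200 1532
"""

# Apache "common" format: ip ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)

# Signatures of IIS/FrontPage-era worm and scanner traffic. None of these
# target Apache; on Apache they end in 404 and are log clutter, not a break-in.
# Each pattern is matched against "METHOD target".
NOISE_SIGNATURES = [
    ("frontpage-extensions-probe", re.compile(r"/_vti_", re.I)),
    ("unicode-traversal-to-cmd.exe", re.compile(r"(%255c|%c0%af|\.\./).*cmd\.exe", re.I)),
    ("nimda-style-root.exe", re.compile(r"root\.exe", re.I)),
    ("codered-style-default.ida", re.compile(r"default\.ida", re.I)),
    ("webdav-search-nop-sled", re.compile(r"^SEARCH .*\\x90")),
    ("openwebmail-probe", re.compile(r"openwebmail", re.I)),
]


def parse_line(line):
    """Parse one common-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def classify(entry):
    """Label a request: proxy-success / proxy-attempt (the check the reply asks for),
    one of the noise signatures, 'normal', or 'unclassified'."""
    method, target, status = entry["method"], entry["target"], entry["status"]
    # Proxy use looks like CONNECT, or a request whose target is an absolute URL.
    # A 2xx answer to either means the server relayed the request: open proxy.
    if method == "CONNECT" or target.lower().startswith(("http://", "https://")):
        return "proxy-success" if 200 <= status < 300 else "proxy-attempt"
    request = f"{method} {target}"
    for label, pattern in NOISE_SIGNATURES:
        if pattern.search(request):
            return label
    return "normal" if status < 400 else "unclassified"


def analyze(log_text):
    """Summarise a log: label counts, per-IP counts, and the lines proving proxy use."""
    labels = Counter()
    per_ip = defaultdict(Counter)
    proxy_success = []
    unparsed = 0
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            unparsed += 1
            continue
        label = classify(entry)
        labels[label] += 1
        per_ip[entry["ip"]][label] += 1
        if label == "proxy-success":
            proxy_success.append(line)
    return {
        "labels": labels,
        "per_ip": {ip: dict(c) for ip, c in per_ip.items()},
        "proxy_success": proxy_success,
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for label, count in result["labels"].most_common():
        print(f"{count:4d}  {label}")
    if result["proxy_success"]:
        print("\nOPEN PROXY EVIDENCE (relayed requests answered 2xx):")
        for line in result["proxy_success"]:
            print("  " + line)
    print("\nPer-IP breakdown:")
    for ip, counts in sorted(result["per_ip"].items()):
        print(f"  {ip}: {counts}")
```

On a real Windows install, read the file with `open(r"C:\path\to\access.log")` and pass its contents to `analyze`. Anything under `proxy-success` is the condition the reply warns about and means `ProxyRequests` should be turned off; the noise labels with a 404 are the worm traffic the reply calls normal, and the per-IP breakdown shows bursts like the "65 in 2 minutes" the original poster saw.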
Mikefc626 Just Arrived

Joined: 07 Apr 2005 Posts: 0 Location: here

Posted: Thu Apr 07, 2005 8:19 am Post subject:
Yes, it is a default install. I guess I'll get cracking on the cgi-bin scripts. What should I know for this (it is my first go with Apache)? Also, one thing that does ease my mind is checking the error log, which mostly says blah blah script file they were looking for was not found on the server, so it's not all bad, right? But I may be wrong.
Colonel_Panic Just Arrived

Joined: 13 May 2004 Posts: 2

Posted: Thu Apr 07, 2005 3:38 pm Post subject:
I see lots of those. I think that default.ida thing is CodeRed, if not some other IIS worm. Buffer overflow with payload, it seems. Those _vti_whatever directories are found on IIS too. Harmless to Apache. Can't remember what the long SEARCH thing is but I've seen it and remember googling for it. Probably some IIS thing too, because I can't remember. All in all, common garbage that will fill your logs.
The IP you see is most likely a victim too. These worms jump from machine to machine.
RoboGeek SF Mod


Joined: 13 Jun 2003 Posts: 16777166 Location: LeRoy, IL

ElToro Just Arrived

Joined: 21 Jun 2004 Posts: 0

Posted: Fri Apr 08, 2005 12:11 am Post subject:
The default configuration for Apache web servers is pretty good, but you do want to go through the config file line by line and understand what is going on. Be sure to turn off any features you are not using, like the cgi-bin directory, the documentation, directory indexing, etc.
You can also use mod_security to add another layer of defense to your server. It's sort of an application-specific firewall that works with Apache. It can block a lot of the unwanted traffic you are seeing. I've only used it on Linux but there are WIN binaries available.
http://www.modsecurity.org/
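The config review this reply describes, as an added example that is not from anyone in the thread: an httpd.conf fragment showing the risky defaults beside their hardened form, plus a minimal mod_security filter set. The install path is an assumption for a default Apache 2.0 on Windows, the directive syntax is Apache 2.0/2.2-era, and the mod_security lines use the 1.x syntax that was current when this thread was written; check both against the version actually installed.

```apache
# ---- Risky: what an unreviewed default install can contain ----
# LoadModule proxy_module modules/mod_proxy.so
# ProxyRequests On
#   -> Apache becomes a forward proxy; CONNECT and absolute-URL requests answer 200.
# ScriptAlias /cgi-bin/ "C:/Program Files/Apache Group/Apache2/cgi-bin/"
#   -> example CGI scripts are reachable even if you never use them.
# Alias /manual "C:/Program Files/Apache Group/Apache2/manual"
#   -> the bundled documentation is published on the site.
# Options Indexes FollowSymLinks
#   -> directory listings for any folder without an index page.

# ---- Hardened ----
# Do not load mod_proxy at all unless you need it; if it is loaded, keep this off.
ProxyRequests Off

# Hide version details in headers and error pages.
ServerTokens Prod
ServerSignature Off

# Refuse the very long request lines used by default.ida / SEARCH-style probes early.
LimitRequestLine 1024

# Drop the ScriptAlias for /cgi-bin/ and the Alias for /manual entirely
# (delete those lines) instead of leaving the directories published.

<Directory "C:/Program Files/Apache Group/Apache2/htdocs">
    # No directory listings, no .htaccess overrides from the document tree.
    Options -Indexes -Includes -ExecCGI
    AllowOverride None
    Order allow,deny
    Allow from all
    # Only the verbs a static site needs; SEARCH, PROPFIND, TRACE etc. get 403.
    <LimitExcept GET POST HEAD>
        Order deny,allow
        Deny from all
    </LimitExcept>
</Directory>

# ---- mod_security 1.x: block the probe patterns seen in the log ----
<IfModule mod_security.c>
    SecFilterEngine On
    SecFilterScanPOST On
    SecFilterCheckURLEncoding On
    SecFilterDefaultAction "deny,log,status:403"
    # Encoded or plain directory traversal, and the IIS-only targets.
    SecFilter "\.\./"
    SecFilter "%255c"
    SecFilter "cmd\.exe"
    SecFilter "root\.exe"
    SecFilter "default\.ida"
    SecFilter "_vti_bin"
</IfModule>
```

After changing the file, run the binary with `-t` (`Apache.exe -t` from the bin directory) to syntax-check before restarting the service, and re-read the access log afterwards: the IIS probes should now show 403 from mod_security instead of 404, and no CONNECT or absolute-URL request should ever return 200.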
Mikefc626 Just Arrived

Joined: 07 Apr 2005 Posts: 0 Location: here

Posted: Tue Apr 12, 2005 5:39 am Post subject:
Hey guys, thanks for the help. I've been so bogged down with school stuff, group projects, and other crap that I haven't taken the time to reply. I do appreciate the help, especially those links to what they may be trying to accomplish.