[lug] possible intrusion

D. Stimits stimits at idcomm.com
Thu Jul 19 15:26:56 MDT 2001


Samartha Deva wrote:
> 
> >
> >Deva, do you use a Cisco DSL router?
> 
> Yupp!
> 
> >If so, can you block its web access
> >port?
> 
> never been open - only maybe once if support needed to get in.
> What sucks is, that the router cannot have the web interface
> open to the inside, so it appears, same seems to go for telnet.
> It is very convenient to be able to work from the inside (LAN)
> while the outside (WAN) is tight.
> 
> >Anyway, the linux box itself, and apache, will be immune to this I
> >think.
> 
> Sure looks like it - when I look at the transfers, it could be
> something else. I tried feeding the apache that long string.
> Netscape cuts it off and with telnet on port 80, I get error
> 501 whereas the worms get a 400, so something is different.
> 
> Maybe the worm feeds some funky html and gets tons of errors
> back, the imbalance in traffic is 10 : 1.
> 
> >My checks on the port 80 of several hits I'm getting all indicate
> >MS IIS...if the machines being infected are MS, it makes sense that they
> >would also be trying to infect more MS machines. Then again, we don't
> >know about the machines hitting Deva.
> 
> Sure no M$ server here - neither inside and more so outside.
> 
> >Deva, try this on the attacking URL's (and yes, it is legal). telnet
> >wherever.com 80, which gets you to the web server. Type:
> >GET
> ><hit enter key>
> 
> ok:
> HTTP/1.1 400 Bad Request
> Server: Microsoft-IIS/5.0
> 
> HTTP/1.1 400 Petición incorrecta
> Server: Microsoft-IIS/5.0
> 
> many are down or rejecting requests but all others have the same server
> running.
> But I am only a small sample - the whole affair must be massive.
> 
> If the growth rate is higher than the elimination rate (they are said
> to reinfect again) and there is a big enough pool to draw "food" from,
> the whole system (internet) could be brought to its knees.
> 
> I think that some are even dialups or company servers inside a LAN just sending
> the outgoing connects.
> 
> Oh - I did not email to security focus - they have not yet sent me
> the mailing list confirmation to reply to and - they have it already well
> documented.
> 
> Every time I see an NNNN in my log - a - what was it? 99.9999 percent uptime
> piece of software showed its 0.0001 chance of failing, which is truly just
> amazingly amazing.
> 
> I wonder how much work it is to get a server cleaned up.

No idea about actual effort, but I see people making automated tools
that will point out certain things, in a manner similar to a C
preprocessor. I would bet that the effort is high (on the order of
designing a compiler) to create a specialized tool, followed by a big
payoff for fast initial testing.

D. Stimits, stimits at idcomm.com

> 
> Samartha
> 
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
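The thread above does two things by hand: it looks for the "NNNN" requests in the web server log and it reads the Server: header that a bare GET returns. The following script is an added example, not code from either poster or from the LUG. It parses Apache combined-format log lines that I constructed for the purpose, flags requests carrying a long run of N characters (the 16-character threshold is my assumption), counts hits and status codes per source address so that repeat sources stand out, and pulls the Server: value out of a captured response head. The sample log lines, the /index.dll path and the response head are all constructed; only the Microsoft-IIS/5.0 banner comes from the post.

```python
import re
from collections import Counter, defaultdict

# Constructed stand-in for the "NNNN" request the post describes (hypothetical path).
PROBE_PATH = "/index.dll?" + "N" * 40

# Constructed Apache combined-format log lines; addresses are documentation ranges.
SAMPLE_LOG = "\n".join([
    f'203.0.113.5 - - [19/Jul/2001:14:02:11 -0600] "GET {PROBE_PATH} HTTP/1.0" 400 324 "-" "-"',
    f'203.0.113.5 - - [19/Jul/2001:14:03:40 -0600] "GET {PROBE_PATH} HTTP/1.0" 400 324 "-" "-"',
    f'198.51.100.7 - - [19/Jul/2001:14:05:02 -0600] "GET {PROBE_PATH} HTTP/1.0" 400 324 "-" "-"',
    '192.0.2.44 - - [19/Jul/2001:14:06:19 -0600] "GET /index.html HTTP/1.0" 200 1532 "-" "Mozilla/4.7"',
    '192.0.2.44 - - [19/Jul/2001:14:06:25 -0600] "GET /about.html HTTP/1.0" 200 2048 "-" "Mozilla/4.7"',
])

# Constructed response head of the kind the telnet check in the post produces.
SAMPLE_RESPONSE = (
    "HTTP/1.1 400 Bad Request\r\n"
    "Server: Microsoft-IIS/5.0\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

# Apache combined log format: ip ident user [timestamp] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)
# Assumed detection threshold: a run of 16 or more N's in the request line.
PROBE_RE = re.compile(r"N{16,}")


def parse_line(line):
    """Split one combined-format line into fields; None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    parts = rec["req"].split()
    rec["method"] = parts[0] if parts else ""
    rec["path"] = parts[1] if len(parts) > 1 else ""
    rec["probe"] = bool(PROBE_RE.search(rec["req"]))
    return rec


def triage(log_text):
    """Count probe hits and status codes per source; list sources seen more than once.

    Repeat sources are the ones worth watching because the post notes that
    cleaned hosts are said to get reinfected and start probing again.
    """
    hits_by_ip = Counter()
    status_by_ip = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["probe"]:
            continue
        hits_by_ip[rec["ip"]] += 1
        status_by_ip[rec["ip"]][rec["status"]] += 1
    repeaters = sorted(ip for ip, n in hits_by_ip.items() if n > 1)
    return {
        "hits_by_ip": dict(hits_by_ip),
        "status_by_ip": {ip: dict(c) for ip, c in status_by_ip.items()},
        "repeaters": repeaters,
    }


def server_banner(response_head):
    """Return the Server: header value from a raw HTTP response head, or None."""
    for line in response_head.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for ip, n in sorted(result["hits_by_ip"].items()):
        print(f"{ip}: {n} probe(s), statuses {result['status_by_ip'][ip]}")
    print("repeat sources:", result["repeaters"])
    print("banner:", server_banner(SAMPLE_RESPONSE))
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; the status breakdown is what lets you see at a glance whether your server answers the probes with 400 as the post reports, and the repeater list is the set of sources to watch or block at the router.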
