[lug] What do you do about hackers (in the current sense of uninvited obnoxious intruders)

Paul Bille Paul at ebille.cudenver.edu
Sat Apr 13 22:29:04 MDT 2002


> cmd.exe on windows is very similar to trying to feed a command . . .

Like I said, they're not uncommon.  I didn't get any today but I got it from
three different IPs on Friday and one last Sunday.  Sorry, the line wrap
makes it a little difficult to read:

[Sun Apr  7 14:04:19 2002] [error] [client 63.230.146.34] File does not exist: /var/www/html/scripts/..A?../winnt/system32/cmd.exe
[Fri Apr 12 01:34:36 2002] [error] [client 212.179.238.45] File does not exist: /var/www/html/scripts/..A?../winnt/system32/cmd.exe
[Fri Apr 12 01:53:51 2002] [error] [client 24.138.61.171] File does not exist: /var/www/html/scripts/..A?../winnt/system32/cmd.exe
[Fri Apr 12 13:29:15 2002] [error] [client 217.82.33.200] File does not exist: /var/www/html/..A?../..A?../cmd1.exe

I think this is part of the Code Red/Nimda attack.  It's not uncommon.  It
is effective against NT servers but not Apache so it's not a concern here.

Another one I get that's associated with Code Red is:

[Sat Apr 13 13:00:15 2002] [error] [client 194.239.162.167] Client sent malformed Host header

When I check the access.log the message is:
194.239.162.167 - - [13/Apr/2002:13:00:15 -0600] "GET
/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%
u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
HTTP/1.0" 400 328

Again these are effective against NT servers and are therefore not a concern
here.

I also get messages in /var/log/messages that I believe are associated
with the bind overflow attack, but I haven't been able to confirm this:

Apr 13 21:16:13 liz kernel: eth0: tx interrupt but no status

It's a good thing to keep an eye on the system at all times.  There are
crackers always banging away on the system and it's wise to watch what
they're doing.  I generally run gtop all the time to see if any unusual
application pops up like "pscan" or "port_scan".  I also watch the following
logs:
1 /var/log/secure - Who's connecting to ports on my system?
2 /var/log/messages - Watch for unusual errors like "eth0: tx int . . ." or
root login
3 /var/log/xferlog - Watch for any unusual files transferred to the system
4 /var/log/httpd/error.log - Watch for invalid HTTP requests
5 /var/log/httpd/access.log - Watch for valid HTTP request with malformed
headers.

Paul
http://bille.cudenver.edu/author
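The log-watching routine described in the post above, as an added example (not Paul's code): a small Python script that reads Apache error.log and access.log lines and tags the Code Red (default.ida) and Nimda (cmd.exe traversal) probes he describes, so a daily count per source address can be reviewed instead of eyeballing the raw logs. The sample lines are constructed here with RFC 5737 documentation addresses and model the entries quoted in the post.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the error.log / access.log entries
# quoted above; addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_LINES = [
    "[Sun Apr  7 14:04:19 2002] [error] [client 192.0.2.10] File does not exist: "
    "/var/www/html/scripts/../winnt/system32/cmd.exe",
    "[Fri Apr 12 13:29:15 2002] [error] [client 192.0.2.11] File does not exist: "
    "/var/www/html/../../cmd1.exe",
    '198.51.100.7 - - [13/Apr/2002:13:00:15 -0600] "GET /default.ida?NNNNNNNN'
    '%u9090%u6858%ucbd3%u7801 HTTP/1.0" 400 328',
    "[Sat Apr 13 13:00:15 2002] [error] [client 198.51.100.7] Client sent malformed Host header",
    '203.0.113.5 - - [13/Apr/2002:13:02:41 -0600] "GET /index.html HTTP/1.0" 200 1043',
]

# Apache 1.3-style error.log and common-log-format access.log entries.
ERROR_RE = re.compile(r"^\[[^\]]+\] \[error\] \[client (?P<ip>[\d.]+)\] (?P<msg>.*)$")
ACCESS_RE = re.compile(r'^(?P<ip>[\d.]+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3})')

# Labels are our own; the patterns are the worm signatures the post describes.
SIGNATURES = [
    ("nimda-cmd.exe", re.compile(r"cmd\d*\.exe", re.I)),          # cmd.exe / cmd1.exe traversal
    ("codered-default.ida", re.compile(r"/default\.ida\?", re.I)),  # Code Red .ida overflow probe
    ("malformed-host", re.compile(r"malformed Host header")),        # the error.log side of the same hit
]

def classify(line):
    """Return (ip, label) when a line matches a known worm probe, else None."""
    m = ERROR_RE.match(line) or ACCESS_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    text = fields.get("msg") or fields.get("req") or ""
    for label, pattern in SIGNATURES:
        if pattern.search(text):
            return fields["ip"], label
    return None

def summarize(lines):
    """Count probes per (source ip, label) so repeat offenders stand out."""
    counts = Counter()
    for line in lines:
        hit = classify(line)
        if hit:
            counts[hit] += 1
    return counts

if __name__ == "__main__":
    for (ip, label), n in sorted(summarize(SAMPLE_LINES).items()):
        print(f"{n:4d}  {ip:<15}  {label}")
```

Point it at the real files with `summarize(open("/var/log/httpd/error.log"))` and the same for access.log; lines that match neither format are ignored rather than raising.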
