[lug] What do you do about hackers (in the current sense of uninvited obnoxious intruders)

rm at fabula.de
Sun Apr 14 06:23:03 MDT 2002


On Fri, Apr 12, 2002 at 09:54:25PM -0600, D. Stimits wrote:
> Paul Bille wrote:
> > 
> > Is there anything that can or should be done about folks trying to access
> > /etc/passwd?
> 
> This is normal for all kinds of authentication. Stopping it prevents
> even valid logins. That is why shadow passwords exist. The non-shadowed
> versions still save passes in a one-way hash, but nowadays could be
> cracked with a good dictionary (assuming old crypt functions; crypt with
> sha-1 or md5 might be a *long* session, unless a set of high-probability
> words were used for a pass and the cracker tests those first). Do you
> have shadow on? If so, don't worry about someone reading it or even
> copying it. Writing is the only worry to that.
> 
> > 
> > How would you interpret httpd/access.log entries like this?  I think it's
> > someone abusing my hospitality.  What do you think?
> > 
> > [Fri Apr 12 13:29:12 2002] [error] [client 217.82.33.200] Invalid URI in
> > request GET /../../../../../../../../../../../etc/passwd HTTP/1.0
> 
> Cracker attempt to steal passwd file. Won't help if it is a shadowed
> file, except maybe knowing the names of user accounts. 

Knowing the possible login names is a big step in the [hc]racking direction.

> What would
> concern me is if the web server is set to allow relative gets like this.
> [...]

Relative URLs are fine, the only problem is: your web server shouldn't be able
to access any file outside its document root (or the directory tree(s) you make
accessible via Alias or ScriptAlias commands).

 
> > [Fri Apr 12 13:29:12 2002] [error] [client 217.82.33.200] File does not
> > exist: /var/www/html/iisadmpwd/
> 
> Ahh, the old windows IIS server. Got Linux? Ignore it, just note the
> requester has tried some very intentionally and undeniably crack
> attacks, you should report them. I see what I *think* is a European
> address:
> 200.33.82.217.in-addr.arpa	name = pD95221C8.dip.t-dialin.net
> 
> Via "whois t-dialin.net":
> Registrant:
> Deutsche Telekom Online Service GmbH (T-DIALIN2-DOM)
> [...]
> 
> Send log copies, along with some note on your time zone settings and IP
> address at the time of attack, to the d.kaufmann at t-online.net. Note that
> this would have all been useless if the ip had been spoofed, but it is
> also a case that if you had identd required you can also guarantee
> (within probably better than 100 million to one odds) the ip is not
> spoofed. If you require auth port, you should add that fact.

:-)
 
Save your time for something more fun! t-online is Germany's largest provider
(former state telecom a.k.a. "Deutsche Bundespost"), the IP address you see
is out of a pool for dial-in access points (either ISDN or DSL-ISDN). Unless
your server time is pretty exact, chances are high that the connection logs will
point to another (harmless) user. In my experience t-online couldn't care less
about those attacks (heck, most of their workers have no idea how their own
hardware works -- as you can probably tell, I'm a happy customer ....).

   
> > [Fri Apr 12 13:29:12 2002] [error] [client 217.82.33.200] script not found
> > or unable to stat: /var/www/cgi-bin/auktion.pl
> 
> Can't say for sure, but I'd bet this is a perl script with some known
> weakness.
> 
> > 
> > Name: pD95221C8.dip.t-dialin.net
> > Address: 217.82.33.200
> > 
> > 217.82.33.200 - - [12/Apr/2002:13:28:10 -0600] "GET / HTTP/1.0" 200 5714
> > 217.82.33.200 - - [12/Apr/2002:13:28:10 -0600] "GET
> > HTTP://www.microsoft.com/ HTTP/1.0" 200 5714
> > 217.82.33.200 - - [12/Apr/2002:13:28:40 -0600] "" 501 -
> > 217.82.33.200 - - [12/Apr/2002:13:28:40 -0600] "" 501 -
> > 217.82.33.200 - - [12/Apr/2002:13:28:40 -0600] "" 501 -
> > 217.82.33.200 - - [12/Apr/2002:13:28:40 -0600] "" 501 -
> > 217.82.33.200 - - [12/Apr/2002:13:28:41 -0600] "GET / HTTP/1.0" 200 5714
> > 217.82.33.200 - - [12/Apr/2002:13:29:12 -0600] "GET
> > /../../../../../../../../../../../etc/passwd HTTP/1.0" 400 375
> > 217.82.33.200 - - [12/Apr/2002:13:29:13 -0600] "GET
> > /../../../../../../../../../../../etc/passwd HTTP/1.0" 400 375
> > 217.82.33.200 - - [12/Apr/2002:13:29:18 -0600] "GET /../../../boot.ini
> > HTTP/1.0" 400 349
> > 217.82.33.200 - - [12/Apr/2002:13:29:19 -0600] "GET /../../../boot.ini
> > HTTP/1.0" 400 349
> 
> Sounds like they know about UNIX type systems, but are mainly equipped
> to crack windows systems. FYI, I'd summarily block the /24 of the
> domain, or even the /16 if you don't need anyone from there getting in.
> And I'd bet that the IP address of the attacker is itself a cracked
> machine, and the owner would probably like to know they were cracked and
> being used for further illegal activity. For the most part, seeing as
> how they are concentrating on web server attacks, I doubt they are a
> threat (but if they do other attacks and you do not have firewalling,
> the other attacks would be a threat).

Standard webserver toolkit traces (test for document root, web-proxying etc.).
Keep your server access restricted to document root and everything is fine.
As I said, it's rather unlikely that you'll be able to trace back the attacking
box.


 Ralf Mattes
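The shadow-password question raised earlier in the thread (does /etc/passwd hold only an "x" in the password field, and are the hashes in /etc/shadow still the old 13-character DES crypt format that a dictionary run chews through quickly?) can be answered with a small audit. The script below is an added example and not code from the thread or from any of the posters; the account names and hash values are constructed placeholders, and the hash-prefix table follows what crypt(5) documents.

```python
import re

# Constructed sample data for this example. The hash strings are placeholders
# in the right *shape*, not real password hashes, and the accounts are invented.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
legacy:abJnggxhB/yWI:1001:1001:Legacy user:/home/legacy:/bin/sh
guest::1002:1002:Guest:/home/guest:/bin/sh
nobody:*:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""

SAMPLE_SHADOW = """\
root:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASHVALUE:19000:0:99999:7:::
alice:$1$CONSTRUCT$CONSTRUCTEDHASHVALUE:19000:0:99999:7:::
legacy:abJnggxhB/yWI:19000:0:99999:7:::
guest::19000:0:99999:7:::
nobody:*:19000:0:99999:7:::
"""

# crypt(3) hash prefixes as listed in crypt(5); order matters only for readability
HASH_PREFIXES = (
    ("$6$", "sha512crypt"),
    ("$5$", "sha256crypt"),
    ("$1$", "md5crypt"),
    ("$y$", "yescrypt"),
    ("$2b$", "bcrypt"),
    ("$2y$", "bcrypt"),
    ("$2a$", "bcrypt"),
)
# Traditional DES crypt: 2 salt characters + 11 hash characters, alphabet ./0-9A-Za-z.
# It truncates the password to 8 characters and uses a 12-bit salt, hence "legacy".
DES_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

# Kinds that should never appear in a password field on a healthy system
WEAK = {"empty", "des_crypt", "unknown"}


def classify_password_field(field):
    """Name what a passwd/shadow password field contains."""
    if field == "x":
        return "shadowed"          # real hash lives in /etc/shadow
    if field == "":
        return "empty"             # no password required at all
    if field.startswith(("*", "!")):
        return "locked"            # account cannot log in with a password
    for prefix, name in HASH_PREFIXES:
        if field.startswith(prefix):
            return name
    if DES_CRYPT_RE.match(field):
        return "des_crypt"
    return "unknown"


def _entries(text):
    for line in text.splitlines():
        if line and not line.startswith("#"):
            yield line.split(":")


def audit_passwd(text):
    """Findings for /etc/passwd: every entry that is neither shadowed nor locked."""
    findings = []
    for fields in _entries(text):
        if len(fields) != 7:
            findings.append((fields[0], "malformed"))
            continue
        kind = classify_password_field(fields[1])
        if kind not in ("shadowed", "locked"):
            findings.append((fields[0], kind))
    return findings


def audit_shadow(text):
    """Findings for /etc/shadow: empty passwords and legacy or unrecognised hashes."""
    findings = []
    for fields in _entries(text):
        if len(fields) < 2:
            findings.append((fields[0], "malformed"))
            continue
        kind = classify_password_field(fields[1])
        if kind in WEAK:
            findings.append((fields[0], kind))
    return findings


if __name__ == "__main__":
    for name, findings in (("passwd", audit_passwd(SAMPLE_PASSWD)),
                           ("shadow", audit_shadow(SAMPLE_SHADOW))):
        for user, issue in findings:
            print(f"{name}: {user}: {issue}")
```

Run against the real files (as root, since /etc/shadow is not world-readable) by feeding `open("/etc/passwd").read()` and `open("/etc/shadow").read()` to the two audit functions; an empty finding list for passwd is what "shadow on" looks like, and a non-empty one for shadow tells you which accounts still carry a DES hash or no password at all.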

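The access.log excerpt quoted in the thread can be triaged mechanically rather than read line by line. The script below is an added example, not code from the thread or from any of the posters: the 217.82.33.200 lines are the ones quoted in the mail (re-joined where the mail client wrapped them), the 192.0.2.10 lines are constructed benign traffic for contrast, and the threshold of three flagged requests per client is an assumption chosen for the example. It tags the four patterns the thread discusses: `../` traversal, absolute-URI requests (the web-proxying test), Windows/IIS paths (`iisadmpwd`, `boot.ini`), and empty request lines that Apache answered with 501.

```python
import re
from collections import Counter, defaultdict

# Access-log lines quoted in the thread, plus two constructed lines from a benign client.
SAMPLE_LOG = [
    '217.82.33.200 - - [12/Apr/2002:13:28:10 -0600] "GET / HTTP/1.0" 200 5714',
    '217.82.33.200 - - [12/Apr/2002:13:28:10 -0600] "GET HTTP://www.microsoft.com/ HTTP/1.0" 200 5714',
    '217.82.33.200 - - [12/Apr/2002:13:28:40 -0600] "" 501 -',
    '217.82.33.200 - - [12/Apr/2002:13:28:40 -0600] "" 501 -',
    '217.82.33.200 - - [12/Apr/2002:13:28:40 -0600] "" 501 -',
    '217.82.33.200 - - [12/Apr/2002:13:28:40 -0600] "" 501 -',
    '217.82.33.200 - - [12/Apr/2002:13:28:41 -0600] "GET / HTTP/1.0" 200 5714',
    '217.82.33.200 - - [12/Apr/2002:13:29:12 -0600] "GET /../../../../../../../../../../../etc/passwd HTTP/1.0" 400 375',
    '217.82.33.200 - - [12/Apr/2002:13:29:13 -0600] "GET /../../../../../../../../../../../etc/passwd HTTP/1.0" 400 375',
    '217.82.33.200 - - [12/Apr/2002:13:29:18 -0600] "GET /../../../boot.ini HTTP/1.0" 400 349',
    '217.82.33.200 - - [12/Apr/2002:13:29:19 -0600] "GET /../../../boot.ini HTTP/1.0" 400 349',
    # constructed benign traffic from a second client
    '192.0.2.10 - - [12/Apr/2002:13:30:00 -0600] "GET /index.html HTTP/1.0" 200 5714',
    '192.0.2.10 - - [12/Apr/2002:13:30:01 -0600] "GET /images/logo.png HTTP/1.0" 200 2048',
]

# Apache common log format: host ident authuser [date] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)

# Paths the thread identifies as Windows/IIS-specific probes
WINDOWS_PROBE_MARKERS = ("iisadmpwd", "boot.ini")


def classify_request(request):
    """Return the set of tags explaining why a request line looks like scanner traffic."""
    tags = set()
    if not request:
        tags.add("malformed")      # empty request line; Apache answered 501
        return tags
    parts = request.split()
    target = parts[1] if len(parts) >= 2 else parts[0]
    lowered = target.lower()
    if "../" in target or "..\\" in target:
        tags.add("traversal")      # trying to climb out of the document root
    if lowered.startswith(("http://", "https://")):
        tags.add("proxy_probe")    # absolute URI: does the server relay requests?
    if any(marker in lowered for marker in WINDOWS_PROBE_MARKERS):
        tags.add("windows_probe")  # IIS/Windows paths on a Linux box
    return tags


def parse_line(line):
    """Parse one common-log-format line into a dict, or None if it does not match."""
    match = LOG_RE.match(line)
    if not match:
        return None
    record = match.groupdict()
    record["status"] = int(record["status"])
    record["tags"] = classify_request(record["request"])
    return record


def triage(lines, threshold=3):
    """Aggregate tags per client and mark clients at or above the threshold."""
    per_host = defaultdict(Counter)
    for line in lines:
        record = parse_line(line)
        if record is None:
            continue
        counts = per_host[record["host"]]   # touch so quiet hosts still appear
        for tag in record["tags"]:
            counts[tag] += 1
    return {
        host: {
            "tags": dict(counts),
            "total": sum(counts.values()),
            "suspicious": sum(counts.values()) >= threshold,
        }
        for host, counts in per_host.items()
    }


if __name__ == "__main__":
    for host, summary in triage(SAMPLE_LOG).items():
        flag = "SUSPICIOUS" if summary["suspicious"] else "ok"
        print(f"{host:16} {flag:10} {summary['tags']}")
```

The 400 responses on the traversal lines are Apache refusing the request before any file lookup, which is exactly the "restricted to document root" behaviour the thread asks for; the triage output is there to tell you which client to block or report, not to change that outcome.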

