[lug] Intrusion Question

dio2002 at indra.com dio2002 at indra.com
Mon Sep 10 14:48:03 MDT 2007


Seems to be a hot topic lately.

Someone's been trying to hit my apache with:

    400 Bad Request
       /w00tw00t.at.ISC.SANS.DFind:): 4 Time(s)

After searching Google on this one, I find all kinds of information about
it being an intrusion attempt.  But nothing ever mentions what KIND of
intrusion it is.  I check the IP addresses in my access_log and they are
all coming from South Korea.  So they are obviously looking for something.

I'd like to blacklist IPs that come from South Korea, but because these are
coming from such a wide array of IPs, I'm not sure if that's possible.

An attempt like this is futile UNLESS they actually installed that binary
or script on my system.  I don't think they would've made a blind
attempt like this unless they were actually targeting the machine.  That
concerns me.  But on the surface this looks like someone just trolling for
something it couldn't find.  I've used "find" and can't find the file
(they could've changed the name) or anything that looks suspicious
(recently created / modified in the last 24 hours).

I haven't seen anything in the logs that concerns me either (so far), but
it's possible they've covered their tracks.  My system appears to be
working fine.  My system hasn't been rebooted (up for thirteen days).

It looks like I'm OK.  Any other analysis or IDS tips I should double check?

also
----

There are some warnings in the Apache logs which look like Apache is
restarting periodically:

[Mon Sep 10 04:02:03 2007] [notice] SIGHUP received.  Attempting to restart httpd:
[Mon Sep 10 04:02:03 2007] [notice] Digest: generating secret for digest authentication ...
[Mon Sep 10 04:02:03 2007] [notice] Digest: done
[Mon Sep 10 04:02:03 2007] [notice] mod_python: Creating 4 session mutexes based on 256 max processes and 0 max threads.
[Mon Sep 10 04:02:03 2007] [notice] Apache configured -- resuming normal operations

I know I didn't manually restart it.  It looks like this might be
logrotate?  All the log files seem to go to zero at that point.

thanks



my httpd logs have a number o



It amazes me.  This particular server hasn't been up very long, is not
really live yet and already is being targeted.
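An added example, not from the original post, of the kind of access_log check the post asks about: it counts the w00tw00t.at.ISC.SANS.DFind probe per source address and separately lists the 4xx/5xx requests that are NOT the known scanner, since that noise is exactly what a more targeted attempt could hide behind. It assumes Apache's default "combined" LogFormat and uses constructed sample lines with RFC 5737 documentation addresses.

```python
import re
from collections import Counter

# Apache "combined" LogFormat (assumed; adjust the regex if your LogFormat differs).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Marker from the request quoted in the post; DFind scanners request this path.
PROBE_MARKER = "w00tw00t.at.ISC.SANS.DFind"

def parse_line(line):
    """Return the fields of one access_log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def probe_hits(lines, marker=PROBE_MARKER):
    """Count requests per source IP whose path contains the scanner marker."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and marker in rec["path"]:
            hits[rec["ip"]] += 1
    return hits

def non_probe_errors(lines, marker=PROBE_MARKER):
    """4xx/5xx requests that are NOT the known scanner; these deserve a closer
    look, since scanner noise can hide a more targeted attempt."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"][0] in "45" and marker not in rec["path"]:
            out.append((rec["ip"], rec["status"], rec["path"]))
    return out

# Constructed sample lines (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = """\
192.0.2.10 - - [10/Sep/2007:03:11:02 -0600] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 226 "-" "-"
192.0.2.10 - - [10/Sep/2007:03:11:03 -0600] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 226 "-" "-"
198.51.100.7 - - [10/Sep/2007:03:15:40 -0600] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 226 "-" "-"
203.0.113.5 - - [10/Sep/2007:04:01:00 -0600] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Sep/2007:04:01:05 -0600] "GET /old/page.html HTTP/1.1" 404 290 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for ip, n in probe_hits(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} DFind probe(s)")
    for ip, status, path in non_probe_errors(SAMPLE_LOG):
        print(f"check: {ip} {status} {path}")
```

Feed it the real file with `probe_hits(open("/var/log/httpd/access_log"))`; the per-IP counts are what you would use to decide whether a block list is even practical.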
