[lug] possible intrusion

Samartha Deva blug-receive at mtbwr.net
Thu Jul 19 15:16:40 MDT 2001


>
>Deva, do you use a Cisco DSL router?

Yupp!

>If so, can you block its web access
>port?

Never been open - only maybe once if support needed to get in.
What sucks is that the router cannot have the web interface
open to the inside, so it appears; the same seems to go for telnet.
It is very convenient to be able to work from the inside (LAN)
while the outside (WAN) is tight.

>Anyway, the linux box itself, and apache, will be immune to this I
>think.

Sure looks like it - when I look at the transfers, it could be
something else. I tried feeding the apache that long string.
Netscape cuts it off and with telnet on port 80, I get error
501 whereas the worms get a 400, so something is different.

Maybe the worm feeds some funky html and gets tons of errors
back, the imbalance in traffic is 10 : 1.


>My checks on the port 80 of several hits I'm getting all indicate
>MS IIS...if the machines being infected are MS, it makes sense that they
>would also be trying to infect more MS machines. Then again, we don't
>know about the machines hitting Deva.

Sure, no M$ server here - neither inside nor outside.

>Deva, try this on the attacking URL's (and yes, it is legal). telnet
>wherever.com 80, which gets you to the web server. Type:
>GET
><hit enter key>

ok:
HTTP/1.1 400 Bad Request
Server: Microsoft-IIS/5.0

HTTP/1.1 400 Petición incorrecta
Server: Microsoft-IIS/5.0

many are down or rejecting requests but all others have the same server 
running.
But I am only a small sample - the whole affair must be massive.

If the growth rate is higher than the elimination rate (they are said
to reinfect again) and there is a big enough pool to draw "food" from,
the whole system (internet) could be brought to its knees.

I think that some are even dialups or company servers inside a LAN just sending
the outgoing connects.

Oh - I did not email Security Focus - they have not yet sent me
the mailing list confirmation to reply to, and they have it already well
documented.

Every time I see an NNNN in my log - a - what was it? 99.9999 percent uptime
piece of software showed its 0.0001 chance of failing, which is truly just
amazingly amazing.

I wonder how much work it is to get a server cleaned up.

Samartha
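The post above talks about spotting the worm's long "NNNN" request string in the Apache log and the 400 responses it draws. As an added example (not from the original post or the list), here is a small Python scanner that reads Apache combined-format access-log lines, flags any request path containing a run of 100 or more identical characters, and tallies the hits by source address and response status. The log lines, the 100-character threshold, and the "/probe.ext" path are constructed assumptions for the demonstration.

```python
import re
from collections import Counter

# Apache combined log format prefix: client ident user [timestamp] "method path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>\S*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# A run of 100 or more copies of the same character (e.g. "NNNN...") in the request path.
RUN_RE = re.compile(r'(.)\1{99,}')

# Constructed sample log lines (assumption: not real traffic). Two ordinary requests
# and three worm-style probes carrying a 224-character filler from two addresses.
PROBE_PATH = "/probe.ext?" + "N" * 224 + "=1"  # hypothetical path, padded like the real thing
SAMPLE_LOG = "\n".join([
    '10.0.0.5 - - [19/Jul/2001:14:02:11 -0600] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.7"',
    f'192.0.2.44 - - [19/Jul/2001:14:03:55 -0600] "GET {PROBE_PATH} HTTP/1.0" 400 325 "-" "-"',
    '10.0.0.7 - - [19/Jul/2001:14:04:02 -0600] "GET /missing.html HTTP/1.0" 404 212 "-" "Lynx/2.8"',
    f'198.51.100.9 - - [19/Jul/2001:14:05:30 -0600] "GET {PROBE_PATH} HTTP/1.0" 400 325 "-" "-"',
    f'192.0.2.44 - - [19/Jul/2001:14:06:48 -0600] "GET {PROBE_PATH} HTTP/1.0" 400 325 "-" "-"',
])


def parse_line(line):
    """Return a dict of fields for one log line, or None if it is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def longest_run(text):
    """Length of the longest run of one repeated character in text (0 if none of 100+)."""
    return max((len(m.group(0)) for m in RUN_RE.finditer(text)), default=0)


def scan_log(text, min_run=100):
    """Return one record per request whose path contains a character run >= min_run."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed or non-combined-format lines
        run = longest_run(rec["path"])
        if run >= min_run:
            hits.append({"ip": rec["ip"], "status": rec["status"],
                         "run": run, "path_len": len(rec["path"])})
    return hits


def summarize(hits):
    """Count flagged requests per source address and per HTTP status code."""
    by_ip = Counter(h["ip"] for h in hits)
    by_status = Counter(h["status"] for h in hits)
    return by_ip, by_status


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    by_ip, by_status = summarize(found)
    for ip, n in by_ip.most_common():
        print(f"{ip}: {n} padded request(s)")
    print("status codes:", dict(by_status))
```

Point it at a real access log with `scan_log(open(path).read())`; the per-address counts give a list of infected hosts worth notifying, and the status tally shows whether the server is answering the probes with 400s as the post describes.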
