[lug] What do you do about hackers (in the current sense of uninvited obnoxious intruders)

D. Stimits stimits at idcomm.com
Fri Apr 12 21:54:25 MDT 2002


Paul Bille wrote:
> 
> Is there anything that can or should be done about folks trying to access
> /etc/passwd?

This is normal for all kinds of authentication. Stopping it prevents
even valid logins. That is why shadow passwords exist. The non-shadowed
versions still save passes in a one-way hash, but nowadays could be
cracked with a good dictionary (assuming old crypt functions; crypt with
sha-1 or md5 might be a *long* session, unless a set of high-probability
words were used for a pass and the cracker tests those first). Do you
have shadow on? If so, don't worry about someone reading it or even
copying it. Writing to it is the only worry.

> 
> How would you interpret httpd/access.log entries like this?  I think it's
> someone abusing my hospitality.  What do you think?
> 
> [Fri Apr 12 13:29:12 2002] [error] [client 217.82.33.200] Invalid URI in
> request GET /../../../../../../../../../../../etc/passwd HTTP/1.0

Cracker attempt to steal passwd file. Won't help if it is a shadowed
file, except maybe knowing the names of user accounts. What would
concern me is if the web server is set to allow relative gets like this.
You might try a get in this format to a valid html file where access is
supposed to be allowed, and then place a copy of that same html file in
parent directories, trying to successively decide if parents are being
allowed via that scheme; if so, you have a big risk, though I wouldn't
particularly call it broken (just a stupid setup to allow it, way too
much exposure). If they can't do that with valid files using that
format, no problem; if they can use that format but not to invalid
directories, probably also not a problem. If they can do that to any
non-web or non-designated directory, your risk goes up significantly,
though permissions still apply.

> [Fri Apr 12 13:29:12 2002] [error] [client 217.82.33.200] File does not
> exist: /var/www/html/iisadmpwd/

Ahh, the old windows IIS server. Got Linux? Ignore it; just note that the
requester has tried some very intentional and undeniable crack
attacks, and you should report them. I see what I *think* is a European
address:
200.33.82.217.in-addr.arpa	name = pD95221C8.dip.t-dialin.net

Via "whois t-dialin.net":
Registrant:
Deutsche Telekom Online Service GmbH (T-DIALIN2-DOM)
   Waldstrasse 3
   Weiterstadt, D-64331
   DE

   Domain Name: T-DIALIN.NET

   Administrative Contact, Technical Contact:
      Kaufmann, Daniel  (DK162-RIPE)  d.kaufmann at T-ONLINE.NET
      Deutsche Telekom Online Service GmbH
      Julius-Reiber-Str.37
      Darmstadt
      Germany
      D-6429
      DE
      +49 61 51 680 537 (FAX) +49 61 51 680 519

Send log copies, along with a note on your time zone settings and your IP
address at the time of attack, to d.kaufmann at t-online.net. Note that
this would all have been useless if the IP had been spoofed, but it is
also the case that if you had identd required you can also guarantee
(within probably better than 100 million to one odds) that the IP is not
spoofed. If you require the auth port, you should add that fact.

> [Fri Apr 12 13:29:12 2002] [error] [client 217.82.33.200] script not found
> or unable to stat: /var/www/cgi-bin/auktion.pl

Can't say for sure, but I'd bet this is a perl script with some known
weakness.

> 
> Name: pD95221C8.dip.t-dialin.net
> Address: 217.82.33.200
> 
> 217.82.33.200 - - [12/Apr/2002:13:28:10 -0600] "GET / HTTP/1.0" 200 5714
> 217.82.33.200 - - [12/Apr/2002:13:28:10 -0600] "GET
> HTTP://www.microsoft.com/ HTTP/1.0" 200 5714
> 217.82.33.200 - - [12/Apr/2002:13:28:40 -0600] "" 501 -
> 217.82.33.200 - - [12/Apr/2002:13:28:40 -0600] "" 501 -
> 217.82.33.200 - - [12/Apr/2002:13:28:40 -0600] "" 501 -
> 217.82.33.200 - - [12/Apr/2002:13:28:40 -0600] "" 501 -
> 217.82.33.200 - - [12/Apr/2002:13:28:41 -0600] "GET / HTTP/1.0" 200 5714
> 217.82.33.200 - - [12/Apr/2002:13:29:12 -0600] "GET
> /../../../../../../../../../../../etc/passwd HTTP/1.0" 400 375
> 217.82.33.200 - - [12/Apr/2002:13:29:13 -0600] "GET
> /../../../../../../../../../../../etc/passwd HTTP/1.0" 400 375
> 217.82.33.200 - - [12/Apr/2002:13:29:18 -0600] "GET /../../../boot.ini
> HTTP/1.0" 400 349
> 217.82.33.200 - - [12/Apr/2002:13:29:19 -0600] "GET /../../../boot.ini
> HTTP/1.0" 400 349

Sounds like they know about UNIX-type systems, but are mainly equipped
to crack windows systems. FYI, I'd summarily block the /24 of the
domain, or even the /16 if you don't need anyone from there getting in.
And I'd bet that the IP address of the attacker is itself a cracked
machine, and the owner would probably like to know they were cracked and
being used for further illegal activity. For the most part, seeing as
how they are concentrating on web server attacks, I doubt they are a
threat (but if they do other attacks and you do not have firewalling,
the other attacks would be a threat).

D. Stimits, stimits at idcomm.com

> 
> Thanks,
> Paul
> http://bille.cudenver.edu/author/
> 
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
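The log review and the /24 block discussed in this reply, as an added example that is not part of the original post or the list archive. The script below parses Apache common-log lines, flags the three things the reply calls out (a request path that climbs above the document root, a request for an absolute URI, and a request for one of the sensitive paths the thread's entries probed for), and derives the /24 or /16 to block. The `escapes_docroot` check is the same decision the reply suggests testing by hand with a valid HTML file in parent directories: does the request path resolve outside the web root once the `..` segments are applied. The sample log lines are constructed here in the same format as the quoted entries, the `PROBE_FRAGMENTS` list is taken from paths in the thread, and the `iptables` rule text is an assumption (modern syntax, not what a 2002 host would have run).

```python
#!/usr/bin/env python3
"""Flag probe traffic in Apache access_log lines and derive a block range.

Added example (not from the thread). SAMPLE_LOG is constructed in Apache
common log format, modeled on the entries quoted in the thread.
"""
import ipaddress
import re
from urllib.parse import unquote

CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)
ABSOLUTE_URI_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")

# Path fragments the thread's log entries probed for; extend as needed.
PROBE_FRAGMENTS = ("etc/passwd", "boot.ini", "iisadmpwd")

# Constructed sample, not copied from the original server's log.
SAMPLE_LOG = """\
217.82.33.200 - - [12/Apr/2002:13:28:10 -0600] "GET / HTTP/1.0" 200 5714
217.82.33.200 - - [12/Apr/2002:13:28:10 -0600] "GET HTTP://www.microsoft.com/ HTTP/1.0" 200 5714
217.82.33.200 - - [12/Apr/2002:13:28:40 -0600] "" 501 -
217.82.33.200 - - [12/Apr/2002:13:29:12 -0600] "GET /../../../../../../../../../../../etc/passwd HTTP/1.0" 400 375
217.82.33.200 - - [12/Apr/2002:13:29:18 -0600] "GET /../../../boot.ini HTTP/1.0" 400 349
217.82.33.200 - - [12/Apr/2002:13:29:20 -0600] "GET /iisadmpwd/ HTTP/1.0" 404 212
217.82.33.200 - - [12/Apr/2002:13:29:21 -0600] "GET /cgi-bin/auktion.pl HTTP/1.0" 404 212
10.0.0.5 - - [12/Apr/2002:13:30:00 -0600] "GET /index.html HTTP/1.0" 200 5714
10.0.0.5 - - [12/Apr/2002:13:30:01 -0600] "GET /docs/%2e%2e/%2e%2e/etc/passwd HTTP/1.0" 404 212
"""


def decode_path(raw, rounds=3):
    """Percent-decode repeatedly (bounded) so %2e%2e and %252e%252e both end up as '..'."""
    path = raw
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def escapes_docroot(path):
    """True if applying the path's '..' segments would climb above the document root."""
    depth = 0
    for seg in decode_path(path).split("/"):
        if seg == "..":
            if depth == 0:
                return True
            depth -= 1
        elif seg not in ("", "."):
            depth += 1
    return False


def classify(line):
    """Return (client_ip, finding) for one log line; finding is None if nothing is suspicious."""
    m = CLF_RE.match(line)
    if not m:
        return None, "unparseable line"
    ip, req, status = m["ip"], m["req"], int(m["status"])
    if not req:
        return ip, "empty/malformed request line (HTTP %d)" % status
    parts = req.split()
    if len(parts) < 2:
        return ip, "malformed request line: %r" % req
    path = parts[1].split("?", 1)[0]          # query string is irrelevant to traversal
    if ABSOLUTE_URI_RE.match(path):
        return ip, "absolute URI in request (open-proxy check): %s" % path
    if escapes_docroot(path):
        return ip, "directory traversal attempt: %s" % path
    decoded = decode_path(path)
    for frag in PROBE_FRAGMENTS:
        if frag in decoded:
            return ip, "probe for known sensitive path (%s): %s" % (frag, path)
    return ip, None


def analyze(log_text):
    """Group findings by client IP: {ip: [finding, ...]} for clients with at least one hit."""
    findings = {}
    for line in log_text.splitlines():
        if line.strip():
            ip, finding = classify(line)
            if finding:
                findings.setdefault(ip, []).append(finding)
    return findings


def block_network(ip, prefix_len=24):
    """CIDR covering the client, e.g. 217.82.33.200 -> 217.82.33.0/24 (use 16 for the wider block)."""
    return str(ipaddress.ip_network("%s/%d" % (ip, prefix_len), strict=False))


def firewall_rule(ip, prefix_len=24):
    """DROP rule for the block range (assumption: modern iptables syntax, not 2002-era ipchains)."""
    return "iptables -I INPUT -s %s -j DROP" % block_network(ip, prefix_len)


if __name__ == "__main__":
    for client, hits in analyze(SAMPLE_LOG).items():
        print(client)
        for hit in hits:
            print("   ", hit)
        print("    block:", firewall_rule(client), "(or %s)" % block_network(client, 16))
```

Note that `/cgi-bin/auktion.pl` is deliberately not flagged: a 404 for a script name says nothing by itself, and it only matters if it is one you do not run, so treat it as context alongside the traversal hits from the same client rather than as a signature on its own.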
