RE: [suse-security] HTTP Strange LOG
hi, this is a typical code-red worm attack trying to exploit a buffer overflow but you don't have to worry about this. this worm only targets microsoft IIS web servers

Cyril

-----Original Message-----
From: cydonia@cbn.net.id [mailto:cydonia@cbn.net.id]
Sent: Thursday, 10 July 2003 10:54
To: suse-security@suse.com
Subject: [suse-security] HTTP Strange LOG

Dear List,

I have these strange logs in my Apache web server,

202.159.151.106 - - [10/Jul/2003:14:53:15 +0700] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 271 "-" "-"

Is my web server attacked? If it is, how should I configure my Apache?

Best Regards,
Kheli
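An added example, not part of the thread, of the check a defender would actually run on the log Kheli quoted: a small Python scanner that parses Apache common/combined-format lines, flags Code Red-style "GET /default.ida" probes, and reports per source IP which status codes they received. On a non-IIS server these probes are noise; the one thing worth confirming is that none of them ever got anything but an error response. The sample log lines are constructed (documentation address ranges), and the regexes are my own, not from any of the posters.

```python
import re

# Apache common/combined log line: client IP, ident, user, [timestamp], "request", status, bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)'
)

# Code Red probes hit /default.ida (the IIS Index Server ISAPI filter) with a long run of
# filler 'X' bytes followed by %uXXXX-encoded payload in the query string.
CODE_RED_RE = re.compile(r'^GET /default\.ida\?X{20,}.*%u[0-9a-fA-F]{4}', re.IGNORECASE)

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry

def is_code_red(entry):
    """True if the parsed entry's request line looks like a Code Red probe."""
    return entry is not None and CODE_RED_RE.search(entry["req"]) is not None

def scan(lines):
    """Return {source_ip: [status, ...]} for every Code Red-style request found."""
    hits = {}
    for line in lines:
        entry = parse_line(line)
        if is_code_red(entry):
            hits.setdefault(entry["ip"], []).append(entry["status"])
    return hits

# Constructed sample lines (not real traffic; documentation address ranges). The first two
# mimic the probe quoted in the thread, the third is an ordinary page request.
PAYLOAD = "%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a"
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Jul/2003:14:53:15 +0700] "GET /default.ida?{"X" * 224}{PAYLOAD} HTTP/1.0" 404 271 "-" "-"',
    f'203.0.113.7 - - [10/Jul/2003:15:01:40 +0700] "GET /default.ida?{"X" * 224}{PAYLOAD} HTTP/1.0" 404 271 "-" "-"',
    '198.51.100.4 - - [10/Jul/2003:14:55:02 +0700] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, statuses in scan(SAMPLE_LOG).items():
        # Anything other than an error status for such a request would be worth a closer look.
        flag = "" if all(s >= 400 for s in statuses) else "  <-- non-error response, investigate"
        print(f"{ip}: {len(statuses)} Code Red probe(s), statuses {statuses}{flag}")
```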
On Thursday, 10 July 2003 10:58, POULINGUE Cyril FTRD/SVA/LAN wrote:
hi, this is a typical code-red worm attack trying to exploit a buffer overflow but you don't have to worry about this. this worm only targets microsoft IIS web servers
... and the hole in IIS that gives this worm its backdoor was fixed when? ages ago? So the fact that this worm is still on the run shows the average brain capacity of the default microsoft admin.

bye
MH
On Thu, 2003-07-10 at 11:06, Mathias Homann wrote:
... and the hole in IIS that gives this worm its backdoor was fixed when? ages ago? So the fact that this worm is still on the run shows the average brain capacity of the default microsoft admin.
I think a protection can only let established connections pass through your iptables firewall and drop all ports used by known trojans. The best is to drop all trojan connections (INPUT, FORWARD and OUTPUT chain).

Regards
Ruprecht

-----------------------------------------------
Ruprecht Helms IT-Service & Softwareentwicklung
Tel./Fax +49[0]7621 16 99 16
Homepage: http://www.rheyn.de
email: info@rheyn.de
------------------------------------------------
I think a protection can only let established connections pass through your iptables firewall and drop all ports used by known trojans. The best is to drop all trojan connections (INPUT, FORWARD and OUTPUT chain).
1) "To only let pass an established connection"? Please explain how you imagine connections getting established, as at that stage they are NOT yet established and no traffic will pass.
2) Code red is a worm and its propagation does not relate to it also being a trojan.
3) There is no such thing as "all known ports" used by trojans.
4) If you need security, you drop or reject everything except what you require.
5) You must do so with regard to direction. And even that is of limited help as the more advanced trojans use various chat services to actively connect to from the inside out.
6) Many worms and trojans use legitimate ports AND the designated protocol along with it. Then they exploit some weakness in the server (or client) software (often buffer overflows) to make the software behave outside its specification. Code red in fact uses http over port 80. In fact a mighty security suggestion: block port 80 towards your web-server.

Peter
On Thu, 2003-07-10 at 11:50, Peter van den Heuvel wrote:
I think a protection can only let established connections pass through your iptables firewall and drop all ports used by known trojans. The best is to drop all trojan connections (INPUT, FORWARD and OUTPUT chain).
1) "To only let pass an established connection"? Please explain how you imagine connections getting established, as at that stage they are NOT yet established and no traffic will pass.
with iptables you can look into the TCP traffic using the mangle option. By letting through only established IP connections, you can filter out connections like that from scanners or connections that use an unrelated protocol that is allowed on that port.
2) Code red is a worm and its propagation does not relate to it also being a trojan.
Ok the security risk is not so much. That is only an act of cling.
Code red in fact uses http over port 80. In fact a mighty security suggestion: block port 80 towards your web-server.
Block port 80 for some known addresses and mangle the connections on port 80 toward your webserver. Blocking all toward the webserver can cause that no webpages can be requested from outside. I think.

Regards,
Ruprecht

-----------------------------------------------
Ruprecht Helms IT-Service & Softwareentwicklung
Tel./Fax +49[0]7621 16 99 16
Homepage: http://www.rheyn.de
email: info@rheyn.de
------------------------------------------------
with iptables you can look into the TCP traffic using the mangle option. By letting through only established IP connections, you can filter out connections like that from scanners or connections that use an unrelated protocol that is allowed on that port.

At least read the man pages and the Linux Advanced Routing & Traffic Control HOWTO before you post on the subject. Your statement is quite wrong and confuses many concepts and facts. For one thing, "mangle" is not an option to look into traffic. It is one of the various tables (specifically intended for packet alteration) of rules that iptables manages.

2) Code red is a worm and its propagation does not relate to it also being a trojan.
Ok the security risk is not so much. That is only an act of cling.

No. The question was "how do I protect my webserver from getting affected by this traffic". That relates to the worm capabilities and has nothing to do with the fact that the thing also happens to be a trojan.

Code red in fact uses http over port 80. In fact a mighty security suggestion: block port 80 towards your web-server.
Block port 80 for some known addresses and mangle the connections on port 80 toward your webserver. Blocking all toward the webserver can cause that no webpages can be requested from outside. I think.

Sigh... OK, I forgot the <joke> and </joke> quotes around this statement. Anybody else got confused there?

I'm not going to reply to this nonsense anymore.

Peter

PS. And please simply post to the list; most posters read it and do not require the carbon copy. Thanks.
So the fact that this worm is still on the run shows the average brain capacity of the default microsoft admin.
And so does the question itself. It has been asked and answered numerous times. It is in the archives. It is all over google and any other search engine. Try to cut and paste "default.ida?XXXXX" into the text field, then press the "search" button (only once!) and read the next pages of text that will appear as by magic.

Please, there's no reason for this list to be a wizard-only list. There is no such thing as a stupid question. But there is no excuse for lameness. So if possible, let's not all start to point out the completely obvious and keep the signal to noise ratio as good as we can keep it.

Anyway, my honest reply to the original poster: "try google".

Peter
Hi Mathias,

I think we should keep OS flame wars out of this list. As anybody of us knows, each OS is as good as its admin. There are tons of unpatched IIS and also there are tons of unpatched Linux servers with e.g. old wu-ftpd.

Sorry, but I'm all fed up with this kind of discussion...

Ralf