RE: [SLE] how to block http access from specific ip's
Hi Patrick,
> From: Patrick Shanahan [mailto:WideGlide@MyRealBox.com]
> [snip]
> My firewall logs and my httpd logs both show that 24.208.133.143 is being accepted and *must* be a virus action. I cannot believe that a person can be *so* unknowing about his computer security. I have

Oh be creative - there are many DAUs out there ;o)

> notified security@rr.com twice in the last three days about him. I guess that I will have to start sending them a daily report of each RoadRunner account which attempts violation of my system. Only thing, the total daily reports will be voluminous, reflecting negatively upon me

Maybe, but I'd try to contact abuse@rr.com. Check for the e-mail address with "whois 24.208.133.143" ;-)

> who is on the wrong end and also a RoadRunner user.

A Windows user with open VNC ports, open SMB ports and some other interesting stuff :o)

> What to do, what to do ??

Have a look at "netstat -an|grep 24.208.133.143" and check whether there is still an active connection. Please send the interesting part of your logfile to the list.

You can always try the next two commands.

iptables -I INPUT -s 24.208.133.143 -j DROP
iptables -I OUTPUT -d 24.208.133.143 -j DROP

(Don't start the firewall services after entering the two commands.)

If these don't help, I'd begin to check for rootkits and logging the network traffic between your host and the evil IP address. But be careful - according to the hostname it's a DHCP address, so it may be changing.

regards,
Stefan
* Peer Stefan
> Hi Patrick,
>
> > From: Patrick Shanahan [mailto:WideGlide@MyRealBox.com]
> > [snip]

[more snip]

> Maybe, but I'd try to contact abuse@rr.com. Check for the e-mail address with "whois 24.208.133.143" ;-)

abuse@rr.com has been contacted also, but they do not want it. I help-chatted with a RR rep who apparently was reading from a script. He kept asking me if it was spam <grin>. Didn't know about firewall and httpd logs.

> > who is on the wrong end and also a RoadRunner user.
>
> A Windows user with open VNC ports, open SMB ports and some other interesting stuff :o)
>
> > What to do, what to do ??
>
> Have a look at "netstat -an|grep 24.208.133.143" and check whether there is still an active connection.

Not at the moment, but I will check periodically during the day.

> Please send the interesting part of your logfile to the list.

firewall:

Mar 20 06:44:18 wahoo kernel: SuSE-FW-ACCEPT IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=24.208.133.143 DST=192.168.0.2 LEN=48 TOS=0x08 PREC=0x00 TTL=121 ID=31653 DF PROTO=TCP SPT=1492 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Mar 20 06:44:21 wahoo kernel: SuSE-FW-ACCEPT IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=24.208.133.143 DST=192.168.0.2 LEN=48 TOS=0x08 PREC=0x00 TTL=121 ID=32087 DF PROTO=TCP SPT=1588 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Mar 20 06:44:25 wahoo kernel: SuSE-FW-ACCEPT IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=24.208.133.143 DST=192.168.0.2 LEN=48 TOS=0x08 PREC=0x00 TTL=121 ID=32532 DF PROTO=TCP SPT=1674 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
.... there are 11 similar lines

httpd:

24.208.133.143 - - [20/Mar/2003:06:44:20 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 282
24.208.133.143 - - [20/Mar/2003:06:44:23 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 280
24.208.133.143 - - [20/Mar/2003:06:44:27 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290
24.208.133.143 - - [20/Mar/2003:06:44:31 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290
24.208.133.143 - - [20/Mar/2003:06:44:34 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304
24.208.133.143 - - [20/Mar/2003:06:44:38 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 321
24.208.133.143 - - [20/Mar/2003:06:44:41 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 321
24.208.133.143 - - [20/Mar/2003:06:44:43 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 337
24.208.133.143 - - [20/Mar/2003:06:44:46 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303
24.208.133.143 - - [20/Mar/2003:06:44:49 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303
24.208.133.143 - - [20/Mar/2003:06:44:52 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303
24.208.133.143 - - [20/Mar/2003:06:44:55 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303
24.208.133.143 - - [20/Mar/2003:06:44:58 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 287
24.208.133.143 - - [20/Mar/2003:06:45:00 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 287
24.208.133.143 - - [20/Mar/2003:06:45:01 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304
24.208.133.143 - - [20/Mar/2003:06:45:03 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304

> You can always try the next two commands.
>
> iptables -I INPUT -s 24.208.133.143 -j DROP
> iptables -I OUTPUT -d 24.208.133.143 -j DROP
>
> (Don't start the firewall services after entering the two commands.)

iptables -L | grep 24.208.133.143:

DROP all -- dhcp024-208-133-143.insight.rr.com anywhere
DROP all -- dhcp024-208-133-143.insight.rr.com anywhere
DROP all -- anywhere dhcp024-208-133-143.insight.rr.com

> If these don't help, I'd begin to check for rootkits and logging the network traffic between your host and the evil IP address. But be careful - according to the hostname it's a DHCP address, so it may be changing.

Will report back, tks
--
Patrick Shanahan
Please avoid TOFU and trim >quotes<
http://wahoo.no-ip.org
Registered Linux User #207535
icq#173753138 @ http://counter.li.org
Linux, a continuous *learning* experience
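The request sequence Patrick posted (root.exe, cmd.exe, the %255c / %c1%1c / %c0%af traversal variants under /scripts, /MSADC, /_vti_bin, /_mem_bin) is the well-known Nimda worm probe set, which fits his "virus action" reading. As an added example that is not code from the thread, the Python below does by machine what he did by eye: it parses Apache common-log lines modelled on his (constructed sample, the last line is a normal request), percent-decodes each request path until it stops changing so that double encodings like %255c unfold, counts traversal / cmd.exe probes per source address, and returns the same INPUT/OUTPUT DROP pair Stefan suggested for any source over an assumed threshold.

```python
import re
from collections import defaultdict
from urllib.parse import unquote
# Constructed sample modelled on the thread's Apache log lines; last line is a negative control.
SAMPLE_LOG = """\
24.208.133.143 - - [20/Mar/2003:06:44:20 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 282
24.208.133.143 - - [20/Mar/2003:06:44:34 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304
24.208.133.143 - - [20/Mar/2003:06:44:58 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 287
192.0.2.10 - - [20/Mar/2003:06:50:00 -0500] "GET /index.html HTTP/1.0" 200 1043
"""
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" (\d{3})')
# What the scan in the thread was after: root.exe / cmd.exe under the IIS directories.
PROBE_RE = re.compile(r"(?:cmd|root)\.exe$|/winnt/system32/")

def decode_path(raw_url):
    # Drop the query, percent-decode until stable (%255c -> %5c -> '\'), fold '\' to '/', lower-case.
    path = raw_url.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/").lower()

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, url, status = m.groups()
    return {"ip": ip, "ts": ts, "status": int(status), "path": decode_path(url)}

def summarize(log_text):
    # Per source IP: count of probe requests (traversal or cmd.exe/root.exe hit), first/last seen.
    hits = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for line in log_text.splitlines():
        e = parse_line(line)
        if e and (".." in e["path"] or PROBE_RE.search(e["path"])):
            h = hits[e["ip"]]
            h["count"] += 1
            h["first"] = h["first"] or e["ts"]
            h["last"] = e["ts"]
    return dict(hits)

def block_commands(hits, threshold=3):
    # The DROP pair from the thread for each source at/above threshold, returned for review.
    cmds = []
    for ip, h in sorted(hits.items()):
        if h["count"] >= threshold:
            cmds += [f"iptables -I INPUT -s {ip} -j DROP", f"iptables -I OUTPUT -d {ip} -j DROP"]
    return cmds
```

Feed a real access_log with `summarize(open(path).read())`; the rules come back as strings for review rather than being applied, and as Stefan notes, rules inserted by hand do not survive a restart of the firewall service.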