RE: [SLE] how to block http access from specific ip's

newer
RE: [SLE] OT: praise to suse 8.1

older
smb.conf problem

Peer Stefan

20 Mar 2003 20 Mar '03

13:02

Hi again :)

...

From: Patrick Shanahan [mailto:WideGlide@MyRealBox.com] abuse@rr.com has been contacted also, but they do not want it. I help-chatted with a RR rep who apparently was reading from a script. He kept asking me if it was spam <grin>. Didn't know about firewall and httpd logs.

Yes I know these reps.

...

firewall: Mar 20 06:44:18 wahoo kernel: SuSE-FW-ACCEPT IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=24.208.133.143 DST=192.168.0.2 LEN=48 TOS=0x08 PREC=0x00 TTL=121 ID=31653 DF PROTO=TCP SPT=1492 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402) Mar 20 06:44:21 wahoo kernel: SuSE-FW-ACCEPT IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=24.208.133.143 DST=192.168.0.2 LEN=48 TOS=0x08 PREC=0x00 TTL=121 ID=32087 DF PROTO=TCP SPT=1588 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402) Mar 20 06:44:25 wahoo kernel: SuSE-FW-ACCEPT IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=24.208.133.143 DST=192.168.0.2 LEN=48 TOS=0x08 PREC=0x00 TTL=121 ID=32532 DF PROTO=TCP SPT=1674 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402) ..... there are 11 similar lines

Hmm, apparently I got you wrong in the previous mails. It's pure HTTP, and you won't get traces with netstat ...

...

httpd: 24.208.133.143 - - [20/Mar/2003:06:44:20 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 282 24.208.133.143 - - [20/Mar/2003:06:44:23 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 280 24.208.133.143 - - [20/Mar/2003:06:44:27 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290 24.208.133.143 - - [20/Mar/2003:06:44:31 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290 24.208.133.143 - - [20/Mar/2003:06:44:34 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304 24.208.133.143 - - [20/Mar/2003:06:44:38 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe ?/c+dir HTTP/1.0" 404 321

This looks pretty much like Nimda, as long as no IIS is running (apparently never on a linux box :-) it's just filling up logs. Have a look at http://www.opennet.ru/tips/sml/41.shtml how to block Nimda-requests with iptables. Or use Apache configuration directives to exclude Nimda-requests from your log (http://paulbeard.no-ip.org/movabletype/archives/000054.html).

...

...
You can always try the next two commands. iptables -I INPUT -s 24.208.133.143 -j DROP iptables -I OUTPUT -d 24.208.133.143 -j DROP (Don't start the firewall services after entering the two commands.)

iptables -L | grep 24.208.133.143:

DROP all -- dhcp024-208-133-143.insight.rr.com anywhere DROP all -- dhcp024-208-133-143.insight.rr.com anywhere DROP all -- anywhere dhcp024-208-133-143.insight.rr.com

Is there a chance that before these DROPs there's something like "ALLOW http ..." ?

...

...
If these don't help, I'd begin to check for rootkits and logging the network traffic between your host and the evil ip-address. But be careful - according to the hostname it's an DHCP-address, so it may be changing.

Will report back, tks

According to the symptoms I don't think of rootkits anymore. I think that http traffic is allowed, no matter what the source address is and your DROPs just come too late in the iptables order. (And I don't think that this user is an evil one who has many computer skills, apart from being a magnet for worms, viruses and trojan horses ;o) regards, Stefan

Show replies by date

Patrick Shanahan

20 Mar 20 Mar

14:00

New subject: [SLE] how to block http access from specific ip's

* Peer Stefan [03-20-03 08:04]:

...

Hi again :) [big snip] This looks pretty much like Nimda, as long as no IIS is running (apparently never on a linux box :-) it's just filling up logs. Have a look at http://www.opennet.ru/tips/sml/41.shtml how to block Nimda-requests with iptables. Or use Apache configuration directives to exclude Nimda-requests from your log (http://paulbeard.no-ip.org/movabletype/archives/000054.html).

I will research these locations later today, have pressing matters for the next 4 hrs.

...

...
...
You can always try the next two commands. iptables -I INPUT -s 24.208.133.143 -j DROP iptables -I OUTPUT -d 24.208.133.143 -j DROP (Don't start the firewall services after entering the two commands.)

iptables -L | grep 24.208.133.143:

DROP all -- dhcp024-208-133-143.insight.rr.com anywhere DROP all -- dhcp024-208-133-143.insight.rr.com anywhere DROP all -- anywhere dhcp024-208-133-143.insight.rr.com

Is there a chance that before these DROPs there's something like "ALLOW http ..." ?

No, the three instances quoted above *all* come before *any* references to http or port 80. I do not understand firewall rules well enough. I would think that the *three* 'DROP' rules in the first 50 lines of the report would stop a tank, but ???

...

According to the symptoms I don't think of rootkits anymore. I think that http traffic is allowed, no matter what the source address is and your DROPs just come too late in the iptables order. (And I don't think that this user is an evil one who has many computer skills, apart from being a magnet for worms, viruses and trojan horses ;o)

No, I agree. I do not believe he is *skilled* ??computer wise?? at all. I have had my web-site up since just before New Years and it is only advertised in my sig so it is probably someone who has read one of the mail lists I have responded and stored my address. He first hit me 11 Mar and to date I have logged 1333 access attempts in httpd/access_log. I am also amazed that RoadRunner is not more interested/concerned due to the added bandwidth considerations and imminent danger of multiplication thereof. Of 22,000 lines in httpd/access_log, ~13,500 are *probably* virus access attempts. That is appalling. This traffic approaches or exceeds the weight of spam traffic. -- Patrick Shanahan Please avoid TOFU and trim >quotes< http://wahoo.no-ip.org Registered Linux User #207535 icq#173753138 @ http://counter.li.org Linux, a continuous *learning* experience

Togan Muftuoglu

16:43

New subject: [SLE] how to block http access from specific ip's

* Patrick Shanahan; on 20 Mar, 2003 wrote:

...

No, I agree. I do not believe he is *skilled* ??computer wise?? at all. I have had my web-site up since just before New Years and it is only advertised in my sig so it is probably someone who has read one of the mail lists I have responded and stored my address. He first hit me

No that does not have to be

...

11 Mar and to date I have logged 1333 access attempts in httpd/access_log.

Then no one has yet hit you seriosly yet 5281 253K DENY tcp -y---o 0xFF 0x00 This nice gentleman coming from an Asian IP has made of 253 K traffic in less then 3 minutes ( that is when I had to stop him before that my logs were also filled with almost all known vulnerabilities possible on Linux Windows Sun/Cobalt Solaris Aix)

...

Of 22,000 lines in httpd/access_log, ~13,500 are *probably* virus access attempts. That is appalling. This traffic approaches or exceeds the weight of spam traffic.

There is not much you can do either stop offering services to the world or secure your servers chrooting is a very good idea along with DMZ and Intrusin Detection And no these will also 100 % guarantee that you will not have these and you will not be 100 % safe So relax -- Togan Muftuoglu Unofficial SuSE FAQ Maintainer http://dinamizm.ath.cx

Tom Emerson

18:07

New subject: [SLE] how to block http access from specific ip's

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Thursday 20 March 2003 5:02 am, Peer Stefan wrote:

...

...
From: Patrick Shanahan [mailto:WideGlide@MyRealBox.com] abuse@rr.com has been contacted also, but they do not want it. ... firewall: Mar 20 06:44:18 wahoo kernel: SuSE-FW-ACCEPT IN=eth0 OUT= ... SPT=1492 DPT=80

Hmm, apparently I got you wrong in the previous mails. It's pure HTTP, and you won't get traces with netstat ...

This looks pretty much like Nimda, as long as no IIS is running (apparently never on a linux box :-) it's just filling up logs. Have a look at

One thought: since "nimda" comes from an infected SERVER (not a client) try browsing it by the advertised IP address -- you may be able to find some contact info and let the guy know directly that they have a problem. [also, if the content being served is, ummm, "questionable", then perhaps the RR folks will take notice...] - -- Yet another Blog: http://osnut.homelinux.net -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) Comment: http://osnut.homelinux.net/TomEmerson.asc iD8DBQE+egNTV/YHUqq2SwsRAuO8AJ9IkEwVcnvio8qYB2QRhr6qcvonCwCfdwpI zecHDwUFGXQFN9mvw7yn6oo= =Delh -----END PGP SIGNATURE-----

Patrick Shanahan

21:16

New subject: [SLE] how to block http access from specific ip's

* Tom Emerson [03-20-03 14:57]:

...

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

On Thursday 20 March 2003 5:02 am, Peer Stefan wrote:

...
...
From: Patrick Shanahan [mailto:WideGlide@MyRealBox.com] abuse@rr.com has been contacted also, but they do not want it. ... firewall: Mar 20 06:44:18 wahoo kernel: SuSE-FW-ACCEPT IN=eth0 OUT= ... SPT=1492 DPT=80

Hmm, apparently I got you wrong in the previous mails. It's pure HTTP, and you won't get traces with netstat ...

This looks pretty much like Nimda, as long as no IIS is running (apparently never on a linux box :-) it's just filling up logs. Have a look at

One thought: since "nimda" comes from an infected SERVER (not a client) try browsing it by the advertised IP address -- you may be able to find some contact info and let the guy know directly that they have a problem. [also, if the content being served is, ummm, "questionable", then perhaps the RR folks will take notice...]

Minimochi

21:43

New subject: [SLE] how to block http access from specific ip's

What about using /etc/hosts.deny? You should add "service : address" Patrick Shanahan wrote:* Tom Emerson [03-20-03 14:57]:

...

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

On Thursday 20 March 2003 5:02 am, Peer Stefan wrote:

...
...
From: Patrick Shanahan [mailto:WideGlide@MyRealBox.com] abuse@rr.com has been contacted also, but they do not want it. ... firewall: Mar 20 06:44:18 wahoo kernel: SuSE-FW-ACCEPT IN=eth0 OUT= ... SPT=1492 DPT=80

Hmm, apparently I got you wrong in the previous mails. It's pure HTTP, and you won't get traces with netstat ...

This looks pretty much like Nimda, as long as no IIS is running (apparently never on a linux box :-) it's just filling up logs. Have a look at

One thought: since "nimda" comes from an infected SERVER (not a client) try browsing it by the advertised IP address -- you may be able to find some contact info and let the guy know directly that they have a problem. [also, if the content being served is, ummm, "questionable", then perhaps the RR folks will take notice...]

I do not think, although I cannot understand, that RoadRunner is *interested*. I have reported this particular site, 24.208.133.143, twice in the last 3 days, Tuesday and Wednesday. I intend to report it again today and bang on the chat-help although I have *no* faith that anyone on the other end will understand what I am talking about. They keep asking me if it is *spam* . -- Patrick Shanahan Please avoid TOFU and trim >quotes< http://wahoo.no-ip.org Registered Linux User #207535 icq#173753138 @ http://counter.li.org Linux, a continuous *learning* experience -- Check the headers for your unsubscription address For additional commands send e-mail to suse-linux-e-help@suse.com Also check the archives at http://lists.suse.com Please read the FAQs: suse-linux-e-faq@suse.com --------------------------------- Do you Yahoo!? Yahoo! Platinum - Watch CBS' NCAA March Madness, live on your desktop!

Tom Emerson

21:44

New subject: [SLE] how to block http access from specific ip's

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Thursday 20 March 2003 1:16 pm, Patrick Shanahan wrote:

...

* Tom Emerson [03-20-03 14:57]:

...

...
[also, if the content being served is, ummm, "questionable", then perhaps the RR folks will take notice...]

I do not think, although I cannot understand, that RoadRunner is *interested*. ... They keep asking me if it is *spam* <grin>.

So, tell them it is spam (or at the very least that you consider it "abuse" as it is using resources against your wishes, though it is kind of hard to support the claim that web requests are "against your wishes" when you do, in fact, run a web server) I sent a similar item to my ISP's abuse department for an identical problem: another PB customer was sending me those very same "cmd.exe?" requests -- I verified that it was another PB customer via a traceroute that showed the last hop before the "cust-rtr" [customer router, I presume] was a numbered DSL line similar to the one I have. In any case, the cmd.exe requests stopped almost immediately, then two days later they were replaced with "default.ida?XXXXXXXXXXX's forever..." from the same IP address (dunno which is worse, this long entry or a dozen shorter cmd.exe entries...) [you can see what I'm getting hit with and how often at this location: http://osnut.homelinux.net/awstats.osnut.homelinux.net.errors404.html be aware that MOST of these have indeed been coming from the same address] Version 5.5 of awstats "cleans up" that "default.ida?" entry by ignoring the query string, but it is still in development (a quick check of my logs does show you've taken a look before, but I don't think you saw the "errors" page) - -- Yet another Blog: http://osnut.homelinux.net -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) Comment: http://osnut.homelinux.net/TomEmerson.asc iD8DBQE+ejYuV/YHUqq2SwsRAjlbAJoCS2Ywd32aD8C3UTFcenZnVEafqQCfbkrE 5wVgujBVahfGJoqfuPGWdxw= =XEcY -----END PGP SIGNATURE-----

Patrick Shanahan

21:58

New subject: [SLE] how to block http access from specific ip's

* Tom Emerson [03-20-03 16:49]:

...

(a quick check of my logs does show you've taken a look before, but I don't think you saw the "errors" page)

Yes, I am aware of the error logs. My error_log is 5381 lines since 14 Feb. One *nice* thing about the error_log, almost all the entries are probable nimda/code red virus attack attempts. -- Patrick Shanahan Please avoid TOFU and trim >quotes< http://wahoo.no-ip.org Registered Linux User #207535 icq#173753138 @ http://counter.li.org Linux, a continuous *learning* experience

Tom Emerson

22:47

New subject: [SLE] how to block http access from specific ip's

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Previously I wrote:

...

One thought: since "nimda" comes from an infected SERVER (not a client) try browsing it by the advertised IP address

On a whim I decided to try it, then I found out/realized this is a "dhcp" address, meaning what hits you TODAY may come from a different source TOMORROW (and if you block THIS address, somewhere down the line a legitimate user may want to view your site, but "by chance" they happen to have the "blocked" IP address right then...) This might also explain (to a degree) why RR's techs don't want to deal with it: it is/was "transient", so if they looked "right now" it may not be a problem (or worse, you'd be fingering an innocent bystander) OF COURSE this means they would need to correlate your logs with theirs [via timestamps] "but that would require work" ;) Overall your best bet is to contact the abuse department [which you're doing] and if they want to call it spam, call it spam -- it's not YOUR fault they have problems classifying abusive network traffic. Either way, this will eventually get that particular user/server "pulled" until they clean up their server, and "overall for the health of the net", that is a good thing :) - -- Yet another Blog: http://osnut.homelinux.net -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) Comment: http://osnut.homelinux.net/TomEmerson.asc iD8DBQE+ekUDV/YHUqq2SwsRAtiBAJwLIvUAYFBsG0V29qdS8EIhv8X/rgCfQQs3 sU9qXVsVjAh3oz7Df56ftxY= =8bmJ -----END PGP SIGNATURE-----

Patrick Shanahan

23:17

New subject: [SLE] how to block http access from specific ip's

* Tom Emerson [03-20-03 17:51]:

...

Previously I wrote:

...
One thought: since "nimda" comes from an infected SERVER (not a client) try browsing it by the advertised IP address

On a whim I decided to try it, then I found out/realized this is a "dhcp" address, meaning what hits you TODAY may come from a different source TOMORROW (and if you block THIS address, somewhere down the line a legitimate user may want to view your site, but "by chance" they happen to have the "blocked" IP address right then...)

Yes, it is a dhcp address as is mine. But, I have had the same ip for 15 months now. Unless you have problems, replace modem or leave the net for an extended period, it seems that they do not change the ip. I show an infinite lease on mine. ???

...

This might also explain (to a degree) why RR's techs don't want to deal with it: it is/was "transient", so if they looked "right now" it may not be a problem (or worse, you'd be fingering an innocent bystander) OF COURSE this means they would need to correlate your logs with theirs [via timestamps] "but that would require work" ;)

They may have finally got to 24.208.133.143. He was hitting me 15 to 20 times a day and the last time today was at 06:44 -0500 my time.

...

Overall your best bet is to contact the abuse department [which you're doing] and if they want to call it spam, call it spam -- it's not YOUR fault they have problems classifying abusive network traffic. Either way, this will eventually get that particular user/server "pulled" until they clean up their server, and "overall for the health of the net", that is a good thing :)

I believe that I will start reporting them all. Seems most are rr or rogersnet. One that has hit me 13 times today is 24.208.172.161, Videon CableSystems Alberta Inc VDN-MAX-IA (NET-24-108-168-0-1). No address for the ip contact via whois. The incidents have all been the /default.ida?XXXXXXXXXX type. Geektools says it is RR <grin>. -- Patrick Shanahan Please avoid TOFU and trim >quotes< http://wahoo.no-ip.org Registered Linux User #207535 icq#173753138 @ http://counter.li.org Linux, a continuous *learning* experience

7716

Age (days ago)

7716

Last active (days ago)

List overview

Download

9 comments

5 participants

participants (5)

Minimochi
Patrick Shanahan
Peer Stefan
Togan Muftuoglu
Tom Emerson