RE: [SLE] how to block http access from specific ip's
Hi again :)
From: Patrick Shanahan [mailto:WideGlide@MyRealBox.com] abuse@rr.com has been contacted also, but they do not want it. I help-chatted with a RR rep who apparently was reading from a script. He kept asking me if it was spam <grin>. Didn't know about firewall and httpd logs.
Yes I know these reps.
firewall:
Mar 20 06:44:18 wahoo kernel: SuSE-FW-ACCEPT IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=24.208.133.143 DST=192.168.0.2 LEN=48 TOS=0x08 PREC=0x00 TTL=121 ID=31653 DF PROTO=TCP SPT=1492 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Mar 20 06:44:21 wahoo kernel: SuSE-FW-ACCEPT IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=24.208.133.143 DST=192.168.0.2 LEN=48 TOS=0x08 PREC=0x00 TTL=121 ID=32087 DF PROTO=TCP SPT=1588 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Mar 20 06:44:25 wahoo kernel: SuSE-FW-ACCEPT IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=24.208.133.143 DST=192.168.0.2 LEN=48 TOS=0x08 PREC=0x00 TTL=121 ID=32532 DF PROTO=TCP SPT=1674 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
..... there are 11 similar lines
Hmm, apparently I got you wrong in the previous mails. It's pure HTTP, and you won't get traces with netstat ...
httpd:
24.208.133.143 - - [20/Mar/2003:06:44:20 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 282
24.208.133.143 - - [20/Mar/2003:06:44:23 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 280
24.208.133.143 - - [20/Mar/2003:06:44:27 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290
24.208.133.143 - - [20/Mar/2003:06:44:31 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290
24.208.133.143 - - [20/Mar/2003:06:44:34 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304
24.208.133.143 - - [20/Mar/2003:06:44:38 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 321
This looks pretty much like Nimda, as long as no IIS is running (apparently never on a linux box :-) it's just filling up logs. Have a look at http://www.opennet.ru/tips/sml/41.shtml how to block Nimda-requests with iptables. Or use Apache configuration directives to exclude Nimda-requests from your log (http://paulbeard.no-ip.org/movabletype/archives/000054.html).
You can always try the next two commands.
iptables -I INPUT -s 24.208.133.143 -j DROP
iptables -I OUTPUT -d 24.208.133.143 -j DROP
(Don't start the firewall services after entering the two commands.)
iptables -L | grep 24.208.133.143:
DROP all -- dhcp024-208-133-143.insight.rr.com anywhere
DROP all -- dhcp024-208-133-143.insight.rr.com anywhere
DROP all -- anywhere dhcp024-208-133-143.insight.rr.com
Is there a chance that before these DROPs there's something like "ALLOW http ..." ?
If these don't help, I'd begin to check for rootkits and to log the network traffic between your host and the evil IP address. But be careful - according to the hostname it's a DHCP address, so it may be changing.
Will report back, tks
According to the symptoms I don't think of rootkits anymore. I think that http traffic is allowed, no matter what the source address is and your DROPs just come too late in the iptables order. (And I don't think that this user is an evil one who has many computer skills, apart from being a magnet for worms, viruses and trojan horses ;o)
regards, Stefan
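Stefan's point about rule order, illustrated with an added example that is not code from the thread: a small Python model of an iptables INPUT chain with first-match semantics. The chain contents are an assumption about what a distribution firewall script typically leaves in place (ACCEPT for ports 80 and 22 from anywhere); the blocked address is the one from the logs above. The model shows why a DROP appended with -A below the port-80 ACCEPT never fires, why the -I form Stefan gives (insert at position 1) does, and why restarting the firewall service, which rebuilds the chain from its script, silently discards a manually inserted DROP.

```python
from dataclasses import dataclass
from typing import List, Optional

# Added example, not code from the thread: a toy model of an iptables INPUT
# chain.  iptables evaluates rules top to bottom and the first match decides,
# so where a rule sits matters as much as what it says.


@dataclass(frozen=True)
class Rule:
    target: str                  # verdict if the rule matches: ACCEPT or DROP
    src: Optional[str] = None    # source address to match; None means any
    proto: Optional[str] = None  # protocol to match; None means any
    dport: Optional[int] = None  # destination port to match; None means any

    def matches(self, pkt: dict) -> bool:
        return ((self.src is None or self.src == pkt["src"])
                and (self.proto is None or self.proto == pkt["proto"])
                and (self.dport is None or self.dport == pkt["dport"]))


def verdict(chain: List[Rule], pkt: dict, policy: str = "DROP") -> str:
    """First matching rule wins; the chain policy applies if none match."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy


def append(chain: List[Rule], rule: Rule) -> List[Rule]:
    """Like `iptables -A INPUT ...`: the rule goes to the bottom."""
    return chain + [rule]


def insert(chain: List[Rule], rule: Rule, pos: int = 1) -> List[Rule]:
    """Like `iptables -I INPUT [pos] ...`: default position 1 is the top."""
    return chain[:pos - 1] + [rule] + chain[pos - 1:]


def render(chain: List[Rule]) -> str:
    """Rough equivalent of `iptables -L INPUT -n --line-numbers` output."""
    rows = []
    for n, r in enumerate(chain, 1):
        extra = f"dpt:{r.dport}" if r.dport else ""
        rows.append(f"{n:<4}{r.target:<8}{r.proto or 'all':<5}"
                    f"{r.src or '0.0.0.0/0':<18}{extra}")
    return "\n".join(rows)


BAD_IP = "24.208.133.143"  # the address from the logs quoted in the thread

# Constructed (assumption): rules a distribution firewall script leaves in
# INPUT, accepting HTTP and SSH from anywhere.
FIREWALL_SCRIPT = [
    Rule("ACCEPT", proto="tcp", dport=80),
    Rule("ACCEPT", proto="tcp", dport=22),
]
NIMDA_PKT = {"src": BAD_IP, "proto": "tcp", "dport": 80}
VISITOR_PKT = {"src": "192.0.2.10", "proto": "tcp", "dport": 80}


def drop_appended() -> str:
    """-A puts the DROP below the port-80 ACCEPT, so it is never reached."""
    chain = append(FIREWALL_SCRIPT, Rule("DROP", src=BAD_IP))
    return verdict(chain, NIMDA_PKT)


def drop_inserted() -> str:
    """-I puts the DROP at the top, where it is checked before the ACCEPT."""
    chain = insert(FIREWALL_SCRIPT, Rule("DROP", src=BAD_IP))
    return verdict(chain, NIMDA_PKT)


def visitor_after_insert() -> str:
    """The inserted DROP is source-specific; other clients still get through."""
    chain = insert(FIREWALL_SCRIPT, Rule("DROP", src=BAD_IP))
    return verdict(chain, VISITOR_PKT)


def after_firewall_restart() -> str:
    """Restarting the firewall script rebuilds the chain from the script
    alone, so a manually inserted DROP is gone (Stefan's caveat)."""
    chain = list(FIREWALL_SCRIPT)  # rebuilt: only the script's own rules
    return verdict(chain, NIMDA_PKT)


if __name__ == "__main__":
    print(render(insert(FIREWALL_SCRIPT, Rule("DROP", src=BAD_IP))))
    print("appended:", drop_appended(), "inserted:", drop_inserted(),
          "after restart:", after_firewall_restart())
```

On a real box the equivalent check is `iptables -L INPUT -n --line-numbers`: if an ACCEPT with `dpt:80` has a lower number than the DROP for the address, the DROP is dead weight. The outputs above also show why Stefan's parenthetical matters: an `-I` rule entered by hand survives only until the next firewall restart.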
* Peer Stefan
Hi again :) [big snip] This looks pretty much like Nimda, as long as no IIS is running (apparently never on a linux box :-) it's just filling up logs. Have a look at http://www.opennet.ru/tips/sml/41.shtml how to block Nimda-requests with iptables. Or use Apache configuration directives to exclude Nimda-requests from your log (http://paulbeard.no-ip.org/movabletype/archives/000054.html).
I will research these locations later today, have pressing matters for the next 4 hrs.
You can always try the next two commands.
iptables -I INPUT -s 24.208.133.143 -j DROP
iptables -I OUTPUT -d 24.208.133.143 -j DROP
(Don't start the firewall services after entering the two commands.)
iptables -L | grep 24.208.133.143:
DROP all -- dhcp024-208-133-143.insight.rr.com anywhere
DROP all -- dhcp024-208-133-143.insight.rr.com anywhere
DROP all -- anywhere dhcp024-208-133-143.insight.rr.com
Is there a chance that before these DROPs there's something like "ALLOW http ..." ?
No, the three instances quoted above *all* come before *any* references to http or port 80. I do not understand firewall rules well enough. I would think that the *three* 'DROP' rules in the first 50 lines of the report would stop a tank, but ???
According to the symptoms I don't think of rootkits anymore. I think that http traffic is allowed, no matter what the source address is and your DROPs just come too late in the iptables order. (And I don't think that this user is an evil one who has many computer skills, apart from being a magnet for worms, viruses and trojan horses ;o)
No, I agree. I do not believe he is *skilled* ??computer wise?? at all. I have had my web-site up since just before New Years and it is only advertised in my sig so it is probably someone who has read one of the mail lists I have responded to and stored my address. He first hit me 11 Mar and to date I have logged 1333 access attempts in httpd/access_log. I am also amazed that RoadRunner is not more interested/concerned due to the added bandwidth considerations and imminent danger of multiplication thereof. Of 22,000 lines in httpd/access_log, ~13,500 are *probably* virus access attempts. That is appalling. This traffic approaches or exceeds the weight of spam traffic.
-- 
Patrick Shanahan
Please avoid TOFU and trim >quotes<
http://wahoo.no-ip.org
Registered Linux User #207535
icq#173753138 @ http://counter.li.org
Linux, a continuous *learning* experience
* Patrick Shanahan;
No, I agree. I do not believe he is *skilled* ??computer wise?? at all. I have had my web-site up since just before New Years and it is only advertised in my sig so it is probably someone who has read one of the mail lists I have responded to and stored my address. He first hit me
No, that does not have to be.
11 Mar and to date I have logged 1333 access attempts in httpd/access_log.
Then no one has hit you seriously yet:
5281 253K DENY tcp -y---o 0xFF 0x00
This nice gentleman coming from an Asian IP made 253 K of traffic in less than 3 minutes (that is when I had to stop him; before that my logs were also filled with almost all known vulnerabilities possible on Linux, Windows, Sun/Cobalt, Solaris, AIX).
Of 22,000 lines in httpd/access_log, ~13,500 are *probably* virus access attempts. That is appalling. This traffic approaches or exceeds the weight of spam traffic.
There is not much you can do: either stop offering services to the world or secure your servers. Chrooting is a very good idea along with a DMZ and Intrusion Detection. And no, these also will not 100 % guarantee that you will not have these; you will not be 100 % safe. So relax.
-- 
Togan Muftuoglu
Unofficial SuSE FAQ Maintainer
http://dinamizm.ath.cx
On Thursday 20 March 2003 5:02 am, Peer Stefan wrote:
From: Patrick Shanahan [mailto:WideGlide@MyRealBox.com] abuse@rr.com has been contacted also, but they do not want it. ... firewall: Mar 20 06:44:18 wahoo kernel: SuSE-FW-ACCEPT IN=eth0 OUT= ... SPT=1492 DPT=80
Hmm, apparently I got you wrong in the previous mails. It's pure HTTP, and you won't get traces with netstat ...
This looks pretty much like Nimda, as long as no IIS is running (apparently never on a linux box :-) it's just filling up logs. Have a look at
One thought: since "nimda" comes from an infected SERVER (not a client) try browsing it by the advertised IP address -- you may be able to find some contact info and let the guy know directly that they have a problem. [also, if the content being served is, ummm, "questionable", then perhaps the RR folks will take notice...]
-- 
Yet another Blog: http://osnut.homelinux.net
* Tom Emerson
On Thursday 20 March 2003 5:02 am, Peer Stefan wrote:
From: Patrick Shanahan [mailto:WideGlide@MyRealBox.com] abuse@rr.com has been contacted also, but they do not want it. ... firewall: Mar 20 06:44:18 wahoo kernel: SuSE-FW-ACCEPT IN=eth0 OUT= ... SPT=1492 DPT=80
Hmm, apparently I got you wrong in the previous mails. It's pure HTTP, and you won't get traces with netstat ...
This looks pretty much like Nimda, as long as no IIS is running (apparently never on a linux box :-) it's just filling up logs. Have a look at
One thought: since "nimda" comes from an infected SERVER (not a client) try browsing it by the advertised IP address -- you may be able to find some contact info and let the guy know directly that they have a problem. [also, if the content being served is, ummm, "questionable", then perhaps the RR folks will take notice...]
I do not think, although I cannot understand, that RoadRunner is *interested*. I have reported this particular site, 24.208.133.143, twice in the last 3 days, Tuesday and Wednesday. I intend to report it again today and bang on the chat-help although I have *no* faith that anyone on the other end will understand what I am talking about. They keep asking me if it is *spam* <grin>.
-- 
Patrick Shanahan
Please avoid TOFU and trim >quotes<
http://wahoo.no-ip.org
Registered Linux User #207535
icq#173753138 @ http://counter.li.org
Linux, a continuous *learning* experience
What about using /etc/hosts.deny? You should add "service : address"
Patrick Shanahan
On Thursday 20 March 2003 5:02 am, Peer Stefan wrote:
From: Patrick Shanahan [mailto:WideGlide@MyRealBox.com] abuse@rr.com has been contacted also, but they do not want it. ... firewall: Mar 20 06:44:18 wahoo kernel: SuSE-FW-ACCEPT IN=eth0 OUT= ... SPT=1492 DPT=80
Hmm, apparently I got you wrong in the previous mails. It's pure HTTP, and you won't get traces with netstat ...
This looks pretty much like Nimda, as long as no IIS is running (apparently never on a linux box :-) it's just filling up logs. Have a look at
One thought: since "nimda" comes from an infected SERVER (not a client) try browsing it by the advertised IP address -- you may be able to find some contact info and let the guy know directly that they have a problem. [also, if the content being served is, ummm, "questionable", then perhaps the RR folks will take notice...]
I do not think, although I cannot understand, that RoadRunner is *interested*. I have reported this particular site, 24.208.133.143, twice in the last 3 days, Tuesday and Wednesday. I intend to report it again today and bang on the chat-help although I have *no* faith that anyone on the other end will understand what I am talking about. They keep asking me if it is *spam*.
-- 
Patrick Shanahan
Please avoid TOFU and trim >quotes<
http://wahoo.no-ip.org
Registered Linux User #207535
icq#173753138 @ http://counter.li.org
Linux, a continuous *learning* experience
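Two points in the thread invite a worked check: Patrick's estimate that ~13,500 of 22,000 access_log lines are worm probes, and the suggestion to block the source in /etc/hosts.deny. The following is an added example, not code from the thread: a Python classifier that parses Apache common-log lines, tags each request as a Nimda- or Code Red-style probe based on the request strings quoted earlier (root.exe, cmd.exe, the double-encoded ..%255c.. traversal, default.ida; the signature list is an assumption), counts hits per source address, and prints candidate iptables rules for review. It prints iptables rules rather than hosts.deny entries because Apache httpd does not consult tcp_wrappers; hosts.deny only affects services started through tcpd or linked with libwrap, so it would not stop these requests. The sample log is constructed: the first four lines are the requests quoted in the thread, the rest are made up.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional
from urllib.parse import unquote

# Added example, not code from the thread: classify Apache common-log lines as
# worm probes and count them per source address.

# Apache "common" log format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Assumption: request strings typical of the Nimda and Code Red worms, taken
# from the requests quoted in the thread (root.exe, cmd.exe, ..%255c..,
# default.ida).  Matching happens after percent-decoding, see decode().
SIGNATURES = {
    "code_red": ("/default.ida",),
    "nimda": ("root.exe", "cmd.exe", "/winnt/system32/", "..\\"),
}


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def decode(path: str) -> str:
    """Nimda double-encoded its traversal (%255c -> %5c -> backslash), so
    decode twice and lower-case before matching."""
    return unquote(unquote(path)).lower()


def classify(path: str) -> Optional[str]:
    """Name the worm family a request path looks like, or None if benign."""
    p = decode(path)
    for family, needles in SIGNATURES.items():
        if any(n in p for n in needles):
            return family
    return None


def summarize(lines: List[str]) -> dict:
    """Count flagged requests per source address and family."""
    per_ip: Dict[str, Counter] = defaultdict(Counter)
    stats = Counter()
    for line in lines:
        if not line.strip():
            continue
        stats["lines"] += 1
        rec = parse_line(line)
        if rec is None:
            stats["unparsed"] += 1
            continue
        family = classify(rec["path"])
        if family:
            per_ip[rec["ip"]][family] += 1
            stats["flagged"] += 1
    return {"per_ip": dict(per_ip), "stats": stats}


def block_commands(summary: dict, min_hits: int = 3) -> List[str]:
    """Candidate packet-filter rules for addresses with at least min_hits
    probes, printed for review rather than executed.  -I is used, as in the
    thread, so the DROP lands above any ACCEPT for port 80."""
    return [f"iptables -I INPUT -s {ip} -j DROP"
            for ip, fams in sorted(summary["per_ip"].items())
            if sum(fams.values()) >= min_hits]


# Constructed sample: the first four lines are the requests quoted in the
# thread, the rest are made up (Code Red probe, a benign hit, a junk line).
SAMPLE_LOG = """\
24.208.133.143 - - [20/Mar/2003:06:44:20 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 282
24.208.133.143 - - [20/Mar/2003:06:44:23 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 280
24.208.133.143 - - [20/Mar/2003:06:44:27 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290
24.208.133.143 - - [20/Mar/2003:06:44:34 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304
198.51.100.7 - - [20/Mar/2003:07:01:02 -0500] "GET /default.ida?XXXXXXXXXXXXXXXX HTTP/1.0" 404 290
198.51.100.7 - - [20/Mar/2003:07:01:03 -0500] "GET /default.ida?XXXXXXXXXXXXXXXX HTTP/1.0" 404 290
192.0.2.44 - - [20/Mar/2003:07:05:10 -0500] "GET /index.html HTTP/1.1" 200 5120
this line is deliberately not a log record
"""

if __name__ == "__main__":
    result = summarize(SAMPLE_LOG.splitlines())
    for ip, fams in result["per_ip"].items():
        print(ip, dict(fams))
    print(dict(result["stats"]))
    print("\n".join(block_commands(result)))
```

Run against a real access_log (`summarize(open("/var/log/httpd/access_log").readlines())`) the per-address counts give the "probably virus access attempts" figure directly instead of an estimate. The generated DROP rules are printed for a human to review because, as the thread notes, the offending address is a DHCP lease and may later belong to a legitimate visitor; a block should carry an expiry or be revisited.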
On Thursday 20 March 2003 1:16 pm, Patrick Shanahan wrote:
* Tom Emerson
[03-20-03 14:57]:
[also, if the content being served is, ummm, "questionable", then perhaps the RR folks will take notice...]
I do not think, although I cannot understand, that RoadRunner is *interested*. ... They keep asking me if it is *spam* <grin>.
So, tell them it is spam (or at the very least that you consider it "abuse" as it is using resources against your wishes, though it is kind of hard to support the claim that web requests are "against your wishes" when you do, in fact, run a web server)

I sent a similar item to my ISP's abuse department for an identical problem: another PB customer was sending me those very same "cmd.exe?" requests -- I verified that it was another PB customer via a traceroute that showed the last hop before the "cust-rtr" [customer router, I presume] was a numbered DSL line similar to the one I have. In any case, the cmd.exe requests stopped almost immediately, then two days later they were replaced with "default.ida?XXXXXXXXXXX's forever..." from the same IP address (dunno which is worse, this long entry or a dozen shorter cmd.exe entries...)

[you can see what I'm getting hit with and how often at this location: http://osnut.homelinux.net/awstats.osnut.homelinux.net.errors404.html be aware that MOST of these have indeed been coming from the same address] Version 5.5 of awstats "cleans up" that "default.ida?" entry by ignoring the query string, but it is still in development (a quick check of my logs does show you've taken a look before, but I don't think you saw the "errors" page)
-- 
Yet another Blog: http://osnut.homelinux.net
* Tom Emerson
(a quick check of my logs does show you've taken a look before, but I don't think you saw the "errors" page)
Yes, I am aware of the error logs. My error_log is 5381 lines since 14 Feb. One *nice* thing about the error_log, almost all the entries are probable nimda/code red virus attack attempts.
-- 
Patrick Shanahan
Please avoid TOFU and trim >quotes<
http://wahoo.no-ip.org
Registered Linux User #207535
icq#173753138 @ http://counter.li.org
Linux, a continuous *learning* experience
Previously I wrote:
One thought: since "nimda" comes from an infected SERVER (not a client) try browsing it by the advertised IP address
On a whim I decided to try it, then I found out/realized this is a "dhcp" address, meaning what hits you TODAY may come from a different source TOMORROW (and if you block THIS address, somewhere down the line a legitimate user may want to view your site, but "by chance" they happen to have the "blocked" IP address right then...)

This might also explain (to a degree) why RR's techs don't want to deal with it: it is/was "transient", so if they looked "right now" it may not be a problem (or worse, you'd be fingering an innocent bystander) OF COURSE this means they would need to correlate your logs with theirs [via timestamps] "but that would require work" ;)

Overall your best bet is to contact the abuse department [which you're doing] and if they want to call it spam, call it spam -- it's not YOUR fault they have problems classifying abusive network traffic. Either way, this will eventually get that particular user/server "pulled" until they clean up their server, and "overall for the health of the net", that is a good thing :)
-- 
Yet another Blog: http://osnut.homelinux.net
* Tom Emerson
Previously I wrote:
One thought: since "nimda" comes from an infected SERVER (not a client) try browsing it by the advertised IP address
On a whim I decided to try it, then I found out/realized this is a "dhcp" address, meaning what hits you TODAY may come from a different source TOMORROW (and if you block THIS address, somewhere down the line a legitimate user may want to view your site, but "by chance" they happen to have the "blocked" IP address right then...)
Yes, it is a dhcp address as is mine. But, I have had the same ip for 15 months now. Unless you have problems, replace modem or leave the net for an extended period, it seems that they do not change the ip. I show an infinite lease on mine. ???
This might also explain (to a degree) why RR's techs don't want to deal with it: it is/was "transient", so if they looked "right now" it may not be a problem (or worse, you'd be fingering an innocent bystander) OF COURSE this means they would need to correlate your logs with theirs [via timestamps] "but that would require work" ;)
They may have finally got to 24.208.133.143. He was hitting me 15 to 20 times a day and the last time today was at 06:44 -0500 my time.
Overall your best bet is to contact the abuse department [which you're doing] and if they want to call it spam, call it spam -- it's not YOUR fault they have problems classifying abusive network traffic. Either way, this will eventually get that particular user/server "pulled" until they clean up their server, and "overall for the health of the net", that is a good thing :)
I believe that I will start reporting them all. Seems most are rr or rogersnet. One that has hit me 13 times today is 24.208.172.161, Videon CableSystems Alberta Inc VDN-MAX-IA (NET-24-108-168-0-1). No address for the ip contact via whois. The incidents have all been the /default.ida?XXXXXXXXXX type. Geektools says it is RR <grin>.
-- 
Patrick Shanahan
Please avoid TOFU and trim >quotes<
http://wahoo.no-ip.org
Registered Linux User #207535
icq#173753138 @ http://counter.li.org
Linux, a continuous *learning* experience
participants (5): Minimochi, Patrick Shanahan, Peer Stefan, Togan Muftuoglu, Tom Emerson