Home | Content | Search | Navigation | Indexes
 

Mailinglist Archive: opensuse (3103 mails)

< Previous Next >
intrusion detected running apache inetd and SuSEFirewall2 (SuSE8.0)
[dual-boot pc running MS Win ME + SuSE 8.0]

I have just managed to get the latest Conexant "winmodem" driver to enable my
modem
and decided to get some updates via YOU (particularly security patches).

While using YOU to update over dial-up I noticed what seems to be intrusive
activity via port 80.

NOTE: I am also running inetd/apache for learning/play purposes (should they be,
while online?)

Is there a way that I can modify my setup to prevent this (FW_SERVICES_EXT_TCP
seems
to be a likely culprit) ?

(see below
extracts from dmesg ;
/var/log/httpd/error_log ;
/var/log/httpd/access_log ;
and my /etc/sysconfig/SuSEfirewall2)
--------------------------------------------------------------------------------
------------------------------------------------

dmesg
-----
SuSE-FW-ACCEPT IN=ppp0 OUT= MAC= SRC=62.60.157.180 DST=62.60.60.49 LEN=48
TOS=0x00 PREC=0x00 TTL=109 ID=36025 DF PROTO=TCP SPT=1177 DPT=80 WINDOW=16384
RES=0x00 SYN URGP=0 OPT (020405B401010402)
SuSE-FW-ACCEPT IN=ppp0 OUT= MAC= SRC=62.60.157.180 DST=62.60.60.49 LEN=48
TOS=0x00 PREC=0x00 TTL=109 ID=36619 DF PROTO=TCP SPT=1412 DPT=80 WINDOW=16384
RES=0x00 SYN URGP=0 OPT (020405B401010402)
SuSE-FW-ACCEPT IN=ppp0 OUT= MAC= SRC=62.60.157.180 DST=62.60.60.49 LEN=48
TOS=0x00 PREC=0x00 TTL=109 ID=38203 DF PROTO=TCP SPT=2028 DPT=80 WINDOW=16384
RES=0x00 SYN URGP=0 OPT (020405B401010402)
SuSE-FW-ACCEPT IN=ppp0 OUT= MAC= SRC=62.60.157.180 DST=62.60.60.49 LEN=48
TOS=0x00 PREC=0x00 TTL=109 ID=41498 DF PROTO=TCP SPT=3309 DPT=80 WINDOW=16384
RES=0x00 SYN URGP=0 OPT (020405B401010402)
SuSE-FW-ACCEPT IN=ppp0 OUT= MAC= SRC=62.60.157.180 DST=62.60.60.49 LEN=48
TOS=0x00 PREC=0x00 TTL=109 ID=42116 DF PROTO=TCP SPT=3556 DPT=80 WINDOW=16384
RES=0x00 SYN URGP=0 OPT (020405B401010402)
SuSE-FW-ACCEPT IN=ppp0 OUT= MAC= SRC=62.60.157.180 DST=62.60.60.49 LEN=48
TOS=0x00 PREC=0x00 TTL=109 ID=42660 DF PROTO=TCP SPT=3765 DPT=80 WINDOW=16384
RES=0x00 SYN URGP=0 OPT (020405B401010402)
SuSE-FW-ACCEPT IN=ppp0 OUT= MAC= SRC=62.60.157.180 DST=62.60.60.49 LEN=48
TOS=0x00 PREC=0x00 TTL=109 ID=43728 DF PROTO=TCP SPT=4165 DPT=80 WINDOW=16384
RES=0x00 SYN URGP=0 OPT (020405B401010402)
SuSE-FW-ACCEPT IN=ppp0 OUT= MAC= SRC=62.60.157.180 DST=62.60.60.49 LEN=48
TOS=0x00 PREC=0x00 TTL=109 ID=44103 DF PROTO=TCP SPT=4165 DPT=80 WINDOW=16384
RES=0x00 SYN URGP=0 OPT (020405B401010402)
SuSE-FW-ACCEPT IN=ppp0 OUT= MAC= SRC=62.60.157.180 DST=62.60.60.49 LEN=48
TOS=0x00 PREC=0x00 TTL=109 ID=44691 DF PROTO=TCP SPT=4544 DPT=80 WINDOW=16384
RES=0x00 SYN URGP=0 OPT (020405B401010402)
SuSE-FW-ACCEPT IN=ppp0 OUT= MAC= SRC=62.60.157.180 DST=62.60.60.49 LEN=48
TOS=0x00 PREC=0x00 TTL=109 ID=45080 DF PROTO=TCP SPT=4544 DPT=80 WINDOW=16384
RES=0x00 SYN URGP=0 OPT (020405B401010402)
SuSE-FW-ACCEPT IN=ppp0 OUT= MAC= SRC=62.60.157.180 DST=62.60.60.49 LEN=48
TOS=0x00 PREC=0x00 TTL=109 ID=7480 DF PROTO=TCP SPT=3664 DPT=80 WINDOW=16384
RES=0x00 SYN URGP=0 OPT (020405B401010402)
SuSE-FW-ACCEPT IN=ppp0 OUT= MAC= SRC=62.60.157.180 DST=62.60.60.49 LEN=48
TOS=0x00 PREC=0x00 TTL=109 ID=7662 DF PROTO=TCP SPT=3664 DPT=80 WINDOW=16384
RES=0x00 SYN URGP=0 OPT (020405B401010402)
SuSE-FW-ACCEPT IN=ppp0 OUT= MAC= SRC=62.60.157.180 DST=62.60.60.49 LEN=48
TOS=0x00 PREC=0x00 TTL=109 ID=7898 DF PROTO=TCP SPT=3664 DPT=80 WINDOW=16384
RES=0x00 SYN URGP=0 OPT (020405B401010402)

/var/log/httpd/error_log
------------------------
[Wed Feb 26 14:19:42 2003] [error] [client 62.60.157.180] File does not exist:
/usr/local/httpd/htdocs/scripts/root.exe
[Wed Feb 26 14:19:52 2003] [error] [client 62.60.157.180] File does not exist:
/usr/local/httpd/htdocs/MSADC/root.exe
[Wed Feb 26 14:20:01 2003] [error] [client 62.60.157.180] File does not exist:
/usr/local/httpd/htdocs/c/winnt/system32/cmd.exe
[Wed Feb 26 14:20:28 2003] [error] [client 62.60.157.180] File does not exist:
/usr/local/httpd/htdocs/d/winnt/system32/cmd.exe
[Wed Feb 26 14:20:32 2003] [error] [client 62.60.157.180] File does not exist:
/usr/local/httpd/htdocs/scripts/..%5c../winnt/system32/cmd.exe
[Wed Feb 26 14:20:38 2003] [error] [client 62.60.157.180] File does not exist:
/usr/local/httpd/htdocs/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Wed Feb 26 14:20:50 2003] [error] [client 62.60.157.180] File does not exist:
/usr/local/httpd/htdocs/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe


/var/log/httpd/access_log
-------------------------
62.60.157.180 - - [26/Feb/2003:10:41:20 +0000] "GET /scripts/root.exe?/c+dir
HTTP/1.0" 404 278
62.60.157.180 - - [26/Feb/2003:11:18:32 +0000] "GET /scripts/root.exe?/c+dir
HTTP/1.0" 404 278
62.60.157.180 - - [26/Feb/2003:11:18:36 +0000] "GET /MSADC/root.exe?/c+dir
HTTP/1.0" 404 276
62.60.157.180 - - [26/Feb/2003:11:18:41 +0000] "GET
/c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 286
62.60.157.180 - - [26/Feb/2003:11:18:44 +0000] "GET
/d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 286
62.60.157.180 - - [26/Feb/2003:11:19:01 +0000] "GET
/scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 300
62.60.157.180 - - [26/Feb/2003:11:19:08 +0000] "GET
/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0"
404 317
62.60.157.180 - - [26/Feb/2003:12:35:22 +0000] "GET /scripts/root.exe?/c+dir
HTTP/1.0" 404 278
62.60.157.180 - - [26/Feb/2003:12:35:27 +0000] "GET /MSADC/root.exe?/c+dir
HTTP/1.0" 404 276
62.60.157.180 - - [26/Feb/2003:14:19:42 +0000] "GET /scripts/root.exe?/c+dir
HTTP/1.0" 404 278
62.60.157.180 - - [26/Feb/2003:14:19:52 +0000] "GET /MSADC/root.exe?/c+dir
HTTP/1.0" 404 276
62.60.157.180 - - [26/Feb/2003:14:20:01 +0000] "GET
/c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 286
62.60.157.180 - - [26/Feb/2003:14:20:28 +0000] "GET
/d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 286
62.60.157.180 - - [26/Feb/2003:14:20:32 +0000] "GET
/scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 300
62.60.157.180 - - [26/Feb/2003:14:20:38 +0000] "GET
/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0"
404 317
62.60.157.180 - - [26/Feb/2003:14:20:50 +0000] "GET
/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0"
404 317


/etc/sysconfig/SuSEfirewall2
----------------------------

FW_DEV_EXT="ppp0"

FW_DEV_INT=""

FW_DEV_DMZ=""

FW_ROUTE="no"

FW_MASQUERADE="no"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS=""

FW_PROTECT_FROM_INTERNAL="yes"

FW_AUTOPROTECT_SERVICES="yes"

FW_SERVICES_EXT_TCP="http https pop3 pop3s smtp" (## ??? ##)
FW_SERVICES_EXT_UDP=""
FW_SERVICES_EXT_IP=""
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_INT_TCP=""
FW_SERVICES_INT_UDP=""
FW_SERVICES_INT_IP=""

FW_TRUSTED_NETS=""

FW_ALLOW_INCOMING_HIGHPORTS_TCP="no"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="DNS"

FW_SERVICE_AUTODETECT="yes"
FW_SERVICE_DNS="no"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="no"
FW_SERVICE_SQUID="no"
FW_SERVICE_SAMBA="no"

FW_FORWARD=""

FW_FORWARD_MASQ=""

FW_REDIRECT=""

FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix
SuSE-FW"

FW_KERNEL_SECURITY="yes"

FW_STOP_KEEP_ROUTING_STATE="no"

FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="no"



FW_ALLOW_FW_TRACEROUTE="yes"

FW_ALLOW_FW_SOURCEQUENCH="yes"

FW_ALLOW_FW_BROADCAST="no"
FW_IGNORE_FW_BROADCAST="yes"

FW_ALLOW_CLASS_ROUTING="no"


< Previous Next >
Follow Ups