Hi! Dunno if this is the right list, but I need help blocking IPs from access to my network. I get a few "tries" similar to:

213.66.14.220 - - [02/Nov/2002:16:46:13 +0100] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 270
213.66.14.220 - - [02/Nov/2002:16:46:16 +0100] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 268
213.66.14.220 - - [02/Nov/2002:16:46:19 +0100] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 278
213.66.14.220 - - [02/Nov/2002:16:46:23 +0100] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 278

And so forth... Is there a way to block them automagically, or do I have to do it "by hand"?

Also: I nmap my gateway:

server:~ # nmap -sT 213.66.182.24

Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Interesting ports on qux.foo.bar (xxx.yyy.zzz.qqq):
(The 1515 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
22/tcp     open        ssh
80/tcp     open        http
111/tcp    open        sunrpc
139/tcp    open        netbios-ssn
631/tcp    open        unknown
1009/tcp   open        unknown
1025/tcp   open        listen

Nmap run completed -- 1 IP address (1 host up) scanned in 1 second

I run iptables and try to block 111, 139, 631, 1009 and 1025:

iptables -A INPUT -p tcp --destination-port 111 -i eth0 -j DROP

but it is still open if I check again. Why?

-- 
/Rikard
------------------------------------------------------------------------------------
Rikard Johnels    email : rjhn@linux.nu
                  Web   : http://www.rikjoh.com
                  Mob   : +46 70 464 99 39
------------------------ Public PGP fingerprint ----------------------------
< 15 28 DF 78 67 98 B2 16 1F D3 FD C5 59 D4 B6 78 46 1C EE 56 >
* Rikard Johnels;
> Hi! Dunno if this is the right list, but I need help blocking IPs from access to my network. I get a few "tries" similar to:
> 213.66.14.220 - - [02/Nov/2002:16:46:13 +0100] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 270
> Is there a way to block them automagically, or do I have to do it "by hand"?

Use Apache itself:

SetEnvIf Request_URI "root.exe|cmd.exe|default.ida" bad-req
ErrorLog /var/log/httpd/faq_error.log
CustomLog /var/log/httpd/faq_acces.log combined env=!bad-req

Use it in your server conf and these things will not show in your logs.

> Also: I nmap my gateway:
> Nmap run completed -- 1 IP address (1 host up) scanned in 1 second
> I run iptables and try to block 111, 139, 631, 1009 and 1025:
> iptables -A INPUT -p tcp --destination-port 111 -i eth0 -j DROP
> but it is still open if I check again. Why?

Where did you run the nmap from? Inside?

-- 
Togan Muftuoglu
Unofficial SuSE FAQ Maintainer
http://dinamizm.ath.cx
Hi

> 213.66.14.220 - - [02/Nov/2002:16:46:13 +0100] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 270

Someone is trying to see if they can creep in through your web server...

> And so forth... Is there a way to block them automagically, or do I have to do it "by hand"?

From http://freshmeat.net you could find some clever scripts that can do it.

> Also: I nmap my gateway: server:~ # nmap -sT 213.66.182.24

Did you do it from "outside" or from the gateway/LAN? The result is different.

> Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
> Interesting ports on qux.foo.bar (xxx.yyy.zzz.qqq):
> (The 1515 ports scanned but not shown below are in state: closed)
> Port       State       Service
> 21/tcp     open        ftp
> 22/tcp     open        ssh
> 80/tcp     open        http
> 111/tcp    open        sunrpc
> 139/tcp    open        netbios-ssn
> 631/tcp    open        unknown
> 1009/tcp   open        unknown
> 1025/tcp   open        listen
> Nmap run completed -- 1 IP address (1 host up) scanned in 1 second
> I run iptables and try to block 111, 139, 631, 1009 and 1025:
> iptables -A INPUT -p tcp --destination-port 111 -i eth0 -j DROP
> but it is still open if I check again. Why?

Have a look in /etc/inetd.conf; some of the services might be there, and they come before the firewall in the incoming queue.

Jaska.
On Saturday 02 November 2002 18.23, jaakko tamminen wrote:
> Hi
>
>> 213.66.14.220 - - [02/Nov/2002:16:46:13 +0100] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 270
>
> Someone is trying to see if they can creep in through your web server...
>
>> And so forth... Is there a way to block them automagically, or do I have to do it "by hand"?
>
> From http://freshmeat.net you could find some clever scripts that can do it.
>
>> Also: I nmap my gateway: server:~ # nmap -sT 213.66.182.24
>
> Did you do it from "outside" or from the gateway/LAN? The result is different.
>
>> Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
>> Interesting ports on qux.foo.bar (xxx.yyy.zzz.qqq):
>> (The 1515 ports scanned but not shown below are in state: closed)
>> Port       State       Service
>> 21/tcp     open        ftp
>> 22/tcp     open        ssh
>> 80/tcp     open        http
>> 111/tcp    open        sunrpc
>> 139/tcp    open        netbios-ssn
>> 631/tcp    open        unknown
>> 1009/tcp   open        unknown
>> 1025/tcp   open        listen
>> Nmap run completed -- 1 IP address (1 host up) scanned in 1 second
>> I run iptables and try to block 111, 139, 631, 1009 and 1025:
>> iptables -A INPUT -p tcp --destination-port 111 -i eth0 -j DROP
>> but it is still open if I check again. Why?
>
> Have a look in /etc/inetd.conf; some of the services might be there, and they come before the firewall in the incoming queue.
>
> Jaska.

That someone is trying is obvious :) The thing is, I have TWO attempts of the exact same type in less than 1 hr: [02/Nov/2002:16:09:41 +0100] and [02/Nov/2002:16:46:13 +0100]. One address in Germany and one in Sweden. Go figure...

I scanned from the "inside", that is, from the server itself. I have no way of scanning from the outside at this point.. :(

The inetd.conf is "clean" (i.e. nothing enabled).

So how can I check "myself"?

-- 
/Rikard
* Rikard Johnels;
> On Saturday 02 November 2002 18.23, jaakko tamminen wrote:
> I scanned from the "inside", that is, from the server itself. I have no way of scanning from the outside at this point.. :(
> The inetd.conf is "clean" (i.e. nothing enabled).
> So how can I check "myself"?

http://www.inprotect.com
http://www.securityspace.com

They do scan you as long as you are willing to :-)

-- 
Togan Muftuoglu
Unofficial SuSE FAQ Maintainer
http://dinamizm.ath.cx
On Saturday 02 November 2002 18.02, Togan Muftuoglu wrote:
> * Rikard Johnels;
> on 02 Nov, 2002 wrote:
>> On Saturday 02 November 2002 18.23, jaakko tamminen wrote:
>> I scanned from the "inside", that is, from the server itself. I have no way of scanning from the outside at this point.. :(
>> The inetd.conf is "clean" (i.e. nothing enabled).
>> So how can I check "myself"?
>
> http://www.inprotect.com
> http://www.securityspace.com
>
> They do scan you as long as you are willing to :-)

I added the lines suggested. I DO get the faq-access log, but still the old one too.. a lesser problem though...

What is the iptables syntax for blocking the specified IP?

Is there any use reporting such attempts?

-- 
/Rikard
* Rikard Johnels;
> On Saturday 02 November 2002 18.02, Togan Muftuoglu wrote:
> I added the lines suggested. I DO get the faq-access log, but still the old one too.. a lesser problem though...

Well, I sent you my very own configuration; you *should* have adapted it to your needs, i.e. the name of the log file.

> What is the iptables syntax for blocking the specified IP?

I suggest you use SuSEfirewall2, and to learn more about iptables: http://iptables-tutorial.frozentux.net/chunkyhtml/book1.html

> Is there any use reporting such attempts?

I know two of them: http://www.dshield.org and http://analyzer.securityfocus.com. Basically, with the aid of the programs/scripts you will find in the above locations you can pretty much automate the process. But the real truth of the matter: is it worth it? Have they cracked in? What is the damage they have done? If it is just a few more lines in your log files, skip it.

-- 
Togan Muftuoglu
Unofficial SuSE FAQ Maintainer
http://dinamizm.ath.cx
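As an added example that none of the participants posted: a POSIX shell script that turns Togan's SetEnvIf pattern into blocking rather than log filtering. It pulls the client addresses of root.exe/cmd.exe/default.ida requests (the probes the Nimda and Code Red worms send while looking for IIS hosts) out of access-log lines and prints one `iptables -I INPUT -s ... -j DROP` rule per address, which is the syntax Rikard asked for, plus the port rules he was trying to write. The sample log lines, the 192.0.2.x and 198.51.100.x addresses (documentation ranges, not real scanners) and the APPLY variable are constructed for this example. It also records why the scan from the server itself still showed the ports open: a rule with `-i eth0` matches only packets that arrive on eth0, and a connection the host makes to its own address travels over lo, so the rule was never consulted.

```shell
#!/bin/sh
# Added example (not from the thread): derive iptables rules from the probe
# lines in an Apache access log, plus the port rules Rikard was trying to
# write. Generated commands are printed for review; APPLY=1 executes them.

# Constructed sample access-log lines in Apache common/combined layout,
# modelled on the ones posted. 192.0.2.77 and 198.51.100.5 are
# documentation addresses, not real scanners.
SAMPLE_LOG='213.66.14.220 - - [02/Nov/2002:16:46:13 +0100] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 270
213.66.14.220 - - [02/Nov/2002:16:46:16 +0100] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 268
192.0.2.77 - - [02/Nov/2002:16:09:41 +0100] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 278
198.51.100.5 - - [02/Nov/2002:16:50:02 +0100] "GET /index.html HTTP/1.0" 200 1536
192.0.2.77 - - [02/Nov/2002:16:09:45 +0100] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 278'

# Distinct client IPs whose request path matches the same pattern as the
# SetEnvIf line (root.exe, cmd.exe, default.ida). In a log line field 1 is
# the client address and field 7 the request path. Reads the log on stdin,
# so a real file works too: offending_ips < /var/log/httpd/access_log
offending_ips() {
    awk '$7 ~ /root\.exe|cmd\.exe|default\.ida/ { print $1 }' | sort -u
}

# One DROP rule per offending IP. -I inserts at the head of INPUT so the
# rule wins over any earlier ACCEPT that lets port 80 through.
block_rules() {
    offending_ips | while read -r ip; do
        echo "iptables -I INPUT -s $ip -j DROP"
    done
}

# Rules for the listeners nmap found. -i eth0 is right for traffic from the
# outside, but a scan run on the server against its own address is carried
# over lo, so these rules never match it and the ports still look open.
# Verify from the rule counters (iptables -L INPUT -v -n) and from the
# listening sockets (netstat -tln, or ss -tln) instead of a local nmap.
port_rules() {
    for port in 111 139 631 1009 1025; do
        echo "iptables -A INPUT -p tcp --dport $port -i eth0 -j DROP"
    done
}

# Print the generated commands for review, or run them as root if APPLY=1.
apply_or_print() {
    if [ "${APPLY:-0}" = 1 ]; then sh -e; else cat; fi
}

printf '%s\n' "$SAMPLE_LOG" | block_rules | apply_or_print
port_rules | apply_or_print
```

Run it once without APPLY to read the rules it would add, then as root with `APPLY=1` against the real log (`block_rules < /var/log/httpd/access_log | apply_or_print`). Rules added this way vanish at reboot unless saved (SuSEfirewall2 or iptables-save), and a source-address block only stops that one scanner; shutting down the listeners that are not needed (portmap on 111, Samba on 139, CUPS on 631) is the durable fix, and unlike a filter it shows up correctly in a scan from the host itself.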
Hi

As Togan already replied, don't worry, because that is an M$ script kiddie trying to get into an IIS server. You're out of danger. And he also gave you instructions on how to get rid of that message.

To scan from outside, you need someone whom you can trust to do it.

Jaska.

On Saturday 02 November 2002 18:44, Rikard Johnels wrote:
> That someone is trying is obvious :) The thing is, I have TWO attempts of the exact same type in less than 1 hr: [02/Nov/2002:16:09:41 +0100] and [02/Nov/2002:16:46:13 +0100]. One address in Germany and one in Sweden. Go figure...
>
> I scanned from the "inside", that is, from the server itself. I have no way of scanning from the outside at this point.. :(
> The inetd.conf is "clean" (i.e. nothing enabled).
> So how can I check "myself"?
participants (3): jaakko tamminen, Rikard Johnels, Togan Muftuoglu