Hi again :)
From: Patrick Shanahan [mailto:WideGlide@MyRealBox.com] abuse@rr.com has been contacted also, but they do not want it. I help-chatted with a RR rep who apparently was reading from a script. He kept asking me if it was spam <grin>. Didn't know about firewall and httpd logs.
Yes I know these reps.
firewall:
Mar 20 06:44:18 wahoo kernel: SuSE-FW-ACCEPT IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=24.208.133.143 DST=192.168.0.2 LEN=48 TOS=0x08 PREC=0x00 TTL=121 ID=31653 DF PROTO=TCP SPT=1492 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Mar 20 06:44:21 wahoo kernel: SuSE-FW-ACCEPT IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=24.208.133.143 DST=192.168.0.2 LEN=48 TOS=0x08 PREC=0x00 TTL=121 ID=32087 DF PROTO=TCP SPT=1588 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Mar 20 06:44:25 wahoo kernel: SuSE-FW-ACCEPT IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=24.208.133.143 DST=192.168.0.2 LEN=48 TOS=0x08 PREC=0x00 TTL=121 ID=32532 DF PROTO=TCP SPT=1674 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
..... there are 11 similar lines
Hmm, apparently I got you wrong in the previous mails. It's pure HTTP, and you won't get traces with netstat ...
httpd:
24.208.133.143 - - [20/Mar/2003:06:44:20 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 282
24.208.133.143 - - [20/Mar/2003:06:44:23 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 280
24.208.133.143 - - [20/Mar/2003:06:44:27 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290
24.208.133.143 - - [20/Mar/2003:06:44:31 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290
24.208.133.143 - - [20/Mar/2003:06:44:34 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304
24.208.133.143 - - [20/Mar/2003:06:44:38 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 321
This looks pretty much like Nimda; as long as no IIS is running (apparently never on a Linux box :-) it's just filling up logs. Have a look at http://www.opennet.ru/tips/sml/41.shtml for how to block Nimda requests with iptables. Or use Apache configuration directives to exclude Nimda requests from your log (http://paulbeard.no-ip.org/movabletype/archives/000054.html).
You can always try the next two commands.
iptables -I INPUT -s 24.208.133.143 -j DROP
iptables -I OUTPUT -d 24.208.133.143 -j DROP
(Don't start the firewall services after entering the two commands.)
iptables -L | grep 24.208.133.143:
DROP all -- dhcp024-208-133-143.insight.rr.com anywhere
DROP all -- dhcp024-208-133-143.insight.rr.com anywhere
DROP all -- anywhere dhcp024-208-133-143.insight.rr.com
Is there a chance that before these DROPs there's something like "ALLOW http ..." ?
If these don't help, I'd begin to check for rootkits and to log the network traffic between your host and the evil IP address. But be careful: according to the hostname it's a DHCP address, so it may be changing.
Will report back, tks
According to the symptoms I don't think of rootkits anymore. I think that HTTP traffic is allowed, no matter what the source address is, and your DROPs just come too late in the iptables order. (And I don't think that this user is an evil one who has many computer skills, apart from being a magnet for worms, viruses and trojan horses ;o)
regards, Stefan
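As an added example for this thread (not code from any of the posters), the script below does two things the discussion touches on: it runs a Nimda/Code Red probe check over Apache access-log lines, double-decoding the %255c trick so the traversal is visible, and it models iptables first-match evaluation to show why a DROP appended after a blanket ACCEPT for port 80 never fires while one inserted at the head does. The sample log lines are constructed from the entries quoted above plus one hypothetical benign client (10.0.0.5); the signature list and the chain model are assumptions, not anything from SuSEfirewall2 or Apache.

```python
"""Detect IIS worm probes in Apache logs and show iptables rule ordering.

Added example; the log lines are constructed from the thread's quoted
entries, the signature list is an assumption drawn from those requests.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Apache common log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Path fragments seen only in IIS-targeted worm probes (assumed from the
# requests quoted in the thread); compared against the fully decoded path.
PROBE_SIGNATURES = ("/root.exe", "/winnt/system32/cmd.exe", "/msadc/", "/_vti_bin/")

# Constructed sample: six probes quoted in the thread plus one benign hit.
SAMPLE_LOG = [
    '24.208.133.143 - - [20/Mar/2003:06:44:20 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 282',
    '24.208.133.143 - - [20/Mar/2003:06:44:23 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 280',
    '24.208.133.143 - - [20/Mar/2003:06:44:27 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290',
    '24.208.133.143 - - [20/Mar/2003:06:44:31 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290',
    '24.208.133.143 - - [20/Mar/2003:06:44:34 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304',
    '24.208.133.143 - - [20/Mar/2003:06:44:38 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 321',
    '10.0.0.5 - - [20/Mar/2003:06:50:00 -0500] "GET /index.html HTTP/1.0" 200 1234',  # hypothetical benign client
]


def decode_path(path):
    """Decode twice: %255c -> %5c -> '\\', the IIS double-decoding bypass.
    Backslashes are normalised to '/' and the result lower-cased."""
    return unquote(unquote(path)).replace("\\", "/").lower()


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_probe(path):
    decoded = decode_path(path)
    return any(sig in decoded for sig in PROBE_SIGNATURES) or "/../" in decoded


def scan(lines):
    """Count probe requests per source host."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and is_probe(rec["path"]):
            hits[rec["host"]] += 1
    return hits


def block_rules(hits, threshold=3):
    """Return iptables commands (strings, not executed) for noisy sources.
    -I puts the rule at the head of INPUT so it precedes any port-80 ACCEPT."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 80 -j DROP"
            for ip, n in sorted(hits.items()) if n >= threshold]


def first_match(chain, pkt):
    """Toy model of iptables first-match semantics.
    chain: list of (src, dport, target); None is a wildcard."""
    for src, dport, target in chain:
        if (src is None or src == pkt["src"]) and (dport is None or dport == pkt["dport"]):
            return target
    return "POLICY"


WORM_PKT = {"src": "24.208.133.143", "dport": 80}
# ACCEPT for any source on port 80 first, DROP appended after it (-A): never reached.
CHAIN_APPENDED = [(None, 80, "ACCEPT"), ("24.208.133.143", None, "DROP")]
# DROP inserted at the head (-I): evaluated before the ACCEPT.
CHAIN_INSERTED = [("24.208.133.143", None, "DROP"), (None, 80, "ACCEPT")]

if __name__ == "__main__":
    for rule in block_rules(scan(SAMPLE_LOG)):
        print(rule)
    print("appended DROP ->", first_match(CHAIN_APPENDED, WORM_PKT))
    print("inserted DROP ->", first_match(CHAIN_INSERTED, WORM_PKT))
```

On a real box, run `iptables -L INPUT -n --line-numbers` after inserting the rule and check that the DROP has a lower line number than whatever accepts dport 80; if the firewall script jumps to its own chains before your rule, the order shown there is what counts, not the order you typed the commands in.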