Re: possible cracking attempt

2007-04-02 Thread Sean Malloy

Thanks for all of the information it was very informative.


--
Sean Malloy
Registered GNU/Linux User #417855
Happy Hacking! ;-)
www.catgrepsort.com



possible cracking attempt

2007-04-01 Thread Sean Malloy

I just installed OpenBSD on my server in early March 2007. I am
running an Apache web server out of my house. I am tracking 4.0 STABLE
which I updated the day after the latest security advisory. I recently
noticed some peculiar entries in my Apache error and access logs.


From /var/www/logs/error_log:


[Sat Mar 31 07:35:07 2007] [error] [client 211.100.33.61] File does not exist: /htdocs/Provy_OK.html
[Sat Mar 31 07:40:20 2007] [error] [client 195.242.236.131] File does not exist: /htdocs/thisdoesnotexistahaha.php
[Sat Mar 31 07:40:21 2007] [error] [client 195.242.236.131] File does not exist: /htdocs/cmd.php
[Sat Mar 31 07:40:21 2007] [error] [client 195.242.236.131] File does not exist: /htdocs/Cacti/cmd.php
[Sat Mar 31 07:40:22 2007] [error] [client 195.242.236.131] File does not exist: /htdocs/cacti/cmd.php
[Sat Mar 31 07:40:22 2007] [error] [client 195.242.236.131] File does not exist: /htdocs/portal/cacti/cmd.php
[Sat Mar 31 07:40:22 2007] [error] [client 195.242.236.131] File does not exist: /htdocs/portal/cmd.php
[Sat Mar 31 07:40:23 2007] [error] [client 195.242.236.131] File does not exist: /htdocs/stats/cmd.php
[Sun Apr  1 00:11:32 2007] [error] [client 212.31.237.145] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)


From /var/www/logs/access_log:


211.100.33.61 - - [31/Mar/2007:07:35:07 -0500] "GET http://check.70.94.14.65.v.80.pdx8.super.proxy.scanner.ii.9966.org/Provy_OK.html HTTP/1.1" 404 219 "-" "-"
195.242.236.131 - - [31/Mar/2007:07:40:20 -0500] "GET /thisdoesnotexistahaha.php HTTP/1.1" 404 231 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
195.242.236.131 - - [31/Mar/2007:07:40:21 -0500] "GET /cmd.php HTTP/1.1" 404 213 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
195.242.236.131 - - [31/Mar/2007:07:40:21 -0500] "GET /Cacti/cmd.php HTTP/1.1" 404 219 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
195.242.236.131 - - [31/Mar/2007:07:40:22 -0500] "GET /cacti/cmd.php HTTP/1.1" 404 219 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
195.242.236.131 - - [31/Mar/2007:07:40:22 -0500] "GET /portal/cacti/cmd.php HTTP/1.1" 404 226 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
195.242.236.131 - - [31/Mar/2007:07:40:22 -0500] "GET /portal/cmd.php HTTP/1.1" 404 220 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
195.242.236.131 - - [31/Mar/2007:07:40:23 -0500] "GET /stats/cmd.php HTTP/1.1" 404 219 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
212.31.237.145 - - [01/Apr/2007:00:11:32 -0500] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 335 "-" "-"

Relevant sections from /var/log/pflog:

Mar 31 07:35:05.505194 rule 7/(match) pass in on sk0: 211.100.33.61.18484 > 192.168.1.200.80: S 948480759:948480759(0) win 5840 <mss 1460> (DF)
Mar 31 07:35:06.012233 rule 7/(match) pass in on sk0: 211.100.33.61.19843 > 192.168.1.200.80: S 948885882:948885882(0) win 5840 <mss 1460> (DF)
Mar 31 07:35:06.510805 rule 7/(match) pass in on sk0: 211.100.33.61.18484 > 192.168.1.200.80: F 1995884956:1995884956(0) ack 3143126464 win 5840 (DF)
Mar 31 07:35:06.510826 rule 7/(match) pass out on sk0: 192.168.1.200.80 > 211.100.33.61.18484: . ack 3247563101 win 17520 (DF)
Mar 31 07:35:06.510869 rule 7/(match) pass out on sk0: 192.168.1.200.80 > 211.100.33.61.18484: F 2034632638:2034632638(0) ack 3247563101 win 17520 (DF)
Mar 31 07:35:07.007274 rule 7/(match) pass in on sk0: 211.100.33.61.19843 > 192.168.1.200.80: P 313976237:313976414(177) ack 2599760395 win 5840 (DF)
Mar 31 07:35:07.007551 rule 7/(match) pass out on sk0: 192.168.1.200.80 > 211.100.33.61.19843: P 1628794193:1628794608(415) ack 634909823 win 17520 (DF)
Mar 31 07:35:07.011766 rule 7/(match) pass in on sk0: 211.100.33.61.18484 > 192.168.1.200.80: . ack 2 win 5840 (DF)
Mar 31 07:35:07.012564 rule 7/(match) pass in on sk0: 211.100.33.61.18484 > 192.168.1.200.80: . ack 2 win 5840 (DF)
Mar 31 07:35:07.012577 rule 7/(match) pass out on sk0: 192.168.1.200.80 > 211.100.33.61.18484: R 882791806:882791806(0) win 0 (DF)
Mar 31 07:35:07.530603 rule 7/(match) pass in on sk0: 211.100.33.61.19843 > 192.168.1.200.80: . ack 416 win 6432 (DF)
Mar 31 07:35:07.531301 rule 7/(match) pass in on sk0: 211.100.33.61.19843 > 192.168.1.200.80: F 177:177(0) ack 416 win 6432 (DF)
Mar 31 07:35:07.531314 rule 7/(match) pass out on sk0: 192.168.1.200.80 > 211.100.33.61.19843: . ack 634909824 win 17520 (DF)
Mar 31 07:35:07.531349 rule 7/(match) pass out on sk0: 192.168.1.200.80 > 211.100.33.61.19843: F 1628794608:1628794608(0) ack 634909824 win 17520 (DF)
Mar 31 07:35:08.026078 rule 7/(match) pass in on sk0: 211.100.33.61.19843 > 192.168.1.200.80: . ack 417 win 6432 (DF)

Mar 31 07:40:20.734863 rule 7/(match) pass in on sk0: 195.242.236.131.50589 > 192.168.1.200.80: S 659790987:659790987(0) win 5840 <mss 1460,sackOK,timestamp 136657612[|tcp]> (DF)
Mar 31 07:40:20.997669 rule 7/(match) pass in on sk0: 195.242.236.131.50589 > 192.168.1.200.80: P 2993725956:2993726166(210) ack 3385222108 win 5840 (DF)
Mar 31 07:40:20.997846 rule 7/(match) pass out on sk0:

Re: possible cracking attempt

2007-04-01 Thread Nick !

On 4/1/07, Sean Malloy [EMAIL PROTECTED] wrote:

I just installed OpenBSD on my server in early March 2007. I am
running an Apache web server out of my house. I am tracking 4.0 STABLE
which I updated the day after the latest security advisory. I recently
noticed some peculiar entries in my Apache error and access logs.
From /var/www/logs/error_log:

[Sat Mar 31 07:35:07 2007] [error] [client 211.100.33.61] File does
not exist: /htdocs/Provy_OK.html
[Sat Mar 31 07:40:20 2007] [error] [client 195.242.236.131] File does
not exist: /htdocs/thisdoesnotexistahaha.php
[Sat Mar 31 07:40:21 2007] [error] [client 195.242.236.131] File does
not exist: /htdocs/cmd.php
[Sat Mar 31 07:40:21 2007] [error] [client 195.242.236.131] File does
not exist: /htdocs/Cacti/cmd.php
[Sat Mar 31 07:40:22 2007] [error] [client 195.242.236.131] File does
not exist: /htdocs/cacti/cmd.php
[Sat Mar 31 07:40:22 2007] [error] [client 195.242.236.131] File does
not exist: /htdocs/portal/cacti/cmd.php
[Sat Mar 31 07:40:22 2007] [error] [client 195.242.236.131] File does
not exist: /htdocs/portal/cmd.php
[Sat Mar 31 07:40:23 2007] [error] [client 195.242.236.131] File does
not exist: /htdocs/stats/cmd.php
[Sun Apr  1 00:11:32 2007] [error] [client 212.31.237.145] client sent
HTTP/1.1 request without hostname (see RFC2616 section 14.23):
/w00tw00t.at.ISC.SANS.DFind:)

From /var/www/logs/access_log:

211.100.33.61 - - [31/Mar/2007:07:35:07 -0500] "GET http://check.70.94.14.65.v.80.pdx8.super.proxy.scanner.ii.9966.org/Provy_OK.html HTTP/1.1" 404 219 "-" "-"
195.242.236.131 - - [31/Mar/2007:07:40:20 -0500] "GET /thisdoesnotexistahaha.php HTTP/1.1" 404 231 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"



I have not noticed any weirdness in any other logs files. What can I
do to stop this from happening? Thanks in advance.


You fundamentally can't stop it, based on the HTTP model. You could
throw in some hacks like searching for suspiciousness like this and
adding blocks to those addresses, but that's generally a bad idea
because of all the end users on DHCP.
Just ignore it. So long as your system is actually secure you have
nothing to worry about (except DDoS, but there's no way to prevent that
either).

-Nick



Re: possible cracking attempt

2007-04-01 Thread Joachim Schipper
On Sun, Apr 01, 2007 at 04:23:07PM -0500, Sean Malloy wrote:
 I just installed OpenBSD on my server in early March 2007. I am
 running an Apache web server out of my house. I am tracking 4.0 STABLE
 which I updated the day after the latest security advisory. I recently
 noticed some peculiar entries in my Apache error and access logs.
 
 From /var/www/logs/error_log:
 
 [Sat Mar 31 07:35:07 2007] [error] [client 211.100.33.61] File does
 not exist: /htdocs/Provy_OK.html
 [Sat Mar 31 07:40:20 2007] [error] [client 195.242.236.131] File does
 not exist: /htdocs/thisdoesnotexistahaha.php
 [Sat Mar 31 07:40:21 2007] [error] [client 195.242.236.131] File does
 not exist: /htdocs/cmd.php
 [Sat Mar 31 07:40:21 2007] [error] [client 195.242.236.131] File does
 not exist: /htdocs/Cacti/cmd.php
 [Sat Mar 31 07:40:22 2007] [error] [client 195.242.236.131] File does
 not exist: /htdocs/cacti/cmd.php
 [Sat Mar 31 07:40:22 2007] [error] [client 195.242.236.131] File does
 not exist: /htdocs/portal/cacti/cmd.php
 [Sat Mar 31 07:40:22 2007] [error] [client 195.242.236.131] File does
 not exist: /htdocs/portal/cmd.php
 [Sat Mar 31 07:40:23 2007] [error] [client 195.242.236.131] File does
 not exist: /htdocs/stats/cmd.php
 [Sun Apr  1 00:11:32 2007] [error] [client 212.31.237.145] client sent
 HTTP/1.1 request without hostname (see RFC2616 section 14.23):
 /w00tw00t.at.ISC.SANS.DFind:)

Yes, that's a scan. Nothing to worry about.

 From /var/www/logs/access_log:
 
 211.100.33.61 - - [31/Mar/2007:07:35:07 -0500] "GET http://check.70.94.14.65.v.80.pdx8.super.proxy.scanner.ii.9966.org/Provy_OK.html HTTP/1.1" 404 219 "-" "-"
 195.242.236.131 - - [31/Mar/2007:07:40:20 -0500] "GET /thisdoesnotexistahaha.php HTTP/1.1" 404 231 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
 195.242.236.131 - - [31/Mar/2007:07:40:21 -0500] "GET /cmd.php HTTP/1.1" 404 213 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
 195.242.236.131 - - [31/Mar/2007:07:40:21 -0500] "GET /Cacti/cmd.php HTTP/1.1" 404 219 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
 195.242.236.131 - - [31/Mar/2007:07:40:22 -0500] "GET /cacti/cmd.php HTTP/1.1" 404 219 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
 195.242.236.131 - - [31/Mar/2007:07:40:22 -0500] "GET /portal/cacti/cmd.php HTTP/1.1" 404 226 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
 195.242.236.131 - - [31/Mar/2007:07:40:22 -0500] "GET /portal/cmd.php HTTP/1.1" 404 220 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
 195.242.236.131 - - [31/Mar/2007:07:40:23 -0500] "GET /stats/cmd.php HTTP/1.1" 404 219 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
 212.31.237.145 - - [01/Apr/2007:00:11:32 -0500] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 335 "-" "-"
 
 Relevant sections from /var/log/pflog:
 
 Mar 31 07:35:05.505194 rule 7/(match) pass in on sk0: 211.100.33.61.18484 > 192.168.1.200.80: S 948480759:948480759(0) win 5840 <mss 1460> (DF)
 Mar 31 07:35:06.012233 rule 7/(match) pass in on sk0: 211.100.33.61.19843 > 192.168.1.200.80: S 948885882:948885882(0) win 5840 <mss 1460> (DF)
 Mar 31 07:35:06.510805 rule 7/(match) pass in on sk0: 211.100.33.61.18484 > 192.168.1.200.80: F 1995884956:1995884956(0) ack 3143126464 win 5840 (DF)
 Mar 31 07:35:06.510826 rule 7/(match) pass out on sk0: 192.168.1.200.80 > 211.100.33.61.18484: . ack 3247563101 win 17520 (DF)
 Mar 31 07:35:06.510869 rule 7/(match) pass out on sk0: 192.168.1.200.80 > 211.100.33.61.18484: F 2034632638:2034632638(0) ack 3247563101 win 17520 (DF)

You should figure out what this means; your web server, presumably, is
blocked by pf. That means that the web server is doing something you
didn't think it should when writing the rules. What is that? (Hard to
say without access to pf.conf...)

 
 I have not noticed any weirdness in any other logs files. What can I
 do to stop this from happening? Thanks in advance.

Not much, it's just background noise. Keep patched, and ignore it.

Joachim

-- 
TFMotD: fflagstostr, strtofflags (3) - convert between file flag bits
and their string names



Re: possible cracking attempt

2007-04-01 Thread Stuart Henderson
On 2007/04/01 23:51, Joachim Schipper wrote:
  Mar 31 07:35:06.510869 rule 7/(match) pass out on sk0: 192.168.1.200.80 > 211.100.33.61.18484: F 2034632638:2034632638(0) ack 3247563101 win 17520 (DF)
 
 You should figure out what this means; your web server, presumably, is
 blocked by pf.

huh? it says PASS.



Re: possible cracking attempt

2007-04-01 Thread Joachim Schipper
On Sun, Apr 01, 2007 at 11:29:46PM +0100, Stuart Henderson wrote:
 On 2007/04/01 23:51, Joachim Schipper wrote:
   Mar 31 07:35:06.510869 rule 7/(match) pass out on sk0: 192.168.1.200.80 > 211.100.33.61.18484: F 2034632638:2034632638(0) ack 3247563101 win 17520 (DF)
  
  You should figure out what this means; your web server, presumably, is
  blocked by pf.
 
 huh? it says PASS.
 

Woopsie... it does, of course. Sorry! Please ignore that part.

Joachim

-- 
PotD: x11/gnome/icon-theme - the base GNOME icon theme



Re: possible cracking attempt

2007-04-01 Thread Pawel S. Veselov

Hello,

Nick ! wrote:

On 4/1/07, Sean Malloy [EMAIL PROTECTED] wrote:

I just installed OpenBSD on my server in early March 2007. I am
running an Apache web server out of my house. I am tracking 4.0 STABLE
which I updated the day after the latest security advisory. I recently
noticed some peculiar entries in my Apache error and access logs.
From /var/www/logs/error_log:

[Sat Mar 31 07:35:07 2007] [error] [client 211.100.33.61] File does
not exist: /htdocs/Provy_OK.html


[ skipped ]


I have not noticed any weirdness in any other logs files. What can I
do to stop this from happening? Thanks in advance.


You fundamentally can't stop it, based on the HTTP model. You could
throw in some hacks like searching for suspiciousness like this and
adding blocks to those addresses, but that's generally a bad idea
because of all the end users on DHCP.
Just ignore it. So long as your system is actually secure you have
nothing to worry about (except DDoS, but there's no way to prevent that
either).

-Nick



I used to have my logs scanned for these entries, and report them to
the authorities responsible for source IP addresses. Most of them would
go to SBC or Comcast, but some would go to small networks who do like
knowing that their systems are infected or are used for hacking.

-- Pawel.



Re: possible cracking attempt

2007-04-01 Thread Nick !

On 4/1/07, Pawel S. Veselov [EMAIL PROTECTED] wrote:

 On 4/1/07, Sean Malloy [EMAIL PROTECTED] wrote:
 I just installed OpenBSD on my server in early March 2007. I am
 running an Apache web server out of my house. I am tracking 4.0 STABLE
 which I updated the day after the latest security advisory. I recently
 noticed some peculiar entries in my Apache error and access logs.
 From /var/www/logs/error_log:

 [Sat Mar 31 07:35:07 2007] [error] [client 211.100.33.61] File does
 not exist: /htdocs/Provy_OK.html

I used to have my logs scanned for these entries, and report them to
the authorities responsible for source IP addresses. Most of them would
go to SBC or Comcast, but some would go to small networks who do like
knowing that their systems are infected or are used for hacking.


How? How could you automate ID'ing these? If you used some sort of
heuristic method you risk blacklisting innocent users.

Anyway, /htdocs/thisdoesnotexistahaha.php and
/w00tw00t.at.ISC.SANS.DFind:) show that it's just some kid learning
the ropes. I wouldn't want to report him.

-Nick



Re: possible cracking attempt

2007-04-01 Thread Pawel S. Veselov

Nick ! wrote:

On 4/1/07, Pawel S. Veselov [EMAIL PROTECTED] wrote:

 On 4/1/07, Sean Malloy [EMAIL PROTECTED] wrote:
 I just installed OpenBSD on my server in early March 2007. I am
 running an Apache web server out of my house. I am tracking 4.0 STABLE
 which I updated the day after the latest security advisory. I recently
 noticed some peculiar entries in my Apache error and access logs.
 From /var/www/logs/error_log:

 [Sat Mar 31 07:35:07 2007] [error] [client 211.100.33.61] File does
 not exist: /htdocs/Provy_OK.html

I used to have my logs scanned for these entries, and report them to
the authorities responsible for source IP addresses. Most of them would
go to SBC or Comcast, but some would go to small networks who do like
knowing that their systems are infected or are used for hacking.


How? How could you automate ID'ing these? If you used some sort of
heuristic method you risk blacklisting innocent users.


I wasn't blacklisting myself, only reporting to what supposedly
was an authority. I was using RIPE and whois.abuse.org, until it
became too cumbersome to figure out which email address complaints
should be sent to. Just looking over what I had then, I now stumbled
on this article:

http://www.ripe.net/db/news/abuse-proposal-20050331.html

which supposedly should help finding the abuse email address easier,
though I failed to find an email for my own ip :)


Anyway, /htdocs/thisdoesnotexistahaha.php and
'/w00tw00t.at.ISC.SANS.DFind:) show that it's just some kid learning
the ropes. I wouldn't want to report him.


and it probably wouldn't be paid much attention to until it becomes
a regular activity with enough complaints. However, I don't believe
that large providers pay any real attention at all, due to the sheer
volume of the complaints they receive.

-- Pawel.
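Nick asked how one would automate picking these entries out without blacklisting innocent users, and Pawel's answer was to report rather than block. The following is an added example, not code posted by anyone in the thread: it parses the access_log entries Sean posted (with the combined-format quoting restored) plus a few constructed lines standing in for an ordinary visitor (10.0.0.5), and flags a client only when its request matches a probe signature or when it asks for several distinct non-existent paths within a few minutes. The signature list, the thresholds and the visitor lines are this example's assumptions; the output is a per-client summary for an abuse complaint, not a block list.

```python
"""Triage Apache access_log entries for scanner traffic (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format:
#   host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Probe signatures matched against the request target. These patterns and
# labels are assumptions derived from the entries in the thread.
SIGNATURES = [
    (re.compile(r'w00tw00t\.at\.ISC\.SANS\.DFind', re.I), 'dfind-scanner'),
    (re.compile(r'(^|/)cmd\.php$', re.I), 'php-shell-probe'),
    (re.compile(r'^https?://', re.I), 'open-proxy-check'),  # absolute URI, not a path
]

# A "sweep" is several distinct missing paths from one client in a short
# window; a lone 404 (missing favicon, stale bookmark) never qualifies.
MIN_DISTINCT_404 = 3
WINDOW = timedelta(minutes=5)

# Sample input: the posted entries with quoting restored, plus constructed
# lines for an ordinary visitor (10.0.0.5) that must not be flagged.
SAMPLE_LOG = """\
211.100.33.61 - - [31/Mar/2007:07:35:07 -0500] "GET http://check.70.94.14.65.v.80.pdx8.super.proxy.scanner.ii.9966.org/Provy_OK.html HTTP/1.1" 404 219 "-" "-"
195.242.236.131 - - [31/Mar/2007:07:40:20 -0500] "GET /thisdoesnotexistahaha.php HTTP/1.1" 404 231 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
195.242.236.131 - - [31/Mar/2007:07:40:21 -0500] "GET /cmd.php HTTP/1.1" 404 213 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
195.242.236.131 - - [31/Mar/2007:07:40:21 -0500] "GET /Cacti/cmd.php HTTP/1.1" 404 219 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
195.242.236.131 - - [31/Mar/2007:07:40:22 -0500] "GET /cacti/cmd.php HTTP/1.1" 404 219 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
195.242.236.131 - - [31/Mar/2007:07:40:22 -0500] "GET /portal/cacti/cmd.php HTTP/1.1" 404 226 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
195.242.236.131 - - [31/Mar/2007:07:40:22 -0500] "GET /portal/cmd.php HTTP/1.1" 404 220 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
195.242.236.131 - - [31/Mar/2007:07:40:23 -0500] "GET /stats/cmd.php HTTP/1.1" 404 219 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
212.31.237.145 - - [01/Apr/2007:00:11:32 -0500] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 335 "-" "-"
10.0.0.5 - - [31/Mar/2007:08:00:00 -0500] "GET / HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (X11; U; OpenBSD i386)"
10.0.0.5 - - [31/Mar/2007:08:00:01 -0500] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0 (X11; U; OpenBSD i386)"
10.0.0.5 - - [31/Mar/2007:08:20:00 -0500] "GET /old-page.html HTTP/1.1" 404 212 "-" "Mozilla/5.0 (X11; U; OpenBSD i386)"
""".splitlines()


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Drop the UTC offset; it is constant within one server's log.
    rec['time'] = datetime.strptime(rec['time'].split(' ')[0], '%d/%b/%Y:%H:%M:%S')
    parts = rec['request'].split(' ')
    rec['target'] = parts[1] if len(parts) > 1 else ''
    rec['status'] = int(rec['status'])
    return rec


def triage(lines):
    """Return {ip: {'signatures': set, 'sweep': bool, 'misses': [paths]}} for
    clients that matched a probe signature or swept for missing paths."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec['ip']].append(rec)

    report = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r['time'])
        sigs = {label for r in recs for rx, label in SIGNATURES if rx.search(r['target'])}
        misses = [r for r in recs if r['status'] == 404]
        # Sliding window: distinct missing paths among the 404s that start at
        # each miss and fall within WINDOW of it.
        sweep = any(
            len({m['target'] for m in misses[i:] if m['time'] - first['time'] <= WINDOW})
            >= MIN_DISTINCT_404
            for i, first in enumerate(misses)
        )
        if sigs or sweep:
            report[ip] = {'signatures': sigs, 'sweep': sweep,
                          'misses': sorted({m['target'] for m in misses})}
    return report


def abuse_summary(report):
    """One line per flagged client, suitable for pasting into an abuse report."""
    out = []
    for ip in sorted(report):
        e = report[ip]
        why = sorted(e['signatures']) + (['404-sweep'] if e['sweep'] else [])
        out.append('%s: %s; %d distinct missing paths' % (ip, ', '.join(why), len(e['misses'])))
    return out


if __name__ == '__main__':
    for line in abuse_summary(triage(SAMPLE_LOG)):
        print(line)
```

The two-part rule is what keeps ordinary visitors out of the report: 10.0.0.5 produces two 404s, but they are twenty minutes apart and match no signature, so it is never listed, while 195.242.236.131 is caught both by the cmd.php signature and by seven distinct misses in three seconds. The DFind probe is a 400, not a 404, so it is only caught by its signature; relying on 404 counts alone would miss it.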



Re: possible cracking attempt

2007-04-01 Thread Artur Grabowski
Nick ! [EMAIL PROTECTED] writes:

 Anyway, /htdocs/thisdoesnotexistahaha.php and
 '/w00tw00t.at.ISC.SANS.DFind:) show that it's just some kid learning
 the ropes. I wouldn't want to report him.

Why not? Beat them up when they are young and maybe they'll learn to
behave. You can't teach an old dog new tricks, so you have to catch
him when he's still young.

//art



Re: possible cracking attempt

2007-04-01 Thread Nick !

On 02 Apr 2007 03:16:20 +0200, Artur Grabowski [EMAIL PROTECTED] wrote:

Nick ! [EMAIL PROTECTED] writes:

 Anyway, /htdocs/thisdoesnotexistahaha.php and
 '/w00tw00t.at.ISC.SANS.DFind:) show that it's just some kid learning
 the ropes. I wouldn't want to report him.

Why not? Beat them up when they are young and maybe they'll learn to
behave. You can't teach an old dog new tricks, so you have to catch
him when he's still young.


Oh well that's no fun. If you do that you just turn him (or her, in
rare lucky cases) into a burned out, angry and paranoid shell. There's
no creativity in that.
And you can't protect yourself from a cracker unless you can think
like a cracker etc, etc, other practicality-based arguments, etc.
But mostly that it's no fun.

-Nick

p.s. By the way, I love your rant.html



Re: possible cracking attempt

2007-04-01 Thread Theo de Raadt
   Anyway, /htdocs/thisdoesnotexistahaha.php and
   '/w00tw00t.at.ISC.SANS.DFind:) show that it's just some kid learning
   the ropes. I wouldn't want to report him.
 
  Why not? Beat them up when they are young and maybe they'll learn to
  behave. You can't teach an old dog new tricks, so you have to catch
  him when he's still young.
 
 Oh well that's no fun. If you do that you just turn him (or her, in
 rare lucky cases) into a burned out, angry and paranoid shell.

Sure, but people with Walmart jobs are a whole lot less dangerous...



Re: possible cracking attempt

2007-04-01 Thread Artur Grabowski
Nick ! [EMAIL PROTECTED] writes:

 On 02 Apr 2007 03:16:20 +0200, Artur Grabowski [EMAIL PROTECTED] wrote:
  Nick ! [EMAIL PROTECTED] writes:
 
   Anyway, /htdocs/thisdoesnotexistahaha.php and
   '/w00tw00t.at.ISC.SANS.DFind:) show that it's just some kid learning
   the ropes. I wouldn't want to report him.
 
  Why not? Beat them up when they are young and maybe they'll learn to
  behave. You can't teach an old dog new tricks, so you have to catch
  him when he's still young.
 
 Oh well that's no fun. If you do that you just turn him (or her, in
 rare lucky cases) into a burned out, angry and paranoid shell. There's
 no creativity in that.
 And you can't protect yourself from a cracker unless you can think
 like a cracker etc, etc, other practicality-based arguments, etc.
 But mostly that it's no fun.

Actually, it is quite a lot of fun. At work we've dealt with numerous
wannabe crackers by simply calling their mom. And in cases where it
didn't work, by having our lawyer call them and their mom. Watching a
kid that tried to hurt you pee his pants is very amusing.

//art



Re: possible cracking attempt

2007-04-01 Thread Jacob Yocom-Piatt

Theo de Raadt wrote:

Sure, but people with Walmart jobs are a whole lot less dangerous...


talk about vendor lock-in!

http://reclaimdemocracy.org/walmart/workers_locked_in.html