httpd-users mailing list archives

From "R'twick Niceorgaw" <pub...@utkalika.net>
Subject RE: [users@httpd] how to block hackers ?
Date Wed, 22 Jan 2003 02:05:39 GMT
I too first thought it's someone doing it, then thought maybe he's running a
script.
I also don't feel this way he can gain much access, and maybe I can
convince my manager with all this info not to worry much. I'll watch the
server log for a few more days and if this continues then will try to do
something.

Thanks for the server-info, server-status stuff too. This ezorisa.com
is my personal box. I just got a dedicated box two days ago and moved from
virtual hosting to here. So I was trying to play with it and left these open.
But the attack was on my company's server where these are all blocked :)


-R'twick


-----Original Message-----
From: Gareth Kirwan [mailto:gbjk@thermeoneurope.com] 
Sent: Tuesday, January 21, 2003 6:32 PM
To: users@httpd.apache.org
Subject: RE: [users@httpd] how to block hackers ?


At first I was very confused by this.
I've certainly never noticed such a long and relentless attack on an httpd
server. When I started to look at it in more detail I realised it's not a
person - it's a worm / hydra. The speed and proximity of timings of some of
the requests rules out human attempts - but then the distance between some
of the requests makes the notion of it being automated odd - since it should
be almost instant. It IS possible it was a guy using several screens and
typing away - but I *VERY* much doubt it.
It was trying every which way possible to gain access to private information
on your server, and when it found it didn't get a rejection it would have
reported its findings to the owner. It was, in most cases, hoping for a
directory listing which it could abuse.

I don't think you need to worry too much.

Get your httpd.conf down to minimal lines with minimal comments, and make
sure you understand them all. That way you don't have documentation you
didn't write - and you can see what you're dealing with. Use
httpd.apache.org/docs/ as a reference for the commands you don't know.

Apache comes by default with LOADS of stuff you don't need - modules you'll
never use... bla bla. Cut most of it out.

One of the surprising things about this hack is that he didn't test your
mod_info installation. If he had he would have instantly had access to a lot
of your information and been able to see your vulnerabilities. I'm not
alerting anyone dangerous to this by telling you it in a mailing list, so
don't get worried... but: I've just seen that your mod_info IS on, so is
extendedStatus AND you don't have any restrictions on it:
http://www.ezorissa.com/server-info
There a hacker could find out important information about your server and
the versions running on it... It's a one stop shop for all your weaknesses,
build info etc. For instance: it gives full information on your current
mod_ssl configuration. You should *immediately* edit your httpd.conf and
change the <Location> directive for server-info and server-status to Deny
from all, and Allow from an IP address - or use require valid-user. I'm
hazarding a guess you might need Vim help too... just vi httpd.conf; then
/server-info to search for it...

That kind of thing you should be able to understand better when you do your
httpd.conf cut down. You'll find other things in there you've never touched
before, look them up and find out they're dangerous or that you don't need
them. Common stuff to cut out is PHP, and some of the apache modules loaded
/ added at the start of the configuration.

As for this attack - once you're sure that your httpd.conf is in good order
attacks like his shouldn't worry you. It *is* a pain to have your log filled
up - and if it's something that's been sustained you could try tracing the
IP address to the ISP and contacting them about the user logged on at the
time. However you shouldn't need to worry about him getting in once your
httpd.conf is in order - since relying on denying repetitive attacks based
on their repetition leaves you in a hard spot: You get a false sense of
security - and then when someone attacks you from a random IP-Address - or
spoofs it in his request header - then your system will fail and you might
become susceptible to an issue that you might have not considered before
because you were relying on your denial of requests to iterative rejections.

If you still want to write a script to do this ( and everything I've said
should point you in a different, more secure, direction ) then let me know
and I can help further.

Regards

Gareth

> -----Original Message-----
> From: R'twick Niceorgaw [mailto:public@utkalika.net]

> I have put up some portion of the access and error log on my dev site. 
> Take a look at them to see what this guy was trying to pull. You
> can find them
> here http://www.ezorissa.com/hack/error.txt
> http://www.ezorissa.com/hack/access.txt I didn't attach them thinking
> attachments might be blocked by the list server.
>
> I'm not sure what I'm trying to do.... but something I have in mind
> for the cron job is
> - if someone is trying to access non-existent files in cgi-bin
> ( or for that matter from anywhere) repeatedly then block him
> - if someone is trying to access anything outside the web root (by using the ../
> method) block them even though apache never serves these requests.
>
> I have mod_perl installed but I'm not that familiar with perl that
> much .. written a few small scripts so far for my learning.
> If you can give me something that can help or even some hints
> it will be of great value to me.
>
> Thanks for your help
> -R'twick



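Gareth's point about the open server-info and server-status handlers, as an added example that is not part of the thread: two constructed httpd.conf fragments (the exposed form, and the Deny/Allow and require valid-user form he recommends) plus a small audit that flags any Location block serving those handlers without an access restriction. The IP address, the password file path and the checker itself are assumptions for illustration.

```python
import re
# Constructed httpd.conf fragments (not from the thread): the open setup Gareth
# saw, and the restricted form he recommends in Apache 1.3/2.0 Deny/Allow syntax.
OPEN_CONF = """
ExtendedStatus On
<Location /server-status>
    SetHandler server-status
</Location>
<Location /server-info>
    SetHandler server-info
</Location>
"""

RESTRICTED_CONF = """
ExtendedStatus Off
<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from 192.0.2.10
</Location>
<Location /server-info>
    SetHandler server-info
    AuthType Basic
    AuthName "admin"
    AuthUserFile /usr/local/apache/conf/admin.passwd
    Require valid-user
</Location>
"""

LOCATION_RE = re.compile(r"<Location\s+([^>]+)>(.*?)</Location>", re.I | re.S)
SENSITIVE = ("server-info", "server-status")

def is_restricted(body):
    """True if a Location body denies by default or demands authentication."""
    if re.search(r"^\s*Deny\s+from\s+all\b", body, re.I | re.M):
        return True
    req = re.search(r"^\s*Require\s+(.+?)\s*$", body, re.I | re.M)
    return bool(req) and req.group(1).lower() != "all granted"

def unrestricted_handlers(conf):
    """Paths of Location blocks that expose server-info or server-status
    without any Deny-from-all or Require directive (hypothetical checker)."""
    findings = []
    for m in LOCATION_RE.finditer(conf):
        path, body = m.group(1).strip(), m.group(2)
        handler = re.search(r"^\s*SetHandler\s+(\S+)", body, re.I | re.M)
        if handler and handler.group(1).lower() in SENSITIVE:
            if not is_restricted(body):
                findings.append(path)
    return findings
```

Running `unrestricted_handlers(OPEN_CONF)` reports both paths, while the restricted fragment reports none; on Apache 2.4 the equivalent restriction is `Require ip` or `Require valid-user` in place of Order/Deny/Allow.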
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info. To
unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org



