httpd-users mailing list archives

From "Gareth Kirwan" <g...@thermeoneurope.com>
Subject RE: [users@httpd] how to block hackers ?
Date Tue, 21 Jan 2003 23:31:45 GMT
At first I was very confused by this.
I've certainly never noticed such a long and relentless attack on an httpd
server.
When I started to look at it in more detail I realised it's not a person -
it's a worm / hydra.
The speed and proximity of timings of some of the requests rules out human
attempts - but then the distance between some of the requests makes the notion
of it being automated odd - since it should be almost instant.
It IS possible it was a guy using several screens and typing away - but I
*VERY* much doubt it.
It was trying every which way possible to gain access to private information
on your server, and when it found it didn't get a rejection it would have
reported its findings to the owner.
It was, in most cases, hoping for a directory listing which it could abuse.

I don't think you need to worry too much.

Get your httpd.conf down to minimal lines with minimal comments, and make
sure you understand them all.
That way you don't have documentation you didn't write - and you can see
what you're dealing with.
Use httpd.apache.org/docs/ as a reference for the commands you don't know.

Apache comes by default with LOADS of stuff you don't need - modules you'll
never use .. bla bla
Cut most of it out.

One of the surprising things about this hack is that he didn't test your
mod_info installation.
If he had he would have instantly had access to a lot of your information
and been able to see your vulnerabilities.
I'm not alerting anyone dangerous to this by telling you it in a mailing
list, so don't get worried... but:
I've just seen that your mod_info IS on, so is ExtendedStatus AND you don't
have any restrictions on it:
http://www.ezorissa.com/server-info
There a hacker could find out important information about your server and
the versions running on it...
It's a one stop shop for all your weaknesses, build info etc.
For instance: it gives full information on your current mod_ssl
configuration.
You should *immediately* edit your httpd.conf and change the <Location>
directive for server-info and server-status to Deny from all, and Allow from
an IP address - or use require valid-user.
I'm hinging a guess you might need Vim help to ... just vi httpd.conf; then
/server-info to search for it...

That kind of thing you should be able to understand better when you do your
httpd.conf cut down.
You'll find other things in there you've never touched before, look them up
and find out they're dangerous or that you don't need them.
Common stuff to cut out is PHP, and some of the apache modules loaded /
added at the start of the configuration.

As for this attack - once you're sure that your httpd.conf is in good order
attacks like his shouldn't worry you.
It *is* a pain to have your log filled up - and if it's something that's
been sustained you could try tracing the IP address to the ISP and
contacting them about the user logged on at the time.
However you shouldn't need to worry about him getting in once your
httpd.conf is in order - since relying on denying repetitive attacks based
on their repetition leaves you in a hard spot:
You get a false sense of security - and then when someone attacks you from a
random IP address - or spoofs it in his request header - then your system
will fail and you might become susceptible to an issue
that you might have not considered before because you were relying on your
denial of requests to iterative rejections.

If you still want to write a script to do this ( and everything I've said
should point you in a different, more secure, direction ) then let me know
and I can help further.

Regards

Gareth

> -----Original Message-----
> From: R'twick Niceorgaw [mailto:public@utkalika.net]

> I have put up some portion of the access and error log on my dev site. Take
> a look at them to see what this guy was trying to pull. You can find them
> here http://www.ezorissa.com/hack/error.txt
> http://www.ezorissa.com/hack/access.txt I didn't attach them thinking
> attachments might be blocked by the list server.
>
> I'm not sure what I'm trying to do.... but something I have in mind for the
> cron job is
> - if some one trying to access non existent files in cgi-bin ( or for that
> matter from anywhere) repeatedly then block him
> - if some one trying to access anything outside web root (by using ../
> method) block them even though apache never serves these requests.
>
> I have mod_perl installed but I'm not that familiar with perl that much ..
> written few small scripts so far for my learning.
> If you can give me something that can help or even some hints it will be of
> great value to me.
>
> Thanks for your help
> -R'twick



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
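The httpd.conf change Gareth recommends for the server-info and server-status handlers, written out as an added example (not from the thread or from the Apache project): the exposed form beside the restricted one. The IP address 192.0.2.10 is a placeholder for the administrator's own address.

```apache
# --- Exposed (what the thread describes): anyone can fetch /server-info
# and /server-status, and ExtendedStatus adds per-request detail.
ExtendedStatus On
<Location /server-info>
    SetHandler server-info
</Location>
<Location /server-status>
    SetHandler server-status
</Location>

# --- Restricted: deny everyone, then allow only localhost and one
# administrator address (Order/Deny/Allow syntax, as used in Apache 1.3/2.x).
ExtendedStatus Off
<Location /server-info>
    SetHandler server-info
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1 192.0.2.10   # placeholder admin IP
</Location>
<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1 192.0.2.10   # placeholder admin IP
</Location>

# Alternative from the thread: require a login instead of an address.
# AuthUserFile path is a placeholder; create it with htpasswd.
# <Location /server-info>
#     SetHandler server-info
#     AuthType Basic
#     AuthName "Server information"
#     AuthUserFile /path/to/htpasswd
#     require valid-user
# </Location>

# Apache 2.4 equivalent of the address restriction (Require replaces
# Order/Deny/Allow):
# <Location /server-status>
#     SetHandler server-status
#     Require ip 127.0.0.1 192.0.2.10
# </Location>

# Simplest option, in line with the "cut out modules you don't use" advice:
# do not load mod_info at all, and the handler cannot be reached.
# LoadModule info_module modules/mod_info.so   <- comment out or delete
```

After editing, restart httpd and confirm that a request for /server-info from an address not on the Allow line returns 403 Forbidden.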

