httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Tawasol Go <tawaso...@gmail.com>
Subject Re: [users@httpd] Unknown accepted traffic to my site
Date Fri, 07 Oct 2016 05:31:28 GMT
I use CentOS 7.x also CSF/LFD installed.
Till now they did not get into the server.

I'll look into mod_security.

Thanks,

On Fri, Oct 7, 2016 at 1:01 AM, Anthony Biacco <abiacco@handll.com> wrote:

>
>
> On Thu, Oct 6, 2016 at 3:42 PM, Spork Schivago <sporkschivago@gmail.com>
> wrote:
>
>> Are you sure they haven't successfully found away in?   There are some
>> free programs that I use to help prevent this stuff.   ConfigServer
>> Firewall / LFD is a good one.   Rkhunter and chkrootkit scan for rootkits.
>>   The big one that helps the most, I feel, is Mod Security.   That's the
>> one that monitors the traffic looking for known scanning software,
>> exploits, etc and blocks it.   I run in a *nix environment and don't have a
>> lot of experience with Windows servers though.   Not sure what you're
>> running.   I'm always really paranoid and would definitely be worried about
>> by system being compromised if I saw traffic like you're seeing though.
>> But again, I'm not really that intelligent when it comes to stuff like this.
>>
>> Ken
>>
>>
> I was going to suggest mod_security as well. I'm not running it, but it's
> on my TODO list. I have to determine the performance implications, if any.
>
> -Tony
>
>
>
>> On Thu, Oct 6, 2016 at 5:21 PM, Spork Schivago <sporkschivago@gmail.com>
>> wrote:
>>
>>> Thanks Tony!   Much appreciated.
>>>
>>> Erik,
>>>
>>> Did I ever try to run what on my server?   The string query that
>>> Berkeley sends looking for the malware to respond?   If so, no, I have
>>> never tried to send that carefully crafted packet to my Apache server.
>>> From the previous user who had what appears to be the same issue as Mitchell
>>> though, I would imagine it'd probably just deliver my default web page
>>> (index.html).   That's my guess though.
>>>
>>> If anyone cares, I can copy the other e-mails they sent to me that
>>> explain how it all works and why the full string isn't in the Apache logs
>>> (I think that has something to do with the way Apache responds to the
>>> string).
>>>
>>> They're not actually trying to exploit the server, they're just trying
>>> to find servers that have been infected.   If the malware sees a special
>>> string, it responds with a special string.   At that point in time, the
>>> college contacts the local law enforcement for that area to inform them and
>>> hope that they contact the owner of the server to inform them that they're
>>> infected.   Not the best way I guess to inform people, but better than
>>> nothing I guess.
>>>
>>> Here, in my city, I doubt the local law enforcement would ever contact
>>> me with anything computer related.   I contacted them before because of a
>>> crime that happened in my house but because the internet and a computer was
>>> involved, they said they couldn't help and my best bet would be trying to
>>> contact the FBI or some other government organization.   I doubt anyone at
>>> my police station really knows much about PCs.   There doesn't seem to be a
>>> cyber crimes division or anything like that.
>>>
>>> On Thu, Oct 6, 2016 at 4:08 PM, Anthony Biacco <abiacco@handll.com>
>>> wrote:
>>>
>>>>
>>>>
>>>> On Thu, Oct 6, 2016 at 8:47 AM, Spork Schivago <sporkschivago@gmail.com
>>>> > wrote:
>>>>
>>>>>
>>>>> There's away to do a reverse IP lookup on the IP address and see if
>>>>> there's a DNS entry for it.   That's how I was able to successfully figure
>>>>> out who the senders were (Berkeley) originally.   I used dig I believe.
  I
>>>>> don't have access to my Linux box right now, otherwise I'd check to see
if
>>>>> the IP addresses are actually from Berkeley.   There's always a chance
that
>>>>> they're using more than one server / IP now to conduct the scanning.
  I
>>>>> believe they were originally trying to scan the whole internet.
>>>>>
>>>>>
>>>> based on the IP of 169.229.3.91 given by Mitchell:
>>>>
>>>> 91.3.229.169.in-addr.arpa. 9787 IN      PTR
>>>> researchscan1.EECS.Berkeley.EDU.
>>>>
>>>> University of California - Office of the President UCSD-NET-169-228
>>>> (NET-169-229-0-0-1) 169.229.0.0 - 169.233.255.255
>>>> University of California at Berkeley ISTDATA (NET-169-229-0-0-2)
>>>> 169.229.0.0 - 169.229.255.255
>>>>
>>>> -Tony
>>>>
>>>>
>>>>
>>>> They had said it's a very specific type of malware that only affects
>>>>> IIS to their knowledge.   If you're not running a Windows server running
>>>>> IIS, you should be good to go.
>>>>>
>>>>> On Thu, Oct 6, 2016 at 8:27 AM, Rainer Canavan <
>>>>> rainer.canavan@sevenval.com> wrote:
>>>>>
>>>>>> On Wed, Oct 5, 2016 at 6:26 PM, Joe Muller <jmuller@arccorp.com>
>>>>>> wrote:
>>>>>> > From the looks of it I would say it is targeting servers running
>>>>>> SSL.  Are
>>>>>> > you serving up HTTP or HTTPS ?
>>>>>>
>>>>>> I don't think that that is valid SSL, unless your httpd discards
the
>>>>>> first few bytes.
>>>>>> There was a SANS handler diary entry just yesterday about this:
>>>>>>
>>>>>> https://isc.sans.edu/forums/diary/SSL+Requests+to+nonSSL+HTT
>>>>>> P+Servers/21551/
>>>>>>
>>>>>> if I try `openssl s_client -connect localhost:14020`, I get the below
>>>>>> entry in my access.log,
>>>>>> which matches the description in the diary:
>>>>>>
>>>>>> 127.0.0.1 localhost:14020 - - [06/Oct/2016:14:24:53 +0200] -
>>>>>> "\x16\x03\x01\x01,\x01" 400 226 "-" "-"
>>>>>>
>>>>>> this, however, is something completely different. I'd also guess
it's
>>>>>> some kind
>>>>>> of vulnerability scan:
>>>>>>
>>>>>> > IP
>>>>>> > 0.0.0.0 - - [02/Oct/2016:11:29:08 +0300]
>>>>>> > "n\x1d\xb6\x18\x9ad\xec[\x1d\b\xe6k\xbb\xe5L" 200 48605
>>>>>> > 0.0.0.0 - - [02/Oct/2016:16:04:20 +0300]
>>>>>> > "\x95\xa3\xb1\xce\xc8\xeb:\x86\x87\xb4\x03g\xfa~\x9f{\x07\xd
>>>>>> a\xef6O\xa1~\x91[\xf2\x05E\xac\xad\x8d\x9d\xbe\xf5\xfc\xc5\"
>>>>>> \xed\xa3u"
>>>>>> > 200 48605
>>>>>>
>>>>>> Rainer
>>>>>>
>>>>>> ---------------------------------------------------------------------
>>>>>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>>>>> For additional commands, e-mail: users-help@httpd.apache.org
>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>

Mime
View raw message