httpd-users mailing list archives

From Spork Schivago <sporkschiv...@gmail.com>
Subject Re: [users@httpd] Unknown accepted traffic to my site
Date Thu, 06 Oct 2016 21:42:31 GMT
Tawasol Go,

I don't think your issue is from the Berkeley scanners.   This is what one
of the Berkeley people involved with the project said:

I grep'd our logs. The full packet payload we sent, base64 encoded was:

XgVB6qH6vhUKgtS97jgjPuVy3wPvMgn8waDBFSu2EfosbL5ygd33ejOw+eQ2+igTdpUPwmamsW0nQG4/MDIb+g==

Decoded:

00000000  5e 05 41 ea a1 fa be 15  0a 82 d4 bd ee 38 23 3e  |^.A..........8#>|
00000010  e5 72 df 03 ef 32 09 fc  c1 a0 c1 15 2b b6 11 fa  |.r...2......+...|
00000020  2c 6c be 72 81 dd f7 7a  33 b0 f9 e4 36 fa 28 13  |,l.r...z3...6.(.|
00000030  76 95 0f c2 66 a6 b1 6d  27 40 6e 3f 30 32 1b fa  |v...f..m'@n?02..|

As you can see after the 0x15 we sent 0x0a which just happens to be a
new line character. Apache saw this and marked that as the end of the
request. That's why the log cuts the request short.



To me, it looks like someone's trying to run exploits on your server.
I'm not as smart as some of the other users here though.   I wasn't trying
to imply that your issue was caused by the Berkeley scanner, I was just
trying to shed some more light on their scanner and why they're scanning
sites.

Are you sure they haven't successfully found a way in?   There are some free
programs that I use to help prevent this stuff.   ConfigServer Firewall /
LFD is a good one.   Rkhunter and chkrootkit scan for rootkits.   The big
one that helps the most, I feel, is Mod Security.   That's the one that
monitors the traffic looking for known scanning software, exploits, etc. and
blocks it.   I run in a *nix environment and don't have a lot of experience
with Windows servers though.   Not sure what you're running.   I'm always
really paranoid and would definitely be worried about my system being
compromised if I saw traffic like you're seeing though.   But again, I'm
not really that intelligent when it comes to stuff like this.

Ken

On Thu, Oct 6, 2016 at 5:21 PM, Spork Schivago <sporkschivago@gmail.com>
wrote:

> Thanks Tony!   Much appreciated.
>
> Erik,
>
> Did I ever try to run what on my server?   The string query that Berkeley
> sends looking for the malware to respond?   If so, no, I have never tried
> to send that carefully crafted packet to my Apache server.   From the
> previous user who had what appears to be the same issue as Mitchell
> though, I would imagine it'd probably just deliver my default web page
> (index.html).   That's my guess though.
>
> If anyone cares, I can copy the other e-mails they sent to me that explain
> how it all works and why the full string isn't in the Apache logs (I think
> that has something to do with the way Apache responds to the string).
>
> They're not actually trying to exploit the server, they're just trying to
> find servers that have been infected.   If the malware sees a special
> string, it responds with a special string.   At that point in time, the
> college contacts the local law enforcement for that area to inform them and
> hope that they contact the owner of the server to inform them that they're
> infected.   Not the best way I guess to inform people, but better than
> nothing I guess.
>
> Here, in my city, I doubt the local law enforcement would ever contact me
> with anything computer related.   I contacted them before because of a
> crime that happened in my house but because the internet and a computer was
> involved, they said they couldn't help and my best bet would be trying to
> contact the FBI or some other government organization.   I doubt anyone at
> my police station really knows much about PCs.   There doesn't seem to be a
> cyber crimes division or anything like that.
>
> On Thu, Oct 6, 2016 at 4:08 PM, Anthony Biacco <abiacco@handll.com> wrote:
>
>>
>>
>> On Thu, Oct 6, 2016 at 8:47 AM, Spork Schivago <sporkschivago@gmail.com>
>> wrote:
>>
>>>
>>> There's a way to do a reverse IP lookup on the IP address and see if
>>> there's a DNS entry for it.   That's how I was able to successfully figure
>>> out who the senders were (Berkeley) originally.   I used dig I believe.   I
>>> don't have access to my Linux box right now, otherwise I'd check to see if
>>> the IP addresses are actually from Berkeley.   There's always a chance that
>>> they're using more than one server / IP now to conduct the scanning.   I
>>> believe they were originally trying to scan the whole internet.
>>>
>>>
>> based on the IP of 169.229.3.91 given by Mitchell:
>>
>> 91.3.229.169.in-addr.arpa. 9787 IN      PTR
>> researchscan1.EECS.Berkeley.EDU.
>>
>> University of California - Office of the President UCSD-NET-169-228
>> (NET-169-229-0-0-1) 169.229.0.0 - 169.233.255.255
>> University of California at Berkeley ISTDATA (NET-169-229-0-0-2)
>> 169.229.0.0 - 169.229.255.255
>>
>> -Tony
>>
>>
>>
>>> They had said it's a very specific type of malware that only affects IIS
>>> to their knowledge.   If you're not running a Windows server running IIS,
>>> you should be good to go.
>>>
>>> On Thu, Oct 6, 2016 at 8:27 AM, Rainer Canavan <
>>> rainer.canavan@sevenval.com> wrote:
>>>
>>>> On Wed, Oct 5, 2016 at 6:26 PM, Joe Muller <jmuller@arccorp.com> wrote:
>>>> > From the looks of it I would say it is targeting servers running SSL.
>>>> > Are you serving up HTTP or HTTPS?
>>>>
>>>> I don't think that that is valid SSL, unless your httpd discards the
>>>> first few bytes.
>>>> There was a SANS handler diary entry just yesterday about this:
>>>>
>>>> https://isc.sans.edu/forums/diary/SSL+Requests+to+nonSSL+HTTP+Servers/21551/
>>>>
>>>> if I try `openssl s_client -connect localhost:14020`, I get the below
>>>> entry in my access.log,
>>>> which matches the description in the diary:
>>>>
>>>> 127.0.0.1 localhost:14020 - - [06/Oct/2016:14:24:53 +0200] - "\x16\x03\x01\x01,\x01" 400 226 "-" "-"
>>>>
>>>> this, however, is something completely different. I'd also guess it's
>>>> some kind
>>>> of vulnerability scan:
>>>>
>>>> > IP
>>>> > 0.0.0.0 - - [02/Oct/2016:11:29:08 +0300]
>>>> > "n\x1d\xb6\x18\x9ad\xec[\x1d\b\xe6k\xbb\xe5L" 200 48605
>>>> > 0.0.0.0 - - [02/Oct/2016:16:04:20 +0300]
>>>> > "\x95\xa3\xb1\xce\xc8\xeb:\x86\x87\xb4\x03g\xfa~\x9f{\x07\xda\xef6O\xa1~\x91[\xf2\x05E\xac\xad\x8d\x9d\xbe\xf5\xfc\xc5\"\xed\xa3u" 200 48605
>>>>
>>>> Rainer
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>>> For additional commands, e-mail: users-help@httpd.apache.org
>>>>
>>>>
>>>
>>
>
