httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Anthony Biacco <abia...@handll.com>
Subject Re: [users@httpd] Unknown accepted traffic to my site
Date Thu, 06 Oct 2016 22:01:50 GMT
On Thu, Oct 6, 2016 at 3:42 PM, Spork Schivago <sporkschivago@gmail.com>
wrote:

> Are you sure they haven't successfully found away in?   There are some
> free programs that I use to help prevent this stuff.   ConfigServer
> Firewall / LFD is a good one.   Rkhunter and chkrootkit scan for rootkits.
>   The big one that helps the most, I feel, is Mod Security.   That's the
> one that monitors the traffic looking for known scanning software,
> exploits, etc and blocks it.   I run in a *nix environment and don't have a
> lot of experience with Windows servers though.   Not sure what you're
> running.   I'm always really paranoid and would definitely be worried about
> by system being compromised if I saw traffic like you're seeing though.
> But again, I'm not really that intelligent when it comes to stuff like this.
>
> Ken
>
>
I was going to suggest mod_security as well. I'm not running it, but it's
on my TODO list. I have to determine the performance implications, if any.

-Tony



> On Thu, Oct 6, 2016 at 5:21 PM, Spork Schivago <sporkschivago@gmail.com>
> wrote:
>
>> Thanks Tony!   Much appreciated.
>>
>> Erik,
>>
>> Did I ever try to run what on my server?   The string query that Berkeley
>> sends looking for the malware to respond?   If so, no, I have never tried
>> to send that carefully crafted packet to my Apache server.   From the
>> previous user who had what appears to be the same issue as Mitchell
>> though, I would imagine it'd probably just deliver my default web page
>> (index.html).   That's my guess though.
>>
>> If anyone cares, I can copy the other e-mails they sent to me that
>> explain how it all works and why the full string isn't in the Apache logs
>> (I think that has something to do with the way Apache responds to the
>> string).
>>
>> They're not actually trying to exploit the server, they're just trying to
>> find servers that have been infected.   If the malware sees a special
>> string, it responds with a special string.   At that point in time, the
>> college contacts the local law enforcement for that area to inform them and
>> hope that they contact the owner of the server to inform them that they're
>> infected.   Not the best way I guess to inform people, but better than
>> nothing I guess.
>>
>> Here, in my city, I doubt the local law enforcement would ever contact me
>> with anything computer related.   I contacted them before because of a
>> crime that happened in my house but because the internet and a computer was
>> involved, they said they couldn't help and my best bet would be trying to
>> contact the FBI or some other government organization.   I doubt anyone at
>> my police station really knows much about PCs.   There doesn't seem to be a
>> cyber crimes division or anything like that.
>>
>> On Thu, Oct 6, 2016 at 4:08 PM, Anthony Biacco <abiacco@handll.com>
>> wrote:
>>
>>>
>>>
>>> On Thu, Oct 6, 2016 at 8:47 AM, Spork Schivago <sporkschivago@gmail.com>
>>> wrote:
>>>
>>>>
>>>> There's away to do a reverse IP lookup on the IP address and see if
>>>> there's a DNS entry for it.   That's how I was able to successfully figure
>>>> out who the senders were (Berkeley) originally.   I used dig I believe. 
 I
>>>> don't have access to my Linux box right now, otherwise I'd check to see if
>>>> the IP addresses are actually from Berkeley.   There's always a chance that
>>>> they're using more than one server / IP now to conduct the scanning.   I
>>>> believe they were originally trying to scan the whole internet.
>>>>
>>>>
>>> based on the IP of 169.229.3.91 given by Mitchell:
>>>
>>> 91.3.229.169.in-addr.arpa. 9787 IN      PTR
>>> researchscan1.EECS.Berkeley.EDU.
>>>
>>> University of California - Office of the President UCSD-NET-169-228
>>> (NET-169-229-0-0-1) 169.229.0.0 - 169.233.255.255
>>> University of California at Berkeley ISTDATA (NET-169-229-0-0-2)
>>> 169.229.0.0 - 169.229.255.255
>>>
>>> -Tony
>>>
>>>
>>>
>>> They had said it's a very specific type of malware that only affects IIS
>>>> to their knowledge.   If you're not running a Windows server running IIS,
>>>> you should be good to go.
>>>>
>>>> On Thu, Oct 6, 2016 at 8:27 AM, Rainer Canavan <
>>>> rainer.canavan@sevenval.com> wrote:
>>>>
>>>>> On Wed, Oct 5, 2016 at 6:26 PM, Joe Muller <jmuller@arccorp.com>
>>>>> wrote:
>>>>> > From the looks of it I would say it is targeting servers running
>>>>> SSL.  Are
>>>>> > you serving up HTTP or HTTPS ?
>>>>>
>>>>> I don't think that that is valid SSL, unless your httpd discards the
>>>>> first few bytes.
>>>>> There was a SANS handler diary entry just yesterday about this:
>>>>>
>>>>> https://isc.sans.edu/forums/diary/SSL+Requests+to+nonSSL+HTT
>>>>> P+Servers/21551/
>>>>>
>>>>> if I try `openssl s_client -connect localhost:14020`, I get the below
>>>>> entry in my access.log,
>>>>> which matches the description in the diary:
>>>>>
>>>>> 127.0.0.1 localhost:14020 - - [06/Oct/2016:14:24:53 +0200] -
>>>>> "\x16\x03\x01\x01,\x01" 400 226 "-" "-"
>>>>>
>>>>> this, however, is something completely different. I'd also guess it's
>>>>> some kind
>>>>> of vulnerability scan:
>>>>>
>>>>> > IP
>>>>> > 0.0.0.0 - - [02/Oct/2016:11:29:08 +0300]
>>>>> > "n\x1d\xb6\x18\x9ad\xec[\x1d\b\xe6k\xbb\xe5L" 200 48605
>>>>> > 0.0.0.0 - - [02/Oct/2016:16:04:20 +0300]
>>>>> > "\x95\xa3\xb1\xce\xc8\xeb:\x86\x87\xb4\x03g\xfa~\x9f{\x07\xd
>>>>> a\xef6O\xa1~\x91[\xf2\x05E\xac\xad\x8d\x9d\xbe\xf5\xfc\xc5\"\xed\xa3u"
>>>>> > 200 48605
>>>>>
>>>>> Rainer
>>>>>
>>>>> ---------------------------------------------------------------------
>>>>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>>>> For additional commands, e-mail: users-help@httpd.apache.org
>>>>>
>>>>>
>>>>
>>>
>>
>

Mime
View raw message