Koozali.org: home of the SME Server

hacking???

sander

hacking???
« on: October 13, 2001, 05:06:45 PM »
I had a look at the log file in http/error_log and saw something very interesting.

I wonder if this is some kind of a hacker that wants to get access to my server.
I installed SME on Friday and so soon I have errors. I will copy-paste them here.

[Sat Oct 13 08:34:58 2001] [error] [client 212.47.92.85] File does not exist: /home/e-smith/files/primary/html/scripts/root.exe
[Sat Oct 13 08:34:58 2001] [error] [client 212.47.92.85] File does not exist: /home/e-smith/files/primary/html/MSADC/root.exe
[Sat Oct 13 08:34:59 2001] [error] [client 212.47.92.85] File does not exist: /home/e-smith/files/primary/html/c/winnt/system32/cmd.exe
[Sat Oct 13 08:35:02 2001] [error] [client 212.47.92.85] File does not exist: /home/e-smith/files/primary/html/d/winnt/system32/cmd.exe
[Sat Oct 13 08:35:02 2001] [error] [client 212.47.92.85] File does not exist: /home/e-smith/files/primary/html/scripts/..%5c../winnt/system32/cmd.exe
[Sat Oct 13 08:35:02 2001] [error] [client 212.47.92.85] File does not exist: /home/e-smith/files/primary/html/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Sat Oct 13 08:35:02 2001] [error] [client 212.47.92.85] File does not exist: /home/e-smith/files/primary/html/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Sat Oct 13 08:35:02 2001] [error] [client 212.47.92.85] File does not exist: /home/e-smith/files/primary/html/msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe
[Sat Oct 13 08:35:05 2001] [error] [client 212.47.92.85] File does not exist: /home/e-smith/files/primary/html/scripts/..Á../winnt/system32/cmd.exe
[Sat Oct 13 08:35:51 2001] [error] [client 212.47.92.85] File does not exist: /home/e-smith/files/primary/html/scripts/..À¯../winnt/system32/cmd.exe
[Sat Oct 13 08:35:51 2001] [error] [client 212.47.92.85] File does not exist: /home/e-smith/files/primary/html/scripts/..Áœ../winnt/system32/cmd.exe
[Sat Oct 13 08:35:51 2001] [error] [client 212.47.92.85] File does not exist: /home/e-smith/files/primary/html/scripts/..%5c../winnt/system32/cmd.exe
[Sat Oct 13 08:35:55 2001] [error] [client 212.47.92.85] File does not exist: /home/e-smith/files/primary/html/scripts/..%2f../winnt/system32/cmd.exe
[Sat Oct 13 09:37:41 2001] [error] [client 212.47.92.85] File does not exist: /home/e-smith/files/primary/html/scripts/root.exe
[Sat Oct 13 09:37:41 2001] [error] [client 212.47.92.85] File does not exist: /home/e-smith/files/primary/html/MSADC/root.exe
[Sat Oct 13 09:37:41 2001] [error] [client 212.47.92.85] File does not exist: /home/e-smith/files/primary/html/c/winnt/system32/cmd.exe
[Sat Oct 13 09:37:41 2001] [error] [client 212.47.92.85] File does not exist: /home/e-smith/files/primary/html/d/winnt/system32/cmd.exe
[Sat Oct 13 09:37:41 2001] [error] [client 212.47.92.85] File does not exist: /home/e-smith/files/primary/html/scripts/..%5c../winnt/system32/cmd.exe
[Sat Oct 13 09:37:41 2001] [error] [client 212.47.92.85] File does not exist: /home/e-smith/files/primary/html/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Sat Oct 13 09:37:41 2001] [error] [client 212.47.92.85] File does not exist: /home/e-smith/files/primary/html/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Sat Oct 13 09:37:42 2001] [error] [client 212.47.92.85] File does not exist: /home/e-smith/files/primary/html/msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe
[Sat Oct 13 09:37:42 2001] [error] [client 212.47.92.85] File does not exist: /home/e-smith/files/primary/html/scripts/..Á../winnt/system32/cmd.exe
[Sat Oct 13 09:37:42 2001] [error] [client 212.47.92.85] File does not exist: /home/e-smith/files/primary/html/scripts/..À¯../winnt/system32/cmd.exe
[Sat Oct 13 09:37:45 2001] [error] [client 212.47.92.85] File does not exist: /home/e-smith/files/primary/html/scripts/..Áœ../winnt/system32/cmd.exe
[Sat Oct 13 09:37:48 2001] [error] [client 212.47.92.85] File does not exist: /home/e-smith/files/primary/html/scripts/..%5c../winnt/system32/cmd.exe
[Sat Oct 13 09:37:49 2001] [error] [client 212.47.92.85] File does not exist: /home/e-smith/files/primary/html/scripts/..%2f../winnt/system32/cmd.exe
[Sat Oct 13 11:27:07 2001] [error] [client 212.47.92.85] File does not exist: /home/e-smith/files/primary/html/scripts/root.exe
[Sat Oct 13 11:27:07 2001] [error] [client 212.47.92.85] File does not exist: /home/e-smith/files/primary/html/MSADC/root.exe
[Sat Oct 13 11:27:07 2001] [error] [client 212.47.92.85] File does not exist: /home/e-smith/files/primary/html/c/winnt/system32/cmd.exe
[Sat Oct 13 11:27:10 2001] [error] [client 212.47.92.85] File does not exist: /home/e-smith/files/primary/html/d/winnt/system32/cmd.exe
[Sat Oct 13 11:27:10 2001] [error] [client 212.47.92.85] File does not exist: /home/e-smith/files/primary/html/scripts/..%5c../winnt/system32/cmd.exe
[Sat Oct 13 11:27:10 2001] [error] [client 212.47.92.85] File does not exist: /home/e-smith/files/primary/html/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Sat Oct 13 11:27:11 2001] [error] [client 212.47.92.85] File does not exist: /home/e-smith/files/primary/html/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Sat Oct 13 11:27:11 2001] [error] [client 212.47.92.85] File does not exist: /home/e-smith/files/primary/html/msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe
[Sat Oct 13 11:27:14 2001] [error] [client 212.47.92.85] File does not exist: /home/e-smith/files/primary/html/scripts/..Á../winnt/system32/cmd.exe
[Sat Oct 13 11:27:18 2001] [error] [client 212.47.92.85] File does not exist: /home/e-smith/files/primary/html/scripts/..À¯../winnt/system32/cmd.exe
[Sat Oct 13 11:27:18 2001] [error] [client 212.47.92.85] File does not exist: /home/e-smith/files/primary/html/scripts/..Áœ../winnt/system32/cmd.exe
[Sat Oct 13 11:27:22 2001] [error] [client 212.47.92.85] File does not exist: /home/e-smith/files/primary/html/scripts/..%5c../winnt/system32/cmd.exe
[Sat Oct 13 11:27:22 2001] [error] [client 212.47.92.85] File does not exist: /home/e-smith/files/primary/html/scripts/..%2f../winnt/system32/cmd.exe

Here you can obviously see the IP address of the "attacker".

Is this a hacking process for a Windows-based computer (server)? If it is, I am very happy about choosing e-smith as my server.

Thanks in advance

Sander
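As an added example (not part of the original thread or the SME Server project), here is a small Python classifier that parses Apache 1.3 error_log lines like those above and tallies, per client IP, which Nimda-style probe shapes (root.exe, cmd.exe, URL-encoded and overlong-UTF-8 traversals) appeared and when; the sample input is taken from the post plus one constructed ordinary 404 from a LAN client.

```python
import re
from collections import Counter, defaultdict

# Apache 1.3 error_log line: [timestamp] [level] [client IP] message
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<ip>[0-9.]+)\] (?P<msg>.*)$")

# Nimda / Code Red II probe shapes aimed at unpatched IIS; overlong-UTF-8 traversals land in the log as Latin-1 bytes (\xc0\xaf, \xc1\x9c).
SIGNATURES = [
    ("root.exe backdoor probe", re.compile(r"/root\.exe$", re.I)),
    ("cmd.exe via mapped c:/d: share", re.compile(r"/[cd]/winnt/system32/cmd\.exe$", re.I)),
    ("URL-encoded traversal (..%5c.. or ..%2f..)", re.compile(r"\.\.%(5c|2f)\.\./", re.I)),
    ("overlong-UTF-8 traversal", re.compile(r"\.\.[\xc0\xc1].{0,2}\.\./")),
]

def classify(msg):
    """Return the signature name for one error_log message, or None for an ordinary 404."""
    if not msg.startswith("File does not exist: "):
        return None
    for name, pattern in SIGNATURES:
        if pattern.search(msg):
            return name
    return None

def summarize(lines):
    """Per client IP: hits per signature plus the first and last probe timestamp."""
    report = defaultdict(lambda: {"hits": Counter(), "first": None, "last": None})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an error_log line in the format above
        sig = classify(m["msg"])
        if sig is None:
            continue  # ordinary 404, not a worm probe
        entry = report[m["ip"]]
        entry["hits"][sig] += 1
        entry["first"] = entry["first"] or m["ts"]
        entry["last"] = m["ts"]
    return dict(report)

# Constructed sample: four lines from the post above plus one ordinary 404 from a LAN client.
SAMPLE_LOG = """\
[Sat Oct 13 08:34:58 2001] [error] [client 212.47.92.85] File does not exist: /home/e-smith/files/primary/html/scripts/root.exe
[Sat Oct 13 08:34:59 2001] [error] [client 212.47.92.85] File does not exist: /home/e-smith/files/primary/html/c/winnt/system32/cmd.exe
[Sat Oct 13 08:35:02 2001] [error] [client 212.47.92.85] File does not exist: /home/e-smith/files/primary/html/scripts/..%5c../winnt/system32/cmd.exe
[Sat Oct 13 08:35:05 2001] [error] [client 212.47.92.85] File does not exist: /home/e-smith/files/primary/html/scripts/..\xc0\xaf../winnt/system32/cmd.exe
[Sat Oct 13 08:40:11 2001] [error] [client 192.168.1.20] File does not exist: /home/e-smith/files/primary/html/favicon.ico
""".splitlines()

if __name__ == "__main__":
    for ip, entry in summarize(SAMPLE_LOG).items():
        print(ip, entry["first"], "to", entry["last"], dict(entry["hits"]))
```

Run it against a real error_log with `summarize(open("/var/log/httpd/error_log", encoding="latin-1"))` to get the same per-IP tally; only the probing hosts show up, ordinary 404s are ignored.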

Dan Brown

Re: hacking???
« Reply #1 on: October 13, 2001, 06:32:08 PM »
Do a forum search on "nimda".  Short version--you're getting hit with attempts from the nimda worm, which won't do anything but consume a bit of bandwidth.

Dan

Re: hacking???
« Reply #2 on: October 14, 2001, 06:25:30 AM »
...and a bit of log space in your access_log ;)

Sander

Re: hacking???
« Reply #3 on: October 14, 2001, 02:59:32 PM »
I searched the forums for naviat, but I couldn't understand how to get rid of these hackings.
Can anyone copy-paste the right way to get rid of this worm attacking my e-smith box? I would appreciate it a lot.

I really don't have to put ZoneAlarm as my personal firewall again? I think e-smith is the best firewall I know. As all of you know, ZoneAlarm brings down the speed of download.

Hope you can help me.

Sander

Dan Brown

Re: hacking???
« Reply #4 on: October 14, 2001, 05:10:12 PM »
There's no way to get rid of it, but it doesn't do anything.

Adam Rykala

Re: hacking???
« Reply #5 on: October 15, 2001, 01:19:28 AM »
You cannot get rid of them - they're other people trying to get into you and failing.

The worm is often on servers without the admin's awareness. The only way you can stop them is to drop them via IPCHAINS. Go to www.psionic.com/abacus and download and install a "PortSentry" RPM - you can get it from RedHat's RPM download site. Also consider LogCheck as well.

Port Sentry can block IPs based on some pretty advanced heuristics.

The worm is on other people's machines. You cannot stop them short of telling their admins!!! But you can block them using IPCHAINS from connecting.

The worm relies on certain issues with Microsoft's IIS if unpatched. On e-smith and its Apache web server you have NOTHING to worry about. It's being bounced out, much more than ZoneAlarm could EVER do.

In fact, be thankful it's being logged. It should serve as a reminder that there are many people out there who do not secure their systems.

As a thought - are you using your e-smith box as an internet webserver? If you aren't serving pages to the world, then you should have selected Private Server and Gateway and then Ipchains tells them all "Bye Bye".

Sander

Re: hacking???
« Reply #6 on: October 15, 2001, 02:59:37 AM »
Well, I downloaded and installed the RPM. Do I have to configure it somehow, or does it work from now on (send mail to the admin mailbox?)

Thanks for the program tip.

Sander

Adam Rykala

Re: hacking???
« Reply #7 on: October 15, 2001, 07:31:29 PM »
For portsentry
pico /etc/rc.local and add the following lines to the end

/usr/sbin/portsentry -atcp
/usr/sbin/portsentry -audp

Now go to the directory /etc/portsentry and edit the two files there with pico. They're fully self-explanatory.

Reboot
That's it.

Any entries will get dropped into /etc/hosts.deny (using TCPWrappers to deny entry) and a route command will hedge them off to 127.0.0.1

Any alerts will end up in /var/log/messages. As my e-smith box is a home server I leave the second screen logged in with

tail -f /var/log/messages

running

For Logcheck
No need to do anything - it adds itself to your crontab and emails you suspicious entries from /var/log/messages on an hourly basis.


Read the Documentation on their website. The stuff is amazing and really really simple to use.

Patrick Basile

port sentry setup? (Re: hacking???)
« Reply #8 on: October 17, 2001, 07:42:28 AM »
Adam Rykala wrote:
>
> For portsentry
> pico /etc/rc.local and add the following lines to the end
>
> /usr/sbin/portsentry -atcp
> /usr/sbin/portsentry -audp
>
> now go to the directory /etc/portsentry and edit the two
> files there with pico. They're fully self explanatory.
>
> Reboot
> Thats it

- Are the above instructions for a 'standard' install, or is this a special case?  I have a server getting hit with lots of Nimda attacks, and I'd like to 'drop' those attacks if possible (but still log them!).  Check out this link to see all the Nimda attacks: http://64.3.180.188/apache-hits.php

> Any entries will get dropped into /etc/hosts.deny (using
> TCPWrappers to deny entry) and a route command will hedge
> them off to 127.0.0.1
>
> Any alerts will end up in /var/log/messages. As my e-smith
> box is a home server I leave the second screen logged in with
>
> tail -f /var/log/messages
>
> running

- Could you be more specific about what the above command does?  Is this just streaming the alerts on your server console?

> For Logcheck
> No need to do nothing - adds itself to your crontab and
> emails you suspicious entries from /var/log/messages on an
> hourly basis

- I am running Logcheck, and it works great.

Have you heard of LaBrea (http://www.hackbusters.net/LaBrea/) "tarpit"?  Any thoughts?

Thanks.

Regards,
Patrick

Dan Brown

Re: port sentry setup? (Re: hacking???)
« Reply #9 on: October 17, 2001, 08:05:33 AM »
Portsentry is intended to stop portscans against your machine.  When it detects them, it blocks the scanning computer.  A Nimda probe is not a port scan; it's simply an http request.  I'm far from a portsentry guru, but I'd be very surprised if it'd have any effect on nimda (or code red, etc.) probes.

To repeat, yet again--it's nothing to worry about, it's not doing any harm, and even blocking the hosts that have already probed you isn't likely to do much (if any) good, as they tend to be new hosts each time.