Koozali.org: home of the SME Server

Hacking attempt: suEXEC

Jason Judge

Hacking attempt: suEXEC
« on: April 12, 2002, 02:38:59 AM »
This worries me a little in the httpd error log. Is someone firing invalid packets at me to try and break Apache? This suEXEC message: should that be there or has someone got in?

I'm running SME 5.2.1 and from the second I connected it to the cable network I've been getting constant hacking attempts (mostly probing for Windows vulnerabilities). Should I be worried?

-- Jason

[Thu Apr 11 16:48:38 2002] [error] mod_ssl: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!] (System error follows)
[Thu Apr 11 16:48:38 2002] [error] System: Broken pipe (errno: 32)
[Thu Apr 11 21:00:13 2002] [error] [client 61.11.79.18] Client sent malformed Host header
[Thu Apr 11 22:13:23 2002] [notice] SIGUSR1 received.  Doing graceful restart
[Thu Apr 11 22:13:23 2002] [notice] Apache configured -- resuming normal operations
[Thu Apr 11 22:13:23 2002] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Thu Apr 11 22:13:23 2002] [notice] Accept mutex: sysvsem (Default: sysvsem)
[Thu Apr 11 22:20:35 2002] [error] [client 213.23.39.215] Client sent malformed Host header
[Thu Apr 11 22:25:52 2002] [notice] SIGUSR1 received.  Doing graceful restart
[Thu Apr 11 22:25:52 2002] [notice] Apache configured -- resuming normal operations
[Thu Apr 11 22:25:52 2002] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Thu Apr 11 22:25:52 2002] [notice] Accept mutex: sysvsem (Default: sysvsem)

Bobby

Re: Hacking attempt: suEXEC
« Reply #1 on: April 12, 2002, 04:14:05 AM »
I have not looked into this yet, but here is information on suEXEC.
http://httpd.apache.org/docs-2.0/suexec.html

Bobby

Re: Hacking attempt: suEXEC
« Reply #2 on: April 12, 2002, 04:17:39 AM »
This is taken from Apache.org:

Enabling & Disabling suEXEC
Upon startup of Apache, it looks for the file "suexec" in the "sbin" directory (default is "/usr/local/apache/sbin/suexec"). If Apache finds a properly configured suEXEC wrapper, it will print the following message to the error log:

    [notice] suEXEC mechanism enabled (wrapper: /path/to/suexec)

If you don't see this message at server startup, the server is most likely not finding the wrapper program where it expects it, or the executable is not installed setuid root.
If you want to enable the suEXEC mechanism for the first time and an Apache server is already running you must kill and restart Apache. Restarting it with a simple HUP or USR1 signal will not be enough.
If you want to disable suEXEC you should kill and restart Apache after you have removed the "suexec" file.

Jason Judge

Re: Hacking attempt: suEXEC
« Reply #3 on: April 12, 2002, 04:41:44 AM »
If this message should appear on Apache startup, it looks like they are managing to crash my Apache with the malformed HTTP GET commands.

It has happened roughly eight times over the last few days. It starts with a rapid bunch of SSL requests (all refused), a quick probe for some Windows commands, then the malformed headers which result in Apache core dumps (but a quick recovery).

It's a horrible feeling - this being hacked lark - like a perfect stranger walked up to you in the street and punched you in the nose then walked off. I'm sure it's not personal to them, but it is to me when it affects me.

-- Jason

Grub

Re: Hacking attempt: suEXEC
« Reply #4 on: April 12, 2002, 04:52:22 AM »
Nothing wrong as I can see....maybe some Code Red @!#$.... or whatever. If you didn't change suexec permissions... nothing is wrong.

Grub

Re: Hacking attempt: suEXEC
« Reply #5 on: April 12, 2002, 04:53:08 AM »
@!#$ = s.h.i.t.

Rich Lafferty

Re: Hacking attempt: suEXEC
« Reply #6 on: April 12, 2002, 08:18:27 AM »
There's nothing unusual about those logs at all -- they're normal Apache
logs. The restarts are from SIGUSR1, which means you did something in the
server-manager, or a periodic job ran, which caused a graceful restart of
the webserver. SuEXEC is an Apache feature that lets code execute with
a specific user's permissions, and it's part of the default installation.
There are a couple of lines there where someone has sent a broken Host:
header with a request, which Apache has handled correctly, but reported
for your information. Since so many browsers implement HTTP poorly,
it's not surprising that some would break Host:.

That out of the way, and with risk of sounding repetitive: PLEASE don't
report "I think I might be hacked! Look!" messages to the forums! That's
what security@e-smith.com is for.

Firstly, it's the equivalent of writing a note on your door saying "I think the
lock is broken!", since you've no reason to trust everyone that reads here.

Secondly, it's *also* the equivalent of writing a note on your door saying "I
think everyone with this kind of lock has a broken lock," because if you do
find a real vulnerability in SME Server, there are a lot of people running
the same software that you're exposing. That doesn't help anybody;
letting us know you think you've found a problem and letting us generate
a response, whether a note explaining why it's not a problem or an update
fixing a real vulnerability helps more.

Lastly, it's the equivalent of putting a sign on your door but not telling
the locksmith -- these forums are unsupported, and there's no guarantee
that anyone from Mitel Networks will see your post. But mail sent to the
address designated for security concerns, security@e-smith.com, will
always receive priority attention.

The SME Server team takes security concerns very seriously -- please help
us do so.

Thanks,

--Rich
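An added triage script (not from the thread or the SME Server project) that applies Rich's reading of the log to the lines Jason posted: it parses the Apache 1.3 error_log format, buckets the graceful-restart/suEXEC notices as expected startup housekeeping, separates the "malformed Host header" lines as client errors Apache already handled, and tallies the remaining errors per client IP. The bucket names and the marker strings are this example's own choices.

```python
import re
from collections import Counter
# Apache 1.3 error_log format: [timestamp] [level] [client a.b.c.d] message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] "
    r"(?:\[client (?P<client>[\d.]+)\] )?(?P<msg>.*)$"
)

# Notices Apache writes on startup or on a SIGUSR1 graceful restart.
STARTUP_MARKERS = ("SIGUSR1 received", "Apache configured",
                   "suEXEC mechanism enabled", "Accept mutex")

def parse_line(line):
    # Return a dict with ts/level/client/msg, or None if not an error_log line.
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(entry):
    """Bucket one parsed entry by what it tells the administrator."""
    msg = entry["msg"]
    if any(marker in msg for marker in STARTUP_MARKERS):
        return "startup"            # expected housekeeping, not an intrusion
    if "malformed Host header" in msg:
        return "client-error"       # bad request from a client, rejected by Apache
    if entry["level"] == "error":
        return "server-error"       # worth a look (e.g. the broken-pipe SSL lines)
    return "other"

def triage(lines):
    # Count entries per bucket, and per client IP for the client-error bucket.
    counts, clients = Counter(), Counter()
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            counts["unparsed"] += 1
            continue
        kind = classify(entry)
        counts[kind] += 1
        if kind == "client-error" and entry["client"]:
            clients[entry["client"]] += 1
    return counts, clients

# Sample input: lines copied from Jason's first post, embedded so the script runs offline.
SAMPLE = [
    "[Thu Apr 11 16:48:38 2002] [error] mod_ssl: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!] (System error follows)",
    "[Thu Apr 11 16:48:38 2002] [error] System: Broken pipe (errno: 32)",
    "[Thu Apr 11 21:00:13 2002] [error] [client 61.11.79.18] Client sent malformed Host header",
    "[Thu Apr 11 22:13:23 2002] [notice] SIGUSR1 received.  Doing graceful restart",
    "[Thu Apr 11 22:13:23 2002] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)",
    "[Thu Apr 11 22:20:35 2002] [error] [client 213.23.39.215] Client sent malformed Host header",
]
```

Running `triage(SAMPLE)` on the sample yields two startup notices, two client errors (one per IP) and two server errors, which is the picture Rich describes: nothing that indicates a compromise.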

Jason Judge

Re: the lock
« Reply #7 on: April 12, 2002, 04:31:33 PM »
Rich,

I accept your point about keeping security concerns out of public forums, and will do so in the future. Please accept my humble apologies for giving you cause to waste time having to point this out to me, when I can see now that this has been made clear in the forums already. I'm sure you are already busy enough.

Anyway - the 'lock' appears to be holding up just fine. There are _numerous_ hacking attempts (probably mostly automated), just as I'm sure there would be if I connected a digital watch to the Internet! However, after studying the logs again with my new-found knowledge, NOTHING untoward appears to have ever got through the SME firewall.

Thanks.

-- Jason

Jason Judge

Re: the lock
« Reply #8 on: April 12, 2002, 04:37:32 PM »
Nope - I didn't change any security settings, and have no interest in doing so! The good guys at Mitel are the experts, so I'll leave the configuration to them.

Out of interest, does the Code Red do this kind of attempted hacking from someone else's [Windows] machine, once it is infected? Or would there really be someone sat at the other end running scripts to scan random machines for various [Windows!] vulnerabilities?

-- Jason

dave

Re: Hacking attempt: suEXEC
« Reply #9 on: April 12, 2002, 06:03:42 PM »
Jason has simply asked the question "should I be worried". There is no need to jump down his throat with a barrage of metaphorical crap. Get off your high horse Rich.

Jason Judge

Re: Hacking attempt: suEXEC
« Reply #10 on: April 12, 2002, 06:51:07 PM »
'sokay Dave - I'm cool about it.

I get to use my favourite FREE SME server and save myself an enormous amount of time and effort. So, I'll abide by the rules and requests of the authors if that's what keeps the whole thing running smoothly.

-- Jason

Tom Carroll

Re: the lock
« Reply #11 on: April 12, 2002, 07:47:31 PM »
Jason, I'm not 100 percent sure about this, but I don't believe Code Red or Nimda use SSL to get at your Apache system. All mine have come in as standard port 80 requests.

What has probably happened is that someone has mistakenly added https at the front of one of your URLs and in fact the page they are trying to bring up is not a secure page. That would be one of my lines of investigation. Have you checked the IP block owner to see if it is someone you know and asked them what they were doing at that time?

If you can't track who it is, maybe you can have a friend try to do a few things to see if you can repeat the error. If it is truly a bug, you could then fire off a report to bugs@e-smith.org so they can take a look at it.

Just some thoughts for you to consider...

Tom Carroll