Koozali.org: home of the SME Server

Legacy Forums => Experienced User Forum => Topic started by: David Woolley on February 01, 2003, 05:34:05 PM

Title: Interpreting remote access logs.
Post by: David Woolley on February 01, 2003, 05:34:05 PM
I'm not too good at distinguishing between remote access requests.

IPs 62.22.86.3, 217.106.95.203 and 217.40.37.36 are unknown to me. Does it look like these users had been authenticated?

Is there a log file of authenticated remote log ins?

Many thanks

David

The following is copied from my SME 5.5U2.


Viewed at Sat Feb 1 13:26:38 2003.

[Sat Feb  1 01:12:06 2003] [notice] Apache configured -- resuming normal operations
[Sat Feb  1 01:12:06 2003] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Sat Feb  1 01:12:06 2003] [notice] Accept mutex: sysvsem (Default: sysvsem)
[Sat Feb  1 06:52:37 2003] [error] [client 62.22.86.3] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Sat Feb  1 06:52:48 2003] [error] mod_ssl: SSL handshake failed (server www.editvideo.info:443, client 62.22.86.3) (OpenSSL library error follows)
[Sat Feb  1 06:52:48 2003] [error] OpenSSL: error:1406B458:lib(20):func(107):reason(1112)
[Sat Feb  1 07:31:50 2003] [error] [client 217.40.37.36] File does not exist: /home/e-smith/files/primary/html/scripts/root.exe
[Sat Feb  1 07:31:50 2003] [error] [client 217.40.37.36] File does not exist: /home/e-smith/files/primary/html/MSADC/root.exe
[Sat Feb  1 07:31:50 2003] [error] [client 217.40.37.36] File does not exist: /home/e-smith/files/primary/html/c/winnt/system32/cmd.exe
[Sat Feb  1 07:31:50 2003] [error] [client 217.40.37.36] File does not exist: /home/e-smith/files/primary/html/d/winnt/system32/cmd.exe
[Sat Feb  1 07:31:50 2003] [error] [client 217.40.37.36] File does not exist: /home/e-smith/files/primary/html/scripts/..%5c../winnt/system32/cmd.exe
[Sat Feb  1 07:31:51 2003] [error] [client 217.40.37.36] File does not exist: /home/e-smith/files/primary/html/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Sat Feb  1 07:31:51 2003] [error] [client 217.40.37.36] File does not exist: /home/e-smith/files/primary/html/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Sat Feb  1 07:31:51 2003] [error] [client 217.40.37.36] File does not exist: /home/e-smith/files/primary/html/msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe
[Sat Feb  1 07:31:51 2003] [error] [client 217.40.37.36] File does not exist: /home/e-smith/files/primary/html/scripts/..Á../winnt/system32/cmd.exe
[Sat Feb  1 07:31:51 2003] [error] [client 217.40.37.36] File does not exist: /home/e-smith/files/primary/html/scripts/..À¯../winnt/system32/cmd.exe
[Sat Feb  1 07:31:51 2003] [error] [client 217.40.37.36] File does not exist: /home/e-smith/files/primary/html/scripts/..Áœ../winnt/system32/cmd.exe
[Sat Feb  1 07:31:52 2003] [error] [client 217.40.37.36] File does not exist: /home/e-smith/files/primary/html/scripts/..%5c../winnt/system32/cmd.exe
[Sat Feb  1 07:31:52 2003] [error] [client 217.40.37.36] File does not exist: /home/e-smith/files/primary/html/scripts/..%2f../winnt/system32/cmd.exe
[Sat Feb  1 12:52:25 2003] [error] [client 217.106.95.203] File does not exist: /home/e-smith/files/primary/html/sumthin
Title: Re: Interpreting remote access logs.
Post by: Graeme Fleming on February 01, 2003, 06:22:07 PM
No, they have been rejected. This is an attempt by a trojan to take control of an MS Windows IIS server; my system gets these hits all the time:

WEB-IIS cmd.exe access        web-application-attack        688 (68%)        1        34        1        2003-01-23 09:05:16        2003-02-01 17:44:01

WEB-IIS CodeRed v2 root.exe access        web-application-attack        122 (12%)        1        33        1        2003-01-23 09:05:15        2003-02-01 17:43:50

Install Snort/Acid for an Intrusion Detection System that is far more informative (see Darrell's Howto on myezserver.com).
Title: Re: Interpreting remote access logs.
Post by: David Woolley on February 01, 2003, 06:31:13 PM
Thanks for the quick response, Graeme.

Is there something in my quote that tells you they were rejected, or do you just know by experience?

The final request, from 217.106.95.203, looks different from the others?

I'll check out the Snort/Acid. Thanks for that.

David
Title: Re: Interpreting remote access logs.
Post by: Graeme Fleming on February 01, 2003, 10:31:38 PM
The 'error' is the first clue.

The second clue is that the commands that are trying to execute cannot be run on an SME box cos the files and their locations don't exist.

The last command is trying to execute a file that may or may not exist in the WWW virtual root. Assuming 'public' doesn't have write access to this location, then it would take some trickery to get the file into this location and then further trickery to actually persuade it to run; mostly beyond ya average script kiddie.

While it is possible to circumvent almost any security given enough time, motivation, and resources, it is unlikely it would be worth it for the type of person(s) with the requisite talent unless there is a nice big 'prize' to be had.

That's my 10 cents' worth at least :-)
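The two clues Graeme gives (the `[error]` level, and a "File does not exist" for a path that only exists on IIS) can be turned into a small triage script. The following is an added example written for this page, not code from the thread, from SME Server or from Snort/ACID. It parses the Apache 1.3 `error_log` format shown in David's post, labels each client error as an IIS-style probe, some other missing file, or an unrelated client error, and tallies the labels per source address. The sample log lines and the `192.0.2.x` / `198.51.100.x` / `203.0.113.x` addresses are constructed (RFC 5737 documentation ranges); the docroot path is the one that appears in the thread.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache 1.3 error_log line, e.g.
# [Sat Feb  1 07:31:50 2003] [error] [client 10.0.0.1] File does not exist: /path
ERROR_LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] "
    r"(?:\[client (?P<ip>[^\]]+)\] )?(?P<msg>.*)$"
)
MISSING_FILE = re.compile(r"^File does not exist: (?P<path>.+)$")

# Indicators of the IIS worm/scanner probes Graeme describes: requests for
# cmd.exe or root.exe, and "..%5c" / "..%2f" / overlong-UTF-8 traversal
# encodings (Apache logs the decoded bytes, hence the non-ASCII characters).
IIS_TARGET = re.compile(r"(cmd\.exe|root\.exe)$", re.IGNORECASE)
TRAVERSAL = re.compile(r"\.\.(%5c|%2f|[^\x00-\x7f])", re.IGNORECASE)

DOCROOT = "/home/e-smith/files/primary/html"  # primary ibay docroot from the thread


def parse_line(line):
    """Return a dict (ts, level, ip, msg) for one error_log line, or None."""
    m = ERROR_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%a %b %d %H:%M:%S %Y")
    return rec


def classify(rec, docroot=DOCROOT):
    """Label one parsed record.

    Every label that comes out of here describes a request Apache *refused*:
    the line is an [error], so nothing was authenticated or served.
    """
    if rec["level"] != "error" or rec["ip"] is None:
        return "not-a-client-error"
    mf = MISSING_FILE.match(rec["msg"])
    if not mf:
        return "other-client-error"
    path = mf.group("path")
    rel = path[len(docroot):] if path.startswith(docroot) else path
    if IIS_TARGET.search(rel) or TRAVERSAL.search(rel):
        return "iis-probe"
    return "missing-file"


def summarize(lines, docroot=DOCROOT):
    """Count classification labels per client IP across a list of log lines."""
    per_ip = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["ip"] is None:
            continue  # startup notices etc. carry no client address
        per_ip[rec["ip"]][classify(rec, docroot)] += 1
    return {ip: dict(counts) for ip, counts in per_ip.items()}


# Constructed sample in the same format as the thread's log excerpt.
# "\u00c1" stands in for the decoded overlong-UTF-8 byte Apache logged.
SAMPLE_LOG = """\
[Sat Feb  1 01:12:06 2003] [notice] Apache configured -- resuming normal operations
[Sat Feb  1 06:52:37 2003] [error] [client 192.0.2.10] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Sat Feb  1 07:31:50 2003] [error] [client 198.51.100.7] File does not exist: /home/e-smith/files/primary/html/scripts/root.exe
[Sat Feb  1 07:31:50 2003] [error] [client 198.51.100.7] File does not exist: /home/e-smith/files/primary/html/c/winnt/system32/cmd.exe
[Sat Feb  1 07:31:51 2003] [error] [client 198.51.100.7] File does not exist: /home/e-smith/files/primary/html/scripts/..%5c../winnt/system32/cmd.exe
[Sat Feb  1 07:31:51 2003] [error] [client 198.51.100.7] File does not exist: /home/e-smith/files/primary/html/scripts/..\u00c1../winnt/system32/cmd.exe
[Sat Feb  1 12:52:25 2003] [error] [client 203.0.113.5] File does not exist: /home/e-smith/files/primary/html/sumthin
"""

if __name__ == "__main__":
    for ip, counts in sorted(summarize(SAMPLE_LOG.splitlines()).items()):
        print(ip, counts)
```

Run it against a real file with `summarize(open("/var/log/httpd/error_log").read().splitlines())`. Note that the script only ever sees refused requests: as Graeme says, a successful authenticated request produces no `[error]` line here, so this log cannot answer "who logged in?", only "who was turned away and what they were looking for".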
Title: Re: Interpreting remote access logs.
Post by: David Woolley on February 02, 2003, 01:41:23 AM
Thanks Graeme.

I've installed Snort/Acid on a test server and it has trapped two unknown access attempts already this afternoon. I like the Guardian add-on that quarantines dodgy IPs for a day and emails me when it does. Neat.

Will keep it monitored.

David