Skip site navigation (1)Skip section navigation (2)
Date:      Sat, 20 Oct 2001 16:45:48 -0500
From:      "Adam Wood" <woodfucius@yahoo.com>
To:        <freebsd-questions@freebsd.org>
Subject:   RE: attackers! How do I know whether or not they were successful?
Message-ID:  <000001c159b0$95518b70$01000001@wood>
In-Reply-To: <5.0.2.1.0.20011020141127.00a191b0@netmail.home.com>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
RE: attackers! How do I know whether or not they were successful?


I noticed in my logs what appears to be an attempt to try a buffer
overflow in my apache logs. I've included the excerpts from my logs
below for reference.

My questions:

>>1) I haven't opened up port 80 with my firewall. How did they connect?
Is there a problem with my rules? (I've >>included those below for
reference as well)
I don't see a rule similar to the default "65535 deny ip from any to
any" at the end of your ruleset to block any packets not accounted for
by the preceding rules.  That may be it, but I'm new to freebsd, so I'll
defer that question to the more experienced users.

>>2) How can I tell how successful the attempt was?
The attempt was not successful, since you do not have a default.ida file
on your system, thus there is nothing to exploit.

>>3) Any ideas what the attempt was trying to do? Is this a known
exploit? Where would I find out?
This is a scan from a windows machine infected with the Code Red worm.
It is trying to exploit a known hole in the Indexing Service DLL used by
Microsoft's POS, ahem,  I mean IIS server software package.  You're not
affected since you run FreeBSD.  More info at
http://www.cert.org/advisories/CA-2001-19.html

>>4) What do I do now? Anything else I should do?
You don't need to worry about this, as Apache is simply replying with
the "...malformed Host header" or a "file does not exist" error message.
The @home network is full of these kinds of machines that have yet to be
patched, so the only potential problem is your logs getting too big and
filling up the partition you have them on.  I think there are some tools
that will reject this type of request, as well as those generated by the
sequel to this worm (Code Red II), and the newer, nastier Nimda worm.
Anyone know of any off hand?

Thanks for all your help in this.
Mike

Notes:
I have FreeBSD 4.4 recently installed from an iso image.

My Firewall Rules:
block in     on dc0
block in log quick on dc0 from 192.168.0.0/16 to any
block in log quick on dc0 from 172.16.0.0/12 to any
block in log quick on dc0 from 10.0.0.0/8 to any
block in log quick on dc0 from 127.0.0.0/8 to any
block in log quick on dc0 from <my ip address>/32 to any
# allow my own network stuff to get out
pass out     quick on dc0 proto tcp/udp from 192.168.0.0/24 to any keep
state
pass out     quick on dc0 proto icmp    from 192.168.0.0/24 to any keep
state
pass out     quick on dc0 proto tcp/udp from <my ip address>/32 to any
keep 
state

httpd-error contents:
[Sat Oct 19 13:25:07 2001] [error] [client 131.123.8.178] Client sent 
malformed Host header

httpd-access contents:
131.123.8.178 - - [19/Oct/2001:13:25:07 -0700] "GET 
/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9
090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0
078%u0000%u00=a 
HTTP/1.0" 400 341 "-" "-"


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message


_________________________________________________________
Do You Yahoo!?
Get your free @yahoo.com address at http://mail.yahoo.com


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message




Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?000001c159b0$95518b70$01000001>