I love the madness (apache log)
Results 1 to 6 of 6

Thread: I love the madness (apache log)

  1. #1
    PHP/PostgreSQL guy
    Join Date
    Dec 2001
    Posts
    1,164

    Talking I love the madness (apache log)

    As I was sorting through my logs, I noticed my disk space where apache lives to be a little bit more used. Further exploring showed my error_log to be a whomping 47 megs. Considering this is a private box with no usage to the outside, that's quite a bit. So, let's go see what's up, shall we?

    # cd /var/www/logs
    # ls -l error_log
    -rw-r--r-- 1 root root 4796632 Dec 9 13:49 error_log

    # grep 'cmd.exe' error_log | wc -l
    68897

    Now, I ask you...what's the most direct course of action against this? It's not really slowing me down but man, if it isn't annoying. If I add it to ipchains, the IP table will be HUGE for input deny so I'm not sure what else would be effective (per comparison against ipchains).
    Suggestions? Oh, it's a nice thing to see these idiot NT boxes trying against a *NIX box...they'll never take me!
    We the willing, led by the unknowing, have been doing the impossible for the ungrateful. We have done so much with so little for so long that we are now qualified to do just about anything with almost nothing.
    Share on Google+

  2. #2
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,786
    Your right in one respect...it is stupid NT ppl.

    what you would see if you opened the log is identical attacks from every one of those ip address. NIMDA

    if you want to do something about it, pick and ip address or two, track it down and tell the SOB to redo his/her server and this time patch it before connecting it back to the internet. i mean the patch is free (so to speak).
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”
    Share on Google+

  3. #3
    Junior Member
    Join Date
    Dec 2001
    Posts
    8
    I read something about tarpits a few days ago ... Thats a very nice thing!

    I works by accepting the Scans on non-used IP Adresses and then slowing the scans down.
    The author claims, that he can limit the scanning to a maximum of 1500 bytes per HOUR.

    If you use that on a few public Class-C nets with lots of unused IPs thats gonna slow that specific host down considerably!

    That might proove usefull here!
    ---
    If you cen\'t beat them: Have them beaten! ;-)
    Share on Google+

  4. #4
    PHP/PostgreSQL guy
    Join Date
    Dec 2001
    Posts
    1,164
    A friend of mine pointed me to a perl site that had it's index.html renamed to a cgi-driven script called default.ida which, if hit by an infected host, would send the shutdown of IIS and rebooting of the server...I need to find that page!
    We the willing, led by the unknowing, have been doing the impossible for the ungrateful. We have done so much with so little for so long that we are now qualified to do just about anything with almost nothing.
    Share on Google+

  5. #5
    Hi mom!
    Join Date
    Aug 2001
    Posts
    1,103
    Both the topics (Tarpits and remote shutdowns) were discussed at Slashdot.org. Run some strings through the searchengine, I bet you come up with usefull information.
    Share on Google+

  6. #6
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,786
    to vorlin

    you might just find root.exe a copy of cmd.exe in /scripts
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”
    Share on Google+

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides