
Thread: apache log entries

  1. #11
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    Originally posted here by h3r3tic
    It is most likely someone from this site, as it is the only place I post a link. So these worms, is it like a tool to break in to a website or what. I guess I need to read up on them.
    Not necessarily. Code Red generates propagation lists randomly (one variation is more successful at this than the other). You might want to check out CERT's Code Red Advisory and CERT's Code Red II Advisory for more details. I've also included CERT's Nimda advisory (although if it is a worm, I'd hedge my bets more towards Code Red than Nimda).

    stanger is probably correct in that it is likely an IIS scanner or some other vuln scanner (nessus perhaps?). Generally, the worms have a larger footprint for single packets.

    While you may not be running Apache, there is reason to be concerned. Someone now knows you run something with a port that accepts http requests. Securing the box would be a good next step (although might be better as a good first step.. )
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  2. #12
    Senior Member
    Join Date
    Aug 2003
    Posts
    185
    Originally posted here by MsMittens

    (... )
    While you may not be running Apache, there is reason to be concerned. Someone now knows you run something with a port that accepts http requests. Securing the box would be a good next step (although might be better as a good first step.. )
    ...maybe it's a web server and he wants ppl to connect to??

  3. #13
    Elite Hacker
    Join Date
    Mar 2003
    Posts
    1,407
    Out of those links the Nimda one definitely looks the closest to what I am getting. There are tutorials in this forum for configuring your firewall, right? I'm going to go check. I tried having it on but I didn't know how to configure it to accept requests for the services I am running. I'm not too worried though, since I'm not using IIS. Thanks for all the replies.

  4. #14
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    Originally posted here by stanger

    ...maybe it's a web server and he wants ppl to connect to??
    Yes but that doesn't mean he shouldn't secure it.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  5. #15
    Senior Member
    Join Date
    Aug 2003
    Posts
    185
    ...hmmm...but how to get rid of those requests? impossible?
    Industry Kills Music.

  6. #16
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    To get rid of those requests is done in one of two ways (IMHO):

    a) if it's a worm, contact the ISP it's coming from. Get them to deal with the user that is infected and utilizing excess bandwidth

    b) ensure that a firewall is up in front of the webserver and any time such a request is made, drop the packet (that is, don't forward it to the web server). It slows connections down fractionally but it can go a long way to protecting your web server. These kinds of requests are not legitimate ones. If need be, have an IDS set up to communicate with the firewall and upon detection shut down connections.

    This lets legit traffic through while mitigating suspect traffic.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  7. #17
    Elite Hacker
    Join Date
    Mar 2003
    Posts
    1,407
    I guess I'm an idiot, but how do I get my firewall to drop packets from a certain IP. Here is what I put in the /etc/syslog/iptables file:

    -A RH-Lokkit-0-50-INPUT -p tcp -m tcp -s 24.243.64.239 --dport 80 --syn -j DROP

    I restarted the iptables service and it didn't work. Here is the whole thing if it helps:

    # Firewall configuration written by lokkit
    # Manual customization of this file is not recommended.
    # Note: ifup-post will punch the current nameservers through the
    # firewall; such entries will *not* be listed here.
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :RH-Lokkit-0-50-INPUT - [0:0]
    -A INPUT -j RH-Lokkit-0-50-INPUT
    -A FORWARD -j RH-Lokkit-0-50-INPUT
    -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
    -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 21 --syn -j ACCEPT
    -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
    -A RH-Lokkit-0-50-INPUT -p tcp -m tcp -s 24.243.64.239 --dport 80 --syn -j DROP
    -A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
    -A RH-Lokkit-0-50-INPUT -p udp -m udp -s 10.0.0.1 --sport 53 -d 0/0 -j ACCEPT
    -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --syn -j REJECT
    -A RH-Lokkit-0-50-INPUT -p udp -m udp -j REJECT
    COMMIT

    Hope it is not bad to post that, but I want to configure it correctly and you guys are the experts. Thanks for any help.
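The firewall approach from post #16 and the rule that "didn't work" in post #17 both come down to chain order: iptables walks a chain top to bottom and the first terminating match (ACCEPT, DROP or REJECT) decides the packet, so the earlier ACCEPT for --dport 80 --syn takes the SYN before the DROP for 24.243.64.239 is ever consulted. As an added example, not code from any poster, this script parses the ruleset as posted, flags any rule shadowed by an earlier rule in the same chain, and moves it ahead of the rule hiding it (parse_rule, find_shadowed and reorder are names chosen here).

```python
import shlex
TERMINATING = {"ACCEPT", "DROP", "REJECT"}
# The -A lines of the ruleset posted above (table header and ports 21/22 omitted).
RULESET = """\
-A INPUT -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp -s 24.243.64.239 --dport 80 --syn -j DROP
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 10.0.0.1 --sport 53 -d 0/0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -j REJECT
"""

def parse_rule(line):
    """Return (chain, criteria, target) for an '-A chain ...' line, else None."""
    toks = shlex.split(line)
    if len(toks) < 2 or toks[0] != "-A":
        return None
    chain, crit, target, i = toks[1], {}, None, 2
    while i < len(toks):
        opt, val = toks[i], True  # bare flag such as --syn
        if i + 1 < len(toks) and not toks[i + 1].startswith("-"):
            val, i = toks[i + 1], i + 1  # option that takes an argument
        i += 1
        if opt == "-j":
            target = val
        elif opt != "-m":  # -m only loads a match module and matches nothing itself
            crit[opt] = val
    return chain, crit, target

def find_shadowed(rules_text):
    """Return (shadowed, shadower) pairs: an earlier terminating rule in the same
    chain whose criteria are a subset of the later rule's takes every packet first."""
    seen, hits = {}, []
    for line in map(str.strip, rules_text.splitlines()):
        parsed = parse_rule(line)
        if parsed is None:
            continue
        chain, crit, target = parsed
        for prev, prev_crit, prev_target in seen.get(chain, []):
            if prev_target in TERMINATING and all(crit.get(k) == v for k, v in prev_crit.items()):
                hits.append((line, prev))
                break
        seen.setdefault(chain, []).append((line, crit, target))
    return hits

def reorder(rules_text):
    """Move each shadowed rule directly ahead of the rule that hid it."""
    lines = [l.strip() for l in rules_text.splitlines()]
    for shadowed, shadower in find_shadowed(rules_text):
        lines.remove(shadowed)
        lines.insert(lines.index(shadower), shadowed)
    return "\n".join(lines)
```

Running find_shadowed on the posted chain reports the DROP line as hidden by the port-80 ACCEPT; after reorder the DROP comes first and the same check reports nothing.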
