apache log entries - Page 2
Page 2 of 2 FirstFirst 12
Results 11 to 17 of 17

Thread: apache log entries

  1. #11
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    Originally posted here by h3r3tic
    It is most likely someone from this site, as it is the only place I post a link. So these worms, is it like a tool to break in to a website or what. I guess I need to read up on them.
    Not necessarily. Code Red generates propogation lists randomly. (one variation is more successful at this than the other). You might want to check out CERT's Code Red Advisory and CERT's Code Red II Advisory for more details. I've also included CERT's Nimda advisory (although if it is a worm, I'd hedge my bets more towards Code Red than nimda).

    stanger is probably correct in that it is likely an IIS scanner or some other vuln scanner (nessus perhaps?). Generally, the worms have larger footprint for single packets.

    While you may not be running Apache, there is reason to be concerned. Someone now knows you run something with a port that accepts http requests. Securing the box would be a good next step (although might be better as a good first step.. )
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  2. #12
    Senior Member
    Join Date
    Aug 2003
    Posts
    185
    Originally posted here by MsMittens

    (... )
    While you may not be running Apache, there is reason to be concerned. Someone now knows you run something with a port that accepts http requests. Securing the box would be a good next step (although might be better as a good first step.. )
    ...may be it's a web server and he wants ppl to connect to??

  3. #13
    Elite Hacker
    Join Date
    Mar 2003
    Posts
    1,407
    Out of those links the nimda definetly looks the closest to what I am getting. There are tutorials in this forum for configuring your firewall right? I'm going to go check, I tried having it on but I didn't know how to configure it to accept requests for the services I am running. I'm not too worried though, since I'm not using iis. Thanks for all the replies.

  4. #14
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    Originally posted here by stanger


    ...may be it's a web server and he wants ppl to connect to??
    Yes but that doesn't mean he shouldn't secure it.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  5. #15
    Senior Member
    Join Date
    Aug 2003
    Posts
    185
    ...hmmm...but how to get rid of those requests? impossible?
    Industry Kills Music.

  6. #16
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    To get rid of those requests is done in one of two ways (IMHO):

    a) if it's a worm, contact the ISP it's coming from. Get them to deal with the user that is infected and utilizing excess bandwidth

    b) ensure that a firewall is up in front of the webserver and any time such a request is made, drop the packet request (that is, don't forward it to the web server). It slows connections down fractionally but it can go a long way to protecting your web server. These kinds of request are not legitimate ones. If need be have an IDS setup to communicate with the firewall and upon detection shut down connections.

    This ensures legit traffic through while mitigating suspect traffic.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  7. #17
    Elite Hacker
    Join Date
    Mar 2003
    Posts
    1,407
    I guess I'm an idiot, but how do I get my firewall to drop packets from a certain IP. Here is what I put in the /etc/syslog/iptables file:

    -A RH-Lokkit-0-50-INPUT -p tcp -m tcp -s 24.243.64.239 --dport 80 --syn -j DROP

    I restarted the iptables service and it didn't work. Here is the whole thing if it helps:

    # Firewall configuration written by lokkit
    # Manual customization of this file is not recommended.
    # Note: ifup-post will punch the current nameservers through the
    # firewall; such entries will *not* be listed here.
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :RH-Lokkit-0-50-INPUT - [0:0]
    -A INPUT -j RH-Lokkit-0-50-INPUT
    -A FORWARD -j RH-Lokkit-0-50-INPUT
    -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
    -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 21 --syn -j ACCEPT
    -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
    -A RH-Lokkit-0-50-INPUT -p tcp -m tcp -s 24.243.64.239 --dport 80 --syn -j DROP
    -A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
    -A RH-Lokkit-0-50-INPUT -p udp -m udp -s 10.0.0.1 --sport 53 -d 0/0 -j ACCEPT
    -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --syn -j REJECT
    -A RH-Lokkit-0-50-INPUT -p udp -m udp -j REJECT
    COMMIT

    Hope it is not bad to post that, but I want to configure it correctly and you guys are the experts. Thanks for any help.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides