  1. #1
    Member
    Join Date
    Nov 2002
    Posts
    1,781
    cPanel/Enkompass Access Level

    DataCenter Provider

    Damn NT attacks

    I don't know how many out there are facing this, but here is my version.

    For the past several days my Apache access.log has been filling up with entries like the ones below:

    66.168.160.113 - - [28/Feb/2003:16:02:09 +0530] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 544
    66.168.160.113 - - [28/Feb/2003:16:02:09 +0530] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 190
    66.168.160.113 - - [28/Feb/2003:16:02:09 +0530] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 190
    66.168.160.113 - - [28/Feb/2003:16:02:09 +0530] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 -
    66.168.160.113 - - [28/Feb/2003:16:02:10 +0530] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 -
    66.168.160.113 - - [28/Feb/2003:16:02:10 +0530] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 190
    66.168.160.113 - - [28/Feb/2003:16:02:10 +0530] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 190

    I know these only bother NT systems and not Linux, but the problem is that most of the server load is coming from these damn attacks.

    Is there any way I can take care of them?

    I heard something called Hogwash can take care of these attacks on Linux machines, but I'm not sure whether it works with cPanel.

    Any help would be appreciated.

    regards,

    Anand
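
As an added example that is not part of the original post (nor any poster's code), here is a small Python scanner for the kind of log lines quoted above. The sample lines inside it are constructed from the entries in the post plus one made-up benign line from 10.0.0.7; the function names are mine. It decodes each request path two ways: the way the vulnerable IIS did (accepting the overlong UTF-8 forms %c0%af and %c1%9c for "/" and "\", and percent-decoding a second time so %25%35%63 becomes %5c and then a backslash), which is what turns these requests into a real directory traversal, and the way Apache does it (one strict pass), which is why they are harmless noise on a Linux box. That single strict pass is also what produces the 400 on the %%35%63 line and the 404 on the %c0%2f line in the post. The per-IP count is what you would feed to whatever blocking you settle on.

```python
"""Classify Nimda / Code Red II style cmd.exe probes in Apache access-log lines.

Added example, not code from the thread. Decodes each request path the way the
vulnerable IIS did (lenient, repeated) and the way Apache does (one strict pass),
then counts probes per source IP.
"""
import re
from collections import Counter
from urllib.parse import unquote_to_bytes

# Constructed sample modelled on the entries in the post; 10.0.0.7 is a benign control line.
SAMPLE_LOG = """\
66.168.160.113 - - [28/Feb/2003:16:02:09 +0530] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 544
66.168.160.113 - - [28/Feb/2003:16:02:09 +0530] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 190
66.168.160.113 - - [28/Feb/2003:16:02:09 +0530] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 190
66.168.160.113 - - [28/Feb/2003:16:02:09 +0530] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 -
66.168.160.113 - - [28/Feb/2003:16:02:10 +0530] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 190
66.168.160.113 - - [28/Feb/2003:16:02:10 +0530] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 190
10.0.0.7 - - [28/Feb/2003:16:03:00 +0530] "GET /index.html HTTP/1.1" 200 1234
"""

# Common/Combined Log Format prefix: ip ident user [time] "method path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

WORM_STRINGS = ("cmd.exe", "root.exe", "default.ida")


def collapse_overlong(data: bytes) -> bytes:
    """Fold a 2-byte sequence with lead byte 0xC0/0xC1 into the ASCII byte it encodes
    (C0 AF -> '/', C1 9C -> '\\'). A correct UTF-8 decoder rejects these overlong
    forms; the IIS Unicode traversal bug (MS00-078) accepted them."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] in (0xC0, 0xC1) and i + 1 < len(data):
            out.append(((data[i] & 0x1F) << 6) | (data[i + 1] & 0x3F))
            i += 2
        else:
            out.append(data[i])
            i += 1
    return bytes(out)


def lenient_decode(path: str, max_rounds: int = 3) -> str:
    """Decode like the vulnerable IIS: percent-decode repeatedly (the 'superfluous
    decoding' bug fixed in MS01-026 turns %25%35%63 into %5c and then into '\\'),
    accept overlong UTF-8, and treat backslash as a path separator."""
    raw = path.encode("latin-1")
    for _ in range(max_rounds):
        decoded = collapse_overlong(unquote_to_bytes(raw))
        if decoded == raw:
            break
        raw = decoded
    return raw.replace(b"\\", b"/").decode("latin-1").lower()


def apache_status(path: str) -> int:
    """Simplified ap_unescape_url(): a '%' not followed by two hex digits is rejected
    with 400, an escape that decodes to '/' with 404, and everything else is decoded
    exactly once and never again, so %25%35%63 stays the literal text '%5c'."""
    raw = path.encode("latin-1")
    if re.search(rb"%(?![0-9A-Fa-f]{2})", raw):
        return 400
    if re.search(rb"%2[fF]", raw):
        return 404
    return 200


def is_worm_probe(path: str) -> bool:
    """True when the leniently decoded path climbs out of its directory to reach a
    known worm target, or hits Code Red's default.ida entry point."""
    norm = lenient_decode(path)
    return "default.ida" in norm or ("../" in norm and any(s in norm for s in WORM_STRINGS))


def scan(log_text: str) -> Counter:
    """Probe counts per source IP for the given access-log text."""
    hits: Counter = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_worm_probe(m["path"]):
            hits[m["ip"]] += 1
    return hits


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        m = LOG_RE.match(line)
        print(m["status"], apache_status(m["path"]), is_worm_probe(m["path"]), m["path"])
    for ip, n in scan(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} probe(s)")
```

Run as a script it prints, per line, the status Apache logged, the status the strict decoder predicts, whether the lenient decoder sees a traversal, and the raw path; for the sample the first two columns agree on the 400 and 404 lines, and every 66.168.160.113 line is flagged while the control line is not.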

  2. #2
    Member
    Join Date
    Jun 2002
    Posts
    233


    Install a firewall?

  3. #3
    Member
    Join Date
    Nov 2002
    Posts
    1,781
    cPanel/Enkompass Access Level

    DataCenter Provider


    No one with solutions?

    regards,

    Anand

  4. #4
    Member HollyRidge
    Join Date
    Feb 2003
    Location
    Garner NC USA
    Posts
    124


    Actually a firewall will not stop or prevent these attacks. You see, a Linux firewall just opens and closes ports, along with a few special features such as packet inspection. Now the reason it won't work is because these come in on the web server port, and to block them with a firewall would also block web pages.

    Sorry, but I'm a little new over here and just saw your post. Now I know this is for Ensim, but I am sure you can modify this to work with cPanel....

    http://forum.rackshack.net/showthrea...&threadid=3918
    Last edited by HollyRidge; 04-14-2003 at 06:37 PM.

  5. #5
    Moderator (cPanel Partner NOC) dgbaker
    Join Date
    Sep 2002
    Location
    Toronto, Ontario Canada
    Posts
    2,773


    It works on cpanel servers as well.

  6. #6
    Member
    Join Date
    Mar 2002
    Location
    Alberta, Canada
    Posts
    1,509


    Anand, I'm surprised you didn't do a search here on something like 'cmd.exe'. If you had, you would have found a post I made earlier this month detailing not only how to get these error msgs. off your logs (and since they don't hurt us Linux users, we don't need to worry about them) but also how to track them, if you want. There are some other good posts/info on this topic which you will find as well.
    Helping people Host, Create, and Maintain their Web Site
    Also providing Server Admin Services - setup / troubleshooting

    http://potentproducts.com/

  7. #7
    Member
    Join Date
    Nov 2002
    Posts
    1,781
    cPanel/Enkompass Access Level

    DataCenter Provider


    Originally posted by HollyRidge
    Actually a firewall will not stop or prevent these attacks. You see, a Linux firewall just opens and closes ports, along with a few special features such as packet inspection. Now the reason it won't work is because these come in on the web server port, and to block them with a firewall would also block web pages.

    Sorry, but I'm a little new over here and just saw your post. Now I know this is for Ensim, but I am sure you can modify this to work with cPanel....

    http://forum.rackshack.net/showthrea...&threadid=3918
    Thanks HollyRidge, it sure works on cPanel. But this box of mine hosts around 700 IPs, and adding it for each one would virtually kill me.

  8. #8
    Member
    Join Date
    Nov 2002
    Posts
    1,781
    cPanel/Enkompass Access Level

    DataCenter Provider


    Originally posted by Website Rob
    Anand, I'm surprised you didn't do a search here on something like 'cmd.exe'. If you had, you would have found a post I made earlier this month detailing not only how to get these error msgs. off your logs (and since they don't hurt us Linux users, we don't need to worry about them) but also how to track them, if you want. There are some other good posts/info on this topic which you will find as well.
    Well Rob, I searched a lot in the forums and tried almost everything it suggested, Apache redirects etc., but nothing is helping here. My box has over 700 domains on it with 700 IPs, so you can imagine how hard Nimda/Code Red hits my box.

    Anyway, I am searching the forum for your post and solution on this matter. I'll post here once I have checked it.

  9. #9
    Member
    Join Date
    Nov 2002
    Posts
    1,781
    cPanel/Enkompass Access Level

    DataCenter Provider


    Rob, I searched for "cmd.exe" and other stuff but didn't come up with anything new; perhaps you can point me in the right direction.

    My basic purpose is to remove the Nimda/Code Red entries from the logs and also to drop those packets: as there are so many IPs on the server, I get too many requests, the bandwidth is used unnecessarily and the Apache load is increased. If I can drop these packets then the Apache load won't increase so much.

  10. #10
    Member
    Join Date
    Mar 2002
    Location
    Alberta, Canada
    Posts
    1,509


    Ok, my mistake.

    Forgot the coding is a little different and the post I was referring to would not show up for 'cmd.exe' -- although I used that as an example only, in my earlier post.

    This is the post I was referring to:
    http://forums.cpanel.net/showthread....5&pagenumber=1

    As for dropping packets, that can only be done at the Router level and you would need to discuss that with your DC.
    Helping people Host, Create, and Maintain their Web Site
    Also providing Server Admin Services - setup / troubleshooting

    http://potentproducts.com/

  11. #11
    Member
    Join Date
    Nov 2002
    Posts
    1,781
    cPanel/Enkompass Access Level

    DataCenter Provider


    Originally posted by Website Rob
    Ok, my mistake.

    Forgot the coding is a little different and the post I was referring to would not show up for 'cmd.exe' -- although I used that as an example only, in my earlier post.

    This is the post I was referring to:
    http://forums.cpanel.net/showthread....5&pagenumber=1

    As for dropping packets, that can only be done at the Router level and you would need to discuss that with your DC.
    Well, is this the solution you're talking about?

    # insert date of changes / additions for tracking purposes
    # mod_alias RedirectMatch: the regex is tested against the decoded URL path (the query
    # string, e.g. "?/c+dir", is not part of it); "Permanent" answers with a 301.
    # A redirect is still a full request for Apache, so this tracks the probes rather than
    # reducing their cost.
    RedirectMatch Permanent ^/(.*cmd\.exe.*)$ http://potentproducts.com/virus.html
    RedirectMatch Permanent ^/(.*default\.ida.*)$ http://potentproducts.com/virus.html
    RedirectMatch Permanent ^/(.*httpodbc\.dll.*)$ http://potentproducts.com/virus.html
    RedirectMatch Permanent ^/(.*owssvr\.dll.*)$ http://potentproducts.com/virus.html
    RedirectMatch Permanent ^/(.*root\.exe.*)$ http://potentproducts.com/virus.html
    RedirectMatch Permanent ^/(.*cltreq\.asp.*)$ http://potentproducts.com/virus.html
    # "\.*" is zero or more literal dots, so this only matches a path that ends in
    # "sumthin" (e.g. the bare /sumthin scan), not /sumthin.htm
    RedirectMatch Permanent ^/(.*sumthin\.*)$ http://potentproducts.com/virus.html
    # unanchored and case-sensitive: matches any path containing "AF8"
    RedirectMatch Permanent (.*)AF8 http://potentproducts.com/virus.html


    Sorry pal, but this still doesn't help me bring my Apache load down, which goes up because of these requests.

    As for dropping packets, I was using an iptables ruleset, but it seems to have stopped working after some changes to the server. Now I am trying to track down what those changes were. Otherwise iptables was running really well. I had posted the entire ruleset earlier in the forums for other people as well.

  12. #12
    Member
    Join Date
    Mar 2002
    Location
    Alberta, Canada
    Posts
    1,509


    I guess there is just no helping you then.

    The code you posted is what I use and "suggested it" for others if they too, wanted to track these types of requests. The whole thread had some good info.

    Got a link to the post you made for your iptables strategy?
    Helping people Host, Create, and Maintain their Web Site
    Also providing Server Admin Services - setup / troubleshooting

    http://potentproducts.com/

  13. #13
    Member
    Join Date
    Nov 2002
    Posts
    1,781
    cPanel/Enkompass Access Level

    DataCenter Provider


    Originally posted by Website Rob
    I guess there is just no helping you then.

    The code you posted is what I use and "suggested it" for others if they too, wanted to track these types of requests. The whole thread had some good info.

    Got a link to the post you made for your iptables strategy?
    I don't disagree that the post contains good info. It surely does, but it doesn't help me.

    As for the link to the iptables post, I don't remember it, but here is the code:

    #!/bin/sh
    # Drop inbound HTTP segments whose payload carries a Nimda / Code Red signature.
    # Requires the iptables string match (ipt_string, xt_string on current kernels) to be
    # built in or loaded; "No chain/target/match by that name" means the kernel lacks it.
    # --algo bm is mandatory with xt_string; the old patch-o-matic match had no such option.
    echo "Starting Nimda and Code Red Protection Packet Dropping Utility"
    for sig in "default.ida" "root.exe?" "cmd.exe?"; do
        iptables -t filter -A INPUT -i eth0+ -p tcp --dport http -m string --algo bm --string "$sig" -j DROP
    done
    echo "Utility Startup complete"

    The above doesn't work on my machine as of now. I get the following error:

    iptables: No chain/target/match by that name

    I asked so many people to help with the above error but no one was able to.

    Hope the above makes sense to you at least.

  14. #14
    rnh
    Member
    Join Date
    Apr 2003
    Posts
    118


    Originally posted by anand
    Sorry pal, but this still doesn't help me to bring my apache load down, which goes up because of these requests.
    Well assuming that http://potentproducts.com/ is your site, the reason why that made your load go up is because you were redirecting those requests to a site on your own server.

    If you're going to use redirect, redirect them to microsoft.com

  15. #15
    Member
    Join Date
    Nov 2002
    Posts
    1,781
    cPanel/Enkompass Access Level

    DataCenter Provider


    Originally posted by rnh
    Well assuming that http://potentproducts.com/ is your site, the reason why that made your load go up is because you were redirecting those requests to a site on your own server.

    If you're going to use redirect, redirect them to microsoft.com
    rnh: I only quoted what Rob had recommended. I don't redirect anything to the site above.
