
Blocking WinNt attacks on Linux Boxes

Discussion in 'General Discussion' started by Drake, Aug 6, 2002.

  1. Drake

    Drake Well-Known Member

    Joined:
    Nov 9, 2001
    Messages:
    83
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    New Jersey
    cPanel Access Level:
    DataCenter Provider
    I'd like to have anyone's comments or experiences with any scenarios like this.

    Anyone who's familiar with their Apache error_log will know about Windows NT attacks and how common they are. You see errors for pages or files not existing, such as /scripts/cmd.exe and root.exe, and so on.

    I've been experimenting with bouncing those attacks back at the senders in an attempt to do two things: 1. reduce the overhead of my Linux box in having to handle the request, and 2. hopefully the aggressor will see their own WinNT box being attacked from "their own" localhost, and the owner will apply the necessary service packs.

    I have placed redirects in the Apache config file in an attempt to cause the aggressor's NT box to hammer 127.0.0.1 on itself.

    Here are some of the redirects I have been using:

    Redirect /scripts http://127.0.0.1
    Redirect /c http://127.0.0.1
    Redirect /msadc http://127.0.0.1
    Redirect /MSADC http://127.0.0.1
    Redirect /_mem_bin http://127.0.0.1
    Redirect /winnt http://127.0.0.1
    Redirect /d http://127.0.0.1
    Redirect /_vti_bin/..%5c.. http://127.0.0.1

    You just have to be sure that none of your customers have subdirectories on their sites with the same name as the ones being redirected. That is unlikely on a Linux box anyhow.

    I have verified that these requests no longer show in the Apache error_log. I've also verified that the aggressor actually whacks themselves, by performing one of these requests from another server: the requests show up in the other server's error_log as being requested from itself.

    So, anyone want to try this experiment too?


    drake p
    dpallister@duraserver.com
     
  2. bmcpanel

    bmcpanel Well-Known Member

    Joined:
    Jun 1, 2002
    Messages:
    546
    Likes Received:
    0
    Trophy Points:
    16
    Very interesting. It is actually illegal in the U.S. to "hack back" into a hacker's system (probably not their system anyway), yet your idea, in this scenario, basically causes the hacker to cause themselves the problem.

    -- Not sure if your script works, but I tip my hat to your ingenuity.
     
  3. itf

    itf Well-Known Member

    Joined:
    May 9, 2002
    Messages:
    624
    Likes Received:
    0
    Trophy Points:
    16
    This way is illegal in the U.S. and most other countries.
    It's better to redirect them to a "Go back, hacker, it's not WinNT" page and show that hacker that you know about him/her; this is legal. But if you cause a hack, whether your destination is a hacker or not, you are involved in an illegal hack too.

    However there are some other ways.
     
  4. Drake

    Drake Well-Known Member

    Joined:
    Nov 9, 2001
    Messages:
    83
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    New Jersey
    cPanel Access Level:
    DataCenter Provider
    To: itf

    "Hacker Go Back!", that's a great idea, I like it. I may do something like that.

    I am sure it would catch the attention of someone who was manually hacking at the server, and it could also include a message that it is being logged. However, if the attacker machine is under the control of a virus or trojan script, there will be nobody to see the message. The attacker may not even know they have been compromised and that their machine is doing it.

    My goal is to get the owner of the attacker machine to have his attention drawn to the error logs (Hopefully he/she reads them), and sees what looks like (and is) their server hacking itself, so they immediately apply the necessary patches or service packs to the box.

    To: bmcpanel

    In reality I am not "hacking back". I am not generating any kind of action. I am only "refusing to process" those specific kinds of HTTP GET requests, and suggesting that the attacker "ask itself the same request it is asking my server".

    In reality, any ethical webmaster or server owner would not send code at another server that he wouldn't send at his own server. So, since everyone out there is ethical, and would never send anything bad to me, I would never initiate anything bad against anyone else.

    It is not a script I am running. It is just a series of "Apache redirects", and it "does" work, because I simulated those kinds of HTTP requests to the server, and it immediately showed back in the log of the computer I was sending it from.

    I would like to actually make an automated script that catalogs these types of requests, looks up the IP block assignee and sends an e-mail to them including a snippet from the log file which shows the system administrator / ISP that there are attacks coming from their IP block.

    I have manually looked them up upon occasion, and even telephone called the ISP / Assignee as it was happening, and only seemed to get a load of bull$h!t from the ISP.

    One such incident was from Prospeed.net. I made phone contact with their sysadmin, and it took them hours to kill the attacker's IP, but that was only after I cc:'d them on a report I e-mailed to UUnet. I blocked that IP using IPCHAINS on all boxes I manage.

    An alternative remedy may be to "grep" those IP numbers as the attack is happening and, with a script, block them with IPCHAINS or ROUTE. It's too much hassle to do it manually because of how widespread and continuous these WinNT attacks are.

    It is still best practice to have the Linux box hardened so it just rolls off our back like water off a duck.
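    An added example, not code from this thread: a small Python triage script along the lines Drake sketches in his last post (catalogue the probe requests, extract a log snippet for the IP block's abuse contact, and emit block rules for the offending sources). It reads Apache's access_log rather than error_log, because once the Redirect lines from the first post are in place the probes are answered with a 302 and no longer produce error_log entries. The log lines, IP addresses and the threshold of three probes are constructed for the example.

```python
import re
from collections import defaultdict

# Probe signatures taken from the redirects and file names quoted in this thread.
PROBE_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"^/scripts/", r"^/msadc/", r"^/_mem_bin/", r"^/_vti_bin/", r"^/winnt/",
    r"^/c/", r"^/d/", r"cmd\.exe", r"root\.exe", r"%5c",
)]

# Apache common/combined log prefix: host ident user [time] "request" status bytes
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+')

# Constructed sample access_log: one worm-infected host, one normal visitor,
# one single stray probe. With the Redirect lines in place the probes log as 302.
SAMPLE_LOG = """\
203.0.113.7 - - [06/Aug/2002:10:15:01 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 302 292
203.0.113.7 - - [06/Aug/2002:10:15:01 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 302 292
203.0.113.7 - - [06/Aug/2002:10:15:02 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 292
203.0.113.7 - - [06/Aug/2002:10:15:03 -0400] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 289
198.51.100.9 - - [06/Aug/2002:10:16:40 -0400] "GET /index.html HTTP/1.1" 200 5123
198.51.100.9 - - [06/Aug/2002:10:16:41 -0400] "GET /cgi-bin/formmail.pl HTTP/1.1" 404 289
192.0.2.44 - - [06/Aug/2002:10:17:00 -0400] "GET /_mem_bin/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 292
"""

def parse_line(line):
    """Split one access_log line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_probe(path):
    """True if the request path matches one of the WinNT worm signatures above."""
    return any(p.search(path) for p in PROBE_PATTERNS)

def triage(log_text, threshold=3):
    """Return {ip: [matching log lines]} for sources with >= threshold probes."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_probe(rec["path"]):
            hits[rec["ip"]].append(line)
    return {ip: ls for ip, ls in hits.items() if len(ls) >= threshold}

def abuse_snippet(ip, lines):
    """Log excerpt to paste into an e-mail to the IP block's abuse contact."""
    return f"Probes from {ip} ({len(lines)} requests):\n" + "\n".join(lines)

def ipchains_rules(ips):
    """Block rules for the offending hosts (ipchains syntax of the era; only returned, never run)."""
    return [f"ipchains -A input -s {ip} -j DENY" for ip in sorted(ips)]
```

    Running `triage(SAMPLE_LOG)` flags only 203.0.113.7; the single probe from 192.0.2.44 and the unrelated 404 from 198.51.100.9 stay below the threshold, which keeps a one-off scan or a mistyped URL from earning a firewall rule.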
     