cPanel & WHM Community Forums

Damn NT attacks

Discussion in 'General Discussion' started by anand, Feb 28, 2003.

  1. anand (Well-Known Member, India, cPanel Access Level: DataCenter Provider)
    I don't know how many out there are facing this, but here is my version.

    For the past several days my Apache access.log has been filling up with lines like the ones below:

    66.168.160.113 - - [28/Feb/2003:16:02:09 +0530] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 544
    66.168.160.113 - - [28/Feb/2003:16:02:09 +0530] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 190
    66.168.160.113 - - [28/Feb/2003:16:02:09 +0530] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 190
    66.168.160.113 - - [28/Feb/2003:16:02:09 +0530] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 -
    66.168.160.113 - - [28/Feb/2003:16:02:10 +0530] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 -
    66.168.160.113 - - [28/Feb/2003:16:02:10 +0530] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 190
    66.168.160.113 - - [28/Feb/2003:16:02:10 +0530] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 190

    I know this is meant to bother only NT systems and not Linux, but the problem is that most of the server load is coming from these damn attacks.

    Is there any way I can take care of them?

    I heard something called Hogwash can take care of these attacks on Linux machines, but I'm not sure whether it works with cPanel or not.

    Any help would be appreciated.

    regards,

    Anand
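An added example, written for this page and not code from the thread: it runs the detection over the lines anand posted. It parses Common Log Format, decodes each request path the way IIS did (one %xx pass, a second pass that turns the %252f and %%35%63 double-encodings into a second round of %2f / %5c, then the overlong UTF-8 %c0%af and %c1%9c forms), resolves the traversal to show where it actually lands, and tags the request as Nimda (cmd.exe/root.exe through the IIS Unicode traversal and double-decode bugs) or Code Red (default.ida). The sample log is constructed: the six lines from the post plus one shortened Code Red style line and one ordinary request; the 192.0.2.x addresses are placeholders.

```python
# Added example (not code from the thread): parse the access-log lines anand
# posted, decode each request path the way IIS did, and tag the worm family.
# Assumptions: Common Log Format; signatures limited to the strings named in
# the thread (cmd.exe, root.exe, default.ida) and the IIS traversal encodings
# visible in the excerpt. Nothing here talks to the network.
import posixpath
import re
from collections import Counter
from typing import Optional
from urllib.parse import unquote_to_bytes

# Constructed sample: the six lines from the original post, plus one
# shortened Code Red style default.ida probe and one ordinary request.
SAMPLE_LOG = """\
66.168.160.113 - - [28/Feb/2003:16:02:09 +0530] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 544
66.168.160.113 - - [28/Feb/2003:16:02:09 +0530] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 190
66.168.160.113 - - [28/Feb/2003:16:02:09 +0530] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 190
66.168.160.113 - - [28/Feb/2003:16:02:09 +0530] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 -
66.168.160.113 - - [28/Feb/2003:16:02:10 +0530] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 190
66.168.160.113 - - [28/Feb/2003:16:02:10 +0530] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 190
192.0.2.7 - - [28/Feb/2003:16:05:00 +0530] "GET /default.ida?XXXXXXXX%u9090%u6858%ucbd3 HTTP/1.0" 404 -
192.0.2.8 - - [28/Feb/2003:16:06:00 +0530] "GET /index.html HTTP/1.0" 200 1234
"""

CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Overlong UTF-8 encodings of "/" and "\" that IIS only expanded after its
# "..\" check had already run (the Unicode traversal bug Nimda used).
OVERLONG = {b"\xc0\xaf": b"/", b"\xc0\x2f": b"/", b"\xc1\x9c": b"\\"}


def canonicalize(path: str) -> str:
    """Decode the path twice (the IIS double-decode bug turns %252f and
    %%35%63 into a second round of %2f / %5c), expand overlong UTF-8,
    and fold backslashes and case."""
    raw = unquote_to_bytes(path)
    raw = unquote_to_bytes(raw)
    for seq, sep in OVERLONG.items():
        raw = raw.replace(seq, sep)
    return raw.replace(b"\\", b"/").decode("latin-1").lower()


def classify(line: str) -> Optional[dict]:
    """Return the parsed record with a worm tag, or None if not CLF."""
    m = CLF.match(line)
    if not m:
        return None
    path, _, _query = m["target"].partition("?")
    canon = canonicalize(path)
    resolved = posixpath.normpath(canon)  # where the traversal really lands
    if "default.ida" in canon:
        tag = "code-red"
    elif "cmd.exe" in canon or "root.exe" in canon:
        tag = "nimda"
    else:
        tag = "other"
    return {
        "ip": m["ip"],
        "status": int(m["status"]),
        "tag": tag,
        "raw": path,
        "canonical": canon,
        "resolved": resolved,
        "traversal": "/../" in canon,
    }


def summarize(log: str) -> Counter:
    """Count lines per worm tag; lines that are not CLF are skipped."""
    counts = Counter()
    for line in log.splitlines():
        rec = classify(line)
        if rec:
            counts[rec["tag"]] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        rec = classify(line)
        print(f'{rec["ip"]:15} {rec["tag"]:8} {rec["raw"]} -> {rec["resolved"]}')
    print(dict(summarize(SAMPLE_LOG)))
```

The point of the double decode is visible in the resolved column: every one of the six variants ends up at /winnt/system32/cmd.exe, outside the /scripts directory the request appeared to stay in. On Apache none of these paths exist, so the 404 is the correct and cheapest answer; the 302s and 400 in the excerpt come from whatever redirect rules were already in place.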
     
  2. NeutralGold (Well-Known Member)
    Install a firewall? ;)
     
  3. anand (Well-Known Member, India, cPanel Access Level: DataCenter Provider)
    No one with solutions? :(

    regards,

    Anand
     
  4. HollyRidge (Well-Known Member, Garner NC USA, cPanel Access Level: Root Administrator)
    Actually, a firewall will not stop or prevent these attacks. You see, a Linux firewall just opens and closes ports, along with a few special features such as packet inspection. Now, the reason it won't work is that these come in on the web server port, and to block them with a firewall would also block web pages. :)

    Sorry, I'm a little new over here and just saw your post. Now, I know this is for Ensim, but I am sure you can modify this to work with cPanel...

    http://forum.rackshack.net/showthread.php?s=&threadid=3918
     
    #4 HollyRidge, Apr 14, 2003
    Last edited: Apr 14, 2003
  5. dgbaker (Well-Known Member, PartnerNOC, Toronto, Ontario Canada, cPanel Access Level: DataCenter Provider)
    It works on cpanel servers as well.
     
  6. Website Rob (Well-Known Member, Alberta, Canada, cPanel Access Level: Root Administrator)
    Anand, I'm surprised you didn't do a search here on something like 'cmd.exe'. If you had, you would have found a post I made earlier this month detailing not only how to get these error messages off your logs (and since they don't hurt us Linux users, we don't need to worry about them), but also how to track them, if you want. There are some other good posts/info on this topic which you will find as well.
     
  7. anand (Well-Known Member, India, cPanel Access Level: DataCenter Provider)
    Thanks HollyRidge, it sure works on cPanel. But this box of mine hosts around 700 IPs, and adding it for each one would virtually kill me.
     
  8. anand (Well-Known Member, India, cPanel Access Level: DataCenter Provider)
    Well Rob, I searched a lot in the forums and tried almost everything they suggested: Apache redirects etc., but nothing is helping here. My box has over 700 domains on it with 700 IPs, so you can imagine how much Nimda/Code Red hits my box.

    Anyway, I am searching the forum for your post and solution on this matter. I will post here once I have checked it.
     
  9. anand (Well-Known Member, India, cPanel Access Level: DataCenter Provider)
    Rob, I searched for "cmd.exe" and other stuff but didn't come up with anything new; perhaps you can point me in the right direction.

    My basic purpose is to keep the Nimda/Code Red hits out of the logs and also to drop those packets, as there are so many IPs on the server that I get too many requests; bandwidth is used unnecessarily and the Apache load is increased. If I can drop these packets, then the Apache load won't increase so much.
     
  10. Website Rob (Well-Known Member, Alberta, Canada, cPanel Access Level: Root Administrator)
    Ok, my mistake. :eek:

    Forgot the coding is a little different and the post I was referring to would not show up for 'cmd.exe' -- although I used that as an example only, in my earlier post.

    This is the post I was referring to:
    http://forums.cpanel.net/showthread.php?s=&threadid=7267&perpage=15&pagenumber=1

    As for dropping packets, that can only be done at the Router level and you would need to discuss that with your DC.
     
  11. anand (Well-Known Member, India, cPanel Access Level: DataCenter Provider)
    Well, is this the solution you are talking about?

    # insert date of changes / additions for tracking purposes
    RedirectMatch Permanent ^/(.*cmd\.exe.*)$ http://potentproducts.com/virus.html
    RedirectMatch Permanent ^/(.*default\.ida.*)$ http://potentproducts.com/virus.html
    RedirectMatch Permanent ^/(.*httpodbc\.dll.*)$ http://potentproducts.com/virus.html
    RedirectMatch Permanent ^/(.*owssvr\.dll.*)$ http://potentproducts.com/virus.html
    RedirectMatch Permanent ^/(.*root\.exe.*)$ http://potentproducts.com/virus.html
    RedirectMatch Permanent ^/(.*cltreq\.asp.*)$ http://potentproducts.com/virus.html
    RedirectMatch Permanent ^/(.*sumthin\.*)$ http://potentproducts.com/virus.html
    RedirectMatch Permanent (.*)AF8 http://potentproducts.com/virus.html


    Sorry pal, but this still doesn't help me bring my Apache load down, which goes up because of these requests.

    As for the dropping of packets, I was using an iptables ruleset, but it seems it stopped working after some changes to the server. Now I am trying to track down what those changes were. Otherwise the iptables rules were running really well. I had posted the entire ruleset earlier in the forums for other people as well.
     
  12. Website Rob (Well-Known Member, Alberta, Canada, cPanel Access Level: Root Administrator)
    I guess there is just no helping you then.

    The code you posted is what I use and "suggested it" for others if they too, wanted to track these types of requests. The whole thread had some good info.

    Got a link to the post you made for your iptables strategy?
     
  13. anand (Well-Known Member, India, cPanel Access Level: DataCenter Provider)
    I don't disagree that the post contains good info. It surely does, but doesn't help me :(

    As for the link to the iptables post, I don't remember it, but here is the code:

    #!/bin/sh
    # Drop inbound HTTP packets that carry Nimda / Code Red request strings.
    # The string match needs kernel support: in 2003 it came from the netfilter
    # patch-o-matic "string" extension, and "No chain/target/match by that name"
    # means that match is not available in the running kernel. The in-kernel
    # xt_string match (Linux 2.6.14 and later) also requires --algo, which the
    # patch-o-matic version did not take.
    echo "Starting Nimda and Code Red Protection Packet Dropping Utility"
    iptables -t filter -A INPUT -i eth0+ -p tcp --dport http -m string --algo bm --string "default.ida" -j DROP
    iptables -t filter -A INPUT -i eth0+ -p tcp --dport http -m string --algo bm --string "root.exe?" -j DROP
    iptables -t filter -A INPUT -i eth0+ -p tcp --dport http -m string --algo bm --string "cmd.exe?" -j DROP
    echo "Utility Startup complete"

    The above doesn't work on my machine as of now. I get the following error:

    iptables: No chain/target/match by that name

    I asked so many people to help with the above error but no one was able to :(

    Hope the above makes sense to you at least.
     
  14. rnh (Well-Known Member)
    Well, assuming that http://potentproducts.com/ is your site, the reason that made your load go up is that you were redirecting those requests to a site on your own server.

    If you're going to use redirect, redirect them to microsoft.com
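An added configuration example, written for this page and not the thread's own httpd.conf, covering anand's two aims from post 9 (keep the probes out of the logs, stop feeding them to Apache more than once) and rnh's point above that a redirect to a page on the same server sends the traffic back to that server. It answers the probes locally with a 403 from mod_alias and tags them with mod_setenvif so the access log can skip them. The log paths, the `combined` LogFormat nickname and the `/usr/local/apache` prefix are assumptions; cPanel generates a CustomLog per virtual host, so the `env=` clauses would have to go on each of those, which is the per-IP problem anand describes in post 7.

```apache
# Added example, not the thread's own config. Handle Nimda / Code Red probes
# inside Apache without issuing a second request to this box, and keep them
# out of the main access log. Paths and the "combined" nickname are assumed.
#
# What the thread posted, a 302 to a page on the admin's own server:
#   RedirectMatch permanent ^/(.*cmd\.exe.*)$ http://www.example.com/virus.html
# Every probe then costs a redirect response, and a client that follows it
# lands on this server a second time. Answer locally instead:

# 1. Refuse the worm signatures outright with a 403 (mod_alias). For a
#    non-3xx status the URL argument must be omitted.
RedirectMatch 403 (cmd\.exe|root\.exe|default\.ida|httpodbc\.dll|owssvr\.dll)

# 2. Tag the request so the log directives can tell it apart (mod_setenvif).
#    Request_URI is the path part of the request line, without the query.
SetEnvIfNoCase Request_URI "(cmd\.exe|root\.exe|default\.ida)" worm_probe

# 3. Log normal traffic to the usual file and the probes to their own file,
#    which keeps Website Rob's "track them" option without polluting the
#    per-domain logs. Drop the second line if you do not want a record.
CustomLog /usr/local/apache/logs/access_log combined env=!worm_probe
CustomLog /usr/local/apache/logs/worm_probes_log "%h %t \"%r\" %>s" env=worm_probe
```

A 403 costs Apache about as much as the 404 it was already sending, so the gain is not CPU; it is that the request is never answered with a pointer back to this host, and that the noise stays out of the logs the domain owners read. Check the result with `apachectl configtest` before a restart, since a typo in RedirectMatch takes every virtual host down.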
     
  15. anand (Well-Known Member, India, cPanel Access Level: DataCenter Provider)
    rnh: I only quoted what Rob had recommended. I don't redirect anything to the above site.
     
  16. rnh (Well-Known Member)
    Sorry, I must have missed something in the conversation then.
     
  17. anand (Well-Known Member, India, cPanel Access Level: DataCenter Provider)
    don't worry ;)
     
  18. Radio_Head (Well-Known Member)

    Good idea. I prefer iptables too (instead of editing httpd.conf, especially for IP-based accounts).

    Anyone can help ?

     
  19. HollyRidge (Well-Known Member, Garner NC USA, cPanel Access Level: Root Administrator)
    Anand,
    Maybe try redirecting them back to themselves instead of to a page on your server. Instead of using http://potentproducts.com/virus.html, change it to http://127.0.0.1

    As for the idea of using iptables to block these strings, there was something about this on the netfilter (developers of iptables) mailing list some time back about it not being that good an idea. I can't remember the reason that was given, but if I remember correctly it had something to do with the way these types of attacks are done.

    Hmmm, here is a link (I am sure there is more on this)...
    http://lists.netfilter.org/pipermail/netfilter-devel/2003-March/010656.html

    Also I have not tried this but sounds like it might be a good idea...
    http://www.treachery.net/~jdyson/earlybird/

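An added example, written for this page and not from the thread, for the iptables ruleset in post 13 and HollyRidge's netfilter-list caveat above. The thread does not record the reason given on that list; one well-known limitation, modelled here, is that `-m string` inspects each packet on its own and does not reassemble the TCP stream, so a request whose signature straddles a segment boundary is never seen whole by the rule, while Apache, which reads the reassembled stream, still receives it. The request is the cmd.exe probe from anand's log; the segment boundaries are chosen by hand, and no packets are sent.

```python
# Added example, not from the thread: a model of why an iptables "-m string"
# rule is a weak filter for strings inside an HTTP request. The string match
# looks at one packet at a time; a reassembling inspector (or the web server)
# sees the whole request. Constructed data: the probe from anand's log, split
# at hand-picked offsets. Nothing is sent on the network.
SIGNATURES = (b"cmd.exe?", b"root.exe?", b"default.ida")

PROBE = (b"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n"
         b"Host: 192.0.2.10\r\n\r\n")


def split_into_segments(payload: bytes, cut: int) -> list:
    """Model a sender that emits the request as two TCP segments."""
    return [payload[:cut], payload[cut:]]


def per_packet_match(segments, signatures=SIGNATURES) -> list:
    """What -m string does: each segment is searched on its own."""
    return [any(sig in seg for sig in signatures) for seg in segments]


def stream_match(segments, signatures=SIGNATURES) -> bool:
    """What a reassembling inspector, or Apache itself, sees."""
    data = b"".join(segments)
    return any(sig in data for sig in signatures)


def evades_packet_rule(payload: bytes, cut: int, signatures=SIGNATURES) -> bool:
    """True when the stream carries a signature but no single segment does."""
    segs = split_into_segments(payload, cut)
    return stream_match(segs, signatures) and not any(per_packet_match(segs, signatures))


def evasion_cuts(payload: bytes, signatures=SIGNATURES) -> list:
    """All segment boundaries at which the per-packet rule misses the request."""
    return [cut for cut in range(1, len(payload))
            if evades_packet_rule(payload, cut, signatures)]


if __name__ == "__main__":
    whole = split_into_segments(PROBE, len(PROBE))  # one segment: rule fires
    print("single segment, rule matches:", any(per_packet_match(whole)))
    cuts = evasion_cuts(PROBE)
    print(f"{len(cuts)} of {len(PROBE) - 1} split points evade the rule: {cuts}")
```

The 2003 worms sent the whole request in one segment, so the rule does catch them; it just is not a security boundary against anyone who controls the sender. There is a second caveat for anand's load goal: by the time the request bytes arrive, the three-way handshake is complete and an Apache child has already accepted the connection, so dropping the data segment parks that child in read() until Timeout expires instead of freeing it. A rule in the INPUT chain can only drop what it has already let connect; rejecting the source addresses before the handshake, or answering cheaply inside Apache, is what actually reduces the work per probe.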
     
  20. Website Rob (Well-Known Member, Alberta, Canada, cPanel Access Level: Root Administrator)
    To correct some misconceptions: I am not recommending that anyone redirect anything to 'potentproducts.com'!!!

    That is my URL and any examples I may have posted were to explain how I use something for my site/server. People should always use their own URL for anything related to their own site/server.

    The example I posted, for what I do regarding Windows based Virus attacks, may not suit everyone. It is an acceptable solution for myself though and I'm quite happy with it. For certain things I like to keep track of them. I can see that on average, I get about 300 attempts per month.

    I used to use the 127.0.0.1 method -- return to sender, as I called it -- for Windows virus attempts, but it was pointed out to me that I might be leaving myself open to litigation. It may be true, maybe not -- I don't know. But I don't want the possibility to even exist. Although it worked well, I prefer not to use any type of coding that, even potentially, creates the possibility of a legal back-door for someone to sue me. That's just me though. ;)

     