The Community Forums


Watch out for these ips!!!

Discussion in 'General Discussion' started by ozzi4648, Mar 10, 2003.

  1. ozzi4648

    ozzi4648 Guest

    Major SLAPPER WORM Scans from Indonesia and the Philippines!!

    The following IP has been pounding my server for a couple of days now, all the way from glorious Indonesia.

    Apparently they are scanning my server for the SLAPPER.

    This IP (notice how it increments every time) has been doing some heavy SLAPPER scans on my servers. On all my servers, actually.

    202.166.126.234 - - [09/Mar/2003:05:35:30 -0800] "-" 408 -
    202.166.126.231 - - [09/Mar/2003:05:35:30 -0800] "-" 408 -
    202.166.126.225 - - [09/Mar/2003:05:35:30 -0800] "-" 408 -
    202.166.126.226 - - [09/Mar/2003:05:35:31 -0800] "-" 408 -
    202.166.126.228 - - [09/Mar/2003:05:35:31 -0800] "-" 408 -
    202.166.126.231 - - [09/Mar/2003:05:35:31 -0800] "-" 408 -
    202.166.126.232 - - [09/Mar/2003:05:35:31 -0800] "-" 408 -
    202.166.126.227 - - [09/Mar/2003:05:35:31 -0800] "-" 408 -
    202.166.126.233 - - [09/Mar/2003:05:35:32 -0800] "-" 408 -
    202.166.126.227 - - [09/Mar/2003:05:35:32 -0800] "-" 408 -
    202.166.126.233 - - [09/Mar/2003:05:35:32 -0800] "-" 408 -
    202.166.126.225 - - [09/Mar/2003:05:35:33 -0800] "-" 408 -
    202.166.126.234 - - [09/Mar/2003:05:35:34 -0800] "-" 408 -
    202.166.126.226 - - [09/Mar/2003:05:35:34 -0800] "-" 408 -

    And look at this IP. Scanning my server every two or three minutes. I just noticed it. It's been constantly connected to port 80 since yesterday and I didn't even know it. I placed the IP in my firewall but the scans continued. Then I did a netstat -an and lo and behold he was connected to port 80. I did a kill -9 pid number and down she went. Good luck my Indonesian friend.

    Now I'm going to scan my system to find out what they're finding so interesting about this particular server. Look for the slapper using the following commands:

    find / -name '.*bugtraq'
    find / -name '.unlock*'
    find / -name '.update*'
    find / -name '.cinik*'

    WARNING: If you have a lot of sites, executing these commands will really bog down your server, so CAUTION!
     
    #1 ozzi4648, Mar 10, 2003
    Last edited by a moderator: Mar 11, 2003
  2. cikul

    cikul Well-Known Member

    Joined:
    Nov 15, 2002
    Messages:
    49
    Likes Received:
    0
    Trophy Points:
    6
    How do you check like that? And what do they do on your server?
     
  3. ozzi4648

    ozzi4648 Guest

    Look in /usr/local/apache/logs/access_log.

    Search for 408

    :D
     
  4. bmcpanel

    bmcpanel Well-Known Member

    Joined:
    Jun 1, 2002
    Messages:
    546
    Likes Received:
    0
    Trophy Points:
    16
    Thanks for the info. I've been reading about the slapper worm. It sounds nasty.
     
  5. ivaserver

    ivaserver Well-Known Member

    Joined:
    Aug 9, 2002
    Messages:
    111
    Likes Received:
    0
    Trophy Points:
    16
    Hi

    I can view the access log by using pico /usr/local/apache/logs/access_log

    Is there a better way?

    Also I have found some 408's on my server,

    140.112.125.69 - - [07/Mar/2003:11:09:00 +0000] "-" 408 -

    How do I see what it's been up to?

    Best wishes
    Ivaserver
     
  6. carpman1

    carpman1 Member

    Joined:
    Jan 25, 2003
    Messages:
    15
    Likes Received:
    0
    Trophy Points:
    1
    tail -30 /usr/local/apache/logs/access_log

    -30 being the number of lines at the end of the file you wish to display; change the number to suit.


    can also use
    cat /usr/local/apache/logs/access_log
     
  7. Website Rob

    Website Rob Well-Known Member

    Joined:
    Mar 23, 2002
    Messages:
    1,506
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    Alberta, Canada
    cPanel Access Level:
    Root Administrator
    Interesting little tidbit there. Did a check and noticed the same IP sequence as ozzi, and one (202.107.222.141) likes to hit around 30 times a minute. More 'stuff' to add to the junk filter.

    For those that also want to check, this is probably the easiest method:

    grep 408 /usr/local/apache/logs/access_log |cat -n |less

    Allows you to use the page down key (or spacebar) to scroll down one page at a time. My numbers came out to about 400 -- March 02 to about 1:00 AM this morning.
     
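    The `grep 408` above also matches any line that merely contains the digits 408, such as a byte count or a path. As an added example (not code from this thread), the awk filter below keys on the status field that follows the request string and tallies 408 responses per client IP, so the sources ozzi4648 and Website Rob describe stand out; the log lines are constructed in the format the thread shows.

    ```shell
    #!/bin/sh
    # Constructed sample of access_log lines in the format shown in the thread.
    # A 408 with an empty "-" request is a client that connected to port 80 and
    # never sent a request before the timeout; a burst of them from one IP or
    # one /24 is the pattern the thread is discussing. The 4408 byte count on
    # the GET line is there to show what a plain 'grep 408' would miscount.
    SAMPLE_LOG='202.166.126.234 - - [09/Mar/2003:05:35:30 -0800] "-" 408 -
    202.166.126.231 - - [09/Mar/2003:05:35:30 -0800] "-" 408 -
    202.166.126.234 - - [09/Mar/2003:05:35:34 -0800] "-" 408 -
    10.0.0.5 - - [09/Mar/2003:05:36:00 -0800] "GET /index.html HTTP/1.0" 200 4408
    202.166.126.231 - - [09/Mar/2003:05:36:01 -0800] "-" 408 -
    202.166.126.231 - - [09/Mar/2003:05:36:02 -0800] "-" 408 -'

    # count_408_by_ip: reads access_log lines on stdin and prints "count ip",
    # busiest first. Matching '" 408 ' (closing quote, space, status, space)
    # keys on the status field, so a byte count or path containing 408 is
    # not counted.
    count_408_by_ip() {
        awk '/" 408 / { n[$1]++ } END { for (ip in n) print n[ip], ip }' | sort -rn
    }

    # noisy_408_sources: IPs in the sample with at least $1 408 entries.
    noisy_408_sources() {
        printf '%s\n' "$SAMPLE_LOG" | count_408_by_ip | awk -v t="$1" '$1 >= t { print $2 }'
    }

    # top_408_source: the single IP with the most 408 entries in the sample.
    top_408_source() {
        printf '%s\n' "$SAMPLE_LOG" | count_408_by_ip | head -n 1 | cut -d' ' -f2
    }

    # To run against the real log path from the thread instead of the sample:
    #   count_408_by_ip < /usr/local/apache/logs/access_log | head
    ```
    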
  8. hugo24

    hugo24 Well-Known Member

    Joined:
    Nov 16, 2002
    Messages:
    90
    Likes Received:
    0
    Trophy Points:
    6
    I do have the same problem here.


    the ip is 61.132.30.33, TC1-33.sz.js.cn


    Why is this happening?
     
  9. Website Rob

    Website Rob Well-Known Member

    Joined:
    Mar 23, 2002
    Messages:
    1,506
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    Alberta, Canada
    cPanel Access Level:
    Root Administrator
    Because you have a computer / Server connected to the Internet -- that's why. ;)

    It is a waste of time to figure out 'why' and one should focus on the 'how' -- to prevent or track. Things of this nature are par for the course when operating a Server and should be expected. Lots of people will be trying to make connections for reasons you don't know. As long as you keep a diligent eye on what people are doing with/to your Server(s), taking necessary counter-measures before, during, or after a problem is determined, that is what's important.

    Welcome to the world of SysAdmin. :D
     
  10. hugo24

    hugo24 Well-Known Member

    Joined:
    Nov 16, 2002
    Messages:
    90
    Likes Received:
    0
    Trophy Points:
    6
    I have blocked the IP, will that suffice?

    Or any other better alternative? :D
     
  11. Beowulf

    Beowulf Active Member

    Joined:
    Feb 16, 2003
    Messages:
    29
    Likes Received:
    0
    Trophy Points:
    1
    I get lines and lines of it coming from 165.21.154.*, the * meaning different endings. So how does one ban or disallow this IP?

     
  12. jackal

    jackal Well-Known Member
    PartnerNOC

    Joined:
    Feb 23, 2002
    Messages:
    708
    Likes Received:
    0
    Trophy Points:
    16
    206.98.253.78

     
  13. Radio_Head

    Radio_Head Well-Known Member

    Joined:
    Feb 15, 2002
    Messages:
    2,051
    Likes Received:
    1
    Trophy Points:
    38
    Re: Major SLAPPER WORM Scans from Indonesia and the Philippines!!

    Good topic. Sorry, can you explain this point better?

    > Then I did a netstat -an and lo and behold he was connected to port 80.

    I cannot understand how you were able to find that he was connected on port 80 and how you were able to find the exact pid. Please can you explain better?

    Thank you.

     
  14. c4host

    c4host Well-Known Member

    Joined:
    Mar 7, 2003
    Messages:
    89
    Likes Received:
    0
    Trophy Points:
    6
    Where is the best place to block these IPs??

     
  15. Radio_Head

    Radio_Head Well-Known Member

    Joined:
    Feb 15, 2002
    Messages:
    2,051
    Likes Received:
    1
    Trophy Points:
    38
    firewall and httpd.conf (deny from) I suppose.

     