Re: suspicious apache log entries
There may be some circumstances in which counter-cracking is necessary. One case I know of, a kiddie got annoyed with a woman friend of mine and harassed her continuously. She couldn't connect anywhere without one of his trojans tracking her activity and trashing her accounts. She got a friend, a fellow who was The Admin for a very large American university system, to do something about it. He cracked back through the kid's cutouts, finally caught him logging in on a dialup... And formatted his disk. She never got hassled by him again.

Sometimes an Admin's gotta do what an Admin's gotta do.

-- 
Dale Amon, CEO/MD, Islandone Society, www.islandone.org
Nuke bin Laden: improve the global gene pool.
Re: suspicious apache log entries
----- Original Message -----
From: Geoff Crompton [EMAIL PROTECTED]
To: debian-security@lists.debian.org
Sent: Friday, September 13, 2002 1:42 AM
Subject: Re: suspicious apache log entries

> I can see that sending an email is an appropriate, legal, and responsible
> course of action. However to make his servers beep, you still need to
> perform an illegal act of cracking into his box. Regardless of what you
> intend to do when you get in there, it is still unauthorized access to the
> computer. If it is legal to crack a box for 'good' reasons, what do you
> think the real crackers will say they were doing if they get caught?

Ok, we had some posts saying that getting into someone's box and making some noise to get the admin's attention is comparable with walking into someone's house, sitting on the owner's sofa and waiting / leaving a note on the wall to tell him someone broke in - both are illegal unauthorized access.

Now that the owner is on holiday, his house is burning and my house is next to his, I should call the fire brigade to at least protect my own house, and the police - as I've seen someone who put the house on fire. Writing emails to them did work up to now and the owner is still not reachable too. The police are not interested - because there is a border between my house and the burning one. I should try to contact the police over there.

Right, it's a bit stupid to use such a comparison - but it's somehow fun too. The person on holiday is just called standard M$-certified admin.

> Unless we could popularise running an 'alert-me-if-my-box-is-screwy'
> daemon, which when it receives a message it beeps, displays a message, and
> keeps beeping until an operator acks the message.

Even ISPs do not really care about beeping boxes. When I carried my first holy 4U-server to my ISP last year, I was really shocked. Tons of beeping RAID-cards / power-supplies. They never would hear mine. And it's really not a small ISP (I guess the smaller ones would be able to act properly).

IMO the only proper solution would be to notify the person mentioned in the RIPE-handle / Domain-handle and hope that someone is going to react. Everything else is playing fire-policeman. Or some kind of self protection.

> Cheers
> Geoff

best regards
Andreas
Re: suspicious apache log entries
* Andreas Syka [EMAIL PROTECTED] [020913 11:19]:
> (Andreas Syka's message of Friday, September 13, 2002, quoted in full; see above)

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
RE: suspicious apache log entries
What seems to be missed in this thread is the fact that Nimda is not limited to running on servers. Of all the machines that have used Nimda style probing against my IP address in the last week, not one has been a server. None of the machines respond to port 80. None of these machines have DNS or WHOIS records other than for the ISP who owns the IP block.

Perhaps things are different in other IP blocks. But in the block my machines are in, it appears that the infected machines are most likely desktops without virus protection. I find it unfathomable that significant numbers of servers currently exist which have not already been patched by now. The patch has been available for over 2 years now.

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms00-057.asp
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms00-078.asp

If we accept that the vast majority of machines which are currently infected with Nimda are desktop machines without Web servers, we are left with a few questions:

1. How would one break in? Using the same exploit as Nimda would most likely involve sending the owner an e-mail. This is problematic because the e-mail address is not known. If the e-mail address were known, we could just send the owner an e-mail. (Although the owner is probably already overwhelmed with bounces and what not because their machine is infected with Nimda...)

2. Who should the compromise be reported to? It is unlikely that any of these machines have SMTP servers running so the direct approach will fail. There are no WHOIS/DNS records for the compromised machines, only the ISPs. It is likely that many compromised hosts do not even have static IP addresses, requiring the ISP to look through logs to determine who had a given IP address at a given time.
-----Original Message-----
From: Andreas Syka [mailto:[EMAIL PROTECTED]
Sent: Friday, September 13, 2002 2:20 AM
To: debian-security@lists.debian.org
Subject: Re: suspicious apache log entries

> (Andreas Syka's message of Friday, September 13, 2002, quoted in full; see above)
Re: suspicious apache log entries
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Something that would be totally legal would be to send an email to the [EMAIL PROTECTED], in the hope that they have such an email address. Of course one has to pay attention that this email address does not get flooded, when thousands of the call-attention-to-your-infected-nimda-machine-scripts would answer the attempted nimda attack in such a way. This would mean a kind of central database, where those infected machines would get registered.

A step further would be to ask the webmaster to reply to this email. If he does not within a given timeframe, one could try to let his server's speakers beep or whatever-not-too-harmful option there is. I think after sending emails and trying to reach the responsible person (according to the RFC there has to be such an email address), the second step would be legally okay in most countries.

Marcel

On Thursday, 12 September 2002, at 05:24, Peter Cordes wrote:

> On Tue, Sep 10, 2002 at 10:00:13AM -0700, Vineet Kumar wrote:
>> I understand that the tools exist, but I'd be very cautious before
>> donning your white hat and becoming the next Internet vigilante. Of
>> course the admin of the site may be grateful for your pointing out that
>> something is wrong, but more likely they'll blame you for any damage they
>> find (no matter how they were originally infected) and be very angry
>> about any change you make to their site. Remember, if they had a clue,
>> they'd already know and be working on fixing the problem (or never have
>> been running IIS in the first place).
>
> Nobody said anything about changing the web site, or anything on their
> hard drive. The suggestion was to pop up a window on the desktop. (This
> makes sense because I suppose even servers that are running an MS OS
> usually have a desktop that someone will look at when something goes
> wrong.)
>
> Taking down the TCP stack is of questionable legality, and it would be
> nice if there was an easier way to call attention to the machine. Maybe
> beeping the PC speaker in morse code for S.O.S. would work. (Do rackmount
> servers have a PC speaker?) Some people disable the PC speaker, but if
> they have a sound card, you could use that. (Then you could say make their
> computer say I'm infected, help me...)
>
> -- 
> #define X(x,y) x##y
> Peter Cordes ; e-mail: X([EMAIL PROTECTED] , ns.ca)
>
> The gods confound the man who first found out how to distinguish the
> hours! Confound him, too, who in this place set up a sundial, to cut and
> hack my day so wretchedly into small pieces! -- Plautus, 200 BC

- --- 
PGP / GPG Key: http://www.ncpro.com/GPG/mmweber-at-ncpro-com.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (Darwin)
Comment: For info see http://www.gnupg.org

iD8DBQE9gEDH1EXMUTKVE5URAtlVAJ4mTPLOHmi5ep/LBSKgYiVjxpMuhQCgyUqi
YDX1kSqe4Y33vsXRIgXHVb8=
=R2gR
-----END PGP SIGNATURE-----
Re: suspicious apache log entries
On Thu, 12 Sep 2002 at 12:24:47AM -0300, Peter Cordes wrote:
> Taking down the TCP stack is of questionable legality, and it would be
> nice if there was an easier way to call attention to the machine. Maybe
> beeping the PC speaker in morse code for S.O.S. would work. (Do rackmount
> servers have a PC speaker?) Some people disable the PC speaker, but if
> they have a sound card, you could use that. (Then you could say make their
> computer say I'm infected, help me...)

If the machine is running exchange you could always email the admin?

Someone mentioned in a prior post they would blame you. Oh well, let them blame me, in court if they wish. I will merely point out how their box was attempting to attack mine due to their negligence. What we then have is called a Stand Off.

Regards,

-- 
Phil
PGP/GPG Key: http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/ | gpg --import

XP Source Code:

#include <win2k.h>
#include <extra_pretty_things_with_bugs.h>
#include <more_bugs.h>
#include <require_system_activation.h>
#include <phone_home_every_so_often.h>
#include <remote_admin_abilities_for_MS.h>
#include <more_restrictive_EULA.h>
#include <sell_your_soul_to_MS_EULA.h>
//os_ver=Windows 2000
os_ver=Windows XP
Re: suspicious apache log entries
On Thu, Sep 12, 2002 at 09:22:43AM +0200, Marcel Weber wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Something that would be totally legal would be to send an email to the
> [EMAIL PROTECTED], in the hope that they have such an email address. Of
> course one has to pay attention that this email address does not get
> flooded, when thousands of the
> call-attention-to-your-infected-nimda-machine-scripts would answer the
> attempted nimda attack in such a way. This would mean a kind of central
> database, where those infected machines would get registered.
>
> A step further would be to ask the webmaster to reply to this email. If
> he does not within a given timeframe, one could try to let his server's
> speakers beep or whatever-not-too-harmful option there is. I think after
> sending emails and trying to reach the responsible person (according to
> the RFC there has to be such an email address), the second step would be
> legally okay in most countries.
>
> Marcel

I can see that sending an email is an appropriate, legal, and responsible course of action. However to make his servers beep, you still need to perform an illegal act of cracking into his box. Regardless of what you intend to do when you get in there, it is still unauthorized access to the computer. If it is legal to crack a box for 'good' reasons, what do you think the real crackers will say they were doing if they get caught?

Unless we could popularise running an 'alert-me-if-my-box-is-screwy' daemon, which when it receives a message it beeps, displays a message, and keeps beeping until an operator acks the message. Of course, this would probably just become another vehicle for spam. (Unless there was some sort of hashcash thing used that I read about on ./)

Cheers
Geoff
Re: suspicious apache log entries
On Fri, Sep 13, 2002 at 09:42:26AM +1000, Geoff Crompton wrote:
> I can see that sending an email is an appropriate, legal, and responsible
> course of action. However to make his servers beep, you still need to
> perform an illegal act of cracking into his box. Regardless of what you
> intend to do when you get in there, it is still unauthorized access to the
> computer. If it is legal to crack a box for 'good' reasons, what do you
> think the real crackers will say they were doing if they get caught?

Nobody's catching real crackers. As long as the Internet remains like the wild west, following good morals, even if you are technically in violation of the law, is ok.

Let me explain why I think this is morally OK: Cracking a machine in the first place is a Bad Thing. Once the admin finds out about it, they basically have no choice but to re-install everything from trusted sources. However, if a box has already been cracked, further crackings don't increase the work of re-installing, or anything (assuming the further crackings don't delete or damage other files). Thus, I don't see exploiting an already-cracked box to try to get someone to patch it, as long as you don't actually do any damage.

It's possible that you might mistakenly think a box was Nimdaing you when it wasn't actually cracked. It's not important what makes you think that: The point is that if you exploit the standard hole that Nimda exploits, but the machine had never actually been cracked, you are the first one to crack the machine, and cause a headache for the admin. But if the machine was vulnerable to the Nimda exploit, and had been in this state for a while, the admin should not trust the machine anyway. It's probably already been cracked.

Since cracking a machine without doing any damage or copying any information just makes the admin worry, and the chance of actually causing harm with this is extremely low (since you would have to mistakenly apply this alert-of-cracking tool to a machine that had just been set up (otherwise it would already be untrustworthy)). Given the very small harm of mistakenly applying this, combined with the very small probability of mistakenly applying it, the total harm done is small enough that it is acceptable in comparison with the benefits. Besides, if the machine was vulnerable to the exploit, it would be infected with a worm in the near future anyway, so warning the admin and doing no harm is not very bad. (It is important to remember that the harm is only wasted admin time. Nobody will be killed or permanently injured or anything seriously bad. Even small amounts of some kinds of harm should not be acceptable as side effects, but this is not one of those kinds of harm.)

Another important part of this is that you would only get into the machine using the same exploit that the worm used in the first place. (Most IIS worms don't patch the hole they used, do they?) I think trying other exploits is a lot less morally acceptable, especially if you use newer ones that aren't flooded by worms. If you used uncommon attacks, my argument that mistakenly applying it to an uncracked machine was not too bad wouldn't apply. (The machine probably wasn't already cracked, and isn't guaranteed to be cracked by a worm in the near future.) If you were going to respond to probes from worms by using different exploits, you would have to be very certain that the machine was actually infected. If people pooled information on which machines were attacking them, you could see if a machine was making lots of attacks, which would indicate a worm (or maybe a cracker using the machine to launch attacks, in which case alerting the admin is good too).

That's another thing: what about attacks that look the same as those used by a worm, but are due to people trying to crack boxes? (They'd have to be pretty dumb to try it against a web server whose server string said it was non-IIS running on a non-MS OS, since it's safe to assume that people who would change the server header would also keep up with security updates.) If the attacks are coming from the cracker's own computer, mailing them about their cracked machine won't do much good. If a cracker is using someone else's computer to make attacks, warning the admins of the machine is a Good Thing. (Smart crackers usually secure the machine against holes they exploited, at least on Unix, though.) I don't think that anything in this paragraph is a reason not to crack boxes that attack you and warn their owners.

> Unless we could popularise running an 'alert-me-if-my-box-is-screwy'
> daemon [...]

A standard way of finding the webmaster's email addr would serve the same purpose. Probably would collect a lot of spam, though. Maybe if you only accepted mails that mentioned a URL that you have responsibility for, that would help. That way, spammers would have to go to more trouble than they want to bother with to mention the right URL in
Re: suspicious apache log entries
Ok. So it is good to warn owners of cracked boxes. Does that mean it is good for me to walk into a house that has been robbed, and write a note to the owner that it has been robbed? In this case the analogy doesn't work so well, as the owner is more likely going to notice that the place was done over. But in both cases (robbed house, cracked box) my actions to try and warn the owner were cases of illegal trespass.

Contacting the owner in a non-illegal manner still seems more appropriate. If you are willing to go to the trouble of exploiting a nimda hole, then it shouldn't be too much extra work to look at the web pages of the machine, and try and track down a used email address or something.

I think you are opening yourself to unwarranted liability by secondary cases of cracking. The admin (or house owner) will see evidence of your activity, and there is nothing stopping them leaping to the conclusion that you were responsible for the initial attack. On the flip side, if it became an accepted practice, crackers could exploit a tactic of secondary exploitation and putting up warning messages after they have finished using the box.

Besides, the admin shouldn't only re-install from trusted media. He/She should do some sort of analysis as to the nature of the attack, what was exploited, what further computers were exposed, and possibly feed this information on to either an appropriate law enforcement or organizations like AusCert so they know what sort of attacks are going on. Secondary attacks do lead to more work in these areas.

What you are saying does sound sort of reasonable. But it sounds like it would be easy to take it too far in a vigilante type of way. The line gets very thin between
 * make the computer beep and display a warning message
 * make the sound card play music and display a w4rn1n6 message
 * make the sound card play a voice over saying how stupid the owner is
 * making sure you delete all their files, so that potential real crackers can't steal them
Each of these actions is supposedly for the benefit of the owner. But you don't know if they are really going to appreciate them.

Cheers
Geoff

On Thu, Sep 12, 2002 at 11:14:37PM -0300, Peter Cordes wrote:
> snipped, to help prevent the extinction of those electronic trees
Re: suspicious apache log entries
On Tue, Sep 10, 2002 at 10:00:13AM -0700, Vineet Kumar wrote:
> I understand that the tools exist, but I'd be very cautious before
> donning your white hat and becoming the next Internet vigilante. Of
> course the admin of the site may be grateful for your pointing out that
> something is wrong, but more likely they'll blame you for any damage they
> find (no matter how they were originally infected) and be very angry
> about any change you make to their site. Remember, if they had a clue,
> they'd already know and be working on fixing the problem (or never have
> been running IIS in the first place).

Nobody said anything about changing the web site, or anything on their hard drive. The suggestion was to pop up a window on the desktop. (This makes sense because I suppose even servers that are running an MS OS usually have a desktop that someone will look at when something goes wrong.)

Taking down the TCP stack is of questionable legality, and it would be nice if there was an easier way to call attention to the machine. Maybe beeping the PC speaker in morse code for S.O.S. would work. (Do rackmount servers have a PC speaker?) Some people disable the PC speaker, but if they have a sound card, you could use that. (Then you could say make their computer say I'm infected, help me...)

-- 
#define X(x,y) x##y
Peter Cordes ; e-mail: X([EMAIL PROTECTED] , ns.ca)

The gods confound the man who first found out how to distinguish the hours! Confound him, too, who in this place set up a sundial, to cut and hack my day so wretchedly into small pieces! -- Plautus, 200 BC
suspicious apache log entries
Hi all.

While digging through the error.log of my apache I found two lines that seem to hint toward a new (?) worm. I saw the first one some days ago, too:

[Sat Aug 31 21:03:49 2002] [error] [client 64.152.12.2] request failed: erroneous characters after protocol string: CONNECT mailb.microsoft.com:25 / HTTP/1.0

Looks like there is someone trying to abuse a proxy to connect to a SMTP server?

The second is a new one (which means I never saw it before). It appears several times in the log, below I quoted the first appearance:

[Sat Sep 7 05:33:20 2002] [error] [client 202.224.228.106] Client sent malformed Host header

Any idea what type of attack these lines give a hint about? I think Apache is safe here, this most probably would be an attack against IIS or something like that. But I would like to learn a little more about those ones...

Bye, Mike
Re: suspicious apache log entries
Sounds like Code Red. We get a lot of these too, and the Microsoft attacks don't do much to an Apache server :)

-Anne

This one time, Michael Renzmann wrote:
> (Michael Renzmann's original message "suspicious apache log entries", quoted in full; see above)

-- 
Anne Carasik, System Administrator
gator at cacr dot caltech dot edu
Center for Advanced Computing Research
Re: suspicious apache log entries
Hi Anne.

Anne Carasik wrote:
> Sounds like Code Red. We get a lot of these too, and the Microsoft
> attacks don't do much to an Apache server :)

Ok, thanks for the info. I guess I didn't see this one by now because Code Red seems to die more and more, right? :)

Bye, Mike
Re: suspicious apache log entries
Hello Debians,

----- Original Message -----
From: Michael Renzmann [EMAIL PROTECTED]
To: debian-security@lists.debian.org
Sent: Tuesday, September 10, 2002 8:35 AM
Subject: suspicious apache log entries

> [Sat Aug 31 21:03:49 2002] [error] [client 64.152.12.2] request failed:
> erroneous characters after protocol string: CONNECT mailb.microsoft.com:25 / HTTP/1.0

I've seen tons of ../script/ and ../cmd.exe's as I've got several machines with fixed IPs.

##
klopm:/# cat logs/access_log | grep cmd.exe | wc -l
15384
##

starting at 07/Feb/2002 at only one IP. And this machine has got 33 IPs.

But this request you mentioned was new to me too - seems like I've missed something at bugtraq/vulnwatch etc. ;-)

Here it appears the first time:

##
67.81.183.168 - - [30/May/2002:16:24:20 +] CONNECT mx1.mail.yahoo.com:25 / HTTP/1.0 405 231 - Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
##

on only one IP - at the end of May. The next request comes in 2 weeks later:

##
216.53.218.199 - - [15/Jul/2002:01:23:06 +0200] CONNECT mxs.mail.ru:25 HTTP/1.0 404 194 - -
##

without useragent! Some aSSk!cKiNG VB-script I guess. Now it seems to start. Yesterday I got 39 requests for the first time. Seems to be new...

As they want to connect to some mail server, I guess these are spammers looking for new ways to spread their impotent news. That's why there are not so many requests, because kids can't find any of my files - I guess.

Has anyone seen some Anti-Nimda/Code Red beside http://www.eye-net.com.au/csmall/myscripts/nimda.html ?

I'd like to send out some abuse-mails to RIPE or the ISP in addition to the webmaster, as I believe most of the attacks are done by kids instead of infected servers. This one is a bit more complicated as one needs the whois for the IP and I don't have the time to work on this for myself.

Over 15000 requests on one IP * 33 at about 240 bytes make round about 100MB traffic and over 60MB logfile for nothing.

thanks and best regards,
Andreas
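The error.log lines in Mike's original post (the CONNECT to port 25 that Apache rejects, the malformed Host header) and the access_log lines and grep count in this message are the raw material a defender actually has, and the per-source tally is what an abuse report to the ISP or RIPE contact needs. The following Python script is an added example written for this edit; it is not code from any poster on the thread nor from the nimda.html script linked above. It parses both Apache log formats, labels each line (CONNECT-to-SMTP proxy probe, IIS worm-style request, malformed Host header), tallies labelled hits per client address and renders the per-source summary one would attach to a report. The addresses and hostnames in the sample lines are constructed (RFC 5737 documentation ranges and example domains); cmd.exe and /scripts/ come from the thread, while root.exe and default.ida are added as well-known Nimda and Code Red request paths the thread does not itself mention.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

# Apache combined-format access_log line (constructed sample, documentation IPs):
#   192.0.2.10 - - [30/May/2002:16:24:20 +0000] "CONNECT mx1.example.net:25 / HTTP/1.0" 405 231 "-" "Mozilla/4.0"
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
# Apache 1.3 error.log line:
#   [Sat Aug 31 21:03:49 2002] [error] [client 192.0.2.10] request failed: ...
ERROR_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<ip>[^\]]+)\] (?P<msg>.*)$'
)
# CONNECT to port 25 through the web server: an open-proxy probe by spam relays.
CONNECT_SMTP_RE = re.compile(r'^CONNECT\s+\S+:25\b', re.I)
# Request paths used by IIS worms. cmd.exe and /scripts/ are from the thread;
# root.exe (Nimda) and default.ida (Code Red) are well-known additions (assumption).
IIS_PROBE_RE = re.compile(r'(cmd\.exe|root\.exe|/scripts/|default\.ida)', re.I)
# Apache's "erroneous characters" error quotes the offending request line after this marker.
PROTO_MARKER = "erroneous characters after protocol string: "


def classify_request(req: str) -> Optional[str]:
    """Label a request line, or return None for ordinary traffic."""
    if CONNECT_SMTP_RE.match(req):
        return "proxy-connect-smtp"
    if IIS_PROBE_RE.search(req):
        return "iis-worm-probe"
    return None


def classify_error(msg: str) -> Optional[str]:
    """Label an error.log message, re-using the request classifier where the message carries a request line."""
    if msg == "Client sent malformed Host header":
        return "malformed-host-header"
    if PROTO_MARKER in msg:
        req = msg.split(PROTO_MARKER, 1)[1]
        return classify_request(req) or "malformed-request-line"
    return None


def parse_access_line(line: str) -> Optional[Tuple[str, Optional[str]]]:
    m = ACCESS_RE.match(line)
    return (m.group("ip"), classify_request(m.group("req"))) if m else None


def parse_error_line(line: str) -> Optional[Tuple[str, Optional[str]]]:
    m = ERROR_RE.match(line)
    return (m.group("ip"), classify_error(m.group("msg"))) if m else None


def summarize(access_lines: Iterable[str], error_lines: Iterable[str]) -> Dict[str, Dict[str, int]]:
    """Count labelled hits per client address across both log files; unlabelled lines are ignored."""
    per_ip: Dict[str, Counter] = defaultdict(Counter)
    for parse, lines in ((parse_access_line, access_lines), (parse_error_line, error_lines)):
        for line in lines:
            hit = parse(line.rstrip("\n"))
            if hit and hit[1]:
                per_ip[hit[0]][hit[1]] += 1
    return {ip: dict(c) for ip, c in per_ip.items()}


def worm_like_sources(summary: Dict[str, Dict[str, int]], min_hits: int = 2) -> List[str]:
    """Addresses with repeated IIS-worm probes; many hits from one source point at an infected host."""
    return sorted(ip for ip, c in summary.items() if c.get("iis-worm-probe", 0) >= min_hits)


def abuse_report(summary: Dict[str, Dict[str, int]], ip: str) -> Optional[str]:
    """Per-source summary text to attach to a report to the address block's abuse contact."""
    counts = summary.get(ip)
    if not counts:
        return None
    lines = [f"Source {ip}: {sum(counts.values())} suspicious requests"]
    lines += [f"  {n:5d}  {label}" for label, n in sorted(counts.items())]
    return "\n".join(lines)


# Constructed sample log data (documentation IPs, example domains); not real traffic.
SAMPLE_ERROR_LOG = """\
[Sat Aug 31 21:03:49 2002] [error] [client 192.0.2.10] request failed: erroneous characters after protocol string: CONNECT mailb.example.com:25 / HTTP/1.0
[Sat Sep  7 05:33:20 2002] [error] [client 198.51.100.7] Client sent malformed Host header
"""
SAMPLE_ACCESS_LOG = """\
192.0.2.10 - - [30/May/2002:16:24:20 +0000] "CONNECT mx1.example.net:25 / HTTP/1.0" 405 231 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
203.0.113.5 - - [15/Jul/2002:01:23:06 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 194 "-" "-"
203.0.113.5 - - [15/Jul/2002:01:23:07 +0200] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 194 "-" "-"
203.0.113.5 - - [15/Jul/2002:01:23:08 +0200] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0"
198.51.100.7 - - [15/Jul/2002:02:00:00 +0200] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 194 "-" "-"
"""

if __name__ == "__main__":
    summary = summarize(SAMPLE_ACCESS_LOG.splitlines(), SAMPLE_ERROR_LOG.splitlines())
    for ip in sorted(summary):
        print(abuse_report(summary, ip))
    print("worm-like sources:", worm_like_sources(summary))
```

Run against real files with `summarize(open("access_log"), open("error_log"))`; the CONNECT probes and the IIS probes are kept as separate labels because they have different owners behind them (spam relays scanning for open proxies versus infected Windows hosts), and only the second kind, when repeated from one address, is worth raising with the address block's abuse contact as a likely worm infection.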
Re: suspicious apache log entries
Hi Andreas.

Andreas Syka wrote:
> I've seen tons of ../script/ and ../cmd.exe's as I've got several
> machines with fixed IPs.

I also received quite a lot of those requests, although our server is not official by now, has no domain name (besides a work-around solution using dyndns during the time we still work on the server setup). I already told the list about that one or two weeks ago.

> Has anyone seen some Anti-Nimda/Code Red beside
> http://www.eye-net.com.au/csmall/myscripts/nimda.html ?

I wrote a small php-script for tarpitting Nimda and Co., but as I told here this was not very successful. It seems meanwhile there are lots of variants of Nimda out there who don't care about endless connections - they quit a connection after a timeout of less than 15 seconds.

Phillip Hofmeister stated that one could use the Nimda backdoor on the server that connects to our server to set up a warning message on the attacking computer's desktop. I think this is a great idea, but I have not been able to track down what would be necessary to write code for doing so. Anyone on this list interested in teaming up on writing such a script?

Bye, Mike
Re: suspicious apache log entries
* Michael Renzmann ([EMAIL PROTECTED]) [020910 02:55]:
> Phillip Hofmeister stated that one could use the Nimda backdoor on the
> server that connects to our server to set up a warning message on the
> attacking computer's desktop. I think this is a great idea, but I have
> not been able to track down what would be necessary to write code for
> doing so. Anyone on this list interested in teaming up on writing such
> a script?

If you do, be prepared to go to jail...

good times,
Vineet

-- 
http://www.doorstop.net/
--
Computer Science is no more about computers than astronomy is about telescopes. -- E.W. Dijkstra
Re: suspicious apache log entries
Hi.

Vineet Kumar wrote:
>> Phillip Hofmeister stated that one could use the Nimda backdoor on the
>> server that connects to our server to set up a warning message on the
>> attacking computer's desktop.
>
> If you do, be prepared to go to jail...

For what reason? For telling stupid webserver administrators about a security problem they have?

Well, while thinking about it, you may be right. There have been several incidents in the US where someone pointed out security problems and got sued because of that a few days/weeks later.

Bye, Mike
Re: suspicious apache log entries
* Michael Renzmann ([EMAIL PROTECTED]) [020910 03:12]:
> Hi.
>
> Vineet Kumar wrote:
>>> Phillip Hofmeister stated that one could use the Nimda backdoor on the
>>> server that connects to our server to set up a warning message on the
>>> attacking computer's desktop.
>>
>> If you do, be prepared to go to jail...
>
> For what reason? For telling stupid webserver administrators about a
> security problem they have?

As the law is concerned, this is like telling people they've left their front door unlocked by inviting yourself in and taking a dump on their couch. It's not yours, and you have no right to enter, let alone change (deface) the site, no matter how easy it is, or how much good you think you might be accomplishing.

> Well, while thinking about it, you may be right. There have been several
> incidents in the US where someone pointed out security problems and got
> sued because of that a few days/weeks later.

This is even less of an issue of demonstrating or discussing a weakness, the discussion was about exploiting one. I think it's obvious that this is not okay, in any circumstances.

good times,
Vineet

-- 
http://www.doorstop.net/
--
They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. --Benjamin Franklin
AW: suspicious apache log entries
Hi

Phillip Hofmeister is right. This tool exists. We used this at our company's network (a bigger one, some 100'000 users ;-). All those Frontpage or I don't know what the hell they're using users with IIS and Nimda on it were difficult to track down. Of course we tried to warn them before implementing this tool, but some were on holidays, others did not have the time to fix it, others had dynamic IP addresses and so on. So a little program called Silver bullet got developed. I think it ran even on Linux. When a backdoored server tried to contact the silver bullet server, it got shot down by this script using Nimda's backdoor. A window popped up on the attacking machine and its IP stack went down... It was really amazing how fast all those servers and workstations got patched and finally there was peace again on the networks...

Well, but you're right: This is a beautiful tool on a company's network. But if used on the internet, there could be legal issues. Why not introduce an official Internet Security Team that officially has the right to do such things. It would be for the good of the net! They could be a part of the ICANN or UNO or whoever.

Marcel

PGP / GPG Key: http://www.ncpro.com/GPG/mmweber-at-ncpro-com.asc

-----Original Message-----
From: Vineet Kumar [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 10 September 2002 12:58
To: debian-security@lists.debian.org
Subject: Re: suspicious apache log entries

> * Michael Renzmann ([EMAIL PROTECTED]) [020910 02:55]:
> > Phillip Hofmeister stated that one could use the Nimda backdoor on the server that connects our server to set up a warning message on the attacking computer's desktop. I think this is a great idea, but I have not been able to track down what would be necessary to write code for doing so. Anyone on this list interested in teaming up on writing such a script?
>
> If you do, be prepared to go to jail...
>
> good times,
> Vineet
>
> -- 
> http://www.doorstop.net/ -- Computer Science is no more about computers than astronomy is about telescopes. -- E.W. Dijkstra
Re: suspicious apache log entries
On Tue 10 Sep Marcel Weber wrote:
> So a little program called Silver bullet got developed. I think it ran even on Linux. When a backdoored server tried to contact the silver bullet server, it got shot down by this script using Nimda's backdoor. A window popped up on the attacking machine and its IP stack went down... It was really amazing how fast all those servers and workstations got patched and finally there was peace again on the networks...

This is probably wandering further and further OT, however I saw a posting on bugtraq way back when all this started that suggested an interesting tactic. It claimed that the HTTP libraries used by Nimda and Code Red were generic, and could be fooled by sending a redirect response like:

Location: http://127.0.0.1/

They would then attempt to root themselves repeatedly, causing the whole machine to eventually crash. I expect behaviour would be different in the various strains of the worms though. Obviously you can send any HTTP header you like legally. Also, I guess people would be quicker to fix their computers if they kept breaking.

I never tested this myself, but it sounds plausible.

doug.

-- 
key 1024D/6973E2CF print | Tomorrow will be cancelled due to lack of
2C95 66AD 1596 37D2 41FC | interest.
609F 76C0 A4EC 6973 E2CF | http://www.antisigma.com
Re: suspicious apache log entries
> [Sat Aug 31 21:03:49 2002] [error] [client 64.152.12.2] request failed: erroneous characters after protocol string: CONNECT mailb.microsoft.com:25 / HTTP/1.0

open proxy probe, standard Internet crapola, http://www.monkeys.com/security/proxies/
Re: suspicious apache log entries
Jamie Heilman wrote:
> > [Sat Aug 31 21:03:49 2002] [error] [client 64.152.12.2] request failed: erroneous characters after protocol string: CONNECT mailb.microsoft.com:25 / HTTP/1.0
>
> open proxy probe, standard Internet crapola, http://www.monkeys.com/security/proxies/

Hmm, ok it appears all the links off that page are 404s, guess I should have checked that before I replied, anyway, I think your guess was right, just somebody trying to abuse a hole in a weak proxy.

-- 
Jamie Heilman                   http://audible.transient.net/~jamie/
"You came all this way, without saying squat, and now you're trying to tell me a '56 Chevy can beat a '47 Buick in a dead quarter mile? I liked you better when you weren't saying squat kid." -Buddy
Re: suspicious apache log entries
On Tue, Sep 10, 2002 at 03:28:42AM -0700, Vineet Kumar wrote:
> * Michael Renzmann ([EMAIL PROTECTED]) [020910 03:12]:
> > Hi.
> >
> > Vineet Kumar wrote:
> > > > Phillip Hofmeister stated that one could use the Nimda backdoor on the server that connects our server to set up a warning message on the attacking computer's desktop.
> > >
> > > If you do, be prepared to go to jail...
> >
> > For what reason? For telling stupid webserver administrators about a security problem they have?
>
> As the law is concerned, this is like telling people they've left their front door unlocked by inviting yourself in and taking a dump on their couch. It's not yours, and you have no right to enter, let alone change (deface) the site, no matter how easy it is, or how much good you think you might be accomplishing.

Wrong analogy. Imagine instead a car that is always unlocked and is used nightly by hooligans when they go joy-riding. The warning message + lockup technique is more like leaving a note behind the windshield of the car and locking its doors. In the real world, such behavior might be called being a concerned citizen.

-- 
Erik Rossen                                  ^
OpenPGP key: 2935D0B9                       /e\   Use GnuPG, see the
[EMAIL PROTECTED]                           ---   black helicopters.
http://people.linux-gull.ch/rossen
Re: AW: suspicious apache log entries
Hi Marcel.

Marcel Weber wrote:
> Why not introduce an official Internet Security Team that officially has the right to do such things. It would be for the good of the net! They could be a part of the ICANN or UNO or whoever.

I don't think this would be successful. It's a great idea, no doubt about it. But the problems will begin as soon as you had to get legal approval from every possible country that is connected to the Internet. There are still countries in the world where it is not a crime to get inside a computer and steal data. I guess chances are low that such countries would even care about giving legal approval to such a security team.

Just my 0.02$ (maybe, most hopefully I'll be wrong with that - it would be a great step forward to have a team like this in my opinion)

Bye, Mike
Re: suspicious apache log entries
Hi.

Doug Winter wrote:
> It claimed that the HTTP libraries used by Nimda and Code Red were generic, and could be fooled by sending a redirect response like:
>
> Location: http://127.0.0.1/

Nice idea. Would it be enough to redirect them to the localhost-ip, or should the URI of the original request be appended to the redirection?

Bye, Mike
Re: suspicious apache log entries
Hello!

I have done a script against Nimda and other undesirable access to my server, http://ainulindale.homeunix.org/~carlos/scripts/cortafuegos/

What do you think about that?

best regards:
Carlos

> Has anyone seen some Anti-Nimda/Code Red beside http://www.eye-net.com.au/csmall/myscripts/nimda.html ?
>
> I'd like to send out some abuse-mails to RIPE or the ISP in addition to the webmaster,
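The thread's practical defender-side task is sorting log noise like the CONNECT line quoted above, and the Nimda/Code Red probes the anti-Nimda scripts look for, into a per-IP list that can go into an abuse mail to the ISP. Below is an added example of that triage, written for this page; it is not from the thread, from cortafuegos, or from the eye-net.com.au script. It assumes Apache 1.3-era error_log and common-log-format access_log layouts, and it matches the well-known Nimda request paths (cmd.exe, root.exe) and the Code Red default.ida target; the sample lines other than the one quoted in the thread are constructed.

```python
"""Triage Apache log lines for worm and open-proxy probes (added example)."""
import re
from collections import Counter, defaultdict

# Constructed sample input: the first line is the error_log entry quoted in
# the thread; the access_log lines below it are made up for this example.
SAMPLE_LOG = """\
[Sat Aug 31 21:03:49 2002] [error] [client 64.152.12.2] request failed: erroneous characters after protocol string: CONNECT mailb.microsoft.com:25 / HTTP/1.0
10.0.0.7 - - [31/Aug/2002:21:04:10 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 281
10.0.0.7 - - [31/Aug/2002:21:04:11 +0000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 296
10.0.0.9 - - [31/Aug/2002:21:05:02 +0000] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 283
192.0.2.5 - - [31/Aug/2002:21:06:00 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

# Common log format: ip ident user [ts] "METHOD target proto" status ...
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)
# Apache 1.3 error_log: [ts] [error] [client ip] message
ERROR_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] (?P<msg>.*)$'
)
# The offending request line is embedded in the error message text.
REQUEST_IN_MSG_RE = re.compile(r'\b(?P<method>CONNECT|GET|POST|HEAD)\s+(?P<target>\S+)')

# Request fingerprints (assumption: the commonly published worm paths).
# cmd.exe / root.exe are what Nimda probes for (root.exe being the Code Red II
# backdoor Nimda reuses); /default.ida is the Code Red .ida overflow target.
SIGNATURES = [
    ("nimda", re.compile(r'(?:cmd|root)\.exe', re.I)),
    ("code-red", re.compile(r'/default\.ida', re.I)),
]


def classify_request(method, target):
    """Return a probe label for one request, or None if it looks ordinary."""
    if method == "CONNECT":
        # A CONNECT through a web server is the classic open-proxy probe;
        # the target port (25 above) tells you it is a spam relay hunt.
        return "open-proxy-probe"
    for label, pattern in SIGNATURES:
        if pattern.search(target):
            return label
    return None


def parse_line(line):
    """Extract (ip, method, target) from an access_log or error_log line."""
    m = ACCESS_RE.match(line)
    if m:
        return m.group("ip"), m.group("method"), m.group("target")
    m = ERROR_RE.match(line)
    if m:
        req = REQUEST_IN_MSG_RE.search(m.group("msg"))
        if req:
            return m.group("ip"), req.group("method"), req.group("target")
    return None


def summarize(log_text):
    """Map each client IP to a Counter of the probe labels seen from it."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue  # blank, unparseable, or a format we do not handle
        ip, method, target = parsed
        label = classify_request(method, target)
        if label:
            hits[ip][label] += 1
    return hits


def abuse_report(hits):
    """One line per offending IP, ready to paste into a mail to the ISP."""
    lines = []
    for ip in sorted(hits):
        detail = ", ".join(f"{n} x {label}" for label, n in sorted(hits[ip].items()))
        lines.append(f"{ip}: {detail}")
    return lines


if __name__ == "__main__":
    for line in abuse_report(summarize(SAMPLE_LOG)):
        print(line)
```

Point it at a real access_log or error_log by replacing SAMPLE_LOG with the file contents; the per-IP counts are what a whois lookup of the netblock and an abuse mail need, and the unmatched 404s and 200s are dropped rather than reported.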
Re: suspicious apache log entries
* Quoting Erik Rossen ([EMAIL PROTECTED]):
> Imagine instead a car that is always unlocked and is used nightly by hooligans when they go joy-riding.

That's why leaving a car unlocked is illegal in Germany. On the other hand, you still need the key to start it and a hooligan wouldn't mind breaking the window, anyway.

> The warning message + lockup technique is more like leaving a note behind the windshield of the car and locking its doors. In the real world, such behavior might be called being a concerned citizen.

The 'silver bullet' as described above is taking down the TCP stack, bringing down the whole server with impacts on other services as well. That's more like stealing the tyres of the car. Looking up the maintainer of that server in the whois-db and sending an email would be the 'concerned citizen' approach.

- rk
Re: suspicious apache log entries
* Erik Rossen ([EMAIL PROTECTED]) [020910 04:51]:
> On Tue, Sep 10, 2002 at 03:28:42AM -0700, Vineet Kumar wrote:
> > As the law is concerned, this is like telling people they've left their front door unlocked by inviting yourself in and taking a dump on their couch. It's not yours, and you have no right to enter, let alone change
>
> Wrong analogy.

True, mine was not perfect. The sad fact is that there are no perfect analogs to the real world, and the laws struggle to grasp at them. In any case, no matter what has been done to you from that server, connecting back to that server with the intent of somehow disabling or defacing it is illegal. Even adding some 'notice' on a .html somewhere is defacing. It's totally subjective, and the bottom line is that you have no right to make any modifications to their site, not even 'helpful' ones. (Well, unless you're the RIAA, of course ... maybe we should get a lawyer in here and work on a defense saying "I thought they were infringing on my copyright, so I took 'em down.")

> Imagine instead a car that is always unlocked and is used nightly by hooligans when they go joy-riding. The warning message + lockup technique is more like leaving a note behind the windshield of the car and locking its doors. In the real world, such behavior might be called being a concerned citizen.

Unfortunately, in today's America, such behavior is more likely to be called cyber-terrorism, and you may land yourself in a military tribunal! I understand that the tools exist, but I'd be very cautious before donning your white hat and becoming the next Internet vigilante. Of course the admin of the site may be grateful for your pointing out that something is wrong, but more likely they'll blame you for any damage they find (no matter how they were originally infected) and be very angry about any change you make to their site. Remember, if they had a clue, they'd already know and be working on fixing the problem (or never have been running IIS in the first place).

good times,
Vineet

-- 
http://www.doorstop.net/ -- Those who desire to give up freedom in order to gain security will not have, nor do they deserve, either one. --President Thomas Jefferson.
Re: suspicious apache log entries
On Tue, Sep 10, 2002 at 12:43:10PM +0300, Marcel Weber wrote:
> Well, but you're right: This is a beautiful tool on a company's network. But if used on the internet, there could be legal issues. Why not introduce an official Internet Security Team that officially has the right to do such things. It would be for the good of the net! They could be a part of the ICANN or UNO or whoever.
>
> Marcel

Sounds like such an organization would be ripe for misuse by power hungry politicians/diplomats/whatever-you-call-them-power-hungry-people

Geoff Crompton
RE: suspicious apache log entries
'nod', agreed Geoff.

Sincerely,
Daniel J. Rychlik

"Money does not make the world go round, Gravity does."

-----Original Message-----
From: Geoff Crompton [mailto:[EMAIL PROTECTED] On Behalf Of Geoff Crompton
Sent: Tuesday, September 10, 2002 7:25 PM
To: debian-security@lists.debian.org
Subject: Re: suspicious apache log entries

> On Tue, Sep 10, 2002 at 12:43:10PM +0300, Marcel Weber wrote:
> > Well, but you're right: This is a beautiful tool on a company's network. But if used on the internet, there could be legal issues. Why not introduce an official Internet Security Team that officially has the right to do such things. It would be for the good of the net! They could be a part of the ICANN or UNO or whoever.
> >
> > Marcel
>
> Sounds like such an organization would be ripe for misuse by power hungry politicians/diplomats/whatever-you-call-them-power-hungry-people
>
> Geoff Crompton