Re: Apache to rewrite or not ..
On Thu, 3 Apr 2003 12:30, Fred Smith wrote:
> you may not be familiar with the nimda virus, so i'll give you an
> overview of it. it spreads through a hole in an IIS extension, uses an
> outrageous amount of bandwidth and effectively gives anyone root on an
> infected machine, via the executables that it places in IIS's scripts
> directory.

If you have a million or more customers of which >100,000 are online and active at busy times then one customer can't use any amount of bandwidth that's worth bothering about.

When you have 100,000 customers online you can count on some of them being insecure and being actively exploited at any time. You can probably expect about 1000 machines to be compromised at any time. If they all used as much bandwidth as possible then it might be a small problem, but the typical broadband setup of slow upload and fast download generally takes care of that.

When you provide ADSL service etc. through a number of partners it can be rather difficult to track down who has a particular IP address and then work out how to contact them (hint - many people use a different ISP for email).

When an ISP has one permanent employee per 20,000 customers dedicated to tracking such things they can do a good job of it. When they have no employees dedicated to the task and it's something that the network administrators do in addition to their regular tasks it's simply impossible for a large ISP.

The only way a big ISP can really control such things properly is to scan all their customers for vulnerabilities and then disconnect them until the vulnerability is fixed. In which case sending them an email won't help.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
Re: Apache to rewrite or not ..
On Wed, 2003-04-02 at 21:06, Russell Coker wrote:
> Doing it manually is not much better. Having lots of people mail you about
> such silly things still isn't much use.

you may not be familiar with the nimda virus, so i'll give you an overview of it. it spreads through a hole in an IIS extension, uses an outrageous amount of bandwidth and effectively gives anyone root on an infected machine, via the executables that it places in IIS's scripts directory.

i'm not sure how you manage your network, but most admins would consider a host that can be anonymously controlled by anyone on the internet a major liability. they have access to your mail servers/news servers, they have the ability to waste tons of bandwidth as part of a DoS attack, etc. i wouldn't consider a nimda infected host on my network "silly".

-- 
Fred Smith <[EMAIL PROTECTED]>
Divided Sky Internet
Re: Apache to rewrite or not ..
On Thu, 3 Apr 2003 11:36, Fred Smith wrote:
> On Tue, 2003-04-01 at 18:30, Russell Coker wrote:
> > On Mon, 31 Mar 2003 15:40, Fred Smith wrote:
> > > if you're feeling ambitious, you could log these
> > > hits and report them to the ISP they came from, so the ISP can contact
> > > the owner of the machine and inform them that they are infected with a
>
> if you actually read what i wrote, you would see that i never mentioned
> having apache automatically report abuse. i meant that the admin of the
> web server could write emails to the abuse addresses of hosts that
> attempted to infect him. clearly, you would never want apache to
> automatically be sending email to anyone. that's just asking for abuse.

Doing it manually is not much better. Having lots of people mail you about such silly things still isn't much use.

As long as your security is good enough you can just ignore such attacks.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
Re: Apache to rewrite or not ..
On Tue, 2003-04-01 at 18:30, Russell Coker wrote:
> On Mon, 31 Mar 2003 15:40, Fred Smith wrote:
> > if you're feeling ambitious, you could log these
> > hits and report them to the ISP they came from, so the ISP can contact
> > the owner of the machine and inform them that they are infected with a
>
> That's a bad idea.
>
> If every Apache server was set up in such a fashion then the postmaster address
> for every major ISP would become unusable, and therefore postmaster addresses
> would become unusable.

if you actually read what i wrote, you would see that i never mentioned having apache automatically report abuse. i meant that the admin of the web server could write emails to the abuse addresses of hosts that attempted to infect him. clearly, you would never want apache to automatically be sending email to anyone. that's just asking for abuse.

-- 
Fred Smith <[EMAIL PROTECTED]>
Divided Sky Internet
Re: Apache to rewrite or not ..
> On Mon, 31 Mar 2003 15:40, Fred Smith wrote:
>> it is most likely a worm (nimda, code red, or one of their variants)
>> and not an actual person. if you're feeling ambitious, you could log
>> these hits and report them to the ISP they came from, so the ISP can
>> contact the owner of the machine and inform them that they are
>> infected with a
>
> That's a bad idea.
>
> If every Apache server was set up in such a fashion then the postmaster
> address for every major ISP would become unusable, and therefore
> postmaster addresses would become unusable.
>
> If someone set up a central clearing-house for such things then it might
> work. What you would need is for your server to notify a central
> server of the worm infection. Once 10 or more machines from different
> AS's had reported an IP address as being infected with a worm then it
> would be reported to the ISP along with any other IP addresses in the
> same ISP's space. That way there would be few false alarms, and the
> real reports would tend to have several IP addresses reported at the
> same time.

What about writing some sort of log analysis tool that can speak to dshield.org? They do log correlation and ISP notification and other noble things. They might already have an apache log tool, but I don't know for sure.

Sincerely,
Kirk Ismay
System Administrator
Re: Apache to rewrite or not ..
On Mon, 31 Mar 2003 15:40, Fred Smith wrote:
> it is most likely a worm (nimda, code red, or one of their variants) and
> not an actual person. if you're feeling ambitious, you could log these
> hits and report them to the ISP they came from, so the ISP can contact
> the owner of the machine and inform them that they are infected with a

That's a bad idea.

If every Apache server was set up in such a fashion then the postmaster address for every major ISP would become unusable, and therefore postmaster addresses would become unusable.

If someone set up a central clearing-house for such things then it might work. What you would need is for your server to notify a central server of the worm infection. Once 10 or more machines from different AS's had reported an IP address as being infected with a worm then it would be reported to the ISP along with any other IP addresses in the same ISP's space. That way there would be few false alarms, and the real reports would tend to have several IP addresses reported at the same time.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
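The log-analysis tool Kirk Ismay suggests and the threshold rule in Russell Coker's clearing-house proposal (only report an address once 10 or more machines in different ASes have seen it, and bundle it with other confirmed addresses in the same ISP's space) are sketched below as an added Python example. It is not code from this thread, from Apache or from DShield. It assumes Apache combined log format and uses the request paths the thread names (default.ida, cmd.exe and the related root.exe) as probe signatures; every log line, IP address and AS number is constructed sample data, the AS numbers come from the documentation range, and nothing here contacts any external service or sends mail.

```python
"""Worm-probe log analysis and clearing-house style correlation (added example).

Two stages: (1) scan Apache combined-format access log lines for the Nimda /
Code Red probe paths named in the thread and count hits per source IP, and
(2) accept (reporter_asn, infected_ip) reports from many servers and confirm
an IP only once MIN_REPORTERS distinct reporting ASes have seen it, then group
confirmed IPs by the ISP's AS so each ISP gets one bundled report.
"""
import re
from collections import defaultdict

# Probe signatures named in the thread; matched against the URL path only.
PROBE_RE = re.compile(r"(default\.ida|/cmd\.exe|/root\.exe)", re.IGNORECASE)

# Apache combined log: host ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines (not real traffic); the last line is deliberately unparseable.
SAMPLE_LOG = """\
10.0.0.5 - - [30/Mar/2003:22:34:01 +1000] "GET /default.ida HTTP/1.0" 404 291 "-" "-"
10.0.0.5 - - [30/Mar/2003:22:34:02 +1000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 294 "-" "-"
10.0.0.9 - - [30/Mar/2003:22:35:10 +1000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 302 "-" "-"
192.0.2.7 - - [30/Mar/2003:22:36:00 +1000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
this line is not a valid log entry
"""

MIN_REPORTERS = 10  # threshold from the clearing-house proposal in the thread


def parse_line(line):
    """Return {host, method, path, status} for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    request = m.group("request").split()
    if len(request) < 2:
        return None
    return {"host": m.group("host"), "method": request[0],
            "path": request[1], "status": int(m.group("status"))}


def is_worm_probe(entry):
    """True when the parsed entry's path carries one of the probe signatures."""
    return entry is not None and PROBE_RE.search(entry["path"]) is not None


def probes_by_source(lines):
    """Count probe hits per source IP; unparseable and benign lines are skipped."""
    counts = defaultdict(int)
    for line in lines:
        entry = parse_line(line)
        if is_worm_probe(entry):
            counts[entry["host"]] += 1
    return dict(counts)


def correlate(reports, min_reporters=MIN_REPORTERS):
    """Confirm IPs reported by at least min_reporters distinct reporting ASes.

    reports is an iterable of (reporter_asn, infected_ip); repeated reports from
    the same AS count once, which is what keeps false alarms down.
    """
    seen_by = defaultdict(set)
    for reporter_asn, ip in reports:
        seen_by[ip].add(reporter_asn)
    return {ip for ip, asns in seen_by.items() if len(asns) >= min_reporters}


def group_confirmed_by_isp(confirmed, ip_to_asn):
    """Bundle confirmed IPs per ISP AS so each ISP receives one report listing all its hosts."""
    by_isp = defaultdict(list)
    for ip in sorted(confirmed):
        by_isp[ip_to_asn[ip]].append(ip)
    return dict(by_isp)


def build_sample_reports():
    """Constructed reports from hypothetical reporting servers (documentation-range ASNs)."""
    reports = []
    for asn in range(64500, 64510):        # ten distinct reporting ASes
        reports.append((asn, "10.0.0.5"))
        reports.append((asn, "10.0.0.6"))
    for asn in range(64500, 64503):        # only three ASes saw this host
        reports.append((asn, "10.0.0.9"))
    reports.append((64500, "10.0.0.9"))    # duplicate from one AS must not count twice
    return reports


# Constructed mapping of infected hosts to their ISP's AS (hypothetical values).
SAMPLE_IP_TO_ASN = {"10.0.0.5": 64496, "10.0.0.6": 64496, "10.0.0.9": 64497}


if __name__ == "__main__":
    print("probes per source:", probes_by_source(SAMPLE_LOG.splitlines()))
    confirmed = correlate(build_sample_reports())
    print("bundled per ISP:", group_confirmed_by_isp(confirmed, SAMPLE_IP_TO_ASN))
```

Reading the thread's objection back into the code: `probes_by_source` alone is the "mail the ISP per hit" approach that would flood postmaster addresses, while `correlate` plus `group_confirmed_by_isp` is the clearing-house shape, where a single server's observation never triggers a report on its own and the host seen by only three ASes is dropped.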
Re: Apache to rewrite or not ..
On March 30, 2003 10:34 pm, Rudi Starcevic wrote:
> In my apache error log we have a lot of requests for i) default.ida and
> ii) cmd.exe
> In Linux this appears to be pretty much harmless - I think.
> It is however annoying and I'm wondering whether or not to do anything
> about it.

I used to redirect these requests to www.microsoft.com. I doubt that the worm actually honours such a redirect but at least it made me happy at the time.

-- 
Fraser Campbell <[EMAIL PROTECTED]>                 http://wehave.net/
Brampton, Ontario, Canada                              Debian GNU/Linux
Re: Apache to rewrite or not ..
On Sun, 2003-03-30 at 22:34, Rudi Starcevic wrote:
> Hi,
>
> In my apache error log we have a lot of requests for i) default.ida and
> ii) cmd.exe
[...]
> I think all I can really do is use mod_rewrite to send these requests to
> another page,
> like a friendly page which tells the hacker where to go ;-)

it is most likely a worm (nimda, code red, or one of their variants) and not an actual person. if you're feeling ambitious, you could log these hits and report them to the ISP they came from, so the ISP can contact the owner of the machine and inform them that they are infected with a worm of some sort.

there are a number of scripts written that you can set up to answer on those URLs to "hack back" and disable the machine that's trying to infect you, but i don't suggest doing this, as doing so will eventually get you in a lot of trouble.

-- 
Fred Smith <[EMAIL PROTECTED]>
Divided Sky Internet