Re: possible cracking attempt
Thanks for all of the information it was very informative. -- Sean Malloy Registered GNU/Linux User #417855 Happy Hacking! ;-) www.catgrepsort.com
Re: possible cracking attempt
Theo de Raadt wrote: Sure, but people with Walmart jobs are a whole lot less dangerous... talk about vendor lock-in! http://reclaimdemocracy.org/walmart/workers_locked_in.html
Re: possible cracking attempt
"Nick !" <[EMAIL PROTECTED]> writes: > On 02 Apr 2007 03:16:20 +0200, Artur Grabowski <[EMAIL PROTECTED]> wrote: > > "Nick !" <[EMAIL PROTECTED]> writes: > > > > > Anyway, "/htdocs/thisdoesnotexistahaha.php" and > > > '/w00tw00t.at.ISC.SANS.DFind:)" show that it's just some kid learning > > > the ropes. I wouldn't want to report him. > > > > Why not? Beat them up when they are young and maybe they'll learn to > > behave. You can't teach an old dog new tricks, so you have to catch > > him when he's still young. > > Oh well that's no fun. If you do that you just turn him (or her, in > rare lucky cases) into a burned out, angry and paranoid shell. There's > no creativity in that. > And you can't protect yourself from a cracker unless you can think > like a cracker etc, etc, other practicality-based arguments, etc. > But mostly that it's no fun. Actually, it is quite a lot of fun. At work we've dealt with numerous wannabe crackers by simply calling their mom. And in cases where it didn't work, by having our lawyer call them and their mom. Watching a kid that tried to hurt you pee his pants is very amusing. //art
Re: possible cracking attempt
> > > Anyway, "/htdocs/thisdoesnotexistahaha.php" and > > > '/w00tw00t.at.ISC.SANS.DFind:)" show that it's just some kid learning > > > the ropes. I wouldn't want to report him. > > > > Why not? Beat them up when they are young and maybe they'll learn to > > behave. You can't teach an old dog new tricks, so you have to catch > > him when he's still young. > > Oh well that's no fun. If you do that you just turn him (or her, in > rare lucky cases) into a burned out, angry and paranoid shell. Sure, but people with Walmart jobs are a whole lot less dangerous...
Re: possible cracking attempt
On 02 Apr 2007 03:16:20 +0200, Artur Grabowski <[EMAIL PROTECTED]> wrote: "Nick !" <[EMAIL PROTECTED]> writes: > Anyway, "/htdocs/thisdoesnotexistahaha.php" and > '/w00tw00t.at.ISC.SANS.DFind:)" show that it's just some kid learning > the ropes. I wouldn't want to report him. Why not? Beat them up when they are young and maybe they'll learn to behave. You can't teach an old dog new tricks, so you have to catch him when he's still young. Oh well that's no fun. If you do that you just turn him (or her, in rare lucky cases) into a burned out, angry and paranoid shell. There's no creativity in that. And you can't protect yourself from a cracker unless you can think like a cracker etc, etc, other practicality-based arguments, etc. But mostly that it's no fun. -Nick p.s. By the way, I love your rant.html
Re: possible cracking attempt
"Nick !" <[EMAIL PROTECTED]> writes: > Anyway, "/htdocs/thisdoesnotexistahaha.php" and > '/w00tw00t.at.ISC.SANS.DFind:)" show that it's just some kid learning > the ropes. I wouldn't want to report him. Why not? Beat them up when they are young and maybe they'll learn to behave. You can't teach an old dog new tricks, so you have to catch him when he's still young. //art
Re: possible cracking attempt
Nick ! wrote: On 4/1/07, Pawel S. Veselov <[EMAIL PROTECTED]> wrote: > On 4/1/07, Sean Malloy <[EMAIL PROTECTED]> wrote: >> I just installed OpenBSD on my server in early March 2007. I am >> running an Apache web server out of my house. I am tracking 4.0 STABLE >> which I updated the day after the latest security advisory. I recently >> noticed some peculiar entries in my Apache error and access logs. >> u >> From /var/www/logs/error_log: >> >> [Sat Mar 31 07:35:07 2007] [error] [client 211.100.33.61] File does >> not exist: /htdocs/Provy_OK.html I used to have my logs scanned for these entries, and report them to the authorities responsible for source IP addresses. Most of them would go to SBC or Comcast, but some would go to small networks who do like knowing that their systems are infected or are used for hacking. How? How could you automate ID'ing these? If you used some sort of heuristic method you risk blacklisting innocent users. I wasn't blacklisting myself, only reporting to what supposedly was an authority. I was using RIPE and whois.abuse.org, until it became too cumbersome to figure out what is the email address complains should be sent to. Just looking over what I had then, I now stumbled on this article: http://www.ripe.net/db/news/abuse-proposal-20050331.html which supposedly should help finding the abuse email address easier, though I failed to find an email for my own ip :) Anyway, "/htdocs/thisdoesnotexistahaha.php" and '/w00tw00t.at.ISC.SANS.DFind:)" show that it's just some kid learning the ropes. I wouldn't want to report him. and it probably wouldn't be paid much attention to until it becomes a regular activity with enough complaints. However, I don't believe that large providers pay any real attention at all, due to the sheer volume of the complaints they receive. -- Pawel.
Re: possible cracking attempt
On 4/1/07, Pawel S. Veselov <[EMAIL PROTECTED]> wrote: > On 4/1/07, Sean Malloy <[EMAIL PROTECTED]> wrote: >> I just installed OpenBSD on my server in early March 2007. I am >> running an Apache web server out of my house. I am tracking 4.0 STABLE >> which I updated the day after the latest security advisory. I recently >> noticed some peculiar entries in my Apache error and access logs. >> u >> From /var/www/logs/error_log: >> >> [Sat Mar 31 07:35:07 2007] [error] [client 211.100.33.61] File does >> not exist: /htdocs/Provy_OK.html I used to have my logs scanned for these entries, and report them to the authorities responsible for source IP addresses. Most of them would go to SBC or Comcast, but some would go to small networks who do like knowing that their systems are infected or are used for hacking. How? How could you automate ID'ing these? If you used some sort of heuristic method you risk blacklisting innocent users. Anyway, "/htdocs/thisdoesnotexistahaha.php" and '/w00tw00t.at.ISC.SANS.DFind:)" show that it's just some kid learning the ropes. I wouldn't want to report him. -Nick
Re: possible cracking attempt
Hello, Nick ! wrote: On 4/1/07, Sean Malloy <[EMAIL PROTECTED]> wrote: I just installed OpenBSD on my server in early March 2007. I am running an Apache web server out of my house. I am tracking 4.0 STABLE which I updated the day after the latest security advisory. I recently noticed some peculiar entries in my Apache error and access logs. u From /var/www/logs/error_log: [Sat Mar 31 07:35:07 2007] [error] [client 211.100.33.61] File does not exist: /htdocs/Provy_OK.html [ skipped ] I have not noticed any weirdness in any other logs files. What can I do to stop this from happening? Thanks in advance. You fundamentally can't stop it, based on the HTTP model. You could throw in some hacks like searching for suspiciousness like this and adding blocks to those addresses, but that's generally a bad idea because of all the endusers on DHCP. Just ignore it. So long as your system is actually secure you have nothing to worry about (except DDoS but there's no way to prevent that either). -Nick I used to have my logs scanned for these entries, and report them to the authorities responsible for source IP addresses. Most of them would go to SBC or Comcast, but some would go to small networks who do like knowing that their systems are infected or are used for hacking. -- Pawel.
Re: possible cracking attempt
On Sun, Apr 01, 2007 at 11:29:46PM +0100, Stuart Henderson wrote: > On 2007/04/01 23:51, Joachim Schipper wrote: > > > Mar 31 07:35:06.510869 rule 7/(match) pass out on sk0: > > > 192.168.1.200.80 > 211.100.33.61.18484: F 2034632638:2034632638(0) ack > > > 3247563101 win 17520 (DF) > > > > You should figure out what this means; your web server, presumably, is > > blocked by pf. > > huh? it says "PASS". > Woopsie... it does, of course. Sorry! Please ignore that part. Joachim -- PotD: x11/gnome/icon-theme - the base GNOME icon theme
Re: possible cracking attempt
On 2007/04/01 23:51, Joachim Schipper wrote: > > Mar 31 07:35:06.510869 rule 7/(match) pass out on sk0: > > 192.168.1.200.80 > 211.100.33.61.18484: F 2034632638:2034632638(0) ack > > 3247563101 win 17520 (DF) > > You should figure out what this means; your web server, presumably, is > blocked by pf. huh? it says "PASS".
Re: possible cracking attempt
On Sun, Apr 01, 2007 at 04:23:07PM -0500, Sean Malloy wrote: > I just installed OpenBSD on my server in early March 2007. I am > running an Apache web server out of my house. I am tracking 4.0 STABLE > which I updated the day after the latest security advisory. I recently > noticed some peculiar entries in my Apache error and access logs. > > From /var/www/logs/error_log: > > [Sat Mar 31 07:35:07 2007] [error] [client 211.100.33.61] File does > not exist: /htdocs/Provy_OK.html > [Sat Mar 31 07:40:20 2007] [error] [client 195.242.236.131] File does > not exist: /htdocs/thisdoesnotexistahaha.php > [Sat Mar 31 07:40:21 2007] [error] [client 195.242.236.131] File does > not exist: /htdocs/cmd.php > [Sat Mar 31 07:40:21 2007] [error] [client 195.242.236.131] File does > not exist: /htdocs/Cacti/cmd.php > [Sat Mar 31 07:40:22 2007] [error] [client 195.242.236.131] File does > not exist: /htdocs/cacti/cmd.php > [Sat Mar 31 07:40:22 2007] [error] [client 195.242.236.131] File does > not exist: /htdocs/portal/cacti/cmd.php > [Sat Mar 31 07:40:22 2007] [error] [client 195.242.236.131] File does > not exist: /htdocs/portal/cmd.php > [Sat Mar 31 07:40:23 2007] [error] [client 195.242.236.131] File does > not exist: /htdocs/stats/cmd.php > [Sun Apr 1 00:11:32 2007] [error] [client 212.31.237.145] client sent > HTTP/1.1 request without hostname (see RFC2616 section 14.23): > /w00tw00t.at.ISC.SANS.DFind:) Yes, that's a scan. Nothing to worry about. > From /var/www/logs/access_log: > > 211.100.33.61 - - [31/Mar/2007:07:35:07 -0500] "GET > http://check.70.94.14.65.v.80.pdx8.super.proxy.scanner.ii.9966.org/Provy_OK.html > HTTP/1.1" > 404 219 "-" "-" > 195.242.236.131 - - [31/Mar/2007:07:40:20 -0500] "GET > /thisdoesnotexistahaha.php HTTP/1.1" 404 231 "-" "Mozilla/4.0 > (compatible; MSIE 6.0; Win > dows 98)" > 195.242.236.131 - - [31/Mar/2007:07:40:21 -0500] "GET /cmd.php > HTTP/1.1" 404 213 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)" > 195.242.236.131 - - [31/Mar/2007:07:40:21 -0500] "GET /Cacti/cmd.php > HTTP/1.1" 404 219 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)" > 195.242.236.131 - - [31/Mar/2007:07:40:22 -0500] "GET /cacti/cmd.php > HTTP/1.1" 404 219 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)" > 195.242.236.131 - - [31/Mar/2007:07:40:22 -0500] "GET > /portal/cacti/cmd.php HTTP/1.1" 404 226 "-" "Mozilla/4.0 (compatible; > MSIE 6.0; Windows > 98)" > 195.242.236.131 - - [31/Mar/2007:07:40:22 -0500] "GET /portal/cmd.php > HTTP/1.1" 404 220 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)" > 195.242.236.131 - - [31/Mar/2007:07:40:23 -0500] "GET /stats/cmd.php > HTTP/1.1" 404 219 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)" > 212.31.237.145 - - [01/Apr/2007:00:11:32 -0500] "GET > /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 335 "-" "-" > > Relevant sections from /var/log/pflog: > > Mar 31 07:35:05.505194 rule 7/(match) pass in on sk0: > 211.100.33.61.18484 > 192.168.1.200.80: S 948480759:948480759(0) win > 5840 (DF) > Mar 31 07:35:06.012233 rule 7/(match) pass in on sk0: > 211.100.33.61.19843 > 192.168.1.200.80: S 948885882:948885882(0) win > 5840 (DF) > Mar 31 07:35:06.510805 rule 7/(match) pass in on sk0: > 211.100.33.61.18484 > 192.168.1.200.80: F 1995884956:1995884956(0) ack > 3143126464 win 5840 (DF) > Mar 31 07:35:06.510826 rule 7/(match) pass out on sk0: > 192.168.1.200.80 > 211.100.33.61.18484: . ack 3247563101 win 17520 > (DF) > Mar 31 07:35:06.510869 rule 7/(match) pass out on sk0: > 192.168.1.200.80 > 211.100.33.61.18484: F 2034632638:2034632638(0) ack > 3247563101 win 17520 (DF) You should figure out what this means; your web server, presumably, is blocked by pf. That means that the web server is doing something you didn't think it should when writing the rules. What is that? (Hard to say without access to pf.conf...) > > I have not noticed any weirdness in any other logs files. What can I > do to stop this from happening? Thanks in advance. Not much, it's just background noise. Keep patched, and ignore it. Joachim -- TFMotD: fflagstostr, strtofflags (3) - convert between file flag bits and their string names
Re: possible cracking attempt
On 4/1/07, Sean Malloy <[EMAIL PROTECTED]> wrote: I just installed OpenBSD on my server in early March 2007. I am running an Apache web server out of my house. I am tracking 4.0 STABLE which I updated the day after the latest security advisory. I recently noticed some peculiar entries in my Apache error and access logs. u From /var/www/logs/error_log: [Sat Mar 31 07:35:07 2007] [error] [client 211.100.33.61] File does not exist: /htdocs/Provy_OK.html [Sat Mar 31 07:40:20 2007] [error] [client 195.242.236.131] File does not exist: /htdocs/thisdoesnotexistahaha.php [Sat Mar 31 07:40:21 2007] [error] [client 195.242.236.131] File does not exist: /htdocs/cmd.php [Sat Mar 31 07:40:21 2007] [error] [client 195.242.236.131] File does not exist: /htdocs/Cacti/cmd.php [Sat Mar 31 07:40:22 2007] [error] [client 195.242.236.131] File does not exist: /htdocs/cacti/cmd.php [Sat Mar 31 07:40:22 2007] [error] [client 195.242.236.131] File does not exist: /htdocs/portal/cacti/cmd.php [Sat Mar 31 07:40:22 2007] [error] [client 195.242.236.131] File does not exist: /htdocs/portal/cmd.php [Sat Mar 31 07:40:23 2007] [error] [client 195.242.236.131] File does not exist: /htdocs/stats/cmd.php [Sun Apr 1 00:11:32 2007] [error] [client 212.31.237.145] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:) From /var/www/logs/access_log: 211.100.33.61 - - [31/Mar/2007:07:35:07 -0500] "GET http://check.70.94.14.65.v.80.pdx8.super.proxy.scanner.ii.9966.org/Provy_OK.html HTTP/1.1" 404 219 "-" "-" 195.242.236.131 - - [31/Mar/2007:07:40:20 -0500] "GET /thisdoesnotexistahaha.php HTTP/1.1" 404 231 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Win dows 98)" I have not noticed any weirdness in any other logs files. What can I do to stop this from happening? Thanks in advance. You fundamentally can't stop it, based on the HTTP model. You could throw in some hacks like searching for suspiciousness like this and adding blocks to those addresses, but that's generally a bad idea because of all the endusers on DHCP. Just ignore it. So long as your system is actually secure you have nothing to worry about (except DDoS but there's no way to prevent that either). -Nick
