Re: [newbie] giving up the ship?
I stopped ipchains with service ipchains stop then service iptables start, but it's still broken. Is ipchains broken? Why is this software defective and how do I fix it? I wish they would write software that works; this is very frustrating when someone can't write proper software! :(

...

]# iptables -A INPUT -s 65.192.141.115 -j DROP
/lib/modules/2.4.18-6mdk/kernel/net/ipv4/netfilter/ip_tables.o.gz: init_module: Device or resource busy
Hint: insmod errors can be caused by incorrect module parameters, including invalid IO or IRQ parameters
modprobe: insmod /lib/modules/2.4.18-6mdk/kernel/net/ipv4/netfilter/ip_tables.o.gz failed
modprobe: insmod ip_tables failed
iptables v1.2.5: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
[root@localhost Desktop]#

__
Do you Yahoo!?
New DSL Internet Access from SBC Yahoo!
http://sbc.yahoo.com

Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com
Re: [newbie] giving up the ship?
On Fri, 20 Sep 2002 21:43:48 -0700 (PDT), Ibly Piblo [EMAIL PROTECTED] wrote:

> How do you block Nimda attacks from your logs? Really, now, there must be a way, I have tried script after script, I am still getting attacked by this IP: 65.192.141.115
> Who are these criminals?

Usually they're not criminals, they're just idiots.

a) they're running IIS so they're not the sharpest tool in the box
b) they've not paid any attention to the media outpourings over the last 12 months about Nimda, Code Red, IIS viruses in general
c) they haven't taken the trouble to follow up on the reports and find and install any protection
d) they're paying no attention to the behaviour of their server and the fact that it's probably running like an asthmatic snail at the moment

> I guess you just can't run a web server anymore.

Oh yes you can. Remember that these attacks generate IP addresses then attempt to connect to them on port 80. I moved my server from port 80 to port 81 about 6 months ago. Prior to that I was getting Nimda/Code Red hits in the logs every hour. Since then I've had ONE dodgy access that was someone attempting to use me as a proxy!

Now people just access my website as http://www.domain.com:81/page.html rather than http://www.domain.com/page.html

I live in peace once more :-)

Jon
Re: [newbie] giving up the ship?
Thank you Mr. Slater, is this what it is supposed to say?

# iptables -A INPUT -s 65.192.141.115 -j DROP
/lib/modules/2.4.18-6mdk/kernel/net/ipv4/netfilter/ip_tables.o.gz: init_module: Device or resource busy
Hint: insmod errors can be caused by incorrect module parameters, including invalid IO or IRQ parameters
modprobe: insmod /lib/modules/2.4.18-6mdk/kernel/net/ipv4/netfilter/ip_tables.o.gz failed
modprobe: insmod ip_tables failed
iptables v1.2.5: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
[root@localhost ]
Re: [newbie] giving up the ship?
----- Original Message -----
From: Todd Slater [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, September 21, 2002 1:12 AM
Subject: Re: [newbie] giving up the ship?

> On Fri, 20 Sep 2002 21:43:48 -0700 (PDT) Ibly Piblo [EMAIL PROTECTED] wrote:
>
> > How do you block Nimda attacks from your logs? Really, now, there must be a way, I have tried script after script, I am still getting attacked by this IP: 65.192.141.115
>
> Use iptables.
>
> iptables -A INPUT -s 65.192.141.115 -j DROP
>
> snip
>
> > Isn't there something easier, a script I can just download and install? I use one that was posted on this list a while ago. I'm going to aggressively fight back, if there is a script that I can put in my /bin directory that will scan my /var/tmp/blocked file and instead of just ipchain-ing them out, (INEFFECTIVE!) it will shut them down, it is the only way.
>
> I believe Civileme posted a link to a page on PLF that contained such a script. Check the archives.
>
> > It is annoying. I've been hit by 81 infected computers in a little over 2 weeks.
>
> If you drop them, they should not be showing up in your http logs. iptables gets flushed every time you restart--could that be it? I run this if I have to restart:
>
> #!/bin/bash
> for idiot in `cat /var/tmp/blocked`
> do
>     iptables -A INPUT -s "$idiot" -j DROP
> done
> exit
>
> HTH,
> Todd

Another option is to put the offending IP address in your apache commonhttpd.conf:

Order allow,deny
Allow from all
Deny from 65.192.141.115

You can list as many as you want. Then restart Apache.

Once a week I go thru my logs and add the newest worst offenders, and remove those that are over 2 months old.

Roy Murray
www.ServiceTechHelp.com
www.roymurray.net
Linux Registered User 243148
Re: [newbie] giving up the ship?
On Sat, 21 Sep 2002 15:28:46 -0700 (PDT) Ibly Piblo [EMAIL PROTECTED] wrote:

> Thank you Mr. Slater, is this what it is supposed to say?
>
> # iptables -A INPUT -s 65.192.141.115 -j DROP
> /lib/modules/2.4.18-6mdk/kernel/net/ipv4/netfilter/ip_tables.o.gz: init_module: Device or resource busy
> Hint: insmod errors can be caused by incorrect module parameters, including invalid IO or IRQ parameters
> modprobe: insmod /lib/modules/2.4.18-6mdk/kernel/net/ipv4/netfilter/ip_tables.o.gz failed
> modprobe: insmod ip_tables failed
> iptables v1.2.5: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
> Perhaps iptables or your kernel needs to be upgraded.
> [root@localhost ]

You may have ipchains running instead of iptables. You may have to look at system services to see--stop ipchains and start iptables.

--
Todd Slater
Not currently listening to tunes
Intelligence appears to be the thing that enables a man to get along without education. Education enables a man to get along without the use of his intelligence. (Albert Edward Wiggam)
RE: [newbie] giving up the ship?
yep.. I actually have an IIS server for testing behind my linux box firewall.. the linux apache is on port 80, and the IIS box is on port 10001, (via port forwarding with IPTABLES in linux.) works great and my setup is protected.. (it has every patch anyway.. but I still don't trust it.)

Incidentally, changing ports doesn't stop tools like Nessus from working it out though.

rgds
frank

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jon
Sent: Saturday, 21 September 2002 10:08 PM
To: [EMAIL PROTECTED]
Subject: Re: [newbie] giving up the ship?

> On Fri, 20 Sep 2002 21:43:48 -0700 (PDT), Ibly Piblo [EMAIL PROTECTED] wrote:
>
> > How do you block Nimda attacks from your logs? Really, now, there must be a way, I have tried script after script, I am still getting attacked by this IP: 65.192.141.115
> > Who are these criminals?
>
> Usually they're not criminals, they're just idiots.
>
> a) they're running IIS so they're not the sharpest tool in the box
> b) they've not paid any attention to the media outpourings over the last 12 months about Nimda, Code Red, IIS viruses in general
> c) they haven't taken the trouble to follow up on the reports and find and install any protection
> d) they're paying no attention to the behaviour of their server and the fact that it's probably running like an asthmatic snail at the moment
>
> > I guess you just can't run a web server anymore.
>
> Oh yes you can. Remember that these attacks generate IP addresses then attempt to connect to them on port 80. I moved my server from port 80 to port 81 about 6 months ago. Prior to that I was getting Nimda/Code Red hits in the logs every hour. Since then I've had ONE dodgy access that was someone attempting to use me as a proxy!
>
> Now people just access my website as http://www.domain.com:81/page.html rather than http://www.domain.com/page.html
>
> I live in peace once more :-)
>
> Jon
Re: [newbie] giving up the ship?
On Fri, 20 Sep 2002 21:43:48 -0700 (PDT) Ibly Piblo [EMAIL PROTECTED] wrote:

> How do you block Nimda attacks from your logs? Really, now, there must be a way, I have tried script after script, I am still getting attacked by this IP: 65.192.141.115

Use iptables.

iptables -A INPUT -s 65.192.141.115 -j DROP

snip

> Isn't there something easier, a script I can just download and install? I use one that was posted on this list a while ago. I'm going to aggressively fight back, if there is a script that I can put in my /bin directory that will scan my /var/tmp/blocked file and instead of just ipchain-ing them out, (INEFFECTIVE!) it will shut them down, it is the only way.

I believe Civileme posted a link to a page on PLF that contained such a script. Check the archives.

> It is annoying. I've been hit by 81 infected computers in a little over 2 weeks.

If you drop them, they should not be showing up in your http logs. iptables gets flushed every time you restart--could that be it? I run this if I have to restart:

#!/bin/bash
for idiot in `cat /var/tmp/blocked`
do
    iptables -A INPUT -s "$idiot" -j DROP
done
exit

HTH,
Todd

--
Todd Slater
Not currently listening to tunes
My grandmother wanted me to have an education, so she kept me out of school. (Margaret Mead)
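Todd's blocklist loader (above, and as quoted in Roy's reply) hands every line of /var/tmp/blocked to iptables as root without looking at it, and /var/tmp is normally world-writable. As an added example that is not from the thread, here is a POSIX sh version of the same idea that only emits a DROP rule for lines that are a valid dotted-quad IPv4 address, so a malformed or tampered entry cannot add extra arguments to the command; the function names, the DRY_RUN variable and the blocklist path are my own choices.

```shell
#!/bin/sh
# Added example, not from the list thread. Reads a blocklist (one IPv4
# address per line, '#' comments allowed) and emits or applies DROP rules,
# but only for lines that are a valid dotted quad. Anything else is
# reported on stderr and skipped, so a tampered line in a world-writable
# /var/tmp file cannot smuggle extra arguments into iptables.

# valid_ipv4 ADDR: exit 0 if ADDR is exactly four octets, each 0-255
valid_ipv4() {
    addr=$1
    case $addr in
        ""|*[!0-9.]*|*..*|.*|*.) return 1 ;;   # digits and single dots only
    esac
    old_ifs=$IFS; IFS=.
    set -- $addr                               # split into octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# blocklist_rules FILE: print one iptables command per valid entry
blocklist_rules() {
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                       # drop trailing comment
        line=$(printf '%s' "$line" | tr -d ' \t')
        [ -z "$line" ] && continue
        if valid_ipv4 "$line"; then
            printf 'iptables -A INPUT -s %s -j DROP\n' "$line"
        else
            printf 'skipping invalid blocklist entry: %s\n' "$line" >&2
        fi
    done < "$1"
}

# apply_blocklist FILE: run the rules, or only print them when DRY_RUN=1
apply_blocklist() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        blocklist_rules "$1"
    else
        blocklist_rules "$1" | sh
    fi
}

# Usage (assumed path, as in the thread): DRY_RUN=1 apply_blocklist /var/tmp/blocked
```

Run it from a boot script the same way Todd does, but keep the blocklist in a root-owned directory rather than /var/tmp if you can.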
Re: [newbie] giving up the ship?
Unless I'm mistaken, what you are suggesting to do is illegal in most barrios, but if you snoop around in the right places I'm sure you can find someone to play enabler to your skr1p7 k1dd33 lusts. Don't expect anyone on this list to give you some magic script that thwarts the bad guys. Just firewall that crap off and ignore it.

But since they are sending out stuff...

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on (65.192.141.115):
(The 1591 ports scanned but not shown below are in state: closed)
Port       State     Service
135/tcp    filtered  loc-srv
136/tcp    filtered  profile
137/tcp    filtered  netbios-ssn
138/tcp    filtered  netbios-ssn
139/tcp    filtered  netbios-ssn
445/tcp    open      microsoft-ds
1025/tcp   open      NFS-or-IIS
5000/tcp   open      UPnP
6346/tcp   filtered  gnutella
6699/tcp   filtered  napster
No exact OS matches for host (If you know what OS is running on it, see http://www.insecure.org/ fingerprint:

run completed -- 1 IP address (1 host up) scanned in 46 seconds

On Fri, 2002-09-20 at 23:43, Ibly Piblo wrote:

> How do you block Nimda attacks from your logs? Really, now, there must be a way, I have tried script after script, I am still getting attacked by this IP: 65.192.141.115
>
> Who are these criminals? They have no right attacking me like this! I can't whois them or traceroute, or samspade them, it is not fair. I guess you just can't run a web server anymore. Is there one good reason why I should not give up? I don't understand honeyport, it is too hard. Isn't there something easier, a script I can just download and install? Surely, by now, someone has invented a more effective method, surely, I mean, are all the world's webmasters just going to sit down, and take it in the back? Is there a kind soul out there who would like to offer a script to this list that would retaliate by remotely shutting down the attacking server? This has got to stop, I have sat by for too long, and I don't intend to take this attacking any longer.
>
> I wish to thank all those who offered me the web pages of honeyport, thank you so much, but I'm looking for something that is more assertive, something that will *do* something, not just e-mail the admin only to be ignored, I'm not playing Mr. Nice any more.

--
jason
gmaestro.org