Re: F19: Is this an httpd attack attempt?
Tim writes:

> I've always configured all domains separately, and left the default
> service showing that pre-configuration Apache page that tells you that
> the service is alive, or just a basic page. That way, non-matching
> connections don't connect to /some/ virtual host, as if by accident.

While I don't use apache (I use lighttpd) I configure it the same way.
Non-matching vhosts get a bland "you lose, now move along" page.

-wolfgang

--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
Re: F19: Is this an httpd attack attempt?
Allegedly, on or about 05 March 2014, Wolfgang S. Rupprecht sent:

> 2) apache has (to my mind) a minor bug where it serves pages from the
> first vhost if you ask for an unknown vhost.

In the absence of a matching virtual host, it returns the default
service. The same as if you'd requested a connection to just the
numerical IP address, without any hostname.

I've always configured all domains separately, and left the default
service showing that pre-configuration Apache page that tells you that
the service is alive, or just a basic page. That way, non-matching
connections don't connect to /some/ virtual host, as if by accident.

--
[tim@localhost ~]$ uname -rsvp
Linux 3.9.10-100.fc17.x86_64 #1 SMP Sun Jul 14 01:31:27 UTC 2013 x86_64

All mail to my mailbox is automatically deleted, there is no point
trying to privately email me, I will only read messages posted to the
public lists.

George Orwell's '1984' was supposed to be a warning against tyranny, not
a set of instructions for supposedly democratic governments.
Re: F19: Is this an httpd attack attempt?
Tom Rivers writes:

> On 3/5/2014 10:45, Tom Rivers wrote:
>> Now that I had successfully simulated the attack signature in the
>> log file of the proxy web server, I logged into the target web
>> server and looked at its access log. Thankfully I found no log of
>> any activity from my XXX.XXX.XXX.XXX workstation IP. Not wanting to
>> leave any stone unturned, I did a "tail -f" on the log file of the
>> target web server and performed the same test again. I got the same
>> results.
>
> Sorry, it's a busy day at work and I wasn't as clear as I should have
> been in this last paragraph. What I should've said is that there were
> no entries in the log file of the target web server referencing the
> attempted "attack" for either the IP of my workstation or the IP of
> the proxy web server.

Tom, thank you very much for your effort and time investigating and
sharing this!

--
Fedora release 20 (Heisenbug)
Re: F19: Is this an httpd attack attempt?
Tim writes:

> Allegedly, on or about 05 March 2014, lee sent:
>> Could someone please explain why/how this may be considered as an
>> attack or at least as something bad?
>
> Have a look at the log line that the original poster sent:
>
> 185.4.227.194 - - [03/Mar/2014:07:27:49 -0800] "GET
> http://24x7-allrequestsallowed.com/?PHPSESSID=1rmsxtj500143TRMUTP_ODZZWA
> HTTP/1.1" 200 5264 "-" "-"
>
> look above here, where the carets are at the end of these hyphens
> -^^^
>
> That "200" means a successful result, rather than a failure. In other
> words, what they tried to do, they did.

Yes --- I was wondering if perhaps some sort of error page might have
been served.

>> Someone requesting an URL from a web server that doesn't serve this
>> URL --- or doesn't serve the specified domain at all --- could be
>> caused by incorrect responses from name servers, couldn't it?
>
> Not like that. Say, for example, I try to get this page from a
> website: www.example.com/pages/test.html The browser will connect to
> example.com (presuming that DNS is working), and then it will try to
> GET /pages/test.html. The domain name will not be in the GET request.
>
> e.g. That log line would have looked like:
>
> 185.4.227.194 - - [03/Mar/2014:07:27:49 -0800] "GET
> /?PHPSESSID=1rmsxtj500143TRMUTP_ODZZWA HTTP/1.1" 200 5264 "-" "-"
>
> As a more normal use of a webserver.

I see what you mean, the entries in my log file look like that.

As Tom Rivers pointed out in his posts, his tests have shown that
someone might have used the web server as a proxy. Now there is
probably no way to determine whether what caused this log entry was
actually an attack or not, or is there?

--
Fedora release 20 (Heisenbug)
Re: F19: Is this an httpd attack attempt?
lee writes:

> "Wolfgang S. Rupprecht" writes:
>
>> lee writes:
>>> Could someone please explain why/how this may be considered as an attack
>>> or at least as something bad? Someone requesting an URL from a web
>>> server that doesn't serve this URL --- or doesn't serve the specified
>>> domain at all --- could be caused by incorrect responses from name
>>> servers, couldn't it?
>>>
>>> What is it in particular that would distinguish the request in question
>>> from others?
>>
>> This is not an attack, but someone fishing for information. I
>> understand that apache in some modes give you the first configured vhost
>> when encountering a query like that. Someone wanted to see if there
>> was something juicy lying around. The server served the URL
>> "http:///"
>> which was the index.{html,htm,php,etc} file in the vhost0 root directory.
>
> Sorry, I still don't understand. You seem to imply that any request to
> a web server which, for whatever reason, doesn't serve the request or
> doesn't serve for the domain given in the request --- I'm not sure which
> is in question here: the domain or the request --- can be considered as
> an attempt to obtain information the requester is not supposed to have.
>
> So far, my understanding has been that the requester is supposed to
> receive a 4xx or 5xx error message/code when the server does not want to
> or can not serve the request.
>
> For instances when the web server gives a wrong answer to a request it
> does not serve --- like sending the index page used with requests for a
> different domain instead of indicating an error --- someone has
> misconfigured the server, or there is a bug in the server. Neither has
> anything to do with the sender of the request, other than that they
> receive a wrong answer. It's not the fault of the sender of the request
> when the web server sends the wrong answer.

I don't know how to say it more precisely.

1) this is not an exploit.
2) apache has (to my mind) a minor bug where it serves pages from the
   first vhost if you ask for an unknown vhost.
3) the request in the initial post was for the page at the root of the
   directory tree often called /index.html .
4) the request was successfully served hence the 200 return code.

-wolfgang
Re: F19: Is this an httpd attack attempt?
On 3/5/2014 10:45, Tom Rivers wrote:
> Now that I had successfully simulated the attack signature in the
> log file of the proxy web server, I logged into the target web
> server and looked at its access log. Thankfully I found no log of
> any activity from my XXX.XXX.XXX.XXX workstation IP. Not wanting to
> leave any stone unturned, I did a "tail -f" on the log file of the
> target web server and performed the same test again. I got the same
> results.

Sorry, it's a busy day at work and I wasn't as clear as I should have
been in this last paragraph. What I should've said is that there were
no entries in the log file of the target web server referencing the
attempted "attack" for either the IP of my workstation or the IP of
the proxy web server.

Sorry for the confusion.

Tom
Re: F19: Is this an httpd attack attempt?
On 3/5/2014 09:41, Tim wrote:
> Allegedly, on or about 05 March 2014, lee sent:
>> Could someone please explain why/how this may be considered as an
>> attack or at least as something bad?
>
> Have a look at the log line that the original poster sent:
>
> 185.4.227.194 - - [03/Mar/2014:07:27:49 -0800] "GET
> http://24x7-allrequestsallowed.com/?PHPSESSID=1rmsxtj500143TRMUTP_ODZZWA
> HTTP/1.1" 200 5264 "-" "-"
>
> look above here, where the carets are at the end of these hyphens
> -^^^
>
> That "200" means a successful result, rather than a failure. In other
> words, what they tried to do, they did.

I've been following this discussion and decided to do some digging
myself because I run several web servers and security is important to
me. I want to share what I've found to hopefully help determine what is
happening here and ensure all of us are adequately protected.

Since I have two Linux web servers at my disposal, I used one as the
proxy host and one as the target host so I could examine the logs of
both servers and see what really happened. The first thing I needed to
do is replicate the attempt. After poking around a bit, I came across
the following example that anyone can use to simulate this "attack":

curl -x proxyhostdomainname:80 http://targethostdomainname

Executing this command makes a request to the proxyhostdomainname
server and asks it to fetch the page at the targethostdomainname
server. After executing this command, I got the following output in the
apache server access log on the proxyhostdomainname server:

XXX.XXX.XXX.XXX - - [05/Mar/2014:09:29:31 -0600] "GET http://targethostdomainname HTTP/1.1" 200 199

The address XXX.XXX.XXX.XXX corresponds to the third Linux system I was
using to simulate the attack. I also noted that the HTML source of the
default page hosted at proxyhostdomainname was displayed in my terminal
screen as a result of the curl command.

Now that I had successfully simulated the attack signature in the log
file of the proxy web server, I logged into the target web server and
looked at its access log. Thankfully I found no log of any activity
from my XXX.XXX.XXX.XXX workstation IP. Not wanting to leave any stone
unturned, I did a "tail -f" on the log file of the target web server
and performed the same test again. I got the same results.

Tom
Re: F19: Is this an httpd attack attempt?
"Wolfgang S. Rupprecht" writes:

> lee writes:
>> Could someone please explain why/how this may be considered as an attack
>> or at least as something bad? Someone requesting an URL from a web
>> server that doesn't serve this URL --- or doesn't serve the specified
>> domain at all --- could be caused by incorrect responses from name
>> servers, couldn't it?
>>
>> What is it in particular that would distinguish the request in question
>> from others?
>
> This is not an attack, but someone fishing for information. I
> understand that apache in some modes give you the first configured vhost
> when encountering a query like that. Someone wanted to see if there
> was something juicy lying around. The server served the URL
> "http:///"
> which was the index.{html,htm,php,etc} file in the vhost0 root directory.

Sorry, I still don't understand. You seem to imply that any request to
a web server which, for whatever reason, doesn't serve the request or
doesn't serve for the domain given in the request --- I'm not sure which
is in question here: the domain or the request --- can be considered as
an attempt to obtain information the requester is not supposed to have.

So far, my understanding has been that the requester is supposed to
receive a 4xx or 5xx error message/code when the server does not want to
or can not serve the request.

For instances when the web server gives a wrong answer to a request it
does not serve --- like sending the index page used with requests for a
different domain instead of indicating an error --- someone has
misconfigured the server, or there is a bug in the server. Neither has
anything to do with the sender of the request, other than that they
receive a wrong answer. It's not the fault of the sender of the request
when the web server sends the wrong answer.

--
Fedora release 20 (Heisenbug)
Re: F19: Is this an httpd attack attempt?
Allegedly, on or about 05 March 2014, lee sent:
> Could someone please explain why/how this may be considered as an
> attack or at least as something bad?

Have a look at the log line that the original poster sent:

185.4.227.194 - - [03/Mar/2014:07:27:49 -0800] "GET
http://24x7-allrequestsallowed.com/?PHPSESSID=1rmsxtj500143TRMUTP_ODZZWA
HTTP/1.1" 200 5264 "-" "-"

look above here, where the carets are at the end of these hyphens
-^^^

That "200" means a successful result, rather than a failure. In other
words, what they tried to do, they did. You'd want nefarious attempts
to fail. If it failed, there'd be a different HTTP response code, there
(one of the four-hundreds or five-hundreds, depending on whether it's a
client error, or server error).

> Someone requesting an URL from a web server that doesn't serve this
> URL --- or doesn't serve the specified domain at all --- could be
> caused by incorrect responses from name servers, couldn't it?

Not like that. Say, for example, I try to get this page from a
website: www.example.com/pages/test.html The browser will connect to
example.com (presuming that DNS is working), and then it will try to
GET /pages/test.html. The domain name will not be in the GET request.

e.g. That log line would have looked like:

185.4.227.194 - - [03/Mar/2014:07:27:49 -0800] "GET
/?PHPSESSID=1rmsxtj500143TRMUTP_ODZZWA HTTP/1.1" 200 5264 "-" "-"

As a more normal use of a webserver. Even requests made of virtual
hosts, don't put the domain name into the GET request. Hostnames are
handled elsewhere in the connection (during the connection, not at the
request after the connection).

And even something like crap webmastering/typing, that did something
wrong like trying to connect to:

http://www.example.com/http://www.example.com/pages/test.html

Would result in a different appearance in the log. You'd see it
prepended with a slash, and a 404 error code instead of 200.

192.168.1.181 - - [06/Mar/2014:01:06:17 +1030] "GET /http://www.example.com/pages/test.html. HTTP/1.1" 404 407 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.117 Safari/537.36"
Re: F19: Is this an httpd attack attempt?
lee writes:

> Could someone please explain why/how this may be considered as an attack
> or at least as something bad? Someone requesting an URL from a web
> server that doesn't serve this URL --- or doesn't serve the specified
> domain at all --- could be caused by incorrect responses from name
> servers, couldn't it?
>
> What is it in particular that would distinguish the request in question
> from others?

This is not an attack, but someone fishing for information. I
understand that apache in some modes give you the first configured vhost
when encountering a query like that. Someone wanted to see if there
was something juicy lying around. The server served the URL
"http:///"
which was the index.{html,htm,php,etc} file in the vhost0 root directory.

-wolfgang
Re: F19: Is this an httpd attack attempt?
"eoconno...@gmail.com" writes:

> What's the best way to avoid/prevent this from happening?...
>
> - Reply message -
> From: "Mark Haney"
> To:
> Subject: F19: Is this an httpd attack attempt?
> Date: Mon, Mar 3, 2014 11:59 am
>
> On 03/03/14 11:42, Dan Thurman wrote:
>>
>> It looks to me like a successful indirect connection?
>>
>> The following is taken from /var/log/httpd/access_log
>>
>> 185.4.227.194 - - [03/Mar/2014:07:27:49 -0800] "GET
>> http://24x7-allrequestsallowed.com/?PHPSESSID=1rmsxtj500143TRMUTP_ODZZWA
>> HTTP/1.1" 200 5264 "-" "-"
>>
>
> It certainly looks that way. I see several of those kinds of GETs a
> day on our web servers. Not from that particular domain, but similar
> types of GETs.
>
> A quick google points to similar GET requests to that domain as far
> back as 2011, and the domain itself isn't live, just a placeholder for
> parked domain.

Could someone please explain why/how this may be considered as an attack
or at least as something bad? Someone requesting an URL from a web
server that doesn't serve this URL --- or doesn't serve the specified
domain at all --- could be caused by incorrect responses from name
servers, couldn't it?

What is it in particular that would distinguish the request in question
from others?

--
Fedora release 20 (Heisenbug)
Re: F19: Is this an httpd attack attempt?
On 03/03/2014 10:47 PM, Tim wrote:
> Allegedly, on or about 03 March 2014, Dan Thurman sent:
>> It looks to me like a successful indirect connection?
>>
>> The following is taken from /var/log/httpd/access_log
>>
>> 185.4.227.194 - - [03/Mar/2014:07:27:49 -0800] "GET
>> http://24x7-allrequestsallowed.com/?PHPSESSID=1rmsxtj500143TRMUTP_ODZZWA
>> HTTP/1.1" 200 5264 "-" "-"
>
> With a "GET" request that has a full URI rather than just a filepath to
> something within your own website, that looks like they're trying to
> use you as a proxy for whatever their nefarious aims are (which Apache
> *can* do, but doesn't have to). The "200" response means "okay," so it
> apparently succeeded with 5264 bytes being sent.
>
> Try the same sort of hack, yourself, on your own server, to see what it
> does. Though try getting some other website, not the one that's playing
> games with you.
>
> Since it's to a non-website, they may be pooling data of what fails and
> succeeds, so they can make use of it later. Which could be anything
> from doing a hack on you, using you as a sacrificial proxy for illegal
> activities, using you as a proxy to bypass state censorship, one of the
> white hat hackers researching statistics on unsafe webservers, or
> anything else that you can think of.
>
> Because you don't know their motives, I'd consider them as being bad,
> and worth doing something about. Unless you are purposely using the
> proxy features of Apache, disable them. If you are making use of them,
> then tighten up the configuration to only do what you want.

I found out that mod_proxy was installed on apache, so I disabled
mod_proxy and have yet to see any proxy attempts
Re: F19: Is this an httpd attack attempt?
03/03/2014 06:09 PM, Joe Zeff wrote:
> On 03/03/2014 05:40 PM, Dan Thurman wrote:
>> # Blacklist
>> order allow,deny
>> allow from all
>> deny from 85.25.196.141
>> deny from 85.25.226.154
>> deny from 146.185.239.100
>> deny from 185.4.227.194
>> deny from 192.99.2.75
>
> I'm not familiar with this, but I think I spotted a typo. Isn't it
> supposed to be ?

No, it is correct. The trailing slash means /, the document root.
Re: F19: Is this an httpd attack attempt?
Allegedly, on or about 03 March 2014, Dan Thurman sent:
> It looks to me like a successful indirect connection?
>
> The following is taken from /var/log/httpd/access_log
>
> 185.4.227.194 - - [03/Mar/2014:07:27:49 -0800] "GET
> http://24x7-allrequestsallowed.com/?PHPSESSID=1rmsxtj500143TRMUTP_ODZZWA
> HTTP/1.1" 200 5264 "-" "-"

With a "GET" request that has a full URI rather than just a filepath to
something within your own website, that looks like they're trying to
use you as a proxy for whatever their nefarious aims are (which Apache
*can* do, but doesn't have to). The "200" response means "okay," so it
apparently succeeded with 5264 bytes being sent.

Try the same sort of hack, yourself, on your own server, to see what it
does. Though try getting some other website, not the one that's playing
games with you.

Since it's to a non-website, they may be pooling data of what fails and
succeeds, so they can make use of it later. Which could be anything
from doing a hack on you, using you as a sacrificial proxy for illegal
activities, using you as a proxy to bypass state censorship, one of the
white hat hackers researching statistics on unsafe webservers, or
anything else that you can think of.

Because you don't know their motives, I'd consider them as being bad,
and worth doing something about. Unless you are purposely using the
proxy features of Apache, disable them. If you are making use of them,
then tighten up the configuration to only do what you want.
Re: F19: Is this an httpd attack attempt?
On 03/03/2014 05:40 PM, Dan Thurman wrote:
> # Blacklist
> order allow,deny
> allow from all
> deny from 85.25.196.141
> deny from 85.25.226.154
> deny from 146.185.239.100
> deny from 185.4.227.194
> deny from 192.99.2.75

I'm not familiar with this, but I think I spotted a typo. Isn't it
supposed to be ?
Re: F19: Is this an httpd attack attempt?
On 03/03/2014 05:40 PM, Dan Thurman issued this missive:
> On 03/03/2014 05:11 PM, Dan Thurman wrote:
>> On 03/03/2014 03:25 PM, Rick Stevens wrote:
>>> On 03/03/2014 02:06 PM, eoconno...@gmail.com issued this missive:
>>>> What's the best way to avoid/prevent this from happening?...
>>>
>>> Since the IP is part of a Turkish /24 network, odds are it's a hack
>>> attempt. If you don't care about servicing Turkey, you could block
>>> that IP space in your firewall. Pertinent information:
>>>
>>> inetnum:        185.4.227.0 - 185.4.227.255
>>> netname:        SAYFANET
>>> descr:          Istanbul DC Customer
>>> country:        TR
>>> admin-c:        KSM20-RIPE
>>> tech-c:         KSM20-RIPE
>>> status:         ASSIGNED PA
>>> mnt-by:         ER101-MNT
>>> source:         RIPE # Filtered
>>>
>>> ("whois 185.4.227.194" will give you the gory details), so add that
>>> /24 to your filter list. In the old days:
>>>
>>> iptables -I INPUT [some-rulenumber] -s 185.4.227.0/24 -j DROP
>>>
>>> It's difficult to weed out traffic selectively unless you have the
>>> ability to do a deep packet inspection and look at the actual
>>> request. Generally that equipment costs a good deal of .
>>>
>>>> - Reply message -
>>>> From: "Mark Haney"
>>>> To:
>>>> Subject: F19: Is this an httpd attack attempt?
>>>> Date: Mon, Mar 3, 2014 11:59 am
>>>>
>>>> On 03/03/14 11:42, Dan Thurman wrote:
>>>>>
>>>>> It looks to me like a successful indirect connection?
>>>>>
>>>>> The following is taken from /var/log/httpd/access_log
>>>>>
>>>>> 185.4.227.194 - - [03/Mar/2014:07:27:49 -0800] "GET
>>>>> http://24x7-allrequestsallowed.com/?PHPSESSID=1rmsxtj500143TRMUTP_ODZZWA
>>>>> HTTP/1.1" 200 5264 "-" "-"
>>>>>
>>>> It certainly looks that way. I see several of those kinds of GETs a
>>>> day on our web servers. Not from that particular domain, but similar
>>>> types of GETs.
>>>>
>>>> A quick google points to similar GET requests to that domain as far
>>>> back as 2011, and the domain itself isn't live, just a placeholder
>>>> for parked domain.
>>>>
>>>> --
>>>> Mark Haney
>>>> Network/Systems Administrator
>>>> Practichem
>>>> W: (919) 714-8428
>>>> Fedora release 20 (Heisenbug)
>>>> 3.13.4-200.fc20.x86_64
>>
>> Alternatively, one could add the following IPs to /etc/hosts.deny:
>>
>> ALL: 85.25.196.141
>> ALL: 85.25.226.154
>> ALL: 146.185.239.100
>> ALL: 185.4.227.194
>> ALL: 192.99.2.75
>>
>> [...]
>>
>> This works if the IPs are static but if IPs are from a pool, dynamic,
>> or spoofed, then one is out of luck chasing a tiger's tail?
>>
>> FWIW
>
> Ugh, Apache by default does not use the tcpwrappers unless recompiled.
>
> Another alternative is to append the following to
> /etc/httpd/conf/httpd.conf:
>
> # Blacklist
> order allow,deny
> allow from all
> deny from 85.25.196.141
> deny from 85.25.226.154
> deny from 146.185.239.100
> deny from 185.4.227.194
> deny from 192.99.2.75

The "deny" stuff in Apache will still show a machine at your IP address
because the attempt will generate a 401 or 403 error. I would still
recommend using the iptables/firewall thing so the machine simply
disappears from probes using their network.

Looking further at the whois data, that provider actually has a /22
network:

% Information related to '185.4.224.0/22AS197328'
route:          185.4.224.0/22

I'd block that whole /22 using the "-j DROP" option to iptables so your
machine doesn't even respond. Better yet, block it at your router if you
can. You really want your machine to disappear so you don't invite
further hack attempts. My firewalls all default to "-j DROP" for
unwanted access.

--
- Rick Stevens, Systems Engineer, AllDigital    ri...@alldigital.com -
- AIM/Skype: therps2    ICQ: 22643734    Yahoo: origrps2 -
--
- Brain: The organ with which we think that we think. -
--
Re: F19: Is this an httpd attack attempt?
On 03/03/2014 05:11 PM, Dan Thurman wrote:
> On 03/03/2014 03:25 PM, Rick Stevens wrote:
>> On 03/03/2014 02:06 PM, eoconno...@gmail.com issued this missive:
>>> What's the best way to avoid/prevent this from happening?...
>>
>> Since the IP is part of a Turkish /24 network, odds are it's a hack attempt. If you don't care about servicing Turkey, you could block that IP space in your firewall. Pertinent information:
>>
>> inetnum:        185.4.227.0 - 185.4.227.255
>> netname:        SAYFANET
>> descr:          Istanbul DC Customer
>> country:        TR
>> admin-c:        KSM20-RIPE
>> tech-c:         KSM20-RIPE
>> status:         ASSIGNED PA
>> mnt-by:         ER101-MNT
>> source:         RIPE # Filtered
>>
>> ("whois 185.4.227.194" will give you the gory details), so add that /24 to your filter list. In the old days:
>>
>> iptables -I INPUT [some-rulenumber] -s 185.4.227.0/24 -j DROP
>>
>> It's difficult to weed out traffic selectively unless you have the ability to do a deep packet inspection and look at the actual request. Generally that equipment costs a good deal of .
>>
>>> ----- Reply message -----
>>> From: "Mark Haney"
>>> To:
>>> Subject: F19: Is this an httpd attack attempt?
>>> Date: Mon, Mar 3, 2014 11:59 am
>>>
>>> On 03/03/14 11:42, Dan Thurman wrote:
>>>> It looks to me like a successful indirect connection?
>>>>
>>>> The following is taken from /var/log/httpd/access_log
>>>>
>>>> 185.4.227.194 - - [03/Mar/2014:07:27:49 -0800] "GET http://24x7-allrequestsallowed.com/?PHPSESSID=1rmsxtj500143TRMUTP_ODZZWA HTTP/1.1" 200 5264 "-" "-"
>>>
>>> It certainly looks that way. I see several of those kinds of GETs a day on our web servers. Not from that particular domain, but similar types of GETs. A quick google points to similar GET requests to that domain as far back as 2011, and the domain itself isn't live, just a placeholder for a parked domain.
>>>
>>> -- 
>>> Mark Haney
>>> Network/Systems Administrator
>>> Practichem
>>> W: (919) 714-8428
>>> Fedora release 20 (Heisenbug)
>>> 3.13.4-200.fc20.x86_64
>
> Alternatively, one could add the following IPs to /etc/hosts.deny:
>
> ALL: 85.25.196.141
> ALL: 85.25.226.154
> ALL: 146.185.239.100
> ALL: 185.4.227.194
> ALL: 192.99.2.75
> [...]
>
> This works if the IPs are static, but if IPs are from a pool, dynamic, or spoofed, then one is out of luck chasing a tiger's tail? FWIW

Ugh, Apache by default does not use the tcpwrappers unless recompiled.

Another alternative is to append the following to /etc/httpd/conf/httpd.conf:

# Blacklist
# Order/Allow/Deny are only valid inside a directory-type container
# (and on httpd 2.4 they need mod_access_compat loaded), so wrap them.
<Location />
    Order allow,deny
    Allow from all
    Deny from 85.25.196.141
    Deny from 85.25.226.154
    Deny from 146.185.239.100
    Deny from 185.4.227.194
    Deny from 192.99.2.75
</Location>
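The three mitigations discussed in the thread (iptables DROP, /etc/hosts.deny, an Apache deny list) all start from the same question: which clients sent requests like the one quoted from access_log, where the request-target is a full URL for a host the server does not serve, i.e. someone testing whether the box behaves as an open proxy. The script below is an added example, not code from any poster: it parses access_log lines in the combined format, flags absolute-form requests for foreign hosts (absolute-form requests for the server's own names are legal HTTP/1.1 and are left alone), aggregates the sources to a prefix of your choosing (/24 as in the whois record, /22 as Rick later found), and renders the three kinds of block rules. The only log line taken from the thread is the 185.4.227.194 one; OWN_HOSTS, the other addresses and timestamps are constructed. The `Require not ip` form is the httpd 2.4 equivalent of the 2.2 Order/Deny syntax posted above, since Fedora 19 ships 2.4.

```python
"""Flag open-proxy probes in an Apache access_log and draft block rules."""
import ipaddress
import re
from collections import Counter
from urllib.parse import urlsplit

# Names this server legitimately answers for (constructed for the example).
OWN_HOSTS = {"www.example.org", "example.org"}

# Constructed sample log. The first line is the request quoted in the thread;
# the 203.0.113.x / 198.51.100.x clients are documentation addresses.
SAMPLE_LOG = """\
185.4.227.194 - - [03/Mar/2014:07:27:49 -0800] "GET http://24x7-allrequestsallowed.com/?PHPSESSID=1rmsxtj500143TRMUTP_ODZZWA HTTP/1.1" 200 5264 "-" "-"
203.0.113.7 - - [03/Mar/2014:07:28:01 -0800] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
185.4.227.201 - - [03/Mar/2014:07:31:12 -0800] "GET http://example.com/ HTTP/1.0" 200 5264 "-" "-"
203.0.113.7 - - [03/Mar/2014:07:32:40 -0800] "GET http://www.example.org/robots.txt HTTP/1.1" 200 5264 "-" "-"
198.51.100.9 - - [03/Mar/2014:07:33:05 -0800] "POST /login HTTP/1.1" 302 0 "http://www.example.org/" "curl/7.29"
"""

# Common/combined log prefix: client ident user [time] "METHOD target HTTP/x.y" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Return the fields of one access_log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_foreign_absolute(target, own_hosts):
    """True when target is absolute-form (scheme://host/...) for a host we do not
    serve. Origin-form targets (/path) and our own hostnames are not probes."""
    parts = urlsplit(target)
    if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
        return False
    return parts.hostname.lower() not in {h.lower() for h in own_hosts}


def find_proxy_probes(log_text, own_hosts):
    """All parsed records whose request-target points at a foreign host."""
    probes = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_foreign_absolute(rec["target"], own_hosts):
            rec["served"] = rec["status"] == 200  # 200 means content went back
            probes.append(rec)
    return probes


def aggregate_prefixes(probes, prefixlen=24):
    """Count probes per network prefix (e.g. /24 from whois, /22 for the route)."""
    counts = Counter()
    for rec in probes:
        try:
            net = ipaddress.ip_network(f'{rec["ip"]}/{prefixlen}', strict=False)
        except ValueError:
            continue  # client field was a hostname or malformed; skip it
        counts[str(net)] += 1
    return counts


def render_rules(networks):
    """Draft block rules for the three layers discussed in the thread."""
    nets = [ipaddress.ip_network(n) for n in networks]
    iptables = [f"iptables -I INPUT -s {n} -j DROP" for n in nets]
    # hosts.deny only matters for tcpwrappers-aware daemons (stock httpd is not).
    hosts_deny = [
        f"ALL: [{n.network_address}]/{n.prefixlen}" if n.version == 6
        else f"ALL: {n.network_address}/{n.netmask}"
        for n in nets
    ]
    apache = ["<Location />", "    <RequireAll>", "        Require all granted"]
    apache += [f"        Require not ip {n}" for n in nets]
    apache += ["    </RequireAll>", "</Location>"]
    return {"iptables": iptables, "hosts.deny": hosts_deny, "httpd.conf": apache}


if __name__ == "__main__":
    probes = find_proxy_probes(SAMPLE_LOG, OWN_HOSTS)
    for p in probes:
        print(f'{p["ip"]:16} {p["status"]} {p["target"]}')
    by_net = aggregate_prefixes(probes)
    for net, n in by_net.most_common():
        print(f"{net}: {n} probe(s)")
    for layer, lines in render_rules(by_net).items():
        print(f"\n# {layer}")
        print("\n".join(lines))
```

Feed it the real file with `find_proxy_probes(open("/var/log/httpd/access_log").read(), OWN_HOSTS)`; the `served` flag tells you whether httpd answered the probe with a 200 and a body (as in the quoted line, where the default page went out) or with an error, which is the difference between "they asked" and "we looked like a proxy".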
Re: F19: Is this an httpd attack attempt?
On 03/03/2014 03:25 PM, Rick Stevens wrote:
> On 03/03/2014 02:06 PM, eoconno...@gmail.com issued this missive:
>> What's the best way to avoid/prevent this from happening?...
>
> Since the IP is part of a Turkish /24 network, odds are it's a hack attempt. If you don't care about servicing Turkey, you could block that IP space in your firewall. Pertinent information:
>
> inetnum:        185.4.227.0 - 185.4.227.255
> netname:        SAYFANET
> descr:          Istanbul DC Customer
> country:        TR
> admin-c:        KSM20-RIPE
> tech-c:         KSM20-RIPE
> status:         ASSIGNED PA
> mnt-by:         ER101-MNT
> source:         RIPE # Filtered
>
> ("whois 185.4.227.194" will give you the gory details), so add that /24 to your filter list. In the old days:
>
> iptables -I INPUT [some-rulenumber] -s 185.4.227.0/24 -j DROP
>
> It's difficult to weed out traffic selectively unless you have the ability to do a deep packet inspection and look at the actual request. Generally that equipment costs a good deal of .
>
>> ----- Reply message -----
>> From: "Mark Haney"
>> To:
>> Subject: F19: Is this an httpd attack attempt?
>> Date: Mon, Mar 3, 2014 11:59 am
>>
>> On 03/03/14 11:42, Dan Thurman wrote:
>>> It looks to me like a successful indirect connection?
>>>
>>> The following is taken from /var/log/httpd/access_log
>>>
>>> 185.4.227.194 - - [03/Mar/2014:07:27:49 -0800] "GET http://24x7-allrequestsallowed.com/?PHPSESSID=1rmsxtj500143TRMUTP_ODZZWA HTTP/1.1" 200 5264 "-" "-"
>>
>> It certainly looks that way. I see several of those kinds of GETs a day on our web servers. Not from that particular domain, but similar types of GETs. A quick google points to similar GET requests to that domain as far back as 2011, and the domain itself isn't live, just a placeholder for a parked domain.
>>
>> -- 
>> Mark Haney
>> Network/Systems Administrator
>> Practichem
>> W: (919) 714-8428
>> Fedora release 20 (Heisenbug)
>> 3.13.4-200.fc20.x86_64

Alternatively, one could add the following IPs to /etc/hosts.deny:

ALL: 85.25.196.141
ALL: 85.25.226.154
ALL: 146.185.239.100
ALL: 185.4.227.194
ALL: 192.99.2.75
[...]

This works if the IPs are static, but if IPs are from a pool, dynamic, or spoofed, then one is out of luck chasing a tiger's tail? FWIW
Re: F19: Is this an httpd attack attempt?
On 03/03/2014 02:06 PM, eoconno...@gmail.com issued this missive:
> What's the best way to avoid/prevent this from happening?...

Since the IP is part of a Turkish /24 network, odds are it's a hack attempt. If you don't care about servicing Turkey, you could block that IP space in your firewall. Pertinent information:

inetnum:        185.4.227.0 - 185.4.227.255
netname:        SAYFANET
descr:          Istanbul DC Customer
country:        TR
admin-c:        KSM20-RIPE
tech-c:         KSM20-RIPE
status:         ASSIGNED PA
mnt-by:         ER101-MNT
source:         RIPE # Filtered

("whois 185.4.227.194" will give you the gory details), so add that /24 to your filter list. In the old days:

iptables -I INPUT [some-rulenumber] -s 185.4.227.0/24 -j DROP

It's difficult to weed out traffic selectively unless you have the ability to do a deep packet inspection and look at the actual request. Generally that equipment costs a good deal of .

> ----- Reply message -----
> From: "Mark Haney"
> To:
> Subject: F19: Is this an httpd attack attempt?
> Date: Mon, Mar 3, 2014 11:59 am
>
> On 03/03/14 11:42, Dan Thurman wrote:
>> It looks to me like a successful indirect connection?
>>
>> The following is taken from /var/log/httpd/access_log
>>
>> 185.4.227.194 - - [03/Mar/2014:07:27:49 -0800] "GET http://24x7-allrequestsallowed.com/?PHPSESSID=1rmsxtj500143TRMUTP_ODZZWA HTTP/1.1" 200 5264 "-" "-"
>
> It certainly looks that way. I see several of those kinds of GETs a day on our web servers. Not from that particular domain, but similar types of GETs. A quick google points to similar GET requests to that domain as far back as 2011, and the domain itself isn't live, just a placeholder for a parked domain.
>
> -- 
> Mark Haney
> Network/Systems Administrator
> Practichem
> W: (919) 714-8428
> Fedora release 20 (Heisenbug)
> 3.13.4-200.fc20.x86_64

-- 
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer, AllDigital    ri...@alldigital.com -
- AIM/Skype: therps2        ICQ: 22643734        Yahoo: origrps2      -
-                                                                    -
- Millihelen (n): The amount of beauty required to launch one ship.  -
----------------------------------------------------------------------
Re: F19: Is this an httpd attack attempt?
What's the best way to avoid/prevent this from happening?...

----- Reply message -----
From: "Mark Haney"
To:
Subject: F19: Is this an httpd attack attempt?
Date: Mon, Mar 3, 2014 11:59 am

> On 03/03/14 11:42, Dan Thurman wrote:
>> It looks to me like a successful indirect connection?
>>
>> The following is taken from /var/log/httpd/access_log
>>
>> 185.4.227.194 - - [03/Mar/2014:07:27:49 -0800] "GET http://24x7-allrequestsallowed.com/?PHPSESSID=1rmsxtj500143TRMUTP_ODZZWA HTTP/1.1" 200 5264 "-" "-"
>
> It certainly looks that way. I see several of those kinds of GETs a day on our web servers. Not from that particular domain, but similar types of GETs. A quick google points to similar GET requests to that domain as far back as 2011, and the domain itself isn't live, just a placeholder for a parked domain.
>
> -- 
> Mark Haney
> Network/Systems Administrator
> Practichem
> W: (919) 714-8428
> Fedora release 20 (Heisenbug)
> 3.13.4-200.fc20.x86_64
Re: F19: Is this an httpd attack attempt?
On 03/03/14 11:42, Dan Thurman wrote:
> It looks to me like a successful indirect connection?
>
> The following is taken from /var/log/httpd/access_log
>
> 185.4.227.194 - - [03/Mar/2014:07:27:49 -0800] "GET http://24x7-allrequestsallowed.com/?PHPSESSID=1rmsxtj500143TRMUTP_ODZZWA HTTP/1.1" 200 5264 "-" "-"

It certainly looks that way. I see several of those kinds of GETs a day on our web servers. Not from that particular domain, but similar types of GETs. A quick google points to similar GET requests to that domain as far back as 2011, and the domain itself isn't live, just a placeholder for a parked domain.

-- 
Mark Haney
Network/Systems Administrator
Practichem
W: (919) 714-8428
Fedora release 20 (Heisenbug)
3.13.4-200.fc20.x86_64