Need some help on security

From: David Edwards (david_at_deassociates.com)
Date: 01/10/04

  • Next message: Robert Watson: "Re: Need some help on security"
    To: <freebsd-security@freebsd.org>
    Date: Sat, 10 Jan 2004 17:23:39 -0500
    
    

    Hello all. I am new to the list and relatively new to FreeBSD. I currently
    have a server running 4.8 as a dedicated server with cPanel added as a way
    to speed up the creation of sites and such on the server. I host only a
    couple of sites because I do this in my spare time and don't know enough to
    be a paid participant in the hosting community.

    Anyway, on to the question. Last night, the server stopped responding after
    someone tried to gain access to what looks to be web based printing. I am
    not familiar with any firewall/IDS solutions and have looked over Snort and
    IPFW today. I don't want to do IPFW because I don't want to recompile a
    kernel that works and potentially lose everything I have done so far. Here
    is a bit of the apache error_log which shows the issue I am referring to:

    [Sat Jan 10 01:34:04 2004] [error] [client 211.233.89.189] File does not
    exist: /usr/home/dbcenter/public_html/NULL.printer
    [Sat Jan 10 01:34:04 2004] [error] [client 211.233.89.189] File does not
    exist: /usr/local/apache/htdocs/NULL.printer
    [Sat Jan 10 01:34:04 2004] [error] [client 211.233.89.189] File does not
    exist: /usr/local/apache/htdocs/404.shtml
    [Sat Jan 10 01:34:05 2004] [error] [client 211.233.89.189] File does not
    exist: /usr/local/apache/htdocs/NULL.printer
    [Sat Jan 10 01:34:05 2004] [error] [client 211.233.89.189] File does not
    exist: /usr/local/apache/htdocs/404.shtml
    [Sat Jan 10 01:34:05 2004] [error] [client 211.233.89.189] File does not
    exist: /usr/home/seekers/public_html/NULL.printer
    [Sat Jan 10 01:34:05 2004] [error] [client 211.233.89.189] File does not
    exist: /usr/local/apache/htdocs/NULL.printer
    [Sat Jan 10 01:34:05 2004] [error] [client 211.233.89.189] File does not
    exist: /usr/home/seekers/public_html/404.shtml
    [Sat Jan 10 01:34:05 2004] [error] [client 211.233.89.189] File does not
    exist: /usr/local/apache/htdocs/404.shtml

    I also have a few entries where they are trying to get to a command prompt
    and trying to do some sort of weirdness with IIS:

    [Fri Jan 9 22:18:31 2004] [error] [client 67.167.253.191] File does not
    exist: /usr/local/apache/htdocs/scripts/nsiislog.dll
    [Fri Jan 9 22:18:31 2004] [error] [client 67.167.253.191] File does not
    exist: /usr/local/apache/htdocs/404.shtml
    [Fri Jan 9 22:18:31 2004] [error] [client 67.167.253.191] File does not
    exist: /usr/local/apache/htdocs/scripts/nsiislog.dll
    [Fri Jan 9 22:18:31 2004] [error] [client 67.167.253.191] File does not
    exist: /usr/local/apache/htdocs/404.shtml

    [Thu Jan 8 07:00:07 2004] [error] [client 69.140.105.5] File does not
    exist: /usr/home/dbcenter/public_html/scripts/root.exe
    [Thu Jan 8 07:00:07 2004] [error] [client 69.140.105.5] File does not
    exist: /usr/home/dbcenter/public_html/404.shtml
    [Thu Jan 8 07:00:11 2004] [error] [client 69.140.105.5] File does not
    exist: /usr/home/dbcenter/public_html/MSADC/root.exe
    [Thu Jan 8 07:00:11 2004] [error] [client 69.140.105.5] File does not
    exist: /usr/home/dbcenter/public_html/404.shtml
    [Thu Jan 8 07:00:15 2004] [error] [client 69.140.105.5] File does not
    exist: /usr/home/dbcenter/public_html/c/winnt/system32/cmd.exe
    [Thu Jan 8 07:00:15 2004] [error] [client 69.140.105.5] File does not
    exist: /usr/home/dbcenter/public_html/404.shtml
    [Thu Jan 8 07:00:19 2004] [error] [client 69.140.105.5] File does not
    exist: /usr/home/dbcenter/public_html/d/winnt/system32/cmd.exe
    [Thu Jan 8 07:00:19 2004] [error] [client 69.140.105.5] File does not
    exist: /usr/home/dbcenter/public_html/404.shtml
    [Thu Jan 8 07:00:23 2004] [error] [client 69.140.105.5] File does not
    exist: /usr/home/dbcenter/public_html/scripts/..%5c../winnt/system32/cmd.exe
    [Thu Jan 8 07:00:23 2004] [error] [client 69.140.105.5] File does not
    exist: /usr/home/dbcenter/public_html/404.shtml
    [Thu Jan 8 07:00:28 2004] [error] [client 69.140.105.5] File does not
    exist:
    /usr/home/dbcenter/public_html/_vti_bin/..%5c../..%5c../..%5c../winnt/system
    32/cmd.exe
    [Thu Jan 8 07:00:28 2004] [error] [client 69.140.105.5] File does not
    exist: /usr/home/dbcenter/public_html/404.shtml
    [Thu Jan 8 07:00:31 2004] [error] [client 69.140.105.5] File does not
    exist:
    /usr/home/dbcenter/public_html/_mem_bin/..%5c../..%5c../..%5c../winnt/system
    32/cmd.exe
    [Thu Jan 8 07:00:31 2004] [error] [client 69.140.105.5] File does not
    exist: /usr/home/dbcenter/public_html/404.shtml
    [Thu Jan 8 07:00:36 2004] [error] [client 69.140.105.5] File does not
    exist:
    /usr/home/dbcenter/public_html/msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á
    ../winnt/system32/cmd.exe
    [Thu Jan 8 07:00:36 2004] [error] [client 69.140.105.5] File does not
    exist: /usr/home/dbcenter/public_html/404.shtml
    [Thu Jan 8 07:00:40 2004] [error] [client 69.140.105.5] File does not
    exist: /usr/home/dbcenter/public_html/scripts/..Á../winnt/system32/cmd.exe
    [Thu Jan 8 07:00:40 2004] [error] [client 69.140.105.5] File does not
    exist: /usr/home/dbcenter/public_html/404.shtml
    [Thu Jan 8 07:00:44 2004] [error] [client 69.140.105.5] File does not
    exist: /usr/home/dbcenter/public_html/404.shtml
    [Thu Jan 8 07:00:48 2004] [error] [client 69.140.105.5] File does not
    exist: /usr/home/dbcenter/public_html/scripts/..À¯../winnt/system32/cmd.exe
    [Thu Jan 8 07:00:48 2004] [error] [client 69.140.105.5] File does not
    exist: /usr/home/dbcenter/public_html/404.shtml
    [Thu Jan 8 07:00:53 2004] [error] [client 69.140.105.5] File does not
    exist: /usr/home/dbcenter/public_html/scripts/..Áo../winnt/system32/cmd.exe
    [Thu Jan 8 07:00:53 2004] [error] [client 69.140.105.5] File does not
    exist: /usr/home/dbcenter/public_html/404.shtml
    [Thu Jan 8 07:00:57 2004] [error] [client 69.140.105.5] File does not
    exist: /usr/home/dbcenter/public_html/400.shtml
    [Thu Jan 8 07:01:01 2004] [error] [client 69.140.105.5] File does not
    exist: /usr/home/dbcenter/public_html/400.shtml
    [Thu Jan 8 07:01:05 2004] [error] [client 69.140.105.5] File does not
    exist: /usr/home/dbcenter/public_html/scripts/..%5c../winnt/system32/cmd.exe
    [Thu Jan 8 07:01:05 2004] [error] [client 69.140.105.5] File does not
    exist: /usr/home/dbcenter/public_html/404.shtml
    [Thu Jan 8 07:01:10 2004] [error] [client 69.140.105.5] File does not
    exist: /usr/home/dbcenter/public_html/scripts/..%2f../winnt/system32/cmd.exe
    [Thu Jan 8 07:01:10 2004] [error] [client 69.140.105.5] File does not
    exist: /usr/home/dbcenter/public_html/404.shtml

    Can anyone offer me a bit of advice on how to block such IP addresses within
    FreeBSD and some sort of firewall type setup that is fairly easy and quick
    to set up as well as create new filtering rules for?

    Thanks in advance for any help in this matter. Also, all the missing errors
    like the 404, 400 and such are now cleared up. Created the pages for the
    errors.

    David Edwards
    david@deassociates.com

    ---
    Outgoing mail is certified Virus Free.
    Checked by AVG anti-virus system (http://www.grisoft.com).
    Version: 6.0.551 / Virus Database: 343 - Release Date: 12/11/2003
    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
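As an added example (not part of David's post or of any FreeBSD or Apache project code), the script below does the triage step that precedes any firewall rule: it parses Apache 1.3 style "File does not exist" lines from error_log, skips the server's own ErrorDocument lookups (the 404.shtml/400.shtml entries, which the post notes follow every miss), matches the remaining paths against the IIS/Windows probe patterns visible in the excerpt (.printer, cmd.exe, root.exe, nsiislog.dll, encoded ../ traversal), tallies hits per client address, and renders ipfw deny rules for the addresses that tripped a signature. The signature names, thresholds and rule numbering are my own choices; the sample log lines are constructed from the post's excerpt with the wrapped lines joined, and 192.0.2.10 is a made-up benign client. The ipfw syntax used is the standard `ipfw add <num> deny ip from <addr> to any`, which of course only works once the firewall is in the kernel; the rules are printed, not applied.

```python
import re
from collections import defaultdict

# Constructed sample input modelled on the error_log lines quoted in the post
# (wrapped lines joined). Real data would be read from the server's error_log.
SAMPLE_ERROR_LOG = """\
[Sat Jan 10 01:34:04 2004] [error] [client 211.233.89.189] File does not exist: /usr/home/dbcenter/public_html/NULL.printer
[Sat Jan 10 01:34:04 2004] [error] [client 211.233.89.189] File does not exist: /usr/local/apache/htdocs/404.shtml
[Fri Jan 9 22:18:31 2004] [error] [client 67.167.253.191] File does not exist: /usr/local/apache/htdocs/scripts/nsiislog.dll
[Fri Jan 9 22:18:31 2004] [error] [client 67.167.253.191] File does not exist: /usr/local/apache/htdocs/404.shtml
[Thu Jan 8 07:00:07 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/scripts/root.exe
[Thu Jan 8 07:00:11 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/MSADC/root.exe
[Thu Jan 8 07:00:23 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/scripts/..%5c../winnt/system32/cmd.exe
[Thu Jan 8 07:00:23 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/404.shtml
[Thu Jan 8 09:12:00 2004] [error] [client 192.0.2.10] File does not exist: /usr/home/seekers/public_html/favicon.ico
[Thu Jan 8 09:12:00 2004] [error] [client 192.0.2.10] File does not exist: /usr/home/seekers/public_html/404.shtml
"""

# Apache 1.3 error_log format: [timestamp] [error] [client IP] File does not exist: path
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>\d+\.\d+\.\d+\.\d+)\] "
    r"File does not exist: (?P<path>\S+)$"
)

# Probe signatures taken from the paths in the post. Names are my own labels
# (assumption, not an official taxonomy); order matters, first match wins.
PROBE_SIGNATURES = [
    ("iis-unicode-traversal", re.compile(r"\.\.(%5c|%2f|%c0|%c1|[\u00c0\u00c1])", re.I)),
    ("iis-printer-isapi", re.compile(r"\.printer$", re.I)),
    ("iis-cmd-exe", re.compile(r"cmd\.exe$", re.I)),
    ("iis-root-exe", re.compile(r"root\.exe$", re.I)),
    ("iis-nsiislog", re.compile(r"nsiislog\.dll$", re.I)),
]

# After every miss Apache looks up the configured ErrorDocument; those lines are
# the server's own follow-up, not a request the client made, so never count them.
ERROR_DOC_RE = re.compile(r"/40[0-9]\.shtml$")


def parse_error_log(text):
    """Yield (timestamp, client_ip, path) for each 'File does not exist' line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("ts"), m.group("ip"), m.group("path")


def classify_path(path):
    """Return the signature name a requested path matches, or None."""
    if ERROR_DOC_RE.search(path):
        return None
    for name, rx in PROBE_SIGNATURES:
        if rx.search(path):
            return name
    return None


def summarize(text):
    """Per-client counts of real misses, signature hits, and the signatures seen."""
    stats = defaultdict(lambda: {"misses": 0, "probes": 0, "signatures": set()})
    for _ts, ip, path in parse_error_log(text):
        if ERROR_DOC_RE.search(path):
            continue  # ErrorDocument lookup, not client activity
        entry = stats[ip]
        entry["misses"] += 1
        sig = classify_path(path)
        if sig:
            entry["probes"] += 1
            entry["signatures"].add(sig)
    return dict(stats)


def block_candidates(stats, min_probes=1):
    """Clients with at least min_probes signature hits, most active first."""
    hits = [(ip, s) for ip, s in stats.items() if s["probes"] >= min_probes]
    hits.sort(key=lambda item: (-item[1]["probes"], item[0]))
    return [ip for ip, _ in hits]


def ipfw_deny_rules(ips, first_rule=1000, step=10):
    """Render one ipfw(8) deny rule per address as a shell command string."""
    return [
        f"ipfw add {first_rule + i * step} deny ip from {ip} to any"
        for i, ip in enumerate(ips)
    ]


if __name__ == "__main__":
    stats = summarize(SAMPLE_ERROR_LOG)
    for ip, s in sorted(stats.items()):
        print(f"{ip:16} misses={s['misses']} probes={s['probes']} {sorted(s['signatures'])}")
    for rule in ipfw_deny_rules(block_candidates(stats)):
        print(rule)
```

Run it against the real error_log by replacing SAMPLE_ERROR_LOG with the file contents. Two things the output makes visible that the raw log hides: the benign client that merely missed favicon.ico never becomes a block candidate, and the 69.140.105.5 entries collapse from twenty-odd lines into three genuine probes. Worm-style scanners of this kind come from many different addresses, so a per-IP deny list is a stopgap; the signatures themselves are what to keep watching for.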
    
