[ale] apache recovery

James P. Kinney III jkinney at localnetsolutions.com
Thu Sep 19 07:37:53 EDT 2002


Hi Robert,

There are a bazillion worms that infest windoze IIS machines and you got
clobbered by one of them. I put a cron job on my server that looks for
some SOB trying to find cmd.exe. I then add them to my firewall blocked
list.

I've enclosed my script.

On Thu, 2002-09-19 at 00:12, Robert E. Karaffa, II wrote:
> Hi folks,
>    Our little apache web server (Mandrake 8.0) was brought down yesterday by a 
> bot, I think.  It was looking for a Windows box to infest, and not finding one, 
> it instead filled up our root partition with log entries until it was full, 
> thus rendering our server useless.  Here are some log entries from /var/log/http:
> 
> [Sun Sep  1 10:30:37 2002] [error] [client 66.77.73.236] File does not exist: /
> var/www/html/robots.txt
> [Mon Sep  2 01:03:47 2002] [error] [client 170.140.204.127] File does not 
> exist: /var/www/html/robots.txt
> [Mon Sep  2 07:54:01 2002] [error] [client 24.214.140.223] Invalid method in 
> request /
> [Sat Sep  7 17:24:30 2002] [error] [client 217.235.10.17] File does not exist: 
> /var/www/html/scripts/..¿Ø../winnt/system32/cmd.exe
> [Sat Sep  7 20:49:42 2002] [error] [client 212.185.249.88] File does not exist: 
> /var/www/html/request/failed/index_failed.htm
> [Sun Sep  8 01:04:20 2002] [error] [client 170.140.204.127] File does not 
> exist: /var/www/html/robots.txt
> [Sun Sep  8 08:43:25 2002] [error] [client 200.158.124.149] Client sent 
> malformed Host header
> [Sun Sep  8 09:08:29 2002] [error] [client 66.1.110.186] Client sent malformed 
> Host header
> [Sun Sep  8 12:36:39 2002] [error] [client 204.253.57.44] File does not exist: 
> /var/www/html/scripts/..%5c%5c../winnt/system32/cmd.exe
> [Mon Sep  9 01:06:03 2002] [error] [client 170.140.204.127] File does not 
> exist: /var/www/html/robots.txt
> 
> I'm too dumb to figure out just what happened.  It DID happen over a period of 
> time, not just yesterday.  So, we're trying to recover as best we can, and I've 
> some questions for you gurus in ale.org land:
> 
> -I don't think we'll have to reinstall our OS...but I'm not confident of that 
> quite yet.
> -we used this box for ftp server, web server, and AppleShareIP server.  It 
> therefore contains a lot of user information that we'd like to keep.  Can 
> anybody tell me how to restore the users and groups list if we do indeed 
> re-install?  I'm surfing the net for help, so I'd appreciate any feedback from any 
> of you.
> 
> -Is it as easy as copying the passwd file and .htaccess?  Am I close?  The 
> accounts that have been created over the past couple of years of use we would 
> like not to lose.  The data in the accounts is not that critical, as we can 
> easily back that up and restore it properly.
> 
> Here's the entry in /var/log/http/error.log that caught our attention:
> 
> [Sat Sep 14 11:14:08 2002] [error] [client 216.1.217.140] File does not exist: 
> /var/www/html/galaxy_7171.7517
> 
> 
> Anybody know what "galaxy_7171.7157" is?
> 
> Interestingly enough, last night I was doing some reading on grc.com.  The saga 
> of the DoS attack by the 13-yr old script kiddie made for good reading.  Does 
> it look like we were attacked by this method?  
> 
> Thanks for any help anybody can render.
> 
> 
> 
> 
> 
> -- 
> -Bob K.
> 
> ************************** 
> Robert E. Karaffa, II 
> Technical Director 
> Emory University 
> Flow Cytometry Core Facility 
> 1365 B Clifton Rd., Room B5133 
> Atlanta, Ga 30322 
> voice: 404/712-4429 
> e-mail: rkaraff at emory.edu 
> ************************** 
> 
> ---
> This message has been sent through the ALE general discussion list.
> See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
> sent to listmaster at ale dot org.
-- 
James P. Kinney III   \Changing the mobile computing world/
President and CEO      \          one Linux user         /
Local Net Solutions,LLC \           at a time.          /
770-493-8244             \.___________________________./

GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
<jkinney at localnetsolutions.com>
Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7 




#!/usr/bin/perl
# This is for extracting the Micro$oft boxes that have been compromised
# and blocking their access to the webserver for several weeks

######################################
#  Copyright Notice
#
#  This program, web-block.pl is 
#  Copyright 2001 
#  Local Net Solutions, LLC
#  4003 Allenwood Way
#  Tucker GA  30084
#
#  This program is free software; you can redistribute it and/or modify
#  it under the terms of the GNU General Public License as published by
#  the Free Software Foundation; either version 2 of the License, or
#  (at your option) any later version.
#
#  This program is distributed in the hope that it will be useful,
#  but WITHOUT ANY WARRANTY; without even the implied warranty of
#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#  GNU General Public License for more details.
#
#  You should have received a copy of the GNU General Public License
#  along with this program; if not, write to the Free Software
#  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
#
#  The full text of the license can be found online at http://www.gnu.org/licenses/gpl.txt
######################################

######################################
#  Instructions for use
#
#  This program should be copied into a convenient location
#  such as /usr/local/sbin, owned by root with mode 500.
#  As this script changes an iptables firewall, it must run with root privileges.
#  Create a file /etc/hosts.web.deny, e.g. touch /etc/hosts.web.deny as root.
#  It can also be run from cron, e.g.
#  */20 * * * * /usr/local/sbin/web-block.pl
#  This will run every 20 minutes. It only checks the most recent error_log.
#
#  If it is run as <path>/web-block.pl all, it will check all the error_logs,
#  even the older, saved ones, up to error_log.4. This is what lets aged IPs
#  stop being blocked: an IP that no longer appears in any retained log is
#  dropped from the deny file and its firewall rule is removed.
#  It is a good idea to add this to the webserver log rotation process. On a RedHat 7.1
#  machine, edit /etc/logrotate.d/apache to look like:
#  /var/log/httpd/error_log {
#    missingok
#    postrotate
#        /bin/kill -HUP `cat /var/run/httpd.pid 2>/dev/null` 2> /dev/null || true
#        /usr/local/sbin/web-block.pl all
#    endscript
#  }
#  Now it is pretty automatic. 
#
#  To Do:
#  add a web-block.pl off argument flag
#  add an external file for exploit strings to search for.
#  be nicer on the firewall and only block port 80 from the machines.
#  add an automailer to send complaints to the network managers the offenders are on (yeah, right!).
#
######################################

use strict;
use warnings;

# the file with the data is 
my $log = "/var/log/httpd/error_log";

# old log files add a .i, i=1..4

# the place to store the output IPs to block
my $dropfile = "/etc/hosts.web.deny";

# strings to search for in the log file (matched literally, not as regexes)
my @strings = ("winnt", "cmd.exe", "root.exe");

# A blocked address must be exactly a dotted quad. It ends up on an iptables
# command line, and anything pulled out of the log file is attacker-controlled.
my $ip_re = qr/^\d{1,3}(?:\.\d{1,3}){3}$/;

# Accept an argument to search all log files
my $log_depth = 0;
if (defined $ARGV[0] && $ARGV[0] eq 'all') { $log_depth = 4 }

my %filed       = get_filed_hosts();         # IPs already recorded in the deny file
my %block_these = get_hosts_to_block();      # IPs found in the log(s) this run
my %dropped     = iptables_firewall_check(); # IPs already carrying a DROP rule

if ($log_depth == 4) {
	# Full pass: a filed IP that appears in none of the retained logs has
	# aged out. Forget it and remove its firewall rule.
	foreach my $key (keys %filed) {
		next if exists $block_these{$key};
		delete $filed{$key};
		if (exists $dropped{$key}) {
			system('/sbin/iptables', '-D', 'INPUT', '-s', $key, '-j', 'DROP');
		}
	}
}
else {
	# Normal pass: carry every filed IP forward so a restart (which empties
	# the firewall) re-blocks the whole list.
	foreach my $key (keys %filed) {
		$block_these{$key} = "drop";
	}
}
write_drop_file(\%block_these);

# Do the deed. Skip IPs that already have a rule so repeated runs do not
# pile up duplicate filter rules, and never build a shell command string
# from log data: pass the arguments to iptables as a list.
foreach my $key (keys %block_these) {
	next if exists $dropped{$key};
	next unless $key =~ $ip_re;
	system('/sbin/iptables', '-I', 'INPUT', '-s', $key, '-j', 'DROP') == 0
		or warn "iptables failed to block $key\n";
}

#################################
##   Subroutines
#################################

sub get_filed_hosts {
	# create a hash of the IPs already recorded in the deny file
	my %filed;
	open(my $in, '<', $dropfile) || die "Failed to open $dropfile for read\n";
	while (my $line = <$in>) {
		chomp $line;
		$filed{$line} = "filed" if $line =~ $ip_re;
	}
	close $in;
	return %filed;
}

sub write_drop_file {
	# rewrite the deny file from the hash of IPs to block
	my ($hosts) = @_;
	open(my $out, '>', $dropfile) || die "failed to open $dropfile for write\n";
	foreach my $key (sort keys %$hosts) {
		print $out "$key\n" if $key =~ $ip_re;
	}
	close $out;
}

sub get_hosts_to_block { # generate list of IPs to block from httpd log files
	my %block_these;
	# one alternation of all the strings, built once; quotemeta so the "."
	# in "cmd.exe" matches a literal dot rather than any character
	my $match = join '|', map { quotemeta } @strings;
	for (my $j = 0; $j <= $log_depth; $j++) {
		my $logfile = $j == 0 ? $log : "$log.$j";
		next unless -r $logfile;
		open(my $in, '<', $logfile) || die "failed to open $logfile for read\n";
		while (my $line = <$in>) {
			next unless $line =~ m/$match/;
			# Take the address from the "[client a.b.c.d]" field rather than
			# by counting whitespace-separated columns: Apache pads single-
			# digit days with two spaces ("Sep  7" vs "Sep 14"), which shifts
			# every column after the date by one.
			if ($line =~ m/\[client (\d{1,3}(?:\.\d{1,3}){3})\]/) {
				$block_these{$1} = "drop";
			}
		}
		close $in;
	}
	return %block_these;
} # end sub get_hosts_to_block

sub iptables_firewall_check { # get list of IPs currently blocked
	my %dropped;
	# "iptables -L INPUT -n" prints one rule per line after two header lines:
	#   DROP       all  --  1.2.3.4   0.0.0.0/0
	# so the source address is the fourth whitespace-separated column
	my @rules = `/sbin/iptables -L INPUT -n`;
	chomp(@rules);
	foreach my $rule (@rules) {
		my @f = split(/\s+/, $rule);
		next unless @f >= 4 && $f[0] eq 'DROP';
		$dropped{$f[3]} = "FW" if $f[3] =~ $ip_re;
	}
	return %dropped;
}
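The script above keys on literal strings in the error_log and pulls the client address out of the line. As an added example (not from the post and not James's code), the Python below does the same detection over a few sample log lines and goes a little further: it parses the `[client a.b.c.d]` field with a regex so the padded single-digit day cannot shift it, canonicalises the request path before matching (repeated percent-decoding, the overlong UTF-8 slash encodings Nimda and Code Red II used, backslash and case folding), and tallies hits per IP so a threshold can be applied before anything is handed to the firewall. The signature regexes and the sample lines from 10.x.y.z addresses are my constructions; the other sample lines are copied from Robert's log excerpt.

```python
"""Scan Apache 1.3 error_log lines for IIS worm probes (Code Red II / Nimda
style requests for cmd.exe and root.exe) and count hits per client IP.

Added example, not part of the mailing-list post. Assumptions are marked.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Apache 1.3 error_log format as shown in the post:
#   [Sat Sep  7 17:24:30 2002] [error] [client 1.2.3.4] File does not exist: /path
# The timestamp is matched as one bracketed field, so the extra space that
# pads single-digit days ("Sep  7" vs "Sep 14") cannot shift the client IP.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] "
    r"\[client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\] (?P<msg>.*)$"
)

# Overlong / invalid UTF-8 encodings of "/" and "\" that the IIS traversal
# worms used to slip past the ".." check; folded to "/" before matching.
OVERLONG_SLASH = re.compile(r"%c0%af|%c0%2f|%c1%9c|%c1%1c", re.I)

# Probe signatures (my choice, not from the post), checked in order; first match wins.
SIGNATURES = (
    ("cmd.exe", re.compile(r"/winnt/system32/cmd\.exe")),
    ("root.exe", re.compile(r"/root\.exe")),
    ("traversal", re.compile(r"/\.\./")),
)


def normalise(path):
    """Canonicalise a request path before matching: repeat percent-decoding
    (%255c -> %5c -> backslash, %25%35%63 -> %5c -> backslash), fold overlong
    UTF-8 slashes, turn backslashes into slashes and lower-case. Three rounds
    cover the deepest encoding the worms used."""
    p = path
    for _ in range(3):
        p = OVERLONG_SLASH.sub("/", p)
        decoded = unquote(p)
        if decoded == p:
            break
        p = decoded
    return p.replace("\\", "/").lower()


def classify(msg):
    """Return the signature name a log message matches, or None."""
    norm = normalise(msg)
    for name, pattern in SIGNATURES:
        if pattern.search(norm):
            return name
    return None


def scan(lines, threshold=1):
    """Map client IP -> {signature: count} for every IP with at least
    `threshold` probe hits. Lines that do not parse are skipped."""
    hits = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if not m:
            continue
        sig = classify(m.group("msg"))
        if sig:
            hits[m.group("ip")][sig] += 1
    return {ip: dict(c) for ip, c in hits.items() if sum(c.values()) >= threshold}


# Sample input. The first four lines are copied from the log excerpt in the
# post; the 10.x.y.z lines are constructed to show double encoding, an
# overlong UTF-8 slash, root.exe probes and an upper-case variant that a
# case-sensitive literal match for "cmd.exe" would miss.
SAMPLE_LOG = [
    "[Sat Sep  7 17:24:30 2002] [error] [client 217.235.10.17] File does not exist: /var/www/html/scripts/..%5c%5c../winnt/system32/cmd.exe",
    "[Sun Sep  8 01:04:20 2002] [error] [client 170.140.204.127] File does not exist: /var/www/html/robots.txt",
    "[Sun Sep  8 12:36:39 2002] [error] [client 204.253.57.44] File does not exist: /var/www/html/scripts/..%5c%5c../winnt/system32/cmd.exe",
    "[Sat Sep 14 11:14:08 2002] [error] [client 216.1.217.140] File does not exist: /var/www/html/galaxy_7171.7517",
    "[Mon Sep 16 02:11:05 2002] [error] [client 10.1.2.3] File does not exist: /var/www/html/scripts/..%255c../winnt/system32/cmd.exe",
    "[Mon Sep 16 02:11:06 2002] [error] [client 10.1.2.3] File does not exist: /var/www/html/scripts/..%c0%af../winnt/system32/cmd.exe",
    "[Mon Sep 16 02:11:07 2002] [error] [client 10.1.2.3] File does not exist: /var/www/html/scripts/root.exe",
    "[Mon Sep 16 02:11:08 2002] [error] [client 10.1.2.3] File does not exist: /var/www/html/MSADC/root.exe",
    "[Mon Sep 16 02:11:09 2002] [error] [client 10.9.9.9] File does not exist: /var/www/html/scripts/..%25%35%63../winnt/system32/CMD.EXE",
]

if __name__ == "__main__":
    for ip, counts in sorted(scan(SAMPLE_LOG).items()):
        print(ip, counts)
```

To run it against a real log, pass an open error_log (or `sys.stdin`) to `scan()` instead of `SAMPLE_LOG`. The keys it returns are already dotted quads validated by `LINE_RE`, which is the same check the Perl script applies before handing an address to iptables; raising `threshold` above 1 keeps a single stray 404 from getting a host firewalled.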
