Home page logo
/

basics logo Security Basics mailing list archives

RE: apache security newbie
From: "Vladimir Luna" <vladimir.luna () gmail com>
Date: Tue, 7 Jun 2005 09:53:37 +0200

This seams as 'usual' scans for exploit of awstats.pl 
The most used exploits that i have come by is hacks done  on awstats.pl
phpbb´s and on ikonboard why its important to update these often, and
look if some new security issue has come around regarding those.
regarding the phpbb; It is often a PHP/phpbb overflow exploit. They gets
an irc bot uploaded into /tmp and uses one of the users to execute it;
Being able to execute it using webserver nobody:nobody permissions. They
then uses the ircbot to ddos around. 
Its also known that  That systems are often compromised through a Remote
Command Execution Vulnerability in awstats 6.1: (or other versions) as
explaned on; 
http://www.idefense.com/application/poi/display?id=185&type=vulnerabilit
ies&flashstatus=true 

This last one is what it seams that they were scanning for in your
system to try to exploit. 
Many times the site from where the scan is being done is compromised
machine aswell. I usally reports them back to the isp, wich i recommend
that you do. 

Best regards, 

_______________________________________
            Vladimir Luna 
    Mail: vladimir.luna () gmail com
________________________________________


-----Original Message-----
From: voyager123bg () gmail com [mailto:voyager123bg () gmail com] 
Sent: Sunday, June 05, 2005 11:40 PM
To: security-basics () securityfocus com
Subject: apache security newbie


Hello out there, I am new to apache world (I've been running 
home server for about 2 months), and recently did a logcheck
Here are some strange results: (access_log)
213.240.2.91 - - [07/May/2005:03:12:06 +0300] "POST 
/_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 327
84.150.8.164 - - [07/May/2005:04:44:38 +0300] "POST 
/_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 327
(I guess this doesn't concern me, since I use linux :))
213.240.62.9 - - [03/Jun/2005:22:44:51 +0300] "SEARCH 
/\x90\xc9\xc9\xc9\xc9\xc9...... several screens with 
bullshits (buffer overflow?)
68.50.20.116 - - [05/Jun/2005:06:48:24 +0300] "GET 
/cgi-bin/awstats.pl HTTP/1.0" 404 304
68.50.20.116 - - [05/Jun/2005:06:48:27 +0300] "GET 
/cgi-bin/awstats.pl HTTP/1.0" 404 304
(ofcourse it would return 404 - my cgi-bin is empty)
67.161.103.40 - - [05/Jun/2005:09:47:50 +0300] "GET 
http://proxyking.servehttp.com:8080/pk/service> ?service=Echo 
HTTP/1.0" 404 296      (wtf is this? someone 
trying to use my webserver as proxy?)
80.246.2.154 - - [05/Jun/2005:17:21:54 +0300] 
"\x15>6\xf4\x05\x89C\x03\x8e\xf6\xca\x0c\xbaF\x06\x88" 400 -
-- last line looks like someone is trying to exploit some 
vulnerability in apache... or i am wrong?
I've also seen numerous attempts to login thru ssh to the 
same box, fortunately unsucsessful. Guess it is the kidies 
work, for the traces in logs were too many, and too obvious, 
and unsuccessful.
However, I did what i had to (or i think so :)) - I scanned 
the machine from the internet, it is clean (no "unknown" 
ports were open). Since i am new to computer security i would 
like to recieve some advices on what are the best practicies 
in the area (how often to look in log files, for ex.). What 
good logrotating programs are there, and is out there some 
(good) introduction to LIDS, and where could i read how to 
secure my desktop maximum w/o giving the usability of the 
system. Oh, and not last... how do we figure out whether our 
host is compromised? (I mean...  is regular logchecking enough?)
Thanks for the help in advance.
Nik.



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault