Snort Forums Archive
my server was attacked
Posted by RudiX on March 10, 2005 10:48:09
My server was attacked for 90 minutes, every second, from the same IP with the following strings (part of the Apache error_log):
[Tue Mar 1 18:28:31 2005] [error] [client 84.132.144.34] Invalid URI in request GET /scripts/ssi//%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1
[Tue Mar 1 18:28:34 2005] [error] [client 84.132.144.34] Invalid URI in request GET /cgi-bin/ssi//%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1
[Tue Mar 1 18:28:34 2005] [error] [client 84.132.144.34] File does not exist: /usr/local/pd-admin2/htdocs/scripts/index.php
[Tue Mar 1 18:28:35 2005] [error] [client 84.132.144.34] File does not exist: /usr/local/pd-admin2/htdocs/cgi-bin/index.php
[Tue Mar 1 18:28:36 2005] [error] [client 84.132.144.34] Invalid URI in request GET /ssi//%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1
[Tue Mar 1 18:28:36 2005] [error] [client 84.132.144.34] File does not exist: /usr/local/pd-admin2/htdocs/scripts/index.php
[Tue Mar 1 18:28:37 2005] [error] [client 84.132.144.34] File does not exist: /usr/local/pd-admin2/htdocs/cgi-bin/index.php
[Tue Mar 1 18:28:38 2005] [error] [client 84.132.144.34] File does not exist: /usr/local/pd-admin2/htdocs/iisprotect/admin/SiteAdmin.ASP
[Tue Mar 1 18:28:38 2005] [error] [client 84.132.144.34] Invalid URI in request GET /scripts/ssi//%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.0
[Tue Mar 1 18:28:38 2005] [error] [client 84.132.144.34] File does not exist: /usr/local/pd-admin2/htdocs/iisprotect/admin/SiteAdmin.ASP
[Tue Mar 1 18:28:39 2005] [error] [client 84.132.144.34] File does not exist: /usr/local/pd-admin2/htdocs/iisprotect/admin/SiteAdmin.ASP
[Tue Mar 1 18:28:39 2005] [error] [client 84.132.144.34] Invalid URI in request GET /cgi-bin/ssi//%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.0
[Tue Mar 1 18:28:40 2005] [error] [client 84.132.144.34] File does not exist: /usr/local/pd-admin2/htdocs/iisprotect/admin/SiteAdmin.ASP
[Tue Mar 1 18:28:40 2005] [error] [client 84.132.144.34] Invalid URI in request GET /ssi//%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.0
[Tue Mar 1 18:28:43 2005] [error] [client 84.132.144.34] File does not exist: /usr/local/pd-admin2/htdocs/scripts/Webnews.exe
[Tue Mar 1 18:28:44 2005] [error] [client 84.132.144.34] File does not exist: /usr/local/pd-admin2/htdocs/cgi-bin/Webnews.exe
[Tue Mar 1 18:28:44 2005] [error] [client 84.132.144.34] File does not exist: /usr/local/pd-admin2/htdocs/Webnews.exe
[Tue Mar 1 18:28:47 2005] [error] [client 84.132.144.34] File does not exist: /usr/local/pd-admin2/htdocs/scripts/Webnews.exe
[Tue Mar 1 18:28:47 2005] [error] [client 84.132.144.34] File does not exist: /usr/local/pd-admin2/htdocs/cgi-bin/Webnews.exe
[Tue Mar 1 18:28:48 2005] [error] [client 84.132.144.34] script not found or unable to stat: /usr/local/pd-admin2/htdocs/ans.pl
My questions are:
[1] When I get attacked next time, how could I stop such attacks and refuse such connections?
[2] Where and what ruleset must I use to react to such things, or is it implemented by "web-attacks.rules"?
The live server is a Debian system with its own kernel hardened by grsecurity. I think nothing happened, but the performance of the server was very slow at the time of the attack.
I have compiled Snort with the --enable-flexresp2 option on a test machine before installing it on my live server.
Best regards, RudiX
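As an added illustration of the detection side of question [2] (this is example code written for this archive page, not code from the original post, from Snort or from Apache): a small Python parser that reads Apache 2.0/2.2 error_log lines in the layout quoted above, percent-decodes the requested URI (twice, so double-encoded `%252e` is caught as well), flags `..` path segments, and aggregates hits per client IP so a burst from one address stands out. The sample lines are copied from the post, plus one constructed benign line from the documentation address 192.0.2.7; the thresholds in `flag_clients` are assumptions to tune for your own server. The output of `flag_clients` is what you would hand to a blocklist or firewall action if you chose to react automatically.

```python
"""Detect directory-traversal probes and per-client bursts in Apache error_log lines.

Added example for this thread, not code from the original post or from Snort.
Assumes the Apache 2.0/2.2 error_log layout shown in the post:
    [Tue Mar  1 18:28:31 2005] [error] [client 1.2.3.4] <message>
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

# Apache 2.0/2.2 error_log layout; single-digit days carry a second padding space.
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] (?P<msg>.*)$")
URI_RE = re.compile(r"Invalid URI in request \S+ (?P<uri>\S+)")
PATH_RE = re.compile(r"(?:File does not exist|script not found or unable to stat): (?P<path>\S+)")

# Lines 1-8 are copied from the post; line 9 is a constructed benign 404 from another client.
SAMPLE_LINES = [
    "[Tue Mar  1 18:28:31 2005] [error] [client 84.132.144.34] Invalid URI in request GET /scripts/ssi//%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1",
    "[Tue Mar  1 18:28:34 2005] [error] [client 84.132.144.34] Invalid URI in request GET /cgi-bin/ssi//%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1",
    "[Tue Mar  1 18:28:34 2005] [error] [client 84.132.144.34] File does not exist: /usr/local/pd-admin2/htdocs/scripts/index.php",
    "[Tue Mar  1 18:28:35 2005] [error] [client 84.132.144.34] File does not exist: /usr/local/pd-admin2/htdocs/cgi-bin/index.php",
    "[Tue Mar  1 18:28:36 2005] [error] [client 84.132.144.34] Invalid URI in request GET /ssi//%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1",
    "[Tue Mar  1 18:28:38 2005] [error] [client 84.132.144.34] File does not exist: /usr/local/pd-admin2/htdocs/iisprotect/admin/SiteAdmin.ASP",
    "[Tue Mar  1 18:28:43 2005] [error] [client 84.132.144.34] File does not exist: /usr/local/pd-admin2/htdocs/scripts/Webnews.exe",
    "[Tue Mar  1 18:28:48 2005] [error] [client 84.132.144.34] script not found or unable to stat: /usr/local/pd-admin2/htdocs/ans.pl",
    "[Tue Mar  1 18:30:02 2005] [error] [client 192.0.2.7] File does not exist: /usr/local/pd-admin2/htdocs/favicon.ico",
]


def parse_line(line):
    """Return {'ts', 'ip', 'msg'} for one error_log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # Collapse the padding space before single-digit days so strptime accepts it.
    ts = datetime.strptime(" ".join(m["ts"].split()), "%a %b %d %H:%M:%S %Y")
    return {"ts": ts, "ip": m["ip"], "msg": m["msg"]}


def normalize_uri(uri):
    """Percent-decode twice (catches %252e double encoding) and fold backslashes to slashes."""
    decoded = uri
    for _ in range(2):
        decoded = unquote(decoded)
    return decoded.replace("\\", "/")


def is_traversal(uri):
    """True if any decoded path segment is '..' or the path names /etc/passwd."""
    path = normalize_uri(uri).split("?", 1)[0]
    return ".." in path.split("/") or "/etc/passwd" in path


def target_of(msg):
    """Extract the requested URI or the filesystem path named in the error message."""
    m = URI_RE.search(msg) or PATH_RE.search(msg)
    return m.group(1) if m else None


def summarize(lines):
    """Aggregate per client IP: hit count, traversal count, distinct targets, time span."""
    stats = defaultdict(lambda: {"total": 0, "traversal": 0, "targets": set(),
                                 "first": None, "last": None})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["ip"]]
        s["total"] += 1
        target = target_of(rec["msg"])
        if target:
            s["targets"].add(target)
            if is_traversal(target):
                s["traversal"] += 1
        s["first"] = rec["ts"] if s["first"] is None else min(s["first"], rec["ts"])
        s["last"] = rec["ts"] if s["last"] is None else max(s["last"], rec["ts"])
    return dict(stats)


def flag_clients(stats, min_hits=10, min_traversal=1, max_seconds=60):
    """Clients with >= min_hits errors inside max_seconds, or any traversal attempt (assumed thresholds)."""
    flagged = []
    for ip, s in stats.items():
        span = (s["last"] - s["first"]).total_seconds()
        burst = s["total"] >= min_hits and span <= max_seconds
        if burst or s["traversal"] >= min_traversal:
            flagged.append(ip)
    return sorted(flagged)


if __name__ == "__main__":
    summary = summarize(SAMPLE_LINES)
    for ip, s in summary.items():
        print(ip, s["total"], "hits,", s["traversal"], "traversal,", len(s["targets"]), "targets")
    print("flagged:", flag_clients(summary))
```

Running the script against the sample prints one flagged client, 84.132.144.34, with 8 hits, 3 traversal attempts and 8 distinct targets in a 17-second span; the single 404 from 192.0.2.7 stays below every threshold. Feeding the same function a whole error_log gives the per-IP picture Nigel describes below (one source sweeping many paths) without needing Snort on the wire.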
Posted by nigel on March 17, 2005 04:51:47
This looks like an automated script, most probably some other box is infected with something or someone owns another box and has a script running to try and get another box. This isn't a targeted attack against your machine in particular, I'd wager it is traversing your netblock.
You can always inform the person responsible for that machine about the incidents and you can certainly always contact the ISP responsible for the netblock that box lives in.
As for blocking or reacting, that's up to you. That's not something I recommend. You can also look at mod_security for your Apache installation, which may give you extra protection for your Apache installation. There's always the possibility of running Snort in inline mode too.
--
Nigel