Centos LogWatch - "Possible Successful Probes"

Posted on 2009-02-11
Medium Priority
2,127 Views
Last Modified: 2013-11-29
Hello,

I'm concerned about "sites probing my server" - could a security expert please review the log below and advise on what to do?  

When I enter one of the URLs directly on my browser:

http://www.mysite.com/thyme/index.php?v=events//modules/sync/export.php?export_to=../../../../../../../../../../../../../../../etc/passwd%00

I get a "normal" looking page - a calendar (thyme on joomla)

Is there a way to tell if the bad guys actually got my passwd file?

Also, I've got 2335 "unidentified other records logged" (see below) - could this be caused by some kind of automated script? Any idea what they're trying to do?  Cross-site scripting? or "just a" DOS attack?

Would appreciate any advice!  Thanks




 ################### LogWatch 5.2.2 (06/23/04) ####################
      Processing Initiated: Wed Feb 11 04:02:06 2009
      Date Range Processed: yesterday
    Detail Level of Output: 0
         Logfiles for Host: ********
 ################################################################

 --------------------- httpd Begin ------------------------


A total of 7 sites probed the server
 85.92.86.213
 204.11.17.16
 91.121.24.179
 140.247.115.169
 82.201.244.196
 209.172.33.230
 124.217.242.70

!!!! 7 possible successful probes
 /thyme/index.php?v=events//modules/sync/export.php?export_to=../../../../../../../../../../../../../../../etc/passwd%00 HTTP Response 200
 /thyme/index.php?v=events//modules/sync/export.php?export_to=../../../../../../../../../../../../../etc/passwd%00 HTTP Response 200
 /thyme/index.php?module=sync//modules/sync/export.php?export_to=../../../../../../../../../../../../../../../etc/passwd%00 HTTP Response 200
 /thyme/index.php?module=sync//modules/sync/export.php?export_to=../../../../../../../../../../../../../etc/passwd%00 HTTP Response 200
 /thyme//modules/sync/export.php?export_to=../../../../../../../../../../../../../../../etc/passwd%00 HTTP Response 200
 /thyme//modules/sync/export.php?export_to=../../../../../../../../../../../../../etc/passwd%00 HTTP Response 200
 /thyme/modules/sync/export.php?export_to=../../../../../../../../../../../proc/self/environ%00 HTTP Response 200

A total of 2335 unidentified 'other' records logged
 GET http://202.86.7.119/config/isp_verify_user?l=_blackdeath_&p=_black HTTP/1.0 with response code(s) 404 1 responses
 GET http://209.191.92.85/config/isp_verify_user?l=_clow_&p=_CLO HTTP/1.0 with response code(s) 404 1 responses
 GET http://217.146.187.16/config/isp_verify_user?l=tucker_81&p=ER_811 HTTP/1.0 with response code(s) 404 1 responses
 GET http://e24.edit.cnb.yahoo.com/config/isp_verify_user?l=seel91&p=pika HTTP/1.0 with response code(s) 404 1 responses
 GET http://124.108.97.193/config/isp_verify_user?l=__mark_henry__&p=__mar__mar1 HTTP/1.0 with response code(s) 404 1 responses
 GET http://124.108.97.193/config/isp_verify_user?l=_laser_12&p=_las HTTP/1.0 with response code(s) 404 1 responses
 GET http://66.163.169.178/config/isp_verify_user?l=muk11&p=trainer HTTP/1.0 with response code(s) 404 1 responses

[...]

Question by:5thG
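A defender-side way to answer "did they actually get the file?" from the raw Apache access log, rather than from the LogWatch summary, which only records the status code. This is an added example written for this thread, not code from the original post, from LogWatch or from thyme: it parses combined-format log lines, flags the traversal and scan markers seen in the report above, and compares the byte size of each 200 response with the size of benign responses to the same script. The log lines, IP addresses and sizes are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed Apache "combined" log lines (not taken from the original post).
# 198.51.100.7 sends two traversal probes; 203.0.113.9 sends one isp_verify_user
# request in proxy form (absolute URI), which the server answered with 404.
SAMPLE_LOG = """\
192.0.2.10 - - [11/Feb/2009:03:15:01 +0000] "GET /thyme/index.php?v=events HTTP/1.1" 200 18432 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Feb/2009:03:16:44 +0000] "GET /thyme/index.php?v=events//modules/sync/export.php?export_to=../../../../../../../../../../../../../../../etc/passwd%00 HTTP/1.0" 200 18432 "-" "libwww-perl/5.805"
198.51.100.7 - - [11/Feb/2009:03:16:45 +0000] "GET /thyme/modules/sync/export.php?export_to=../../../../../../../../../../../proc/self/environ%00 HTTP/1.0" 200 1274 "-" "libwww-perl/5.805"
203.0.113.9 - - [11/Feb/2009:03:20:02 +0000] "GET http://203.0.113.9/config/isp_verify_user?l=someuser&p=somepass HTTP/1.0" 404 297 "-" "-"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Files the probes in the LogWatch report were aiming at.
SENSITIVE_TARGETS = ("/etc/passwd", "/proc/self/environ")


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    # Script path without the query string; used to group benign and suspicious hits.
    rec["path"] = rec["uri"].split("?", 1)[0]
    return rec


def classify(uri):
    """Return the set of suspicious markers found in a request URI."""
    tags = set()
    decoded = unquote(uri)          # %2e%2e%2f becomes ../ and %00 becomes a NUL byte
    if "../" in decoded or "..\\" in decoded:
        tags.add("traversal")
    if "\x00" in decoded:
        tags.add("null_byte")       # meant to cut off a suffix the script appends
    if any(t in decoded for t in SENSITIVE_TARGETS):
        tags.add("sensitive_file")
    if "/config/isp_verify_user" in decoded:
        tags.add("isp_verify_user_scan")
    return tags


def triage(log_text):
    """Flag suspicious requests and judge, from response size, whether a 200 served the normal page."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]

    # Baseline: byte sizes of 200 responses to requests with no suspicious markers, per script.
    baseline = {}
    for r in records:
        if r["status"] == 200 and not classify(r["uri"]):
            baseline.setdefault(r["path"], set()).add(r["size"])

    findings = []
    for r in records:
        tags = classify(r["uri"])
        if not tags:
            continue
        verdict = "not_served"      # anything other than 200 did not hand a file over
        if r["status"] == 200 and "traversal" in tags:
            sizes = baseline.get(r["path"])
            if sizes is None:
                verdict = "no_baseline"           # nothing to compare against; inspect by hand
            elif r["size"] in sizes:
                verdict = "likely_normal_page"    # same size as benign hits: calendar, not passwd
            else:
                verdict = "size_differs_inspect"  # extra or missing bytes: possible disclosure
        findings.append({"ip": r["ip"], "uri": r["uri"], "status": r["status"],
                         "size": r["size"], "tags": tags, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["verdict"], f["ip"], f["status"], sorted(f["tags"]), f["uri"][:70])
```

A matching size is evidence, not proof, that the script ignored the injected path and served the usual calendar; a 200 whose size differs from every benign response, or a script with no benign baseline at all (the `/proc/self/environ` probe above), should be treated as a disclosure until the response body can be reproduced and checked. The isp_verify_user lines are proxy-style requests for another host; the 404 shows the server did not relay them.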
4 Comments
 

Expert Comment

by:xmachine
ID: 23625191
Hi,

Based on the response code, it's obvious that it's possible to download the "passwd" file, since the returned code = 200 (OK), which means "The request has succeeded"!

The other code (404) means "File not found" ... the requested files don't exist on your server. It's clearly a website scanning attack.

You should consider deploying a web application firewall like Apache Mod_Sec.

See the following reviews:

http://www.networkworld.com/reviews/2003/0818rev2.html

http://www.crn.com/it-channel/186700845

A Symantec Certified Specialist @ your service

 

Author Comment

by:5thG
ID: 23626465
Thank you for your response.

If I input  the URL directly in the browser I get a "normal" page (and therefore response code 200), but I don't see any passwd file details.

But you're saying it IS possible to get the passwd file this way, maybe with a differently crafted URL?  I gather this HAS been successfully done?  Any advice on how we might prevent Apache from serving up that file, perhaps via permissions, e.g. chmod 600 to remove group and others from accessing?

And, yes - the high number of 404s told me it is some kind of scanning attack, but I wanted to hear it from an expert!

Will definitely check out web app firewalls - thank you for the links.  I assume Apache Mod_Sec is open-source, and the ones in the reviews are commercial ones?  Which of the commercial web app firewalls do you recommend?

Thanks again.


 

Accepted Solution

by:xmachine (earned 2000 total points)
ID: 23626574
 

Author Comment

by:5thG
ID: 23627617
Thanks for the info and links.  mod_security seems fairly easy to set up, and it can be configured to deny attempts to get the passwd file - exactly what we needed.
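A mod_security deny rule stops the request at the web server; the application-side complement is to confine the user-supplied `export_to` value to the export directory before touching the filesystem, so a traversal string never reaches `open()`. The following is an added example written for this thread, not thyme's or Joomla's code; the function names and the export directory `/srv/thyme/exports` are hypothetical. It rejects the three tricks visible in the probes above (`../` sequences, a trailing `%00`, and an absolute target), and resolves symlinks before comparing, so the check applies to the real on-disk path.

```python
import os


class PathOutsideExportDir(ValueError):
    """Raised when a user-supplied path would escape the export directory."""


def resolve_export_path(export_dir, user_supplied):
    """Return the absolute on-disk path for user_supplied, confined to export_dir.

    Rejects NUL bytes (the %00 trick), absolute paths, and any ../ sequence that
    would resolve outside export_dir, including through symlinks.
    """
    if "\x00" in user_supplied:
        raise PathOutsideExportDir("NUL byte in path")
    if os.path.isabs(user_supplied):
        raise PathOutsideExportDir("absolute path not allowed")

    base = os.path.realpath(export_dir)
    # realpath normalises ../ and follows existing symlinks, so the check below
    # sees the real target rather than the text the client sent.
    candidate = os.path.realpath(os.path.join(base, user_supplied))
    # commonpath compares whole path components, so /srv/thyme/exports_evil/x is
    # rejected where a plain startswith() prefix test would let it through.
    if os.path.commonpath([base, candidate]) != base:
        raise PathOutsideExportDir("path escapes export directory: %r" % user_supplied)
    return candidate


def export_relpath(export_dir, user_supplied):
    """Same check, returning the accepted path relative to the export directory."""
    return os.path.relpath(resolve_export_path(export_dir, user_supplied),
                           os.path.realpath(export_dir))


def is_allowed(export_dir, user_supplied):
    """Boolean form for use in a request filter or WAF-style pre-check."""
    try:
        resolve_export_path(export_dir, user_supplied)
        return True
    except PathOutsideExportDir:
        return False


if __name__ == "__main__":
    EXPORT_DIR = "/srv/thyme/exports"   # hypothetical location, need not exist
    for p in ("events.ics", "../../../../../../etc/passwd",
              "../../../../proc/self/environ\x00", "/etc/passwd"):
        print(repr(p), "->", "allowed" if is_allowed(EXPORT_DIR, p) else "denied")
```

Resolving the path first and comparing components afterwards is what makes the check robust: a filter that only strips `../` from the input can be bypassed by double encoding, whereas a filesystem-level comparison against the real export directory does not depend on how the input was spelled.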

