Hack attempt

Hack attempt

Post by Mike » Tue, 24 Dec 2002 02:37:30



I want to show everyone some logs and see if you know the hack they are
trying so I can see if they got in.

I suspected something when apache was not running this morning. I have
left the box shut down for now.

Thanks for your insight.

Here are the logs.

[Sun Dec 22 03:46:48 2002] [error] [client 218.72.1.250] File does not exist: /var/www/html/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Sun Dec 22 03:46:50 2002] [error] [client 218.72.1.250] File does not exist: /var/www/html/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Sun Dec 22 03:46:51 2002] [error] [client 218.72.1.250] File does not exist: /var/www/html/msadc/..%5c../..%5c../..%5c/..../..../..../winnt/system32/cmd.exe
[Sun Dec 22 03:46:53 2002] [error] [client 218.72.1.250] File does not exist: /var/www/html/scripts/..../winnt/system32/cmd.exe
[Sun Dec 22 03:46:59 2002] [error] [client 218.72.1.250] File does not exist: /var/www/html/scripts/..../winnt/system32/cmd.exe
[Sun Dec 22 03:47:01 2002] [error] [client 218.72.1.250] File does not exist: /var/www/html/scripts/..?../winnt/system32/cmd.exe
[Sun Dec 22 03:47:06 2002] [error] [client 218.72.1.250] File does not exist: /var/www/html/scripts/..%5c../winnt/system32/cmd.exe
[Sun Dec 22 03:47:10 2002] [error] [client 218.72.1.250] File does not exist: /var/www/html/scripts/..%2f../winnt/system32/cmd.exe
[Sun Dec 22 04:02:07 2002] [warn] child process 32670 did not exit, sending another SIGHUP
[Sun Dec 22 04:02:07 2002] [warn] child process 314 did not exit, sending another SIGHUP
[Sun Dec 22 04:02:07 2002] [warn] child process 347 did not exit, sending another SIGHUP
[Sun Dec 22 04:02:07 2002] [warn] child process 2252 did not exit, sending another SIGHUP
[Sun Dec 22 04:02:07 2002] [warn] child process 4780 did not exit, sending another SIGHUP
[Sun Dec 22 04:02:08 2002] [notice] SIGHUP received.  Attempting to restart
Syntax error on line 214 of /etc/httpd/conf/httpd.conf:
Cannot load /etc/httpd/modules/mod_log_config.so into server: /etc/httpd/modules/mod_log_config.so: undefined symbol: ap_escape_logitem
[Sun Dec 22 11:36:57 2002] [warn] pid file /var/run/httpd.pid overwritten -- Unclean shutdown of previous Apache run?
[Sun Dec 22 11:36:57 2002] [notice] Apache/1.3.27 (Unix) (Red-Hat/Linux) mod_ssl/2.8.12 OpenSSL/0.9.6b DAV/1.0.3 PHP/4.1.2 mod_perl/1.26 configured -- resuming normal operations
[Sun Dec 22 11:36:57 2002] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Sun Dec 22 11:36:57 2002] [notice] Accept mutex: sysvsem (Default: sysvsem)
[Sun Dec 22 12:24:17 2002] [notice] caught SIGTERM, shutting down

 
 
 

Hack attempt

Post by tedd » Tue, 24 Dec 2002 03:26:00



> I want to show everyone some logs and see if you know the hack they are
> trying so I can see if they got in.

Nope. It's an old IIS bug the worm/scriptkiddie (hey, they both are about as
smart...) is trying to exploit.

> I suspected something when apache was not running this morning. I have
> left the box shut down for now.

You have an error in your config file...

> [Sun Dec 22 03:46:48 2002] [error] [client 218.72.1.250] File does not exist: /var/www/html/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe

See how they're trying to access winnt/system32?

> [Sun Dec 22 04:02:07 2002] [warn] child process 4780 did not exit, sending another SIGHUP
> [Sun Dec 22 04:02:08 2002] [notice] SIGHUP received.  Attempting to restart
> Syntax error on line 214 of /etc/httpd/conf/httpd.conf:
> Cannot load /etc/httpd/modules/mod_log_config.so into server: /etc/httpd/modules/mod_log_config.so: undefined symbol: ap_escape_logitem

Hmm, okay, so Apache seemed to crash pretty hard here.... It's probably worth
trying to figure out why this happened. It's no hack attempt as far as the
logs show.

> [Sun Dec 22 11:36:57 2002] [warn] pid file /var/run/httpd.pid overwritten -- Unclean shutdown of previous Apache run?
> [Sun Dec 22 11:36:57 2002] [notice] Apache/1.3.27 (Unix) (Red-Hat/Linux) mod_ssl/2.8.12 OpenSSL/0.9.6b DAV/1.0.3 PHP/4.1.2 mod_perl/1.26 configured -- resuming normal operations
> [Sun Dec 22 11:36:57 2002] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
> [Sun Dec 22 11:36:57 2002] [notice] Accept mutex: sysvsem (Default: sysvsem)
> [Sun Dec 22 12:24:17 2002] [notice] caught SIGTERM, shutting down

This looks like when you started it up again. No configuration errors... If
you didn't change something, it might be worthwhile to double-check that your
memory and disks are good, unless someone else knows why undefined symbols
can appear out of nowhere.

Ted

 
 
 

Hack attempt

Post by Mike » Tue, 24 Dec 2002 09:21:06


I was worried about the SIGHUP getting through. Is that normal?

Mike



>> I want to show everyone some logs and see if you know the hack they are
>> trying so I can see if they got in.

> Nope. It's an old IIS bug the worm/scriptkiddie (hey, they both are about as
> smart...) is trying to exploit.

>> I suspected something when apache was not running this morning. I have
>> left the box shut down for now.

> You have an error in your config file...

>> [Sun Dec 22 03:46:48 2002] [error] [client 218.72.1.250] File does not exist: /var/www/html/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe

> See how they're trying to access winnt/system32?

>> [Sun Dec 22 04:02:07 2002] [warn] child process 4780 did not exit, sending another SIGHUP
>> [Sun Dec 22 04:02:08 2002] [notice] SIGHUP received.  Attempting to restart
>> Syntax error on line 214 of /etc/httpd/conf/httpd.conf:
>> Cannot load /etc/httpd/modules/mod_log_config.so into server: /etc/httpd/modules/mod_log_config.so: undefined symbol: ap_escape_logitem

> Hmm, okay, so Apache seemed to crash pretty hard here.... It's probably worth
> trying to figure out why this happened. It's no hack attempt as far as the
> logs show.

>> [Sun Dec 22 11:36:57 2002] [warn] pid file /var/run/httpd.pid overwritten -- Unclean shutdown of previous Apache run?
>> [Sun Dec 22 11:36:57 2002] [notice] Apache/1.3.27 (Unix) (Red-Hat/Linux) mod_ssl/2.8.12 OpenSSL/0.9.6b DAV/1.0.3 PHP/4.1.2 mod_perl/1.26 configured -- resuming normal operations
>> [Sun Dec 22 11:36:57 2002] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
>> [Sun Dec 22 11:36:57 2002] [notice] Accept mutex: sysvsem (Default: sysvsem)
>> [Sun Dec 22 12:24:17 2002] [notice] caught SIGTERM, shutting down

> This looks like when you started it up again. No configuration errors... If
> you didn't change something, it might be worthwhile to double-check that your
> memory and disks are good, unless someone else knows why undefined symbols
> can appear out of nowhere.

> Ted

 
 
 

Hack attempt

Post by tedd » Tue, 24 Dec 2002 10:10:33



> I was worried about the SIGHUP getting through. Is that normal?

SIGHUP (aka SIGnal Hang UP) is sent on the local system. For daemons like
inetd it basically means "reread the config file". I *think* it's the same
for apache, but I'm not sure... actually, maybe it's not.

But at any rate, it can't be done remotely. So unless your machine is
/already/ compromised, it's just an oddity. Anyone know what might send
apache SIGHUP?

Oh, and trim your posts :)

Ted

 
 
 

Hack attempt

Post by Davi » Tue, 24 Dec 2002 10:18:20



> SIGHUP (aka SIGnal Hang UP) is sent on the local system. For daemons like
> inetd it basically means "reread the config file". I *think* it's the same
> for apache, but I'm not sure... actually, maybe it's not.

> But at any rate, it can't be done remotely. So unless your machine is
> /already/ compromised, it's just an oddity. Anyone know what might send
> apache SIGHUP?

At 04:02 AM, could it be the cron job for the syslog rotation,
possibly?

--
   Confucius:  He who play in root, eventually kill tree.
Registered with the Linux Counter.  http://counter.li.org

 
 
 

Hack attempt

Post by Mike » Tue, 24 Dec 2002 11:33:54


It was a cron job for the SIGHUP signal. I guess Apache just crashed. I
will try to find out what caused it.

Thanks for your comments.

Mike



>> SIGHUP (aka SIGnal Hang UP) is sent on the local system. For daemons like
>> inetd it basically means "reread the config file". I *think* it's the same
>> for apache, but I'm not sure... actually, maybe it's not.

>> But at any rate, it can't be done remotely. So unless your machine is
>> /already/ compromised, it's just an oddity. Anyone know what might send
>> apache SIGHUP?

> At 04:02 AM, could it be the cron job for the syslog rotation, possibly?

 
 
 

Hack attempt

Post by Davi » Tue, 24 Dec 2002 13:24:20



> It was a cron job for the SIGHUP signal. I guess Apache just crashed. I
> will try to find out what caused it.

What is line 214 in the httpd.conf file??

[Sun Dec 22 04:02:08 2002] [notice] SIGHUP received.  Attempting to restart
Syntax error on line 214 of /etc/httpd/conf/httpd.conf:
Cannot load /etc/httpd/modules/mod_log_config.so into server: /etc/httpd/modules/mod_log_config.so: undefined symbol: ap_escape_logitem

--
   Confucius:  He who play in root, eventually kill tree.
Registered with the Linux Counter.  http://counter.li.org

 
 
 

Hack attempt

Post by Mike » Tue, 24 Dec 2002 14:01:24


This is line 214 of the httpd.conf file.

LoadModule config_log_module  modules/mod_log_config.so

I couldn't see anything wrong with it. I was going to reload apache to
see what diff output was.

Thanks for the help.

Mike



>> It was a cron job for the SIGHUP signal. I guess Apache just crashed. I
>> will try to find out what caused it.

> What is line 214 in the httpd.conf file??

> [Sun Dec 22 04:02:08 2002] [notice] SIGHUP received.  Attempting to restart
> Syntax error on line 214 of /etc/httpd/conf/httpd.conf:
> Cannot load /etc/httpd/modules/mod_log_config.so into server: /etc/httpd/modules/mod_log_config.so: undefined symbol: ap_escape_logitem

 
 
 

Hack attempt

Post by Davi » Tue, 24 Dec 2002 15:31:30



> This is line 214 of the httpd.conf file.

> LoadModule config_log_module  modules/mod_log_config.so

> I couldn't see anything wrong with it. I was going to reload apache to
> see what diff output was.

--snip--

>> Syntax error on line 214 of /etc/httpd/conf/httpd.conf:
>> Cannot load /etc/httpd/modules/mod_log_config.so into server: /etc/httpd/modules/mod_log_config.so: undefined symbol: ap_escape_logitem

The line looks right, but where does the "undefined symbol:
ap_escape_logitem" come from?

--
   Confucius:  He who play in root, eventually kill tree.
Registered with the Linux Counter.  http://counter.li.org

 
 
 

Hack attempt

Post by Mike » Tue, 24 Dec 2002 15:59:12


I don't know. I could run logrotate and see if I get the same error.
That is the cron job that caused the SIGHUPs.

Mike



>> This is line 214 of the httpd.conf file.

>> LoadModule config_log_module  modules/mod_log_config.so

>> I couldn't see anything wrong with it. I was going to reload apache to
>> see what diff output was.

> --snip--

>>> Syntax error on line 214 of /etc/httpd/conf/httpd.conf:
>>> Cannot load /etc/httpd/modules/mod_log_config.so into server: /etc/httpd/modules/mod_log_config.so: undefined symbol: ap_escape_logitem

> The line looks right, but where does the "undefined symbol:
> ap_escape_logitem" come from?

 
 
 

Hack attempt

Post by Edin Dizdarevi » Tue, 24 Dec 2002 22:00:35


Hi,

You've had damn luck until now, but you should update
your OpenSSL libs and recompile mod_ssl immediately!

Take a look here:

http://www.openssl.org/news/secadv_20020730.txt

> [Sun Dec 22 11:36:57 2002] [notice] Apache/1.3.27 (Unix) (Red-Hat/Linux) mod_ssl/2.8.12 OpenSSL/0.9.6b DAV/1.0.3 PHP/4.1.2 mod_perl

Regards,

Edin_

--
Security does not come for free - at no time and nowhere!
(The BSI IT-Sicherheitshandbuch)

 
 
 

Hack attempt

Post by Sundial Service » Wed, 25 Dec 2002 01:27:07



> I want to show everyone some logs and see if you know the hack they are
> trying so I can see if they got in.

> I suspected something when apache was not running this morning. I have
> left the box shut down for now.

> Thanks for your insight.

> Here are the logs.

> [Sun Dec 22 03:46:48 2002] [error] [client 218.72.1.250] File does not exist: /var/www/html/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe

A script-kiddie trying a well-known Microsoft IIS exploit that is completely
ignored by Apache...

> [Sun Dec 22 04:02:07 2002] [warn] child process 32670 did not exit, sending another SIGHUP

Slightly unusual... maybe a denial-of-service attempt, or maybe just one of
those things you see periodically.  Apache periodically kills and restarts
its children.

> [Sun Dec 22 04:02:08 2002] [notice] SIGHUP received.  Attempting to restart
> Syntax error on line 214 of /etc/httpd/conf/httpd.conf:
> Cannot load /etc/httpd/modules/mod_log_config.so into server: /etc/httpd/modules/mod_log_config.so: undefined symbol: ap_escape_logitem
> [Sun Dec 22 11:36:57 2002] [warn] pid file /var/run/httpd.pid overwritten -- Unclean shutdown of previous Apache run?
> [Sun Dec 22 11:36:57 2002] [notice] Apache/1.3.27 (Unix) (Red-Hat/Linux) mod_ssl/2.8.12 OpenSSL/0.9.6b DAV/1.0.3 PHP/4.1.2 mod_perl/1.26 configured -- resuming normal operations
> [Sun Dec 22 11:36:57 2002] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)

This looks like your own doing, doesn't it?  Maybe you restarted Apache when
you first noticed this problem?  The message about "mod_log_config" could
have been broken for a long time... check your earliest logs.

> [Sun Dec 22 11:36:57 2002] [notice] Accept mutex: sysvsem (Default: sysvsem)
> [Sun Dec 22 12:24:17 2002] [notice] caught SIGTERM, shutting down

And this would be when you shut down the server last night.

I don't see anything in this log that is /de facto/ evidence that you
were in fact "hacked."
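An added triage script, written for this page and not posted by anyone in the thread, that reads error_log lines like the ones above and separates the two things the replies discuss: the IIS-style traversal probes (logged as "File does not exist", so Apache served nothing) and the SIGHUP reload that died on the mod_log_config symbol error. The sample lines are constructed from those posted in the thread; nothing beyond Apache 1.3's own error_log format is assumed.

```python
import re
from collections import Counter

# Constructed sample: Apache 1.3 error_log entries modelled on the ones posted in
# this thread (wrapped lines re-joined), plus one ordinary 404 for contrast.
SAMPLE_LOG = """\
[Sun Dec 22 03:46:48 2002] [error] [client 218.72.1.250] File does not exist: /var/www/html/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Sun Dec 22 03:46:53 2002] [error] [client 218.72.1.250] File does not exist: /var/www/html/scripts/..../winnt/system32/cmd.exe
[Sun Dec 22 03:47:10 2002] [error] [client 218.72.1.250] File does not exist: /var/www/html/scripts/..%2f../winnt/system32/cmd.exe
[Sun Dec 22 03:50:02 2002] [error] [client 192.0.2.10] File does not exist: /var/www/html/favicon.ico
[Sun Dec 22 04:02:07 2002] [warn] child process 4780 did not exit, sending another SIGHUP
[Sun Dec 22 04:02:08 2002] [notice] SIGHUP received.  Attempting to restart
Syntax error on line 214 of /etc/httpd/conf/httpd.conf:
Cannot load /etc/httpd/modules/mod_log_config.so into server: /etc/httpd/modules/mod_log_config.so: undefined symbol: ap_escape_logitem
[Sun Dec 22 11:36:57 2002] [notice] Apache/1.3.27 (Unix) (Red-Hat/Linux) configured -- resuming normal operations
"""

# Apache 1.3 error_log prefix; the [client ip] part only appears on request errors.
ENTRY_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?:\[client (?P<ip>[^\]]+)\] )?(?P<msg>.*)$")
# A traversal token (encoded or not) followed by a Windows shell path, the probe shape
# seen in the thread. Apache has no winnt/system32, so "File does not exist" means refused.
PROBE_RE = re.compile(
    r"(?:\.\.%5c|\.\.%2f|\.\./|\.\.\?)[^ ]*(?:winnt/system32|cmd\.exe)", re.I)


def triage(log_text):
    """Separate rejected IIS-style probes (per client IP) from a failed SIGHUP reload."""
    probes = Counter()
    failed_reloads = []      # [timestamp of the SIGHUP, full error text]
    restarted_ok = False
    pending_hup = None       # SIGHUP seen whose outcome we have not yet read
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            # Lines without a [date] prefix are the server's own output after a reload
            # attempt, e.g. the "Syntax error" / "Cannot load" pair from the thread.
            if pending_hup and line.startswith("Syntax error"):
                failed_reloads.append([pending_hup, line])
            elif pending_hup and failed_reloads and failed_reloads[-1][0] == pending_hup:
                failed_reloads[-1][1] += " " + line
            continue
        msg = m["msg"]
        if msg.startswith("File does not exist:") and PROBE_RE.search(msg):
            probes[m["ip"]] += 1
        elif "SIGHUP received" in msg:
            pending_hup = m["ts"]
        elif "resuming normal operations" in msg:
            restarted_ok, pending_hup = True, None
    return {"rejected_probes": dict(probes), "restarted_ok": restarted_ok,
            "failed_reloads": [tuple(r) for r in failed_reloads]}
```

Run it over a real error_log and a non-empty `failed_reloads` with `restarted_ok` still false tells you the outage came from the reload, not from the probes.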

 
 
 

Hack attempt

Post by Mike » Wed, 25 Dec 2002 16:30:42


I have a standard Red Hat distro updated with all Red Hat's updates. Maybe
they backported that fix. I will verify it.

Thanks for the link

Mike


> Hi,

> You've had damn luck until now, but you should update
> your OpenSSL libs and recompile mod_ssl immediately!

> Take a look here:

> http://www.openssl.org/news/secadv_20020730.txt

>> [Sun Dec 22 11:36:57 2002] [notice] Apache/1.3.27 (Unix) (Red-Hat/Linux) mod_ssl/2.8.12 OpenSSL/0.9.6b DAV/1.0.3 PHP/4.1.2 mod_perl

> Regards,

> Edin_

 
 
 

1. Apache - Attempt hack attempt?

On one of our Apache WWW servers, we have started to notice lot of
activity where people are starting to access URLs in a strange manner.

For example:

        Normal URL:
                /blah/foo/bar.html

        What they are calling:
                /blah/../foo/../foo/../foo/bar.html

This has been happening from a number of different sites (some of which
are AOL), and I assume they are attempting to hack the site in some
manner (like it is possible to do on NT WWW servers) as this goes on for
up to 5 hours from a single user, calling 1 URL per second.

Is there any way to prevent knobheads like this doing such a thing?
And what are they trying to achieve??

Thanks.
Richard

--
-----------------------------------------------------------------

Beam Software         +61-3-9866-8300 x212      ICQ Pager:1231216
-----------------------------------------------------------------
