Hello all. I am new to the list and relatively new to FreeBSD. I currently have a server running 4.8 as a dedicated server with cPanel added as a way to speed up the creation of sites and such on the server. I host only a couple of sites because I do this in my spare time and don't know enough to be a paid participant in the hosting community.

Anyway, on to the question. Last night, the server stopped responding after someone tried to gain access to what looks to be web-based printing. I am not familiar with any firewall/IDS solutions and have looked over Snort and IPFW today. I don't want to do IPFW because I don't want to recompile a kernel that works and potentially lose everything I have done so far. Here is a bit of the Apache error_log which shows the issue I am referring to:

[Sat Jan 10 01:34:04 2004] [error] [client 211.233.89.189] File does not exist: /usr/home/dbcenter/public_html/NULL.printer
[Sat Jan 10 01:34:04 2004] [error] [client 211.233.89.189] File does not exist: /usr/local/apache/htdocs/NULL.printer
[Sat Jan 10 01:34:04 2004] [error] [client 211.233.89.189] File does not exist: /usr/local/apache/htdocs/404.shtml
[Sat Jan 10 01:34:05 2004] [error] [client 211.233.89.189] File does not exist: /usr/local/apache/htdocs/NULL.printer
[Sat Jan 10 01:34:05 2004] [error] [client 211.233.89.189] File does not exist: /usr/local/apache/htdocs/404.shtml
[Sat Jan 10 01:34:05 2004] [error] [client 211.233.89.189] File does not exist: /usr/home/seekers/public_html/NULL.printer
[Sat Jan 10 01:34:05 2004] [error] [client 211.233.89.189] File does not exist: /usr/local/apache/htdocs/NULL.printer
[Sat Jan 10 01:34:05 2004] [error] [client 211.233.89.189] File does not exist: /usr/home/seekers/public_html/404.shtml
[Sat Jan 10 01:34:05 2004] [error] [client 211.233.89.189] File does not exist: /usr/local/apache/htdocs/404.shtml

I also have a few entries where they are trying to get to a command prompt and trying to do some sort of weirdness with IIS:

[Fri Jan 9 22:18:31 2004] [error] [client 67.167.253.191] File does not exist: /usr/local/apache/htdocs/scripts/nsiislog.dll
[Fri Jan 9 22:18:31 2004] [error] [client 67.167.253.191] File does not exist: /usr/local/apache/htdocs/404.shtml
[Fri Jan 9 22:18:31 2004] [error] [client 67.167.253.191] File does not exist: /usr/local/apache/htdocs/scripts/nsiislog.dll
[Fri Jan 9 22:18:31 2004] [error] [client 67.167.253.191] File does not exist: /usr/local/apache/htdocs/404.shtml
[Thu Jan 8 07:00:07 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/scripts/root.exe
[Thu Jan 8 07:00:07 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/404.shtml
[Thu Jan 8 07:00:11 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/MSADC/root.exe
[Thu Jan 8 07:00:11 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/404.shtml
[Thu Jan 8 07:00:15 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/c/winnt/system32/cmd.exe
[Thu Jan 8 07:00:15 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/404.shtml
[Thu Jan 8 07:00:19 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/d/winnt/system32/cmd.exe
[Thu Jan 8 07:00:19 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/404.shtml
[Thu Jan 8 07:00:23 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/scripts/..%5c../winnt/system32/cmd.exe
[Thu Jan 8 07:00:23 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/404.shtml
[Thu Jan 8 07:00:28 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Thu Jan 8 07:00:28 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/404.shtml
[Thu Jan 8 07:00:31 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Thu Jan 8 07:00:31 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/404.shtml
[Thu Jan 8 07:00:36 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/msadc/..%5c../..%5c../..%5c/..? ../..? ../..? ../winnt/system32/cmd.exe
[Thu Jan 8 07:00:36 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/404.shtml
[Thu Jan 8 07:00:40 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/scripts/..? ../winnt/system32/cmd.exe
[Thu Jan 8 07:00:40 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/404.shtml
[Thu Jan 8 07:00:44 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/404.shtml
[Thu Jan 8 07:00:48 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/scripts/..??../winnt/system32/cmd.exe
[Thu Jan 8 07:00:48 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/404.shtml
[Thu Jan 8 07:00:53 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/scripts/..?o../winnt/system32/cmd.exe
[Thu Jan 8 07:00:53 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/404.shtml
[Thu Jan 8 07:00:57 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/400.shtml
[Thu Jan 8 07:01:01 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/400.shtml
[Thu Jan 8 07:01:05 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/scripts/..%5c../winnt/system32/cmd.exe
[Thu Jan 8 07:01:05 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/404.shtml
[Thu Jan 8 07:01:10 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/scripts/..%2f../winnt/system32/cmd.exe
[Thu Jan 8 07:01:10 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/404.shtml

Can anyone offer me a bit of advice on how to block such IP addresses within FreeBSD and some sort of firewall-type setup that is fairly easy and quick to set up, as well as to create new filtering rules for? Thanks in advance for any help in this matter.

Also, all the missing errors like the 404, 400 and such are now cleared up. Created the pages for the errors.

David Edwards
david@deassociates.com

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.551 / Virus Database: 343 - Release Date: 12/11/2003
On Sat, 10 Jan 2004, David Edwards wrote:

> Anyway, on to the question, last night, the server stopped responding after
> someone tried to gain access to what looks to be web-based printing. I am
> not familiar with any firewall/IDS solutions and have looked over Snort and
> IPFW today. I don't want to do IPFW because I don't want to recompile a
> kernel that works and potentially lose everything I have done so far.

How about using ipfw.ko?

-- 
Best regards,
Taras Y. NIZHNIK, AKA Taren, XN7211-XTF, TYN-UANIC, TYN1-RIPE
On Sat, 10 Jan 2004, David Edwards wrote:

> Anyway, on to the question, last night, the server stopped responding
> after someone tried to gain access to what looks to be web-based
> printing. I am not familiar with any firewall/IDS solutions and have
> looked over Snort and IPFW today. I don't want to do IPFW because I
> don't want to recompile a kernel that works and potentially lose
> everything I have done so far. Here is a bit of the Apache error_log
> which shows the issue I am referring to:
>
> [Sat Jan 10 01:34:04 2004] [error] [client 211.233.89.189] File does not
> exist: /usr/home/dbcenter/public_html/NULL.printer
> [Sat Jan 10 01:34:04 2004] [error] [client 211.233.89.189] File does not
> exist: /usr/local/apache/htdocs/NULL.printer

Well, these log entries are for attempted exploits of Microsoft's IIS, and shouldn't be a problem. The error messages can safely be ignored.

However, the "server stopped responding" bit doesn't sound good. Was the web server still running (i.e., Apache processes still present)? What does "ps -alx" show? Were there any console messages regarding apache stopping, or any error messages in the Apache log about it exiting or changing states, as opposed to just file not found errors?

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert@fledge.watson.org      Senior Research Scientist, McAfee Research
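As an added example (not code from anyone in this thread), here is the mechanical part of what the original question asks for, put together with the two replies: pull the client IPs behind the IIS-only requests out of the Apache 1.3 error_log and turn them into ipfw deny rules that a module-loaded firewall (kldload ipfw, as suggested above) will accept. It assumes the error_log format shown in the thread, that ipfw.ko is already loaded, and that rule numbers from 1000 upward are free; the log lines in SAMPLE_LOG are constructed for the example. Two caveats a practitioner would want: the stock ipfw.ko on 4.x comes up with rule 65535 as "deny ip from any to any", so load it at the console and check "ipfw list" before trusting a remote session, and since Apache simply returns 404 for these probes, blocking the sources is housekeeping, not the fix for the "stopped responding" problem Robert asks about.

```shell
#!/bin/sh
# Added example, not code from this thread. Pull the client IPs behind
# IIS-only probes out of an Apache 1.3 error_log and print ipfw rules that
# drop them. Nothing here runs ipfw itself; read the output, then pipe it
# into sh. The log lines in SAMPLE_LOG are constructed.

# Paths that only exist on Microsoft IIS (the ones seen in the thread).
# A request for any of them on an Apache box is a scanner or a worm.
IIS_PROBE_RE='NULL\.printer|nsiislog\.dll|root\.exe|cmd\.exe|_vti_bin|_mem_bin|msadc'

# stdin: error_log lines. stdout: only the lines that are IIS probes.
iis_probe_lines() {
    grep -Ei "File does not exist: .*($IIS_PROBE_RE)"
}

# stdin: error_log lines. stdout: offending client IPs, one per line,
# deduplicated. The 404.shtml/400.shtml lines are Apache looking for a
# custom error page and carry no IIS path, so they are never matched.
iis_probe_ips() {
    iis_probe_lines |
    sed -E 's/.*\[client ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\].*/\1/' |
    sort -u
}

# stdin: error_log lines. $1: an IP. stdout: how many probe lines it sent.
probe_count() {
    iis_probe_lines | grep -Fc "[client $1]" || true   # grep -c exits 1 on 0 matches
}

# stdin: IPs, one per line. $1: first ipfw rule number (default 1000).
# Numbers stay below 65535 so the rules run before the module's default
# rule; "ip ... to any" drops every protocol from that host, not just 80.
ipfw_deny_rules() {
    n=${1:-1000}
    while read -r ip; do
        echo "ipfw add $n deny ip from $ip to any"
        n=$((n + 1))
    done
}

# Constructed sample: the three probing hosts from the thread plus one
# ordinary 404 (a missing favicon) that must not be blocked.
SAMPLE_LOG='[Sat Jan 10 01:34:04 2004] [error] [client 211.233.89.189] File does not exist: /usr/home/dbcenter/public_html/NULL.printer
[Sat Jan 10 01:34:04 2004] [error] [client 211.233.89.189] File does not exist: /usr/local/apache/htdocs/404.shtml
[Sat Jan 10 01:34:05 2004] [error] [client 211.233.89.189] File does not exist: /usr/home/seekers/public_html/NULL.printer
[Fri Jan 9 22:18:31 2004] [error] [client 67.167.253.191] File does not exist: /usr/local/apache/htdocs/scripts/nsiislog.dll
[Thu Jan 8 07:00:07 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/scripts/root.exe
[Thu Jan 8 07:00:15 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/c/winnt/system32/cmd.exe
[Thu Jan 8 07:00:28 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Thu Jan 8 07:00:28 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/404.shtml
[Sat Jan 10 09:12:00 2004] [error] [client 10.0.0.7] File does not exist: /usr/home/dbcenter/public_html/favicon.ico'

# Usage on a real box:  sh block_iis_probes.sh /var/log/httpd/error_log
# With no argument the constructed sample is used.
if [ -n "${1:-}" ]; then
    iis_probe_ips < "$1" | ipfw_deny_rules 1000
else
    printf '%s\n' "$SAMPLE_LOG" | iis_probe_ips | ipfw_deny_rules 1000
fi
```

Run against the sample it prints three "ipfw add" lines, one per probing host, and nothing for 10.0.0.7. Review the list before feeding it to sh: a scanner behind a large NAT or a proxy you share with real users would be blocked along with everyone behind it, and rules added with "ipfw add" do not survive a reboot unless you also put them in the script named by firewall_script in /etc/rc.conf.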