#1
They should be hanged!!!

I have changed my true domain name to avoid further hacking or cracking, etc.

To tackle this problem, and I wish to bring this up: he exploited my patience and he should be hanged. He opened 29 sessions downloading a file from my site. Freebsd, how do I stop him!!!! Why all the "nnnnnnnnnnnnnnnnnnnn"?? You have mentioned he overflowed my buffers, but that screen has no entry of data, just a display of a few logos and text. I do not believe he is using IE or Netscape; he must be using some tools, and I do not know what these tools and the counter-measures are????

Jennifer

0-0 281 0/20/20 W 0.08 5498 0 0.0 2.08 2.08 192.168.1.10 www.myserver2.com GET /server-status HTTP/1.1
1-0 282 0/10/10 _ 0.03 5 527 0.0 0.08 0.08 202.30.222.231 www.myserver2.com GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
2-0 283 0/41/41 _ 0.14 80 1 0.0 0.26 0.26 192.168.1.1 mis2.myserver2.com GET /hk-e.html HTTP/1.1
3-0 285 0/10/10 _ 0.02 47 2 0.0 0.08 0.08 192.168.1.10 www.myserver2.com GET /server-status HTTP/1.1
4-0 288 0/39/39 _ 0.10 50 1 0.0 0.31 0.31 192.168.1.1 mis2.myserver2.com GET /images/pf-2.gif HTTP/1.1
5-0 308 0/9/9 _ 0.03 2025 269 0.0 0.07 0.07 24.148.69.175 www.myserver2.com GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
6-0 309 0/20/20 _ 0.05 54 0 0.0 0.14 0.14 192.168.1.1 hotels.myserver.com GET /advertising/go-button-gateway.gif HTTP/1.1
7-0 310 0/16/16 _ 0.08 1557 68158 0.0 2.07 2.07 202.159.33.210 mis.myserver.com GET /setup.exe HTTP/1.0
8-0 311 0/11/11 _ 0.04 51 1 0.0 0.13 0.13 192.168.1.1 mis2.myserver2.com GET /images/ani001.gif HTTP/1.1
9-0 319 0/5/5 _ 0.01 53 142 0.0 0.11 0.11 192.168.1.1 hotels.myserver.com GET /smallglobenopurple.gif HTTP/1.1
10-0 - 0/0/1 . 0.02 5743 47976 0.0 0.00 0.06 61.166.53.151 mis.myserver.com GET /setup.exe HTTP/1.1
11-0 - 0/0/1 . 0.01 5741 48283 0.0 0.00 0.06 61.166.53.151 mis.myserver.com GET /setup.exe HTTP/1.1
12-0 - 0/0/2 . 0.02 5724 13143 0.0 0.00 0.06 61.166.53.151 mis.myserver.com GET /setup.exe HTTP/1.1
13-0 - 0/0/2 . 0.02 5726 12305 0.0 0.00 0.06 61.166.53.151 mis.myserver.com GET /setup.exe HTTP/1.1
14-0 - 0/0/2 . 0.01 5738 9414 0.0 0.00 0.06 61.166.53.151 mis.myserver.com GET /setup.exe HTTP/1.1
15-0 - 0/0/1 . 0.01 5775 56052 0.0 0.00 0.03 61.166.53.151 mis.myserver.com GET /setup.exe HTTP/1.1
16-0 - 0/0/2 . 0.01 5736 2250 0.0 0.00 0.06 61.166.53.151 mis.myserver.com GET /setup.exe HTTP/1.1
17-0 - 0/0/2 . 0.02 5738 2754 0.0 0.00 0.06 61.166.53.151 mis.myserver.com GET /setup.exe HTTP/1.1
18-0 - 0/0/2 . 0.01 5731 5811 0.0 0.00 0.09 61.166.53.151 mis.myserver.com GET /setup.exe HTTP/1.1
19-0 - 0/0/1 . 0.02 5747 48968 0.0 0.00 0.06 61.166.53.151 mis.myserver.com GET /setup.exe HTTP/1.1
20-0 - 0/0/1 . 0.01 5755 45311 0.0 0.00 0.03 61.166.53.151 mis.myserver.com GET /setup.exe HTTP/1.1
21-0 - 0/0/1 . 0.02 5772 52207 0.0 0.00 0.03 61.166.53.151 mis.myserver.com GET /setup.exe HTTP/1.1
22-0 - 0/0/1 . 0.01 5728 52490 0.0 0.00 0.06 61.166.53.151 mis.myserver.com GET /setup.exe HTTP/1.1
23-0 - 0/0/1 . 0.02 5738 49089 0.0 0.00 0.06 61.166.53.151 mis.myserver.com GET /setup.exe HTTP/1.1
24-0 - 0/0/2 . 0.01 5738 8962 0.0 0.00 0.06 61.166.53.151 mis.myserver.com GET /setup.exe HTTP/1.1
25-0 - 0/0/1 . 0.01 5750 56178 0.0 0.00 0.03 61.166.53.151 mis.myserver.com GET /setup.exe HTTP/1.1
26-0 - 0/0/2 . 0.02 5731 12643 0.0 0.00 0.10 61.166.53.151 mis.myserver.com GET /setup.exe HTTP/1.1
27-0 - 0/0/1 . 0.01 5767 60750 0.0 0.00 0.06 61.166.53.151 mis.myserver.com GET /setup.exe HTTP/1.1
28-0 - 0/0/1 . 0.01 5753 51209 0.0 0.00 0.03 61.166.53.151 mis.myserver.com GET /setup.exe HTTP/1.1
29-0 - 0/0/1 . 0.01 5747 42668 0.0 0.00 0.06 61.166.53.151 mis.myserver.com GET /setup.exe HTTP/1.1
30-0 - 0/0/1 . 0.01 5745 19774 0.0 0.00 0.03 61.166.53.151 mis.myserver.com GET /setup.exe HTTP/1.1
31-0 - 0/0/1 . 0.01 5752 15809 0.0 0.00 0.03 61.166.53.151 mis.myserver.com GET /setup.exe HTTP/1.1
32-0 - 0/0/1 . 0.00 5749 12786 0.0 0.00 0.03 61.166.53.151 mis.myserver.com GET /setup.exe HTTP/1.1
33-0 - 0/0/2 . 0.00 5736 2329 0.0 0.00 0.03 61.166.53.151 mis.myserver.com GET /setup.exe HTTP/1.1
34-0 - 0/0/2 . 0.00 5738 11699 0.0 0.00 0.03 61.166.53.151 mis.myserver.com GET /setup.exe HTTP/1.1
35-0 - 0/0/1 . 0.01 5746 13695 0.0 0.00 0.03 61.166.53.151 mis.myserver.com GET /setup.exe HTTP/1.1
36-0 - 0/0/1 . 0.02 5738 18592 0.0 0.00 0.03 61.166.53.151 mis.myserver.com GET /setup.exe HTTP/1.1
37-0 - 0/0/1 . 0.01 5744 5922 0.0 0.00 0.00 61.166.53.151 mis.myserver.com GET /setup.exe HTTP/1.1
38-0 - 0/0/1 . 0.00 5744 7673 0.0 0.00 0.03 61.166.53.151 mis.myserver.com GET /setup.exe HTTP/1.1
--------------------------------------------------------------------------------
Srv   Child Server number - generation
PID   OS process ID
Acc   Number of accesses this connection / this child / this slot
M     Mode of operation
CPU   CPU usage, number of seconds
SS    Seconds since beginning of most recent request
Req   Milliseconds required to process most recent request
Conn  Kilobytes transferred this connection
Child Megabytes transferred this child
Slot  Total megabytes transferred this slot

Last edited by worldtouch : August 5th, 2001 at 07:56 PM.
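The scoreboard above is easier to reason about once it is split into its two distinct patterns: the /default.ida probes (an IIS exploit that Apache simply answers with an error) and one client holding many slots for the same file at once. The following Python is an added example, not part of this post and not an Apache tool; it parses rows in exactly the layout shown and separates those two patterns. SAMPLE_ROWS is a constructed subset of the rows from the post, and the threshold `many_slots` is an assumed value.

```python
"""Summarise Apache server-status rows in the layout pasted in this thread.

Added example; not from the post and not part of Apache. SAMPLE_ROWS is a
constructed subset of the rows above, columns:
Srv PID Acc M CPU SS Req Conn Child Slot Client VHost Request
"""
import re
from collections import Counter

SAMPLE_ROWS = """\
0-0 281 0/20/20 W 0.08 5498 0 0.0 2.08 2.08 192.168.1.10 www.myserver2.com GET /server-status HTTP/1.1
1-0 282 0/10/10 _ 0.03 5 527 0.0 0.08 0.08 202.30.222.231 www.myserver2.com GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
5-0 308 0/9/9 _ 0.03 2025 269 0.0 0.07 0.07 24.148.69.175 www.myserver2.com GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
7-0 310 0/16/16 _ 0.08 1557 68158 0.0 2.07 2.07 202.159.33.210 mis.myserver.com GET /setup.exe HTTP/1.0
10-0 - 0/0/1 . 0.02 5743 47976 0.0 0.00 0.06 61.166.53.151 mis.myserver.com GET /setup.exe HTTP/1.1
11-0 - 0/0/1 . 0.01 5741 48283 0.0 0.00 0.06 61.166.53.151 mis.myserver.com GET /setup.exe HTTP/1.1
12-0 - 0/0/2 . 0.02 5724 13143 0.0 0.00 0.06 61.166.53.151 mis.myserver.com GET /setup.exe HTTP/1.1
--------------------------------------------------------------------------------
Srv Child Server number - generation
"""

# The Code Red probe as it appears in the request column: /default.ida followed
# by a long run of one filler character (N in the first variant, X in the later
# one this thread mentions). It targets IIS; on Apache it is only log noise.
CODE_RED = re.compile(r"^GET /default\.ida\?([NX])\1{20,}")


def parse_rows(text):
    """Yield one dict per scoreboard row.

    Fields 0-11 are fixed; the request line is everything from field 12 on.
    Legend lines and separators are skipped because their first field is not
    a 'server-generation' pair such as 10-0.
    """
    for line in text.splitlines():
        f = line.split()
        if len(f) < 13 or not re.fullmatch(r"\d+-\d+", f[0]):
            continue
        yield {
            "srv": f[0], "pid": f[1], "acc": f[2], "mode": f[3],
            "cpu": float(f[4]), "ss": int(f[5]), "req_ms": int(f[6]),
            "conn_kb": float(f[7]), "client": f[10], "vhost": f[11],
            "request": " ".join(f[12:]),
        }


def request_path(request):
    """'GET /setup.exe HTTP/1.1' -> '/setup.exe' (query string kept)."""
    parts = request.split()
    return parts[1] if len(parts) > 1 else request


def summarise(text, many_slots=3):
    """Return (probes, hogs).

    probes: client IPs whose current request is the Code Red probe; nothing
            to fix on Apache, just noise to rotate out of the logs.
    hogs:   {(client, path): slots} for any single client holding at least
            many_slots (assumed threshold) scoreboard slots for the same file,
            the pattern behind the 29 parallel /setup.exe downloads above.
    """
    probes = []
    slots = Counter()
    for row in parse_rows(text):
        if CODE_RED.match(row["request"]):
            probes.append(row["client"])
            continue
        slots[(row["client"], request_path(row["request"]))] += 1
    hogs = {key: n for key, n in slots.items() if n >= many_slots}
    return probes, hogs


if __name__ == "__main__":
    probes, hogs = summarise(SAMPLE_ROWS)
    print("Code Red probes from:", ", ".join(sorted(set(probes))))
    for (client, path), n in hogs.items():
        print(f"{client} holds {n} slots for {path}")
```

Run against the full dump, `summarise` lists 61.166.53.151 with 29 slots on /setup.exe and two probe sources; the former is the only item that costs bandwidth and the only one a per-IP Deny (as suggested in the next reply) will actually address.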
#2

As far as the /setup.exe goes, you can add Deny from 61.166.53.151 within the <Directory> block for your docroot.

For the /default.ida? (IIS bug), you can simply ignore those NNNNNN errors. It was just an exploit targeted at M$ IIS servers. http://www.astalavista.com/exploits/iis/buffer2.shtml

BTW, I get about 50 of those /default.ida per day, not a big deal. You can stop a particular user, but you can't stop everyone in the world from abusing this. Who should we blame? M$.

#3

hm...

Maybe there is some download manager trying to download the file through simultaneous connections... hm.. not sure.. I don't think that is the case. BTW, what will the log file show if the program tries to download fragments of the same file? Just curious, you know.. jd

__________________
d.k.jariwala (JD) ~ simple thought, simple act ~ I blog @ http://jdk.phpkid.org

#4

Can we kill a particular IP address in Apache?

Dear folks and Apache security officer of apache.org,

How can we issue a command from the root account to kill a particular IP address, other than passively denying his/her entry while rebooting the machine (Solaris IA / Linux 7.0/7.1)???????? Those 'NNNNNNN..N' are Code Red in my first posting; read the last 2 messages from the URL below: http://www.linuxnewbie.org/cgi-bin/...c&f=21&t=002181

It is important that I know how to stop (kill) a certain IP address at the system or Apache level, or just a file (Apache / system files) that lets me copy and paste all harmful people in, to deny them our services.

jennifer

<Directory "/var/apache/htdocs/www">
    Options Indexes FollowSymLinks
    AllowOverride ALL
    Order allow,deny
    Allow from all
    deny from 62.252. 61.18. 203.198. 61.132. 61.33. 61.166.
    deny from 200. 201. 202. 203. 204. 205. 206. 207. 208. 209. 210. 211.
    deny from 213.104. 194. 64.4.
    deny from 193.54.52.105 211.112.0.19 202.97.97.6 202.97.99.128
    deny from 66.72.114.139 105.52.54.193. 193.54.52.105
    deny from 168. 211.254. 64.28. 210.91. 211.75. 210.244.
    # 208.
</Directory>

#5

>> how can we issue a command at root account to kill a particular ip address other than passive deny

Don't waste any further time on this, as you alone can't fight against a million people. As I said previously, you can't tell which IP your next attacker is going to be, unless you want to shut down your Apache. We are running Apache, so that's not vulnerable at all. Just ignore those and rotate your access_log sooner than normal. I guess this kind of activity will last another 3 months or so, and it affects people not running a web server, too.

#6

Oh my god, this Code Red worm is really wasting my bandwidth and resources. My server has been getting the default.ida..... almost 100 to 200 times per day.

To waste my server resources a little further in return, and to remind the infected servers, I have come up with the following:

RewriteEngine on
RewriteRule ^default.ida.* http://%{REMOTE_ADDR}/hey_your_IIS_server_is_code_red_infected_please_follow_this_link_to_fix_it.html?http://www.eeye.com/html/Research/P...DS20010802.html [R,L]

What this does is an external redirect back to the IP address of the originating IIS server, to inform him/her to fix the Code Red infected IIS server. I hope those people check their web logs and start applying the patch immediately.

#7

Hey Jennifer,

Maybe you should check this out -> http://www.dshield.org/ since you wanted to fight back so badly.

#8

RewriteEngine on
RewriteRule ^default.ida.* http://%{REMOTE_ADDR}/hey_your_IIS_server_is_code_red_infected_please_follow_this_link_to_fix_it.html?http://www.eeye.com/html/Research/P...DS20010802.html [R,L]

It is one whole statement, with "no space" after % and after the second ?. Then restart httpd.

q1. But I still get default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX. Why??? Do they like to play such foolish games??

q2. They seem to change the pattern; can it match the "XXX..." pattern???? ^default.ida? http://........ Should we use "?" or "*"? I use "*" at the moment??? I tried "?" after ida and restarted with no error!! Then I changed it back to "*".

q3. Is there a space between "?" and http://.... in the first part?

jennifer

#9

Code Red does affect Apache in terms of bandwidth.

Add the patch as spelled out by FreeBSD; he is the expert, I am his follower.

Your internal networking is running much better, throughput is normal. Looks better!! My own ISP has sent those "NNNNNNNNNNNNNN" to me; we should fight back against these people. I have NeoTraced them. They cannot run away. Everything is well recorded. They shall face the music and they shall be punished by the law. DOES anyone receive the "message -- go to check with eeye.com ....etc..."? I wish to see their screens and how it is taking place now???? jennifer

Last edited by worldtouch : August 5th, 2001 at 08:17 PM.

#10

>> I have NeoTraced them. They cannot run away

hehe

>> It is one whole statement, with "no space" after % and after the second ?

There are a total of two lines, beginning with: 1) RewriteEngine; 2) RewriteRule. The first line is RewriteEngine on. As for the second line, there are 3 spaces. Say I use _space_ for the actual space:

RewriteRule_space_^default.ida.*_space_http://%{REMOTE_ADDR}/hey_your..._fix_it.html?http://www.eeye.com/...0802.html_space_[R,L]

Say your docroot is /www/htdocs; put the two lines within <Directory "/www/htdocs">. When someone requests default.ida?....., Apache will no longer check for the existence of default.ida on your server, because mod_rewrite takes over whenever there is such a request.

I can't imagine how bad the following rules are going to be:

RewriteEngine on
RewriteRule ^default.ida.* http://%{REMOTE_ADDR}/default.ida$1 [R,L]

Here is another example of normal practice that has nothing to do with the Code Red worm: Say I am on a box running Apache with IP 12.34.56.78. Your server has the IP 78.56.34.12. Say I request http://78.56.34.12/blah.html and this file doesn't exist on your server. Of course I would get a [404] error. However, if you put:

RewriteEngine on
RewriteRule ^(.*) http://%{REMOTE_ADDR}/$1 [R,L]

I will be redirected back to my own server with a URL of http://12.34.56.78/blah.html in my browser's location bar, which obviously will get a [404] as well. With this concept in mind, mod_rewrite will automatically redirect my request on your server back to my own server. Of course, if I am not running any web server, I would then get "http://12.34.56.78/blah.html Connection refused".

>> he is the expert, I am his follower

Don't take this too seriously, and use it at your own risk. I was just trying to see what would happen with the two rewrite lines mentioned above.

########### UPDATE ##############

I think I found out the Code Red worm doesn't check the HTTP header, so the rules won't work. In order for the redirection (external in this case) to take place, the client (Code Red worm) must respond to the HTTP header the server (my Apache) sends back to the client, then take appropriate action.

Last edited by freebsd : August 6th, 2001 at 12:48 AM.
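The UPDATE above is the key point: an external redirect is a 302 plus a Location header, and it has an effect only if the client reads the reply and acts on it. The Python below is an added example (not freebsd's code and not Apache) that models the two mod_rewrite behaviours this reply depends on, %{REMOTE_ADDR} expansion and how the query string is handled when the substitution does or does not contain a '?', and then runs the same probe through a browser-like client and a fire-and-forget client. The eEye URL is truncated in the post, so ADVISORY_URL is a labelled placeholder; the IP addresses are the constructed ones from the thread.

```python
"""Model of the Code Red 'bounce' RewriteRule discussed in this thread.

Added example, not from the posts and not Apache code. ADVISORY_URL stands
in for the eEye link that is truncated in the post; IPs are the thread's
constructed ones.
"""
import re

ADVISORY_URL = "http://advisory.example/code-red-fix.html"  # placeholder
PATTERN = re.compile(r"^default\.ida.*")  # the post's ^default.ida.* with '.' escaped
SUBSTITUTION = ("http://%{REMOTE_ADDR}/hey_your_IIS_server_is_code_red_infected"
                "_please_follow_this_link_to_fix_it.html?" + ADVISORY_URL)


def expand(substitution, remote_addr, original_query):
    """Expand %{REMOTE_ADDR} and apply mod_rewrite's query-string rule.

    A '?' in the substitution replaces the original query string (absent the
    QSA flag); a substitution without one carries the original query string
    over unchanged. The post's first rule has a '?', so the NNNN payload is
    dropped; the 'how bad' rule has none, so the payload is reflected back.
    """
    url = substitution.replace("%{REMOTE_ADDR}", remote_addr)
    if "?" not in url and original_query:
        url += "?" + original_query
    return url


def apache(request_line, remote_addr, substitution=SUBSTITUTION):
    """Per-directory rewrite as the post configures it.

    The pattern is matched against the path relative to the docroot (no
    leading slash, query string excluded), which is why both the N and the
    X variants of the probe match. A hit answers 302 + Location; a miss is
    handed on to normal file serving.
    """
    target = request_line.split()[1]
    path, _, query = target.partition("?")
    if not PATTERN.match(path.lstrip("/")):
        return {"status": "pass", "location": None}
    return {"status": 302, "location": expand(substitution, remote_addr, query)}


def browser(request_line, own_addr):
    """A client that reads the status line and follows Location."""
    resp = apache(request_line, own_addr)
    followed = [resp["location"]] if resp["status"] == 302 else []
    return resp["status"], followed


def fire_and_forget(request_line, own_addr):
    """A client that writes its request and never parses the reply, which is
    what the UPDATE describes: the 302 is produced but nothing acts on it."""
    apache(request_line, own_addr)
    return None, []


if __name__ == "__main__":
    probe = "GET /default.ida?" + "N" * 30 + " HTTP/1.0"
    print("browser  :", browser(probe, "12.34.56.78"))
    print("worm-like:", fire_and_forget(probe, "12.34.56.78"))
```

The `$1` in the post's second rule is omitted from the test below because its pattern has no capture group for it to refer to; what that rule does change is the missing '?', which makes `expand` carry the probe's query string into the Location header.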
#11

But the text "Apache" by O'Reilly, p. 168..

Put the 2 lines in the <virtual> .... </virtual>??

Will this work in the virtual part?? They are still attacking me!!! I did read the text; when I tried 3 lines and then restarted httpd, I got an error. I probed a little bit and found out it should be 2 lines. I followed your idea, not the person physically. jennifer

#12

>> put the 2 lines in the <virtual> .... </virtual>??

No. Just put them within <Directory "/your/default/docroot">. The Code Red worm doesn't do DNS lookups; it attacks randomly by IP address. Say you have 1000 vhosts; only your default host will be attacked.

>> They are still attacking me!!!

Yes, and no question about that. Read my UPDATE part to see why. Once again, the Code Red worm doesn't care what my Apache server sends; my mod_rewrite rules work if the client (i.e. a live person using a web browser) makes a request to my server.

Dev Shed Forums > System Administration > Apache Development > They should be hanged!!!