I can't believe this


emunoodle
11-17-2002, 04:13 PM
I just got my webserver (Apache) up the other night (Friday) and it looks like somebody already tried to get in. Any ideas on how to stop this from happening? And is it normal for this kind of thing to happen so soon? Any security suggestions?

66.1.153.161 - - [17/Nov/2002:01:55:35 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 288
66.1.153.161 - - [17/Nov/2002:01:55:35 -0600] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 286
66.1.153.161 - - [17/Nov/2002:01:55:35 -0600] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 296
66.1.153.161 - - [17/Nov/2002:01:55:39 -0600] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 296
66.1.153.161 - - [17/Nov/2002:01:57:15 -0600] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 327
66.1.153.161 - - [17/Nov/2002:01:57:15 -0600] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
66.1.153.161 - - [17/Nov/2002:01:57:15 -0600] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 327
66.1.153.161 - - [17/Nov/2002:01:57:16 -0600] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 343
....
66.1.153.161 - - [17/Nov/2002:04:06:21 -0600] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 293
66.1.153.161 - - [17/Nov/2002:04:06:24 -0600] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
......
66.1.153.161 - - [17/Nov/2002:19:41:16 -0600] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 296
66.1.153.161 - - [17/Nov/2002:19:41:16 -0600] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 296
66.1.153.161 - - [17/Nov/2002:19:41:17 -0600] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
66.1.153.161 - - [17/Nov/2002:19:41:17 -0600] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 327



There's more, but I decided to edit it out. The funny thing is that he thought this was a Windows box... hehehehe :D

hlrguy
11-17-2002, 04:53 PM
Firewall! Firewall! Firewall! Did I mention that you should install a firewall? Disable ALL ports except those explicitly needed. Make sure you disable Telnet, FTP (unless you want FTP, and then force FTP over SSH), rsh, etc. I would ONLY allow SSH.

Search this forum on security; there are also some GREAT NHFs on this site that tell you how to harden your system and detect hackers. For my part, I am, according to every web site I visit that tests security, invisible. Before I was invisible, I would watch for hackers (systematically scanning every port) and one quick

ping -f <hacker IP>

was enough to send them scurrying (up to 100 pings per second).

hlrguy

P.S. Had this been a person who knew this was Linux, they might have retrieved information. Have you tried, the same way the person was attempting to, to GET your /etc/passwd and /etc/shadow files? If you can, you need to harden a LOT.

janet loves bill
11-17-2002, 04:53 PM
IPTABLES can stealth your ports so they can't be seen.

emunoodle
11-17-2002, 10:21 PM
Thanks, I'll look into both of these options.

Do you think I should report these incidents to my ISP? If so, do you think they'll do anything about it?

hlrguy
11-17-2002, 10:32 PM
If your ISP's technical support is a thousand times better than mine, then you would be wasting your time. I asked what the DNS server IPs were and they said, "We don't have DNS, we support Windows." I laughed, and downloaded a newer version of kppp that can set them automatically.

hlrguy

Spoticus
11-18-2002, 04:44 PM
Have a look at this article (http://www.ecommercebase.com/article/566).
It'll help keep that garbage from filling up your log files.

monkeyboi
11-19-2002, 01:53 AM
Well, I run my home-made webserver that I wrote just for the hell of it, and when I checked my log (it does have access log support) I saw the same messages as yours...

But the thing I don't get is: what is the path they're trying to get?
e.g. GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir

Is it an exploit in WinNT or 2K?

Gantrep
11-19-2002, 02:16 AM
Right. See the above article. I've seen (not first-hand) those kinds of logs before, and I think they are Nimda/Code Red looking for a flaw in IIS. A side effect of that virus, I think, was also that it would cripple certain routers that some home DSL users had.

monkeyboi
11-19-2002, 01:19 PM
So that means an IP like
66.1.153.161 GET /scripts/..............

is infected with the virus?

erazo
11-19-2002, 02:05 PM
Originally posted by monkeyboi
So that means an IP like
66.1.153.161 GET /scripts/..............

is infected with the virus?
Yes. The server at 66.1.153.161 is definitely infected with Nimda. What's more interesting, Nimda has been around for almost a year and all site administrators should have become aware and cleaned it out by now. This webmaster has been sleeping on the job.

Nimda only infects Microsoft IIS servers. It's attempting to infect your server, but by trying to execute scripts that Apache doesn't use. So you aren't vulnerable, but the log entries are a nuisance. The article is helpful for redirecting the nuisance entries.
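To make the question in this thread concrete (what path is `/scripts/..%255c../winnt/system32/cmd.exe?/c+dir` actually asking for, and why Apache just answers 404), here is an added example that is not from the thread or from any of the posters. It decodes the request the way the vulnerable IIS decoder did: a second, "superfluous" percent-decode (`%255c` -> `%5c` -> `\`, CVE-2001-0333) and a lax two-byte UTF-8 fold that turned overlong sequences such as `%c1%1c` into `\` and `%c0%af` into `/` (CVE-2000-0884). It then resolves the result with `\` treated as a separator, which is what makes it climb out of the `/scripts` virtual directory on Windows, and labels each line. The function names, the `SAMPLE_LOG` (four lines copied from the log above plus one made-up benign request) and the 192.0.2.10 address are my own constructions.

```python
import posixpath
import re
from typing import List, Optional
from urllib.parse import unquote_to_bytes

# Apache common log format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample: the first four lines are copied from the log in this
# thread, the fifth is a made-up ordinary request for contrast.
SAMPLE_LOG = """\
66.1.153.161 - - [17/Nov/2002:01:55:35 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 288
66.1.153.161 - - [17/Nov/2002:01:57:15 -0600] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
66.1.153.161 - - [17/Nov/2002:01:57:16 -0600] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 343
66.1.153.161 - - [17/Nov/2002:04:06:21 -0600] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 293
192.0.2.10 - - [17/Nov/2002:02:10:00 -0600] "GET /index.html HTTP/1.0" 200 1234
"""


def _overlong_to_ascii(data: bytes) -> bytes:
    """Mimic the lax IIS decoder: a two-byte lead (0xC0-0xDF) followed by any
    byte is folded to the value it 'encodes' when that value is plain ASCII.
    A strict decoder rejects overlong forms and bad continuation bytes; IIS
    accepted them, so %c0%af became '/' and %c1%1c became '\\'.
    Genuine two-byte characters (value >= 0x80) are left untouched."""
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(data):
            cp = ((b & 0x1F) << 6) | (data[i + 1] & 0x3F)
            if cp < 0x80:
                out.append(cp)
                i += 2
                continue
        out.append(b)
        i += 1
    return bytes(out)


def iis_decode(raw_path: str) -> str:
    """Decode a request path the way the vulnerable IIS did: once (normal),
    a second time (the 'superfluous decode' that ran after the traversal
    check), then the overlong-UTF-8 fold. Invalid escapes pass through
    unchanged on the first pass, which is why '%%35c' still ends up as '\\'."""
    once = unquote_to_bytes(raw_path)
    twice = unquote_to_bytes(once)
    return _overlong_to_ascii(twice).decode("latin-1")


def resolve_windows(decoded_path: str) -> str:
    """Resolve '..' with both '/' and '\\' as separators, relative to the
    virtual-directory root. A leading '../' means the request climbed out of
    the web tree; on Unix '\\' is an ordinary filename byte, so nothing climbs."""
    rel = decoded_path.replace("\\", "/").lstrip("/")
    return posixpath.normpath(rel)


def classify(target: str) -> Optional[str]:
    """Verdict for one request target (path plus optional query), or None."""
    path = target.partition("?")[0]
    resolved = resolve_windows(iis_decode(path)).lower()
    if resolved.endswith("winnt/system32/cmd.exe") and resolved.startswith("../"):
        return "directory traversal to cmd.exe (Nimda / Code Red II style)"
    if resolved.endswith("/root.exe"):
        return "root.exe backdoor probe (cmd.exe copy left behind by Code Red II)"
    return None


def analyze_log(text: str) -> List[dict]:
    """One record per parseable log line: source, status, decoded path, verdict."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        records.append({
            "ip": m.group("ip"),
            "status": int(m.group("status")),
            "decoded": iis_decode(target.partition("?")[0]),
            "verdict": classify(target),
        })
    return records


if __name__ == "__main__":
    for r in analyze_log(SAMPLE_LOG):
        print(f'{r["ip"]} {r["status"]} {r["decoded"]!r} -> {r["verdict"]}')
```

The `?/c+dir` query is the argument handed to cmd.exe (`cmd.exe /c dir`), which is why a 200 on one of these lines from an IIS box would mean the worm got a directory listing back. On Apache the decoded path is `/scripts/..\../winnt/system32/cmd.exe`, a file that does not exist, hence the 404s; the one 400 is Apache refusing the malformed `%%35c` escape outright.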

lpahdoco
11-21-2002, 12:59 PM
Thanks for the link Spoticus. I like the idea of getting that s**t out of my error logs.

mXskweeb
11-21-2002, 02:54 PM
Of course the first thing to do is sit back and smile because you're running Apache, not IIS :) . Then go back to being paranoid and make sure you have Apache secured with the latest version and/or security fixes and that your httpd.conf file is tweaked to balance your serving needs with said paranoia. The above firewall and self-scanning suggestions are of course appropriate, but we already know port 80 is open and kind of need to keep it that way (assuming your intent is to host a publicly accessible site). The article linked above was cool too. The measures it suggests do not stop the attempted attacks, but they handle them better. I'll be taking those steps on my Apache box soon, as my logs are also full of IIS attacks (see point one) which I've just cleaned out manually (or ignored and let fill up) in the past.

mXskweeb
11-21-2002, 03:00 PM
A side note on the firewall subject: for a while I manually harvested the offending IPs from my logs and added them to my firewall rules with deny all, but that got old when I realized the trickle of new offenders was virtually never ending. I suppose I could have scripted the above steps, but I suck at shell scripting.
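The scripted version of what mXskweeb describes (harvest the probing IPs from the access log and feed them to the firewall), combined with the default-deny iptables policy hlrguy and janet loves bill recommend, as an added example that is not from the thread or any poster. It scores requests on strings that only make sense against IIS, so no decoding is needed; it emits the iptables commands as text rather than running them, so they can be reviewed first; and because the trickle never ends, it also emits deletions for blocks older than a week. The function names, the `SAMPLE_LOG` (three lines copied from the thread, one made-up prober at 198.51.100.7 that stays under the threshold, and one ordinary request from 192.0.2.10) and the three-hit threshold are my own choices.

```python
import re
from collections import Counter
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Set, Tuple

# Apache common log format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Request fragments that only make sense against IIS (cmd.exe / root.exe
# probes, the Code Red .ida overflow, the encoded '..\' traversal steps).
# On an Apache box every hit is a probe, so the raw request can be scored.
PROBE_RE = re.compile(r"cmd\.exe|root\.exe|default\.ida|\.\.%255c|\.\.%c1%1c", re.IGNORECASE)

# Constructed sample: three lines copied from the thread, one made-up prober
# that stays under the threshold, and one ordinary request.
SAMPLE_LOG = """\
66.1.153.161 - - [17/Nov/2002:01:55:35 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 288
66.1.153.161 - - [17/Nov/2002:01:57:15 -0600] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
66.1.153.161 - - [17/Nov/2002:19:41:17 -0600] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 327
198.51.100.7 - - [17/Nov/2002:20:02:10 -0600] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 296
192.0.2.10 - - [17/Nov/2002:21:10:00 -0600] "GET /index.html HTTP/1.0" 200 1234
"""


def parse_ts(stamp: str) -> datetime:
    """Apache's day/Mon/year:h:m:s zone timestamp as a timezone-aware datetime."""
    return datetime.strptime(stamp, TS_FMT)


def harvest(lines: Iterable[str], threshold: int = 3) -> List[Tuple[str, int, datetime]]:
    """Count probe requests per source IP; return (ip, hits, last_seen) for
    every IP with at least `threshold` hits, sorted by IP. The threshold keeps
    a single stray request from earning a firewall rule."""
    hits: Counter = Counter()
    last_seen: Dict[str, datetime] = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not PROBE_RE.search(m.group("target")):
            continue
        ip, ts = m.group("ip"), parse_ts(m.group("ts"))
        hits[ip] += 1
        if ip not in last_seen or ts > last_seen[ip]:
            last_seen[ip] = ts
    return sorted((ip, n, last_seen[ip]) for ip, n in hits.items() if n >= threshold)


def baseline_rules(allow_tcp: Iterable[int] = (22, 80)) -> List[str]:
    """Default-deny inbound policy: only loopback, replies to connections we
    opened, and the listed TCP ports (SSH and the web server) get in.
    Unsolicited packets to every other port are dropped, not rejected, which
    is the 'stealthed' behaviour port scanners report as no host at all."""
    rules = [
        "iptables -P INPUT DROP",
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]
    rules += [f"iptables -A INPUT -p tcp --dport {p} -m state --state NEW -j ACCEPT" for p in allow_tcp]
    return rules


def block_rules(offenders: Iterable[Tuple[str, int, datetime]], already_blocked: Set[str] = frozenset()) -> List[str]:
    """One DROP per new offender. -I (insert at the top) rather than -A, so the
    drop is evaluated before the port-80 ACCEPT that the baseline added."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip, _, _ in offenders if ip not in already_blocked]


def unblock_rules(blocked_at: Dict[str, datetime], now: datetime, max_age: timedelta = timedelta(days=7)) -> List[str]:
    """Expire blocks older than max_age so the chain does not grow forever.
    The rule spec must match the block rule exactly for -D to find it."""
    return [f"iptables -D INPUT -s {ip} -j DROP" for ip, t in sorted(blocked_at.items()) if now - t > max_age]


if __name__ == "__main__":
    offenders = harvest(SAMPLE_LOG.splitlines())
    for rule in baseline_rules() + block_rules(offenders):
        print(rule)
```

Run against a real log with `python3 harvest.py < /var/log/apache/access.log | sh` only after reading the printed rules; keep the previous run's offender list on disk and pass it as `already_blocked` so the same DROP is not inserted twice. Blocking by source address is sound here because the worm completes a TCP handshake before sending the GET, so the address is not spoofed, but infected hosts come and go, which is exactly why the expiry pass exists.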