Thursday, 15 March 2012

To start preventing further web attacks from proxy servers

As you may know, there are many preventative measures that stop different attacks from ever getting near your server:

-using block lists in iptables
-updating the Apache web server
-running minimal services
-using a proxy server
-keeping up to date and installing security features

but you will often find this will not prevent attacks from unlisted IPs, i.e. IPs that have not yet been added to your block list. For these you can run simple scripts that reduce the damage they can do, restricting their ability to access features of the site for the purpose of posting comments, generating backlinks and so on.

WordPress can be configured to prevent any comments being made by unregistered users.

But this might not stop the server being overloaded by bots that use unique IPs (proxies) to access the site and attempt a post, often referred to as scraping.

You can list these attempts simply by running

tail /var/log/httpd/access_log

You will see they happen every few minutes, either posting to / or registering in order to post.

Get a list of the IPs they use and create your very own block list. That's a start, and there are many block lists out there. But is this sufficient, and do we really need to block the world when we could filter it instead?

Well, I did some thinking and decided I wanted to restrict the number of server processes spawned for these nefarious purposes. For this I wrote a script, run by cron every 15 minutes or so, which checks whether there are too many server processes running; if there are, it shuts them down and restarts the server. Simple but effective, and it prevents multiple requests from overloading the machine.

But guess what: even when I shut down the server, some HTTP requests were still being served. This was another, malicious program which had launched its own server on my system.
To shut it down I removed a cron entry, deleted its files saved in the /tmp directory, and used kill -9 on the PIDs that were still running.
Then the script switches the server back on and tests to make sure my websites can be accessed. It's even got its own log file.
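The watchdog described above, as an added example written for this page rather than the post's own script. It assumes the service is called httpd and that Apache is installed as /usr/sbin/httpd or /usr/sbin/apache2; the worker limit, log path and check URL are placeholders to adjust. The counting and decision steps are separate functions so they can be fed captured ps output.

```shell
#!/bin/sh
# Added example, not the post's own script: a cron-driven httpd watchdog in the
# spirit described above. Assumptions (not from the post): the service is called
# httpd, LIMIT and LOGFILE are arbitrary defaults, CHECK_URL is a placeholder.
LIMIT="${LIMIT:-100}"                         # restart when more workers than this
LOGFILE="${LOGFILE:-/var/log/httpd-watchdog.log}"
CHECK_URL="${CHECK_URL:-http://localhost/}"   # placeholder: one of your own sites

log() { printf '%s %s\n' "$(date '+%F %T')" "$*" >>"$LOGFILE"; }

# Count Apache worker processes in `ps -elf` output read from stdin. Matching on
# the binary path rather than the word "apache" keeps the grep line itself out.
count_workers() {
    awk '$0 ~ /\/usr\/sbin\/(httpd|apache2)/ && $0 !~ /grep/ { n++ } END { print n + 0 }'
}

# Pure decision step, kept separate so it can be tested: prints "restart" or "ok".
decide() {  # $1 = worker count, $2 = limit
    if [ "$1" -gt "$2" ]; then echo restart; else echo ok; fi
}

# After a restart, confirm the site answers with a 2xx/3xx status.
site_up() {
    curl -s -o /dev/null --max-time 10 -w '%{http_code}' "$CHECK_URL" | grep -q '^[23]'
}

main() {
    workers=$(ps -elf | count_workers)
    case "$(decide "$workers" "$LIMIT")" in
    restart)
        log "workers=$workers over limit=$LIMIT, restarting httpd"
        service httpd stop
        # Anything still listening on :80 after the stop is not Apache; record it
        # for the manual check described later rather than killing it blind.
        lsof -nP -iTCP:80 -sTCP:LISTEN >>"$LOGFILE" 2>&1 || true
        service httpd start
        if site_up; then log "httpd restarted, site answers"; else log "WARNING: site not answering"; fi
        ;;
    ok) log "workers=$workers within limit=$LIMIT" ;;
    esac
}

# Run only when invoked from cron with WATCHDOG_RUN=1, e.g.
#   */15 * * * * WATCHDOG_RUN=1 /usr/local/sbin/httpd-watchdog.sh
if [ "${WATCHDOG_RUN:-0}" = "1" ]; then main; fi
```

Counting on the binary path is deliberate: as the lsof output later in the post shows, a process can call itself apache2 in ps while really being perl, so a name-based count is the weakest of the checks here and the restart is only a stopgap until the impostor is removed.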

Of course these solutions treat the symptoms and not the cause, which would need a backup and reinstall.

But seriously, who wants the hassle of doing that every time it happens?

Here is the output from lsof and ps showing the malicious program and the PIDs to be killed:

COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
perl 4628 apache cwd DIR 3,2 0 803968 /tmp/mnc (deleted)
perl 4628 apache rtd DIR 3,2 4096 2 /
perl 4628 apache txt REG 3,2 1151198 678050 /usr/bin/perl
perl 4628 apache mem REG 3,2 16270 71646 /usr/local/lib/perl5/5.13.9/i686-linux/auto/IO/IO.so
perl 4628 apache mem REG 3,2 33005 37299 /usr/local/lib/perl5/5.13.9/i686-linux/auto/Encode/Encode.so
perl 4628 apache mem REG 3,2 120725 37269 /usr/local/lib/perl5/5.13.9/i686-linux/auto/Compress/Raw/Zlib/Zlib.so
perl 4628 apache mem REG 3,2 18521 87802 /usr/local/lib/perl5/5.13.9/i686-linux/auto/File/Glob/Glob.so
perl 4628 apache mem REG 3,2 14748 71596 /usr/local/lib/perl5/5.13.9/i686-linux/auto/Fcntl/Fcntl.so
perl 4628 apache mem REG 3,2 50944 816050 /lib/libnss_files-2.3.3.so
perl 4628 apache mem REG 3,2 106892 820617 /lib/ld-2.3.3.so
perl 4628 apache mem REG 3,2 1455084 820618 /lib/tls/libc-2.3.3.so
perl 4628 apache mem REG 3,2 16708 820621 /lib/libdl-2.3.3.so
perl 4628 apache mem REG 3,2 214796 820622 /lib/tls/libm-2.3.3.so
perl 4628 apache mem REG 3,2 15688 816093 /lib/libutil-2.3.3.so
perl 4628 apache mem REG 3,2 76588 820624 /lib/libresolv-2.3.3.so
perl 4628 apache mem REG 3,2 22172 816047 /lib/libnss_dns-2.3.3.so
perl 4628 apache mem REG 3,2 22781 71614 /usr/local/lib/perl5/5.13.9/i686-linux/auto/List/Util/Util.so
perl 4628 apache mem REG 3,2 10220 71609 /usr/local/lib/perl5/5.13.9/i686-linux/auto/I18N/Langinfo/Langinfo.so
perl 4628 apache mem REG 3,2 71635 71667 /usr/local/lib/perl5/5.13.9/i686-linux/auto/Storable/Storable.so
perl 4628 apache mem REG 3,2 28408 820630 /lib/libcrypt-2.3.3.so
perl 4628 apache mem REG 3,2 28411 71636 /usr/local/lib/perl5/5.13.9/i686-linux/auto/Socket/Socket.so
perl 4628 apache mem REG 3,2 96248 820631 /lib/libnsl-2.3.3.so
perl 4628 apache mem REG 3,2 12876 87783 /usr/local/lib/perl5/5.13.9/i686-linux/auto/MIME/Base64/Base64.so
perl 4628 apache mem REG 3,2 40259136 672802 /usr/lib/locale/locale-archive
perl 4628 apache 0r CHR 1,3 887233 /dev/null
perl 4628 apache 1w FIFO 0,7 190204 pipe
perl 4628 apache 2w REG 3,2 467407320 280611 /var/log/httpd/error_log
perl 4628 apache 3u IPv6 28208 TCP *:webcache (LISTEN)
perl 4628 apache 4u IPv6 28210 TCP *:tproxy (LISTEN)
perl 4628 apache 5u IPv6 28213 TCP *:8085 (LISTEN)
perl 4628 apache 6u IPv6 28215 TCP *:http (LISTEN)
perl 4628 apache 7u IPv6 28217 TCP *:https (LISTEN)
perl 4628 apache 8r FIFO 0,7 28273 pipe
perl 4628 apache 9w FIFO 0,7 28273 pipe
perl 4628 apache 10w REG 3,2 467407320 280611 /var/log/httpd/error_log
perl 4628 apache 11w REG 3,2 109980 280612 /var/log/httpd/ssl_error_log
perl 4628 apache 12w REG 3,2 41574053 280610 /var/log/httpd/access_log
perl 4628 apache 13w REG 3,2 82395 279420 /var/log/httpd/ssl_access_log
perl 4628 apache 14w REG 3,2 96494 279421 /var/log/httpd/ssl_request_log
perl 4628 apache 15u IPv6 190196 TCP 192.168.1.36:http->rs2.justhost.com:44226 (CLOSE_WAIT)
perl 4628 apache 16u unix 0x08d40980 190197 socket
perl 4628 apache 17u IPv4 190377 TCP 192.168.1.36:33027->203.146.129.247:ircd (ESTABLISHED)
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
perl 4628 apache 6u IPv6 28215 TCP *:http (LISTEN)
perl 4628 apache 15u IPv6 190196 TCP 192.168.1.36:http->rs2.justhost.com:44226 (CLOSE_WAIT)
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
perl 4628 apache 7u IPv6 28217 TCP *:https (LISTEN)
1 S apache 4628 1 5 75 0 - 2958 - 22:35 ? 00:04:25 /usr/sbin/apache2 -k start
4 S root 5661 2767 0 75 0 - 1142 pipe_w 23:51 pts/0 00:00:00 grep apache



Here are the files placed on my server, used to spawn a server:

tmp/mnc/
tmp/mnc/text/
tmp/mnc/text/motd
tmp/mnc/text/banner
tmp/mnc/httpd
tmp/mnc/sUx.conf
tmp/mnc/Lucifer.chn
tmp/mnc/pid.Lucifer
tmp/mnc/Lucifer
tmp/mnc/language/
tmp/mnc/language/console.german.lang
tmp/mnc/language/filesys.german.lang
tmp/mnc/language/assoc.german.lang
tmp/mnc/language/bs_data.Lucifer
tmp/mnc/language/core.french.lang
tmp/mnc/language/core.german.lang
tmp/mnc/language/wire.english.lang
tmp/mnc/language/core.english.lang
tmp/mnc/language/console.english.lang
tmp/mnc/language/assoc.english.lang
tmp/mnc/language/notes.english.lang
tmp/mnc/language/filesys.english.lang
tmp/mnc/language/wire.german.lang
tmp/mnc/language/wire.french.lang
tmp/mnc/language/filesys.french.lang
tmp/mnc/language/notes.german.lang
tmp/mnc/tcl
tmp/mnc/logs/
tmp/mnc/logs/CONTENTS
tmp/mnc/scripts/
tmp/mnc/scripts/http.tcl
tmp/mnc/scripts/action.fix.tcl
tmp/mnc/scripts/ipwhois.tcl
tmp/mnc/scripts/dns.tcl
tmp/mnc/scripts/alltools.tcl
tmp/mnc/scripts/port.tcl
tmp/mnc/scripts/version.tcl
tmp/mnc/scripts/seen.tcl
tmp/mnc/scripts/sUx.tcl
tmp/mnc/Lucifer.d
tmp/mnc/run
tmp/mnc/"\001
tmp/mnc/xh
tmp/mnc/Lucifer.usr
tmp/mnc/help/
tmp/mnc/help/cmds1.help
tmp/mnc/help/cmds2.help
tmp/mnc/help/irc.help
tmp/mnc/help/channels.help
tmp/mnc/help/seen.help
tmp/mnc/help/msg/
tmp/mnc/help/msg/irc.help
tmp/mnc/help/msg/seen.help
tmp/mnc/help/msg/userinfo.help
tmp/mnc/help/msg/notes.help
tmp/mnc/help/assoc.help
tmp/mnc/help/share.help
tmp/mnc/help/console.help
tmp/mnc/help/server.help
tmp/mnc/help/userinfo.help
tmp/mnc/help/set/
tmp/mnc/help/set/ctcp.help
tmp/mnc/help/set/cmds1.help
tmp/mnc/help/set/cmds2.help
tmp/mnc/help/set/irc.help
tmp/mnc/help/set/channels.help
tmp/mnc/help/set/transfer.help
tmp/mnc/help/set/compress.help
tmp/mnc/help/set/console.help
tmp/mnc/help/set/server.help
tmp/mnc/help/set/filesys.help
tmp/mnc/help/set/notes.help
tmp/mnc/help/filesys.help
tmp/mnc/help/cmd_resolve.help
tmp/mnc/help/chaninfo.help
tmp/mnc/help/core.help
tmp/mnc/help/notes.help
tmp/mnc/Lucifer.dir
tmp/mnc/doc/
tmp/mnc/doc/man1/
tmp/mnc/doc/man1/eggdrop.1
tmp/mnc/doc/UPDATES1.6
tmp/mnc/doc/tricks
tmp/mnc/doc/settings/
tmp/mnc/doc/settings/contents
tmp/mnc/doc/settings/mod.channel
tmp/mnc/doc/settings/core.settings
tmp/mnc/doc/settings/tricks
tmp/mnc/doc/settings/mod.woobie
tmp/mnc/doc/settings/mod.transfer
tmp/mnc/doc/settings/mod.compress
tmp/mnc/doc/settings/mod.assoc
tmp/mnc/doc/settings/mod.filesys
tmp/mnc/doc/settings/mod.ctcp
tmp/mnc/doc/settings/mod.wire
tmp/mnc/doc/settings/mod.irc
tmp/mnc/doc/settings/mod.seen
tmp/mnc/doc/settings/mod.share
tmp/mnc/doc/settings/mod.console
tmp/mnc/doc/settings/mod.dns
tmp/mnc/doc/settings/mod.notes
tmp/mnc/doc/settings/mod.server
tmp/mnc/doc/settings/mod.blowfish
tmp/mnc/doc/text-substitutions.doc
tmp/mnc/doc/compiling.FAQ
tmp/mnc/doc/patch.howto
tmp/mnc/doc/CONTENTS
tmp/mnc/doc/MODULES
tmp/mnc/doc/BUG-REPORT
tmp/mnc/doc/tcl-commands.doc
tmp/mnc/doc/KNOWN-PROBLEMS
tmp/mnc/doc/html/
tmp/mnc/doc/html/app-weird.html
tmp/mnc/doc/html/app-problems.html
tmp/mnc/doc/html/starting.html
tmp/mnc/doc/html/mod-server.html
tmp/mnc/doc/html/mod-assoc.html
tmp/mnc/doc/html/mod-share.html
tmp/mnc/doc/html/app-tricks.html
tmp/mnc/doc/html/about.html
tmp/mnc/doc/html/mod-compress.html
tmp/mnc/doc/html/app-sharing.html
tmp/mnc/doc/html/features.html
tmp/mnc/doc/html/egg-core.html
tmp/mnc/doc/html/compiling.html
tmp/mnc/doc/html/bans.html
tmp/mnc/doc/html/app-textsub.html
tmp/mnc/doc/html/faqs.html
tmp/mnc/doc/html/mod-wire.html
tmp/mnc/doc/html/install.html
tmp/mnc/doc/html/sharing.html
tmp/mnc/doc/html/mod-notes.html
tmp/mnc/doc/html/mod-filesys.html
tmp/mnc/doc/html/index.html
tmp/mnc/doc/html/authors.html
tmp/mnc/doc/html/users.html
tmp/mnc/doc/html/mod-dns.html
tmp/mnc/doc/html/mod-irc.html
tmp/mnc/doc/html/party.html
tmp/mnc/doc/html/flags.html
tmp/mnc/doc/html/botnet.html
tmp/mnc/doc/html/news.html
tmp/mnc/doc/html/mod-blowfish.html
tmp/mnc/doc/html/mod-channels.html
tmp/mnc/doc/html/readme.html
tmp/mnc/doc/BOTNET
tmp/mnc/doc/eggdrop.doc
tmp/mnc/doc/UPDATES.pre1.5
tmp/mnc/doc/UPDATES1.5
tmp/mnc/Lucifer.upd
tmp/mnc/sUx
tmp/mnc/Lucifer.run
tmp/mnc/filesys/
tmp/mnc/filesys/incoming/
tmp/mnc/t3394
tmp/mnc/tmp/


This is the important bit, containing all the info you need, from lsof -p PID:

perl 4628 apache 15u IPv6 190196 TCP 192.168.1.36:http->rs2.justhost.com:44226 (CLOSE_WAIT)
perl 4628 apache 16u unix 0x08d40980 190197 socket
perl 4628 apache 17u IPv4 190377 TCP 192.168.1.36:33027->203.146.129.247:ircd (ESTABLISHED)

You can pull the PID from ps -elf with grep apache; this gets you a list of all the servers spawned and their PIDs.

Look for the one that is still there after you have issued 'service httpd stop'.
It shouldn't be there, but it is, so you had better kill it before you restart httpd.

My internal IP is 192.168.1.36

The malicious program creates TCP connections to 203.146.129.247 and rs2.justhost.com.
Neither of these connections should be there. You can look for something similar using these two commands:

ps -elf | grep apache or lsof -i tcp:80

then

lsof -p PID ( using the PID from above )

Then

kill PID

and you're done; afterwards you can restart your httpd server. Don't forget to remove any
cron entries that shouldn't be there and remove any files in the /tmp directory that also shouldn't be there.

Check /var/spool/cron/
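The hunting steps above (find what survives 'service httpd stop', inspect it with lsof -p, check cron), as an added example that is not part of the original post. It assumes a Linux /proc filesystem, a web user named "apache" and Apache installed as /usr/sbin/httpd or /usr/sbin/apache2. The key check is one the post's output makes obvious in hindsight: ps reported "/usr/sbin/apache2 -k start" while lsof showed the txt file was /usr/bin/perl and the cwd was a deleted /tmp/mnc, so the script compares what ps claims with /proc/PID/exe and /proc/PID/cwd instead of trusting the name.

```shell
#!/bin/sh
# Added example, not from the post: hunt for a process impersonating Apache after
# `service httpd stop`. Assumes a Linux /proc filesystem, the web user "apache"
# and Apache installed as /usr/sbin/httpd or /usr/sbin/apache2 (assumptions).

# Classify one process from what ps claims, what /proc/PID/exe really points to
# and its working directory. Prints the reasons it looks wrong, or nothing.
classify() {  # $1 = ps args, $2 = real executable, $3 = cwd
    claimed=$1 exe=$2 cwd=$3 why=""
    case "$claimed" in
    *httpd*|*apache2*)
        case "$exe" in
        /usr/sbin/httpd|/usr/sbin/apache2) ;;               # the genuine binary
        *) why="claims '$claimed' but executable is $exe" ;;
        esac ;;
    esac
    case "$cwd" in
    /tmp|/tmp/*|/var/tmp/*|/dev/shm/*|*'(deleted)'*)
        why="${why:+$why; }working directory $cwd" ;;
    esac
    printf '%s\n' "$why"
}

# From `lsof -p PID` output on stdin, print each TCP peer with its state and
# mark IRC ports (6667/6697, or "ircd" when lsof resolves service names).
outbound_peers() {
    awk '$5 ~ /^IPv[46]$/ {
        for (i = 1; i <= NF; i++) if ($i ~ /->/) {
            split($i, a, "->")
            mark = (a[2] ~ /:(6667|6697|ircd)$/) ? " <- IRC port" : ""
            print a[2] " " $NF mark
        }
    }'
}

hunt() {
    # 1. every process still owned by the web user, checked against /proc
    for pid in $(pgrep -u apache || true); do
        claimed=$(ps -o args= -p "$pid" || true)
        exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')
        cwd=$(readlink "/proc/$pid/cwd" 2>/dev/null || echo '?')
        why=$(classify "$claimed" "$exe" "$cwd")
        if [ -n "$why" ]; then
            printf 'PID %s: %s\n' "$pid" "$why"
            lsof -p "$pid" 2>/dev/null | outbound_peers
        fi
    done
    # 2. anything still bound to the web ports after the stop is not Apache
    lsof -nP -iTCP:80 -iTCP:443 -sTCP:LISTEN 2>/dev/null || true
    # 3. cron entries that could respawn it
    ls -l /var/spool/cron/ 2>/dev/null || true
    crontab -u apache -l 2>/dev/null || true
}

# Run as root after `service httpd stop`:  HUNT_RUN=1 ./hunt.sh
if [ "${HUNT_RUN:-0}" = "1" ]; then hunt; fi
```

Once a PID is flagged, the post's own sequence applies: lsof -p PID to see what it holds open, kill PID, then remove the cron entry and the /tmp files before starting httpd again, otherwise cron simply respawns it.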

You can block all the proxy servers listed by doing a grep on the /var/log/httpd/access_log

To block an IP or a CIDR range, use the following commands with the malicious IP from above:

203.146.129.247

iptables -A INPUT -s 203.146.129.247 -j DROP
iptables -A OUTPUT -d 203.146.129.247 -j DROP
iptables-save

Note that iptables-save on its own only prints the current rules to standard output; to keep them across a reboot, redirect that output to the rules file your distribution loads at boot (/etc/sysconfig/iptables on Red Hat-style systems, which is where a /var/log/httpd layout like this one usually comes from).
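Building the block list from access_log, as an added example that is not part of the original post. It assumes (the post does not say) that the bots hit WordPress's comment and registration endpoints, wp-comments-post.php and wp-login.php, and that the log is in Apache's common or combined format; the sample lines are constructed with documentation addresses. It generates the same two iptables rules as above for every IP over a threshold, and refuses to emit rules for loopback or private ranges so that a mistake cannot cut off your own LAN address (192.168.1.36 in the post).

```shell
#!/bin/sh
# Added example, not the post's own: build a block list from access_log. It
# assumes (not stated in the post) that the bots hit WordPress's comment and
# registration endpoints, wp-comments-post.php and wp-login.php, and that the
# log is in Apache's common/combined format.

# Read log lines from stdin; print each client IP that POSTed to a comment or
# registration URL at least $1 times. In common log format the request method
# is field 6 (with its opening quote) and the URL is field 7.
suspect_ips() {  # $1 = minimum number of such POSTs
    awk -v min="$1" '
        $6 == "\"POST" && $7 ~ /^\/(wp-comments-post\.php|wp-login\.php)/ { n[$1]++ }
        END { for (ip in n) if (n[ip] >= min) print ip }
    ' | sort
}

# Turn one IP per line into iptables commands (printed, not executed) mirroring
# the two rules above. Addresses you could lock yourself out with are skipped.
block_rules() {
    while IFS= read -r ip; do
        case "$ip" in
        ''|127.*|10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*|169.254.*) continue ;;
        esac
        printf 'iptables -A INPUT -s %s -j DROP\n' "$ip"
        printf 'iptables -A OUTPUT -d %s -j DROP\n' "$ip"
    done
}

# Constructed sample log lines (documentation addresses, not real attackers).
SAMPLE_LOG='203.0.113.7 - - [15/Mar/2012:10:01:02 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"
203.0.113.7 - - [15/Mar/2012:10:04:11 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"
203.0.113.7 - - [15/Mar/2012:10:07:45 +0000] "POST /wp-login.php?action=register HTTP/1.1" 200 1843 "-" "Mozilla/4.0"
198.51.100.23 - - [15/Mar/2012:10:08:00 +0000] "GET /index.php HTTP/1.1" 200 9231 "-" "Mozilla/5.0"
198.51.100.23 - - [15/Mar/2012:10:08:30 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [15/Mar/2012:10:09:00 +0000] "POST /wp-login.php?action=register HTTP/1.1" 200 1843 "-" "-"
192.0.2.44 - - [15/Mar/2012:10:12:00 +0000] "POST /wp-login.php?action=register HTTP/1.1" 200 1843 "-" "-"'

# Demo on the sample. Against the real log, review the output before piping it
# to sh:  tail -n 50000 /var/log/httpd/access_log | suspect_ips 5 | block_rules
printf '%s\n' "$SAMPLE_LOG" | suspect_ips 2 | block_rules
```

The rules are printed rather than applied so you can read the list first; the threshold is the knob that separates a bot retrying every few minutes from a legitimate user who posted twice.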

Happy hunting.
