topic Re: am I being hacked? in Operating System - Linux

am I being hacked?

Rick Garland — Mon, 12 Jan 2004 11:53:16 GMT

Got RH Linux AS 2.1 and am running Apache 1.3 as a web server on the system.

I am getting the following listings from the logwatch application (see snippet below). Is this trouble? I do have port 80 open in the ipchains so the web connection can be accomplished.

As far as I know there should be no way to connect to a command line from http or https protocols. Has this changed? Or am I wrong?

Many thanks!

============================================================
Accepted packets from h24-87-195-143.vc.shawcable.net (24.87.195.143).
Port http (tcp,eth0,input): 6 packet(s).
Total of 6 packet(s).

Accepted packets from crawler14.googlebot.com (64.68.82.168).
Port http (tcp,eth0,input): 2 packet(s).
Total of 2 packet(s).

Accepted packets from h24-108-240-54.gv.shawcable.net (24.108.240.54).
Port http (tcp,eth0,input): 1 packet(s).
Total of 1 packet(s).

Accepted packets from cpe002078cd2acf-cm014120006580.cpe.net.cable.rogers.com (24.157.154.174).
Port http (tcp,eth0,input): 1 packet(s).
Total of 1 packet(s).

Accepted packets from c-24-8-74-89.client.comcast.net (24.8.74.89).
Port http (tcp,eth0,input): 8 packet(s).
Total of 8 packet(s).

Accepted packets from drone7.sv.av.com (216.39.50.156).
Port http (tcp,eth0,input): 2 packet(s).
Total of 2 packet(s).

Re: am I being hacked?

Steven E. Protter — Mon, 12 Jan 2004 12:13:06 GMT

This concerns me a bit.

What you should see in your apache access log is the google and other search engine bots logging on and trying to collect data on your public web sites.

If you don't intend public access to these sites, I'd be very concerned and consider closing port 80 to the ourside world in iptables firewall.

If you do allow public access to the websites in any way, then this stuff is normal. Google wants to know all about everything and its going to hit public websites for information on a regular basis.

Does this help?

I can dive deeper.

SEP

Re: am I being hacked?

Rick Garland — Mon, 12 Jan 2004 13:25:25 GMT

Hi SEP:

I see the googlebot and understand the purpose of the *bot searches (I don't like them though)
but not all of the entries are from *bot searches.

I also found a couple of entries stating the "ACCEPTED packets for port https" as well.

My concern is that a hole (or holes) has been found in the apache http & https. Now it appears it is being exploited.

Any other thoughts...

Re: am I being hacked?

Steven E. Protter — Mon, 12 Jan 2004 13:40:55 GMT

Rick,

I share your concerns.

I am still running one apache 1.3.x web server fully patched.

I'm running through the documentation and reports at http://www.apache.org, trying to find something on this.

I'd say contact Berlene Herren at HP, but HP doesn't support that version of apache any more.

For now consider this:
Block the source ip of the exploited inquirires. Here is a thread that shows how to do it.

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=364287

SEP

Re: am I being hacked?

Rick Garland — Mon, 12 Jan 2004 13:50:42 GMT

This entry is in the IP tables for access - this is a public webserver.

Initially there were not any ACCEPTED packets from http, this while the webserver running on port 80.

Now I am getting these entries.

I have not made any changes to the IPTABLES but I'm trying to find out why all of the sudden I am getting these ACCEPTED packets.

Re: am I being hacked?

Martin P.J. Zinser — Mon, 12 Jan 2004 18:48:42 GMT

Hello Rick,

if you do not like the bots crawling your server setup a robots.txt exclusion file. At least the well behaved bots honor the directives in there.

Greetings, Martin

Re: am I being hacked?

U.SivaKumar_2 — Mon, 12 Jan 2004 23:36:23 GMT

Hi,

To determine whether this is exploit traffic , I want the apache logs access_log) for these source IP addresses.

regards,

U.SivaKumar.