
Re: am I being hacked?

 
Rick Garland
Honored Contributor

am I being hacked?

Got RH Linux AS 2.1 and am running Apache 1.3 as a web server on the system.

I am getting the following listings from the logwatch application (see snippet below). Is this trouble? I do have port 80 open in the ipchains so the web connection can be accomplished.

As far as I know there should be no way to connect to a command line from http or https protocols. Has this changed? Or am I wrong?

Many thanks!

============================================================
Accepted packets from h24-87-195-143.vc.shawcable.net (24.87.195.143).
Port http (tcp,eth0,input): 6 packet(s).
Total of 6 packet(s).

Accepted packets from crawler14.googlebot.com (64.68.82.168).
Port http (tcp,eth0,input): 2 packet(s).
Total of 2 packet(s).

Accepted packets from h24-108-240-54.gv.shawcable.net (24.108.240.54).
Port http (tcp,eth0,input): 1 packet(s).
Total of 1 packet(s).

Accepted packets from cpe002078cd2acf-cm014120006580.cpe.net.cable.rogers.com (24.157.154.174).
Port http (tcp,eth0,input): 1 packet(s).
Total of 1 packet(s).

Accepted packets from c-24-8-74-89.client.comcast.net (24.8.74.89).
Port http (tcp,eth0,input): 8 packet(s).
Total of 8 packet(s).

Accepted packets from drone7.sv.av.com (216.39.50.156).
Port http (tcp,eth0,input): 2 packet(s).
Total of 2 packet(s).
Steven E. Protter
Exalted Contributor
Solution

Re: am I being hacked?

This concerns me a bit.

What you should see in your apache access log is the google and other search engine bots logging on and trying to collect data on your public web sites.

If you don't intend public access to these sites, I'd be very concerned and consider closing port 80 to the outside world in iptables firewall.

If you do allow public access to the websites in any way, then this stuff is normal. Google wants to know all about everything and it's going to hit public websites for information on a regular basis.

Does this help?

I can dive deeper.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Rick Garland
Honored Contributor

Re: am I being hacked?

Hi SEP:

I see the googlebot and understand the purpose of the *bot searches (I don't like them though)
but not all of the entries are from *bot searches.

I also found a couple of entries stating the "ACCEPTED packets for port https" as well.

My concern is that a hole (or holes) has been found in the apache http & https. Now it appears it is being exploited.

Any other thoughts...
Steven E. Protter
Exalted Contributor

Re: am I being hacked?

Rick,

I share your concerns.

I am still running one apache 1.3.x web server fully patched.

I'm running through the documentation and reports at http://www.apache.org, trying to find something on this.

I'd say contact Berlene Herren at HP, but HP doesn't support that version of apache any more.

For now consider this:
Block the source IP of the exploited inquiries. Here is a thread that shows how to do it.

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=364287

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Rick Garland
Honored Contributor

Re: am I being hacked?

This entry is in the IP tables for access - this is a public webserver.

Initially there were not any ACCEPTED packets from http, this while the webserver was running on port 80.

Now I am getting these entries.

I have not made any changes to the IPTABLES but I'm trying to find out why all of a sudden I am getting these ACCEPTED packets.
Martin P.J. Zinser
Honored Contributor

Re: am I being hacked?

Hello Rick,

if you do not like the bots crawling your server, set up a robots.txt exclusion file. At least the well behaved bots honor the directives in there.

Greetings, Martin
U.SivaKumar_2
Honored Contributor

Re: am I being hacked?

Hi,

To determine whether this is exploit traffic, I want the apache logs (access_log) for these source IP addresses.

regards,

U.SivaKumar.


Innovations are made when conventions are broken
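
One way to pull the access_log entries asked for in the last reply, as an added example that is not part of the thread: it reads the source IPs out of the logwatch report and summarises what each one requested from Apache. It assumes access_log is in Common Log Format and records client IPs rather than hostnames; the function names, the "review" heuristic and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# logwatch section header, as in the report quoted in the first post
LOGWATCH_RE = re.compile(r"^Accepted packets from \S+ \((\d{1,3}(?:\.\d{1,3}){3})\)\.")
# Apache Common Log Format: host ident user [time] "request" status bytes
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "([^"]*)" (\d{3}) (\S+)')

def logwatch_ips(report):
    """Return the source IPs named in 'Accepted packets from' lines."""
    return [m.group(1) for line in report.splitlines()
            if (m := LOGWATCH_RE.match(line.strip()))]

def triage(access_log, ips):
    """Per source IP: hit count, status codes, and requests worth reading.
    'Worth reading' is an assumed heuristic: anything that is not a
    GET/HEAD answered with 2xx/3xx, plus lines that fail to parse.
    """
    out = {ip: {"hits": 0, "statuses": defaultdict(int), "review": []} for ip in ips}
    for line in access_log.splitlines():
        m = CLF_RE.match(line)
        host = m.group(1) if m else line.split(" ", 1)[0]
        if host not in out:
            continue
        entry = out[host]
        entry["hits"] += 1
        if not m:
            entry["review"].append(line)
            continue
        request, status = m.group(2), int(m.group(3))
        entry["statuses"][status] += 1
        method = request.split(" ", 1)[0]
        if method not in ("GET", "HEAD") or status >= 400:
            entry["review"].append(request + " -> " + str(status))
    return out

# Constructed samples: IPs from the report above; log lines are invented.
REPORT = """Accepted packets from crawler14.googlebot.com (64.68.82.168).
Port http (tcp,eth0,input): 2 packet(s).
Accepted packets from c-24-8-74-89.client.comcast.net (24.8.74.89).
Port http (tcp,eth0,input): 8 packet(s)."""
ACCESS_LOG = """64.68.82.168 - - [01/Jan/2004:10:00:00 -0500] "GET /robots.txt HTTP/1.0" 404 210
64.68.82.168 - - [01/Jan/2004:10:00:01 -0500] "GET / HTTP/1.0" 200 1043
24.8.74.89 - - [01/Jan/2004:10:05:00 -0500] "GET /index.html HTTP/1.1" 200 1043
10.0.0.5 - - [01/Jan/2004:10:06:00 -0500] "GET / HTTP/1.1" 200 1043"""

if __name__ == "__main__":
    for ip, e in triage(ACCESS_LOG, logwatch_ips(REPORT)).items():
        print(ip, e["hits"], dict(e["statuses"]), e["review"])
```

An IP that shows only ordinary GET requests answered with 200 or 304 is behaving like a browser or crawler; the "review" list is where to start reading for anything else.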