
Apache Hack on port 80

 
SOLVED
Go to solution
Nobody's Hero
Valued Contributor

Apache Hack on port 80

I was reading a previous post on hacks on port 80 and to scan the access log for suspicious activity. I am not sure what I should be looking for that would qualify the entry as suspicious. I would like to write a script but I don't know what I am looking for. Any ideas?

RPM
UNIX IS GOOD
Nobody's Hero
Valued Contributor

Re: Apache Hack on port 80

I see that access_log starts with an IP address. Should I be looking for IPs that are outside my network?
UNIX IS GOOD
F.J.Llorente Wayfarer
Frequent Advisor

Re: Apache Hack on port 80

Hi!

That's right if you're using your Apache server only to serve your intranet. If your server is a public one, that does not make any sense... ;-)

If you're serving only your intranet, it'd be a good idea to configure your firewall to filter out all the incoming traffic to port 80.

My two cents...

-- Wayfarer
A patch a day keeps problems away
Mark Grant
Honored Contributor

Re: Apache Hack on port 80

Robert,

Apart from the IP address point you raise above, hacks against web servers tend to be pretty obvious when you find them. They tend to attempt to run things (usually ending in .exe) that have failed. Failing that, they will contain a URL that doesn't make sense or contains perl/shell or possibly even very large, ugly looking numbers, but usually something fairly obvious like that.

Never precede any demonstration with anything more predictive than "watch this"
Steven E. Protter
Exalted Contributor

Re: Apache Hack on port 80

You need to be careful about innocuous search engine stuff versus real attacks. A lot of search engines will assume you are running a Microsoft server and run programs they expect to find.

This will show up in error logs and can be ignored. Hack attacks will create files, gain access and start changing things.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Vernon Brown_4
Trusted Contributor
Solution

Re: Apache Hack on port 80

I see many attempts to compromise Windows servers such as a URI "GET /system32/cmd.exe"

You can find them by:

grep cmd.exe /var/log/httpd/access_log
or
grep SEARCH./ /var/log/httpd/access_log
Replace the path to access_log with whatever you're using.

You'll know the buffer overflow attempts when you see them because they can be more than 32,000 characters long.

Martin P.J. Zinser
Honored Contributor

Re: Apache Hack on port 80

Hi,

other typical hack attempts include:

GET /_vti_bin/....
GET /_mem_bin/....
GET /scripts/root.exe....
GET /MSADC/root.exe....
GET /default.ida.....
GET /sumthin....
GET /scripts/nsiislog.dll

Greetings, Martin
frankb_1
Occasional Advisor

Re: Apache Hack on port 80

If you want automated reports, install snort. You can configure snort to only show you possible web services alerts. There is also a web console available called ACID which shows you the snort reports in detail very easily.

Otherwise, if you don't want to use snort, check also for possible "external include" hacks. If you find URLs ending with "=http://xyz.dyndns.org/hack.cgi" or something like that, check if the accessed file allows external includes.

The other comments from authors above are also important to check. If you see a lot of "x03x73x82x03x73" in your access_log there are possible intrusions going on.
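Putting the patterns from Vernon's, Martin's and frankb's replies into one script, as an added example (not code from the thread): it tags each suspicious access_log line with a reason instead of running a separate grep per pattern. It assumes Common Log Format with one request per line, and the log it scans is constructed here for the demo, not real traffic; the 1000-character threshold is an assumption as well (real overflow probes, as Vernon notes, run to tens of thousands of characters).

```shell
#!/bin/sh
# Added example (not from the thread): tag suspicious Apache access_log
# lines with a reason, using the patterns described in the replies above
# (Windows executables, IIS probes, SEARCH requests, remote includes,
# over-long requests, escaped binary). Assumes Common Log Format.

# scan_access_log FILE [MAXLEN]
# Prints "reason<TAB>line" for each suspicious line; clean lines print nothing.
scan_access_log() {
    file="$1"
    maxlen="${2:-1000}"   # constructed threshold; real overflow probes are far longer
    awk -v maxlen="$maxlen" '
    {
        reason = ""
        split($0, q, "\"")          # request string sits inside the first pair of quotes
        req = q[2]
        if (length($0) > maxlen) reason = "long-request"
        else if (req ~ /(cmd|root)\.exe/) reason = "win-exec"
        else if (req ~ /_vti_bin|_mem_bin|MSADC|default\.ida|nsiislog\.dll/) reason = "iis-probe"
        else if (req ~ /^SEARCH /) reason = "webdav-search"
        else if (req ~ /=https?:\/\//) reason = "remote-include"
        else if (req ~ /\\x[0-9a-fA-F][0-9a-fA-F]\\x[0-9a-fA-F][0-9a-fA-F]/) reason = "hex-garbage"
        if (reason != "") printf "%s\t%s\n", reason, $0
    }' "$file"
}

# count_suspicious FILE -> number of flagged lines as a bare integer
count_suspicious() {
    scan_access_log "$1" | awk 'END { print NR }'
}

# make_sample_log FILE: writes a constructed log (not real traffic) for the demo.
make_sample_log() {
    cat > "$1" <<'EOF'
192.0.2.10 - - [01/Mar/2005:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 1043
192.0.2.11 - - [01/Mar/2005:10:00:01 +0000] "GET /system32/cmd.exe HTTP/1.0" 404 290
192.0.2.12 - - [01/Mar/2005:10:00:02 +0000] "GET /scripts/root.exe HTTP/1.0" 404 290
192.0.2.13 - - [01/Mar/2005:10:00:03 +0000] "GET /default.ida HTTP/1.0" 404 290
192.0.2.14 - - [01/Mar/2005:10:00:04 +0000] "SEARCH / HTTP/1.1" 411 0
192.0.2.15 - - [01/Mar/2005:10:00:05 +0000] "GET /page.php?inc=http://example.invalid/x.cgi HTTP/1.0" 200 512
192.0.2.16 - - [01/Mar/2005:10:00:06 +0000] "GET /\x03\x73\x82\x03\x73 HTTP/1.0" 400 0
EOF
    # One over-long request line, generated rather than typed out.
    awk 'BEGIN { printf "192.0.2.17 - - [01/Mar/2005:10:00:07 +0000] \"GET /"; for (i = 0; i < 1200; i++) printf "A"; print " HTTP/1.0\" 414 0" }' >> "$1"
}

# Stand-alone demo: build the constructed log, scan it, clean up.
sample=$(mktemp)
make_sample_log "$sample"
scan_access_log "$sample"
rm -f "$sample"
```

Run it against your own log with `scan_access_log /var/log/httpd/access_log`; the reason column makes it easy to sort out the Windows-only probes Steven and Florian say can be ignored from the remote-include and over-long requests that matter on an Apache host.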
lowster
Honored Contributor

Re: Apache Hack on port 80

I don't think it really helps either when your member profile comes up on google does it, because yours is Robert.
Nobody's Hero
Valued Contributor

Re: Apache Hack on port 80

Can you explain in more detail what you are saying? I have no idea what you mean.


Thanks
UNIX IS GOOD
Nobody's Hero
Valued Contributor

Re: Apache Hack on port 80

Christopher, I don't understand your point.

Your profile is accessible via google also. So what is the point?
UNIX IS GOOD
lowster
Honored Contributor

Re: Apache Hack on port 80

"I don't think it really helps either when your member profile comes up on google does it? because yours is Robert".
Sorry, I meant it to be a question, not a point.

Thanks,
Chris.
Florian Heigl (new acc)
Honored Contributor

Re: Apache Hack on port 80

You don't really need to worry about attacks intended for windows servers, of course.

You should watch out for people trying to POST things to Your server, i.e. to /tmp or shared memory, especially if the server is not chrooted. (Failed) buffer overflow attacks appear as very long strings of garbage in the access.log. You should be aware that a successful attack will include removing its traces. :)

The best point for learning about possible angles of attack would be apache-specific mailing lists where You can get some insight from people that survived attacks.

For the very least, I always try to
- mount $TMPDIR (usually /tmp) noexec,nosuid,nodev
- chroot apache
- run apache on port 8080 only and ipforward 80->8080 (this means no part of apache has root permissions left)
- of course run the most current apache version (2.0.53 today)
- have another non-apache webserver at hand in case there are unresolvable problems.
yesterday I stood at the edge. Today I'm one step ahead.
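An added example (not from the thread) that checks two of the items in Florian's list: that the tmp filesystem is mounted noexec,nosuid,nodev, and that Apache listens only on unprivileged ports and does not run as root. It assumes Linux-style /proc/mounts lines and an httpd.conf using Listen and User directives; the mount table and config fragments below are constructed for the demo. The 80->8080 forward is shown only as a comment, since the exact command depends on the platform's packet filter.

```shell
#!/bin/sh
# Added example (not from the thread): audit a host against the hardening
# list above. Assumes /proc/mounts format and Apache Listen/User directives;
# all sample inputs are constructed.

# tmp_mount_hardened MOUNTS_TEXT MOUNTPOINT
# Returns 0 when MOUNTPOINT appears in MOUNTS_TEXT with noexec, nosuid and nodev.
tmp_mount_hardened() {
    opts=$(printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { print $4 }')
    [ -n "$opts" ] || return 1          # not a separate mount at all
    for want in noexec nosuid nodev; do
        case ",$opts," in
            *",$want,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# apache_unprivileged HTTPD_CONF_TEXT
# Returns 0 when every Listen port is >= 1024 and User is not root,
# i.e. the server can be started without any root privileges at all.
apache_unprivileged() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ { next }                                   # skip comments
        $1 == "Listen" { p = $2; sub(/.*:/, "", p); if (p + 0 < 1024) bad = 1 }
        $1 == "User"   { if ($2 == "root") bad = 1 }
        END { exit bad ? 1 : 0 }'
}

# With Apache on 8080, port 80 is reached through a redirect in the packet
# filter. On Linux that is a NAT rule (assumption, not part of the thread):
#   iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080

# Constructed sample inputs for the demo.
SAMPLE_MOUNTS='rootfs / rootfs rw 0 0
/dev/sda2 /tmp ext3 rw,noexec,nosuid,nodev 0 0
/dev/sda3 /var ext3 rw 0 0'

SAMPLE_CONF_GOOD='# constructed httpd.conf fragment
Listen 0.0.0.0:8080
User www
Group www'

SAMPLE_CONF_BAD='Listen 80
User root'

# Stand-alone demo: report each check.
tmp_mount_hardened "$SAMPLE_MOUNTS" /tmp && echo "/tmp: noexec,nosuid,nodev ok" || echo "/tmp: NOT hardened"
tmp_mount_hardened "$SAMPLE_MOUNTS" /var && echo "/var: hardened" || echo "/var: NOT hardened (expected for this sample)"
apache_unprivileged "$SAMPLE_CONF_GOOD" && echo "good conf: unprivileged" || echo "good conf: needs root"
apache_unprivileged "$SAMPLE_CONF_BAD"  && echo "bad conf: unprivileged"  || echo "bad conf: needs root (expected for this sample)"
```

On a live host, feed it `"$(cat /proc/mounts)"` and `"$(cat /etc/httpd/conf/httpd.conf)"` instead of the samples.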
Paul Cross_1
Respected Contributor

Re: Apache Hack on port 80

This will all depend on how your network is set up, but if you are on a private network serving an intranet with a firewall between you and the outside world, there is little point in scanning for external IP numbers. All attacks have to come through your firewall, and will show up accordingly. Check your firewall logs for such attacks.