I have been attacked and don't know why.

gonk
Posts: 93
Joined: 30 May 2012, 01:53

Re: I have been attacked and don't know why.

Post by gonk » 13 Nov 2013, 09:22

Ubi wrote:In that case, the log files on the DNS server can tell us who that is =)
I have all the IP addresses of where the attacks originated from, but it is likely that those are just random machines that were already hacked and not the attacker's.

Gordon
Posts: 1378
Joined: 10 Aug 2011, 03:18

Re: I have been attacked and don't know why.

Post by Gordon » 13 Nov 2013, 11:04

Ubi wrote:In that case, the log files on the DNS server can tell us who that is =)
It might, but it won't. Because if they had a list of DNS names in the same domain there wouldn't be any reason not to use these names. And they don't, because all these connections target my default host and not the named host I have for the myownb3 domain.

Gordon
Posts: 1378
Joined: 10 Aug 2011, 03:18

Re: I have been attacked and don't know why.

Post by Gordon » 13 Nov 2013, 11:11

gonk wrote:
Ubi wrote:In that case, the log files on the DNS server can tell us who that is =)
I have all the IP addresses of where the attacks originated from, but it is likely that those are just random machines that were already hacked and not the attacker's.
That remains the question. I caught an attempt just two days ago and it only requested an echo. I'm currently waiting for the next attempt to see what happens if I return that echo.

Ubi
Posts: 1547
Joined: 17 Jul 2007, 09:01

Re: I have been attacked and don't know why.

Post by Ubi » 13 Nov 2013, 11:48

:shock:

It is your assumption that the attacker may specifically target B23s. Assuming this attacker does not sweep the entire internet, some intelligence is involved to make the attack more efficient. The myownb3.net domains are the only repository that holds a reliable list of B23s. As this zone does not allow zone transfers and it is not compromised, the only way to retrieve it is via dictionary requests. Hence the log files tell you where to go (assuming the lookup is not spoofed).

Gordon
Posts: 1378
Joined: 10 Aug 2011, 03:18

Re: I have been attacked and don't know why.

Post by Gordon » 13 Nov 2013, 12:12

Ubi,

I'm somewhat anxious to whom you are addressing that last post. :?:

As said, I do not believe that these attacks are specifically targeting B2/B3 machines. It is also not said that there is one single source for these attacks, and some of you may even have been compromised by multiple attackers that each injected their own bits of code. The only thing we do know is the door they enter through, and to that extent I stated: they do not use DNS names while doing so.

Ubi
Posts: 1547
Joined: 17 Jul 2007, 09:01

Re: I have been attacked and don't know why.

Post by Ubi » 13 Nov 2013, 13:33

To be honest, this thread is going on for so long I can't remember who was advocating that this was a B23-specific attack. Let's agree then that it is not, but then how did that root passwd get altered?

Gordon
Posts: 1378
Joined: 10 Aug 2011, 03:18

Re: I have been attacked and don't know why.

Post by Gordon » 13 Nov 2013, 14:17

Ubi wrote:To be honest, this thread is going on for so long I can't remember who was advocating that this was a B23-specific attack. Let's agree then that it is not, but then how did that root passwd get altered?
The tactical answer is: unknown.

But it was a default password and I suppose the list of default passwords isn't really that long: <empty>, root, admin, super, master, <manufacturer of Linux operated device>, that kind of sums it up. Also, the standard password is all lowercase characters so it may just as well have been a dictionary thing. We found two processes called sysprotect (or the likes) that were started by www-data and had used over 600 hours of CPU time each, but again we don't know what these processes were actually doing. There was a cron entry for /tmp/update but there was no such file. So who deleted that file?

Puma
Posts: 228
Joined: 29 Sep 2008, 06:30

Re: I have been attacked and don't know why.

Post by Puma » 13 Nov 2013, 14:27

I am still under attack with different IP addresses, so an IP rule will probably not work.
How can I stop this? I do not want to shut down my B3.

I did run Ubi's codes for abandon access, www-data cronjobs and Excito's update.

See log:

Code:

[Mon Nov 11 00:49:28 2013] [error] [client 78.111.93.107] Invalid URI in request GET <title>phpMyAdmin HTTP/1.1
[Mon Nov 11 00:49:28 2013] [error] [client 78.111.93.107] File does not exist: /home/web/phpmyadmin
[Mon Nov 11 00:49:28 2013] [error] [client 78.111.93.107] File does not exist: /home/web/phpMyAdmin
[Mon Nov 11 00:49:29 2013] [error] [client 78.111.93.107] File does not exist: /home/web/PMA
[Mon Nov 11 00:49:29 2013] [error] [client 78.111.93.107] File does not exist: /home/web/pma
[Mon Nov 11 00:49:29 2013] [error] [client 78.111.93.107] File does not exist: /home/web/dbadmin
[Mon Nov 11 00:49:29 2013] [error] [client 78.111.93.107] File does not exist: /home/web/sql
[Mon Nov 11 00:49:29 2013] [error] [client 78.111.93.107] File does not exist: /home/web/mysql
[Mon Nov 11 00:49:30 2013] [error] [client 78.111.93.107] File does not exist: /home/web/myadmin
[Mon Nov 11 00:49:30 2013] [error] [client 78.111.93.107] File does not exist: /home/web/phpmyadmin2
[Mon Nov 11 00:49:30 2013] [error] [client 78.111.93.107] File does not exist: /home/web/phpMyAdmin2
[Mon Nov 11 00:49:30 2013] [error] [client 78.111.93.107] File does not exist: /home/web/phpMyAdmin-2
[Mon Nov 11 00:49:30 2013] [error] [client 78.111.93.107] File does not exist: /home/web/php-my-admin
[Mon Nov 11 00:49:30 2013] [error] [client 78.111.93.107] File does not exist: /home/web/sqlmanager
[Mon Nov 11 00:49:30 2013] [error] [client 78.111.93.107] File does not exist: /home/web/mysqlmanager
[Mon Nov 11 00:49:31 2013] [error] [client 78.111.93.107] File does not exist: /home/web/p
[Mon Nov 11 00:49:31 2013] [error] [client 78.111.93.107] File does not exist: /home/web/php-myadmin
[Mon Nov 11 00:49:31 2013] [error] [client 78.111.93.107] File does not exist: /home/web/phpmy-admin
[Mon Nov 11 00:49:31 2013] [error] [client 78.111.93.107] File does not exist: /home/web/webadmin
[Mon Nov 11 00:49:31 2013] [error] [client 78.111.93.107] File does not exist: /home/web/sqlweb
[Mon Nov 11 00:49:31 2013] [error] [client 78.111.93.107] File does not exist: /home/web/websql
[Mon Nov 11 00:49:31 2013] [error] [client 78.111.93.107] File does not exist: /home/web/webdb
[Mon Nov 11 00:49:32 2013] [error] [client 78.111.93.107] File does not exist: /home/web/mysqladmin
[Mon Nov 11 00:49:32 2013] [error] [client 78.111.93.107] File does not exist: /home/web/mysql-admin
[Mon Nov 11 00:50:18 2013] [error] [client 78.111.93.107] Invalid URI in request GET <title>phpMyAdmin HTTP/1.1
[Mon Nov 11 00:50:18 2013] [error] [client 78.111.93.107] File does not exist: /home/web/phpmyadmin
[Mon Nov 11 00:50:18 2013] [error] [client 78.111.93.107] File does not exist: /home/web/phpMyAdmin
[Mon Nov 11 00:50:18 2013] [error] [client 78.111.93.107] File does not exist: /home/web/PMA
[Mon Nov 11 00:50:18 2013] [error] [client 78.111.93.107] File does not exist: /home/web/pma
[Mon Nov 11 00:50:18 2013] [error] [client 78.111.93.107] File does not exist: /home/web/dbadmin
[Mon Nov 11 00:50:18 2013] [error] [client 78.111.93.107] File does not exist: /home/web/sql
[Mon Nov 11 00:50:19 2013] [error] [client 78.111.93.107] File does not exist: /home/web/mysql
[Mon Nov 11 00:50:19 2013] [error] [client 78.111.93.107] File does not exist: /home/web/myadmin
[Mon Nov 11 00:50:19 2013] [error] [client 78.111.93.107] File does not exist: /home/web/phpmyadmin2
[Mon Nov 11 00:50:20 2013] [error] [client 78.111.93.107] File does not exist: /home/web/phpMyAdmin2
[Mon Nov 11 00:50:20 2013] [error] [client 78.111.93.107] File does not exist: /home/web/phpMyAdmin-2
[Mon Nov 11 00:50:20 2013] [error] [client 78.111.93.107] File does not exist: /home/web/php-my-admin
[Mon Nov 11 00:50:20 2013] [error] [client 78.111.93.107] File does not exist: /home/web/sqlmanager
[Mon Nov 11 00:50:20 2013] [error] [client 78.111.93.107] File does not exist: /home/web/mysqlmanager
[Mon Nov 11 00:50:20 2013] [error] [client 78.111.93.107] File does not exist: /home/web/p
[Mon Nov 11 00:50:20 2013] [error] [client 78.111.93.107] File does not exist: /home/web/php-myadmin
[Mon Nov 11 00:50:20 2013] [error] [client 78.111.93.107] File does not exist: /home/web/phpmy-admin
[Mon Nov 11 00:50:20 2013] [error] [client 78.111.93.107] File does not exist: /home/web/webadmin
[Mon Nov 11 00:50:21 2013] [error] [client 78.111.93.107] File does not exist: /home/web/sqlweb
[Mon Nov 11 00:50:21 2013] [error] [client 78.111.93.107] File does not exist: /home/web/websql
[Mon Nov 11 00:50:21 2013] [error] [client 78.111.93.107] File does not exist: /home/web/webdb
[Mon Nov 11 00:50:21 2013] [error] [client 78.111.93.107] File does not exist: /home/web/mysqladmin
[Mon Nov 11 00:50:21 2013] [error] [client 78.111.93.107] File does not exist: /home/web/mysql-admin
[Mon Nov 11 00:51:46 2013] [error] [client 78.111.93.107] Invalid URI in request GET <title>phpMyAdmin HTTP/1.1
[Mon Nov 11 00:51:46 2013] [error] [client 78.111.93.107] File does not exist: /home/web/phpmyadmin
[Mon Nov 11 00:51:46 2013] [error] [client 78.111.93.107] File does not exist: /home/web/phpMyAdmin
[Mon Nov 11 00:51:47 2013] [error] [client 78.111.93.107] File does not exist: /home/web/PMA
[Mon Nov 11 00:51:47 2013] [error] [client 78.111.93.107] File does not exist: /home/web/pma
[Mon Nov 11 00:51:47 2013] [error] [client 78.111.93.107] File does not exist: /home/web/dbadmin
[Mon Nov 11 00:51:47 2013] [error] [client 78.111.93.107] File does not exist: /home/web/sql
[Mon Nov 11 00:51:47 2013] [error] [client 78.111.93.107] File does not exist: /home/web/mysql
[Mon Nov 11 00:51:47 2013] [error] [client 78.111.93.107] File does not exist: /home/web/myadmin
[Mon Nov 11 00:51:47 2013] [error] [client 78.111.93.107] File does not exist: /home/web/phpmyadmin2
[Mon Nov 11 00:51:48 2013] [error] [client 78.111.93.107] File does not exist: /home/web/phpMyAdmin2
[Mon Nov 11 00:51:48 2013] [error] [client 78.111.93.107] File does not exist: /home/web/phpMyAdmin-2
[Mon Nov 11 00:51:48 2013] [error] [client 78.111.93.107] File does not exist: /home/web/php-my-admin
[Mon Nov 11 00:51:48 2013] [error] [client 78.111.93.107] File does not exist: /home/web/sqlmanager
[Mon Nov 11 00:51:49 2013] [error] [client 78.111.93.107] File does not exist: /home/web/mysqlmanager
[Mon Nov 11 00:51:49 2013] [error] [client 78.111.93.107] File does not exist: /home/web/p
[Mon Nov 11 00:51:49 2013] [error] [client 78.111.93.107] File does not exist: /home/web/php-myadmin
[Mon Nov 11 00:51:49 2013] [error] [client 78.111.93.107] File does not exist: /home/web/phpmy-admin
[Mon Nov 11 00:51:49 2013] [error] [client 78.111.93.107] File does not exist: /home/web/webadmin
[Mon Nov 11 00:51:49 2013] [error] [client 78.111.93.107] File does not exist: /home/web/sqlweb
[Mon Nov 11 00:51:49 2013] [error] [client 78.111.93.107] File does not exist: /home/web/websql
[Mon Nov 11 00:51:49 2013] [error] [client 78.111.93.107] File does not exist: /home/web/webdb
[Mon Nov 11 00:51:49 2013] [error] [client 78.111.93.107] File does not exist: /home/web/mysqladmin
[Mon Nov 11 00:51:50 2013] [error] [client 78.111.93.107] File does not exist: /home/web/mysql-admin
[Mon Nov 11 00:55:00 2013] [error] [client 78.111.93.107] Invalid URI in request GET <title>phpMyAdmin HTTP/1.1
[Mon Nov 11 00:55:00 2013] [error] [client 78.111.93.107] File does not exist: /home/web/phpmyadmin
[Mon Nov 11 00:55:00 2013] [error] [client 78.111.93.107] File does not exist: /home/web/phpMyAdmin
[Mon Nov 11 00:55:01 2013] [error] [client 78.111.93.107] File does not exist: /home/web/PMA
[Mon Nov 11 00:55:01 2013] [error] [client 78.111.93.107] File does not exist: /home/web/pma
[Mon Nov 11 00:55:01 2013] [error] [client 78.111.93.107] File does not exist: /home/web/dbadmin
[Mon Nov 11 00:55:01 2013] [error] [client 78.111.93.107] File does not exist: /home/web/sql
[Mon Nov 11 00:55:01 2013] [error] [client 78.111.93.107] File does not exist: /home/web/mysql
[Mon Nov 11 00:55:01 2013] [error] [client 78.111.93.107] File does not exist: /home/web/myadmin
[Mon Nov 11 00:55:01 2013] [error] [client 78.111.93.107] File does not exist: /home/web/phpmyadmin2
[Mon Nov 11 00:55:02 2013] [error] [client 78.111.93.107] File does not exist: /home/web/phpMyAdmin2
[Mon Nov 11 00:55:02 2013] [error] [client 78.111.93.107] File does not exist: /home/web/phpMyAdmin-2
[Mon Nov 11 00:55:02 2013] [error] [client 78.111.93.107] File does not exist: /home/web/php-my-admin
[Mon Nov 11 00:55:03 2013] [error] [client 78.111.93.107] File does not exist: /home/web/sqlmanager
[Mon Nov 11 00:55:03 2013] [error] [client 78.111.93.107] File does not exist: /home/web/mysqlmanager
[Mon Nov 11 00:55:03 2013] [error] [client 78.111.93.107] File does not exist: /home/web/p
[Mon Nov 11 00:55:03 2013] [error] [client 78.111.93.107] File does not exist: /home/web/php-myadmin
[Mon Nov 11 00:55:03 2013] [error] [client 78.111.93.107] File does not exist: /home/web/phpmy-admin
[Mon Nov 11 00:55:03 2013] [error] [client 78.111.93.107] File does not exist: /home/web/webadmin
[Mon Nov 11 00:55:03 2013] [error] [client 78.111.93.107] File does not exist: /home/web/sqlweb
[Mon Nov 11 00:55:03 2013] [error] [client 78.111.93.107] File does not exist: /home/web/websql
[Mon Nov 11 00:55:03 2013] [error] [client 78.111.93.107] File does not exist: /home/web/webdb
[Mon Nov 11 00:55:04 2013] [error] [client 78.111.93.107] File does not exist: /home/web/mysqladmin
[Mon Nov 11 00:55:04 2013] [error] [client 78.111.93.107] File does not exist: /home/web/mysql-admin
[Mon Nov 11 01:02:09 2013] [error] [client 78.111.93.107] Invalid URI in request GET <title>phpMyAdmin HTTP/1.1
[Mon Nov 11 01:02:10 2013] [error] [client 78.111.93.107] File does not exist: /home/web/phpmyadmin
[Mon Nov 11 01:02:10 2013] [error] [client 78.111.93.107] File does not exist: /home/web/phpMyAdmin
[Mon Nov 11 01:02:10 2013] [error] [client 78.111.93.107] File does not exist: /home/web/PMA
[Mon Nov 11 01:02:10 2013] [error] [client 78.111.93.107] File does not exist: /home/web/pma
[Mon Nov 11 01:02:10 2013] [error] [client 78.111.93.107] File does not exist: /home/web/dbadmin
[Mon Nov 11 01:02:11 2013] [error] [client 78.111.93.107] File does not exist: /home/web/sql
[Mon Nov 11 01:02:11 2013] [error] [client 78.111.93.107] File does not exist: /home/web/mysql
[Mon Nov 11 01:02:11 2013] [error] [client 78.111.93.107] File does not exist: /home/web/myadmin
[Mon Nov 11 01:02:11 2013] [error] [client 78.111.93.107] File does not exist: /home/web/phpmyadmin2
[Mon Nov 11 01:02:11 2013] [error] [client 78.111.93.107] File does not exist: /home/web/phpMyAdmin2
[Mon Nov 11 01:02:12 2013] [error] [client 78.111.93.107] File does not exist: /home/web/phpMyAdmin-2
[Mon Nov 11 01:02:12 2013] [error] [client 78.111.93.107] File does not exist: /home/web/php-my-admin
[Mon Nov 11 01:02:12 2013] [error] [client 78.111.93.107] File does not exist: /home/web/sqlmanager
[Mon Nov 11 01:02:12 2013] [error] [client 78.111.93.107] File does not exist: /home/web/mysqlmanager
[Mon Nov 11 01:02:12 2013] [error] [client 78.111.93.107] File does not exist: /home/web/p
[Mon Nov 11 01:02:12 2013] [error] [client 78.111.93.107] File does not exist: /home/web/php-myadmin
[Mon Nov 11 01:02:12 2013] [error] [client 78.111.93.107] File does not exist: /home/web/phpmy-admin
[Mon Nov 11 01:02:12 2013] [error] [client 78.111.93.107] File does not exist: /home/web/webadmin
[Mon Nov 11 01:02:13 2013] [error] [client 78.111.93.107] File does not exist: /home/web/sqlweb
[Mon Nov 11 01:02:13 2013] [error] [client 78.111.93.107] File does not exist: /home/web/websql
[Mon Nov 11 01:02:13 2013] [error] [client 78.111.93.107] File does not exist: /home/web/webdb
[Mon Nov 11 01:02:13 2013] [error] [client 78.111.93.107] File does not exist: /home/web/mysqladmin
[Mon Nov 11 01:02:13 2013] [error] [client 78.111.93.107] File does not exist: /home/web/mysql-admin
[Mon Nov 11 01:09:07 2013] [error] [client 78.111.93.107] Invalid URI in request GET <title>phpMyAdmin HTTP/1.1
[Mon Nov 11 01:09:08 2013] [error] [client 78.111.93.107] File does not exist: /home/web/phpmyadmin
[Mon Nov 11 01:09:08 2013] [error] [client 78.111.93.107] File does not exist: /home/web/phpMyAdmin
[Mon Nov 11 01:09:08 2013] [error] [client 78.111.93.107] File does not exist: /home/web/PMA
[Mon Nov 11 01:09:08 2013] [error] [client 78.111.93.107] File does not exist: /home/web/pma
[Mon Nov 11 01:09:08 2013] [error] [client 78.111.93.107] File does not exist: /home/web/dbadmin
[Mon Nov 11 01:09:08 2013] [error] [client 78.111.93.107] File does not exist: /home/web/sql
[Mon Nov 11 01:09:09 2013] [error] [client 78.111.93.107] File does not exist: /home/web/mysql
[Mon Nov 11 01:09:09 2013] [error] [client 78.111.93.107] File does not exist: /home/web/myadmin
[Mon Nov 11 01:09:09 2013] [error] [client 78.111.93.107] File does not exist: /home/web/phpmyadmin2
[Mon Nov 11 01:09:09 2013] [error] [client 78.111.93.107] File does not exist: /home/web/phpMyAdmin2
[Mon Nov 11 01:09:10 2013] [error] [client 78.111.93.107] File does not exist: /home/web/phpMyAdmin-2
[Mon Nov 11 01:09:10 2013] [error] [client 78.111.93.107] File does not exist: /home/web/php-my-admin
[Mon Nov 11 01:09:10 2013] [error] [client 78.111.93.107] File does not exist: /home/web/sqlmanager
[Mon Nov 11 01:09:10 2013] [error] [client 78.111.93.107] File does not exist: /home/web/mysqlmanager
[Mon Nov 11 01:09:10 2013] [error] [client 78.111.93.107] File does not exist: /home/web/p
[Mon Nov 11 01:09:10 2013] [error] [client 78.111.93.107] File does not exist: /home/web/php-myadmin
[Mon Nov 11 01:09:10 2013] [error] [client 78.111.93.107] File does not exist: /home/web/phpmy-admin
[Mon Nov 11 01:09:10 2013] [error] [client 78.111.93.107] File does not exist: /home/web/webadmin
[Mon Nov 11 01:09:11 2013] [error] [client 78.111.93.107] File does not exist: /home/web/sqlweb
[Mon Nov 11 01:09:11 2013] [error] [client 78.111.93.107] File does not exist: /home/web/websql
[Mon Nov 11 01:09:11 2013] [error] [client 78.111.93.107] File does not exist: /home/web/webdb
[Mon Nov 11 01:09:11 2013] [error] [client 78.111.93.107] File does not exist: /home/web/mysqladmin
[Mon Nov 11 01:09:11 2013] [error] [client 78.111.93.107] File does not exist: /home/web/mysql-admin
[Mon Nov 11 06:37:23 2013] [error] [client 192.168.101.1] File does not exist: /home/web/favicon.ico
[Mon Nov 11 17:24:34 2013] [error] [client 193.26.131.235] (13)Permission denied: exec of '/usr/lib/cgi-bin/php' failed
[Mon Nov 11 17:24:34 2013] [error] [client 193.26.131.235] Premature end of script headers: php
[Mon Nov 11 17:24:34 2013] [error] [client 193.26.131.235] (13)Permission denied: exec of '/usr/lib/cgi-bin/php5' failed
[Mon Nov 11 17:24:34 2013] [error] [client 193.26.131.235] Premature end of script headers: php5
[Mon Nov 11 17:24:34 2013] [error] [client 193.26.131.235] script not found or unable to stat: /usr/lib/cgi-bin/php-cgi
[Mon Nov 11 17:24:34 2013] [error] [client 193.26.131.235] script not found or unable to stat: /usr/lib/cgi-bin/php.cgi
[Mon Nov 11 17:24:34 2013] [error] [client 193.26.131.235] script not found or unable to stat: /usr/lib/cgi-bin/php4
[Mon Nov 11 19:34:39 2013] [error] [client 173.193.38.234] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Mon Nov 11 20:15:06 2013] [error] [client 98.240.22.137] Invalid method in request \x80w\x01\x03\x01
[Mon Nov 11 20:15:06 2013] [error] [client 98.240.22.137] File does not exist: /home/web/HNAP1, referer: http://94.209.13.13/
[Mon Nov 11 21:16:59 2013] [error] [client 173.193.38.234] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Mon Nov 11 23:03:30 2013] [error] [client 174.120.145.130] (13)Permission denied: exec of '/usr/lib/cgi-bin/php' failed
[Mon Nov 11 23:03:30 2013] [error] [client 174.120.145.130] Premature end of script headers: php
[Mon Nov 11 23:03:30 2013] [error] [client 174.120.145.130] (13)Permission denied: exec of '/usr/lib/cgi-bin/php' failed
[Mon Nov 11 23:03:30 2013] [error] [client 174.120.145.130] Premature end of script headers: php
[Mon Nov 11 23:03:31 2013] [error] [client 174.120.145.130] (13)Permission denied: exec of '/usr/lib/cgi-bin/php5' failed
[Mon Nov 11 23:03:31 2013] [error] [client 174.120.145.130] Premature end of script headers: php5
[Mon Nov 11 23:03:31 2013] [error] [client 174.120.145.130] (13)Permission denied: exec of '/usr/lib/cgi-bin/php5' failed
[Mon Nov 11 23:03:31 2013] [error] [client 174.120.145.130] Premature end of script headers: php5
[Mon Nov 11 23:03:31 2013] [error] [client 174.120.145.130] script not found or unable to stat: /usr/lib/cgi-bin/php-cgi
[Mon Nov 11 23:03:31 2013] [error] [client 174.120.145.130] script not found or unable to stat: /usr/lib/cgi-bin/php.cgi
[Mon Nov 11 23:03:31 2013] [error] [client 174.120.145.130] script not found or unable to stat: /usr/lib/cgi-bin/php4
[Mon Nov 11 23:38:14 2013] [error] [client 94.247.233.50] (13)Permission denied: exec of '/usr/lib/cgi-bin/php' failed
[Mon Nov 11 23:38:14 2013] [error] [client 94.247.233.50] Premature end of script headers: php
[Tue Nov 12 03:47:20 2013] [error] [client 151.236.14.140] script '/home/web/azenv.php' not found or unable to stat
[Tue Nov 12 06:32:15 2013] [error] [client 192.168.101.1] File does not exist: /home/web/favicon.ico
[Tue Nov 12 06:57:22 2013] [error] [client 151.236.14.140] script '/home/web/azenv.php' not found or unable to stat
[Tue Nov 12 13:01:58 2013] [error] [client 94.102.48.168] File does not exist: /home/web/headers
[Tue Nov 12 16:30:43 2013] [error] [client 151.236.14.140] script '/home/web/azenv.php' not found or unable to stat
[Tue Nov 12 20:28:43 2013] [error] [client 151.236.14.140] script '/home/web/azenv.php' not found or unable to stat
[Tue Nov 12 23:06:06 2013] [notice] caught SIGTERM, shutting down
[Wed Nov 13 00:46:13 2013] [error] [client 76.91.21.131] Invalid method in request \x80w\x01\x03\x01
[Wed Nov 13 00:46:14 2013] [error] [client 76.91.21.131] File does not exist: /home/web/HNAP1, referer: http://94.209.13.13/
[Wed Nov 13 00:54:49 2013] [error] [client 98.215.142.2] Invalid method in request \x80w\x01\x03\x01
[Wed Nov 13 00:54:49 2013] [error] [client 98.215.142.2] File does not exist: /home/web/HNAP1, referer: http://94.209.13.13/
[Wed Nov 13 01:59:03 2013] [error] [client 94.247.233.50] Premature end of script headers: php
[Wed Nov 13 03:51:35 2013] [error] [client 151.236.14.140] script '/home/web/azenv.php' not found or unable to stat
[Wed Nov 13 05:20:18 2013] [error] [client 117.79.145.99] File does not exist: /home/web/vtigercrm
[Wed Nov 13 07:35:09 2013] [error] [client 68.229.214.204] Invalid method in request \x80w\x01\x03\x01
[Wed Nov 13 07:35:09 2013] [error] [client 68.229.214.204] File does not exist: /home/web/HNAP1, referer: http://94.209.13.13/
[Wed Nov 13 09:06:30 2013] [error] [client 213.75.129.68] script '/home/web/wp-login.php' not found or unable to stat
[Wed Nov 13 09:06:30 2013] [error] [client 213.75.129.68] File does not exist: /home/web/wp
[Wed Nov 13 09:06:30 2013] [error] [client 213.75.129.68] File does not exist: /home/web/weblog

The only port open is WWW (HTTP/HTTPS, ports 80/443).

Puma
Linux is like a wigwam - no windows, no gates, apache inside!

gonk
Posts: 93
Joined: 30 May 2012, 01:53

Re: I have been attacked and don't know why.

Post by gonk » 13 Nov 2013, 14:43

Do you need to have HTTP available externally?
If so, do you need to have it available on the standard ports?
Is your B3 the gateway to the internet, or do you have another router that can do port mapping that you connect the B3 WAN port to?

Gordon
Posts: 1378
Joined: 10 Aug 2011, 03:18

Re: I have been attacked and don't know why.

Post by Gordon » 13 Nov 2013, 14:45

Hi Puma,

Most of these are unrelated to this particular issue. They're attempts to locate web-based administration kits that you may have published on your web server. Finding any is just the first step, because then they still have to find a valid user name and matching password.

The issue with /cgi-bin/php5 is a lot more serious, because it grants instant access to everything that the web server is allowed to see. And that includes sources of PHP files that contain passwords to back-end databases (possibly containing information about customers that may then be used in phishing messages).

Puma
Posts: 228
Joined: 29 Sep 2008, 06:30

Re: I have been attacked and don't know why.

Post by Puma » 13 Nov 2013, 14:50

Thanks for the answers.
I use the B3 as proxy server, NAS and mail server, so yes, I use it as gateway.
I know this is less serious, but it still makes me anxious.

Puma
Linux is like a wigwam - no windows, no gates, apache inside!

RandomUsername
Posts: 904
Joined: 09 Oct 2009, 18:49

Re: I have been attacked and don't know why.

Post by RandomUsername » 13 Nov 2013, 15:12

As long as you don't actually have phpmyadmin installed you're OK. I see daily attempts to access both phpmyadmin and vtigercrm. I've set fail2ban to immediately drop traffic from any IP address that tries to access one of them.
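An added example, not code from this thread, that does over Apache 2.2 error_log lines what Gordon's and RandomUsername's replies do by eye: it parses each line, tags it with the probe family it belongs to (the phpMyAdmin dictionary walk, the /cgi-bin/php exec attempts, HNAP1, a TLS hello on port 80, WordPress and vtiger discovery), and lists the client IPs a first-hit fail2ban rule would have dropped. The sample lines are constructed with documentation addresses, modelled on Puma's log; the family names and the ban set are this example's own choices.

```python
import re
from collections import Counter, defaultdict

# Apache 2.2 error_log format: [timestamp] [level] [client IP] message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<ip>[\d.]+)\] (?P<msg>.*)$"
)

# Probe families seen in the posted log; the first matching signature wins.
_ADMIN_KITS = (r"php-?my-?admin\S*|pma|dbadmin|sqlmanager|mysqlmanager|mysql-?admin"
               r"|myadmin|websql|sqlweb|webdb|webadmin|mysql|sql|p")
SIGNATURES = [
    # the 23-name dictionary walk for phpMyAdmin-style admin kits
    ("pma-dictionary", re.compile(r"File does not exist: \S*/(?:%s)$" % _ADMIN_KITS, re.I)),
    ("pma-dictionary", re.compile(r"Invalid URI in request GET <title>phpMyAdmin")),
    # trying to run the php binary through /cgi-bin (the one Gordon calls serious)
    ("cgi-php-exec", re.compile(r"exec of '/usr/lib/cgi-bin/php\S*' failed"
                                r"|script not found or unable to stat: /usr/lib/cgi-bin/php")),
    # consumer-router HNAP probe, and a TLS ClientHello sent to the plain-HTTP port
    ("hnap-router-scan", re.compile(r"File does not exist: \S*/HNAP1")),
    ("ssl-on-plain-http", re.compile(r"Invalid method in request \\x80")),
    # open-proxy checker, WordPress and vtiger discovery
    ("proxy-check", re.compile(r"script '\S*/azenv\.php' not found")),
    ("wordpress-scan", re.compile(r"wp-login\.php|File does not exist: \S*/(?:wp|weblog)$")),
    ("vtigercrm-scan", re.compile(r"File does not exist: \S*/vtigercrm$")),
]
# Families a first-hit fail2ban rule (RandomUsername's approach) would drop on sight.
BAN_ON_FIRST_HIT = {"pma-dictionary", "cgi-php-exec", "vtigercrm-scan"}

# Constructed sample, modelled on the posted log, using documentation addresses.
SAMPLE_LOG = """\
[Mon Nov 11 00:49:28 2013] [error] [client 203.0.113.10] Invalid URI in request GET <title>phpMyAdmin HTTP/1.1
[Mon Nov 11 00:49:28 2013] [error] [client 203.0.113.10] File does not exist: /home/web/phpmyadmin
[Mon Nov 11 00:49:29 2013] [error] [client 203.0.113.10] File does not exist: /home/web/PMA
[Mon Nov 11 06:37:23 2013] [error] [client 192.168.101.1] File does not exist: /home/web/favicon.ico
[Mon Nov 11 17:24:34 2013] [error] [client 203.0.113.20] (13)Permission denied: exec of '/usr/lib/cgi-bin/php5' failed
[Mon Nov 11 17:24:34 2013] [error] [client 203.0.113.20] Premature end of script headers: php5
[Mon Nov 11 20:15:06 2013] [error] [client 203.0.113.30] Invalid method in request \\x80w\\x01\\x03\\x01
[Mon Nov 11 20:15:06 2013] [error] [client 203.0.113.30] File does not exist: /home/web/HNAP1, referer: http://198.51.100.1/
[Tue Nov 12 23:06:06 2013] [notice] caught SIGTERM, shutting down
[Wed Nov 13 05:20:18 2013] [error] [client 203.0.113.40] File does not exist: /home/web/vtigercrm
[Wed Nov 13 09:06:30 2013] [error] [client 203.0.113.50] script '/home/web/wp-login.php' not found or unable to stat
"""

def parse_line(line):
    """Split one error_log line into fields; None for lines without a client."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(msg):
    """Name the probe family a message belongs to, or None if it is not a known probe."""
    for family, rx in SIGNATURES:
        if rx.search(msg):
            return family
    return None

def triage(lines, lan_prefixes=("192.168.", "10.", "127.")):
    """Return (hits, bans): hits[ip][family] is a count; bans is the set of IPs a
    first-hit rule on the BAN_ON_FIRST_HIT families would have dropped."""
    hits = defaultdict(Counter)
    bans = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["ip"].startswith(lan_prefixes):
            continue  # server notices, or LAN clients (favicon.ico noise)
        family = classify(rec["msg"])
        if family is None:
            continue
        hits[rec["ip"]][family] += 1
        if family in BAN_ON_FIRST_HIT:
            bans.add(rec["ip"])
    return hits, bans

def report(hits, bans):
    """One line per client, busiest first, BAN-flagged where a first-hit rule applies."""
    rows = sorted(hits.items(), key=lambda kv: -sum(kv[1].values()))
    return ["%s%-16s %s" % ("BAN " if ip in bans else "    ", ip,
            ", ".join("%s=%d" % f for f in sorted(fams.items()))) for ip, fams in rows]

if __name__ == "__main__":
    hits, bans = triage(SAMPLE_LOG.splitlines())
    print("\n".join(report(hits, bans)))
```

Lines such as "Premature end of script headers" and "request without hostname" are deliberately left unclassified: they carry no signal on their own, and the IP behind them is already flagged by the exec line that precedes it.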

Gordon
Posts: 1378
Joined: 10 Aug 2011, 03:18

Re: I have been attacked and don't know why.

Post by Gordon » 13 Nov 2013, 15:44

Puma wrote:I know this is less serious but it still makes me anxious.
Understandable, but fact is that this just happens and that in most cases there's not much use in blocking the attacker because you're likely to end with a list that contains 99% of all IP addresses.

What I did find though is that 99% (there is that number again) of these attempts will use your public IP address to access the web server, which makes it easy to keep them from finding anything. The only thing you need to do for this is configure the default (virtual) host to contain absolutely nothing that could be of interest to anyone. Which includes not having a cgi-bin path within that default host and that was sufficient for me to be unaffected by this hack even though I have been "visited" several times since mid June. That obviously means that you cannot (should not) use the default bubba host because that is configured as default host also (and you can't have two).

Puma
Posts: 228
Joined: 29 Sep 2008, 06:30

Re: I have been attacked and don't know why.

Post by Puma » 14 Nov 2013, 15:13

Hello Gordon,

Gordon wrote:The only thing you need to do for this is configure the default (virtual) host to contain absolutely nothing that could be of interest to anyone
Can you explain how to configure this in layman's language? :D

Thanks in advance.

Puma
Linux is like a wigwam - no windows, no gates, apache inside!

Ubi
Posts: 1547
Joined: 17 Jul 2007, 09:01

Re: I have been attacked and don't know why.

Post by Ubi » 14 Nov 2013, 15:42

Not really, but if you do this you should realise you can no longer access the b3 web interface via its ip address. You need a dns service or a winbind that actually works.
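What Gordon's "empty default host" looks like as an Apache 2.2 site file, as an added example (not Excito's shipped configuration and not Gordon's own file). The file name, the /var/www/empty directory and the yourname.myownb3.net hostname are assumptions; /home/web is the DocumentRoot the posted log shows. Ubi's caveat applies: once the catch-all is first, anything you want to reach by IP address, the B3's own web interface included, must live under a named host.

```apache
# Assumed file: /etc/apache2/sites-available/000-catchall
# Enable with "a2ensite 000-catchall" and disable the stock "default" site
# ("a2dissite default"), because the stock site carries the
# ScriptAlias /cgi-bin/ that must not be reachable through the default host.
# The 000- prefix sorts the file first in sites-enabled, which is what makes
# it the default host for requests that arrive by IP address or with an
# unknown Host: header. Debian's ports.conf already declares
# NameVirtualHost *:80; the same treatment applies to the *:443 site.

# Default host: owns nothing. No ScriptAlias, no Alias, no index page.
<VirtualHost *:80>
    ServerName catchall.invalid
    DocumentRoot /var/www/empty
    <Directory /var/www/empty>
        Options None
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
    # Answer 404 to every path, so scanners learn nothing, not even that
    # /cgi-bin/ or /phpmyadmin are absent as opposed to forbidden.
    RedirectMatch 404 .*
    LogLevel warn
    ErrorLog ${APACHE_LOG_DIR}/catchall-error.log
    CustomLog ${APACHE_LOG_DIR}/catchall-access.log combined
</VirtualHost>

# The real site answers only to its name (assumed hostname; use your own
# myownb3.net name). Only this host gets the content and, if you need it,
# a ScriptAlias; scans against the bare IP never see it.
<VirtualHost *:80>
    ServerName yourname.myownb3.net
    DocumentRoot /home/web
    <Directory /home/web>
        Options -Indexes
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
```

Run "apache2ctl -S" afterwards: the first entry it lists for *:80 must be catchall.invalid, otherwise the ordering is wrong and the real site is still the default.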
