Friday, January 25, 2008

Mystery infestation strikes Linux/Apache Web sites

http://www.linux.com/feature/125548

"According to a press release issued earlier this month by Finjan, a security research firm, compromised Web servers are infecting thousands of visitors daily with malware that turns their Windows machines into unwitting bots to do the bidding of an as yet unidentified criminal organization. Security firms ScanSafe and SecureWorks have since added their own takes on the situation, though with varying estimates on the number of sites affected. All reports thus far say the compromised servers are running Linux and Apache."

Monday, January 21, 2008

What's New?

What's new for 2008?

I've quit smoking. The last time I smoked was on the 31st of Dec 2007. I've also enrolled in my company's benefits as a non-smoker (as an incentive and as punishment, as a smoker who has claimed non-smoker status can be disciplined or fired). I've been using smoking cessation aids (ie, Nicoderm and other aids).

Other than that, nothing is new, other than I'm burned out at work. Shiftwork and looking at packets all day (along with customer firewall requests and the semi-management stuff I do) has taken its toll, so my resume is out there and I've gotten some interesting hits. Sadly, most of
it is contract work (which sucks) or requires a clearance (my clearance status is still in some black hole somewhere). Soooo...I'm applying within the company for other positions of interest. I'd like to stay in my field and have completed one assessment 'test'...it blew my mind, along with it being like 60 questions long, essay format. The things I do to get a freekin' job... :)

Anyways, I've a tidbit for you. If anyone has ever perused their web server logs and saw the below:

193.205.4.38 - - [19/Jan/2008:16:31:56 -0500] "HEAD / HTTP/1.0" 200 0
193.205.4.38 - - [19/Jan/2008:16:31:56 -0500] "HEAD / HTTP/1.0" 200 0 "-" "-"
193.205.4.38 - - [19/Jan/2008:16:31:56 -0500] "POST /_vti_bin/_vti_aut/author.dll HTTP/1.1" 500 544
193.205.4.38 - - [19/Jan/2008:16:31:56 -0500] "POST /_vti_bin/_vti_aut/author.dll HTTP/1.1" 500 544 "-" "core-project/1.0"

It looks harmless, eh? Seen this tons of times before? I know I have. Well, take a look at how my Snort setup detected it:

WEB-MISC cross site scripting attempt 1 1 2008-01-19 16:31:56 2008-01-19 16:31:56

Digging deeper:

[ GAAAHHH...the code renders like pure dung when I post! ]

Note that I've disabled the harmful HTML flags and Snort removed the garbage (noted as non-ASCII characters).

And, no, I don't allow any inputting of text on my site, and I also don't allow any scripts to be run. My site is a static site, so I'm safe enough, along with using modsecurity and Snort for blocking of HTTP traffic and detection of badness. I refuse to be a statistic, although my stubbornness limits dynamic content serving.

The script looks like it checked for a live webserver then began the attack, quick-fast. Most people will associate the Frontpage attack as an old attack. The payload of the Frontpage attacks show:

method=put+document%3a4%2e0%2e2%2e4715&service%5fname=&document=%5bdocument%5fname%3dindex.htm%3bmeta%5finfo%3d%5b%5d%5d&put%5foption=overwrite&comment=&keep%5fchecked%5fout=false


I will not pretend I know what all it does. It is attempting to inject data into my server, though. The red flag for me is the 'method=put+document'. Also, there were two of these, happening 24 hours apart (but only one cross-site scripting event). I'll not block the site, as I may actually learn something from recording its attacks (and I can't block the whole internet, either).