[ale] Mind Game for Hackers
James P. Kinney III
jkinney at localnetsolutions.com
Sat Jan 12 09:20:06 EST 2002
Sorry, forgot the script. Need more coffee...
On Sat, 2002-01-12 at 08:58, James P. Kinney III wrote:
> Welcome to the world of bone-headed windows users who have a bug on
> their box and they don't know it. Yes, that's one of the IIS viruses
> looking for another machine to infect. It will have no effect on your
> apache server other than to fill up your log files.
>
> You can use a script to scavenge the IP's from the offending IIS
> machines out of your apache logs and add them to the hosts.deny file and
> the DROP table in iptables. I have enclosed the one I wrote for this
> task.
>
> A better solution is to do payload checking on all port 80 traffic. By
> blocking the noise at the firewall, it will stop the log file growth and
> stop the offenders at the door no matter what IP they are using. I think
> the offending packets should be processed in user space to notify the
> IIS bozo that they are running an infected machine. As the M$ user is
> clearly not maintaining the box properly, it might be best to send the
> email notice, with date, time, payload data, to the ISP instead. I'm
> working on this part and don't have a script ready yet. I'll post it to
> the group when it's done.
>
> To finally answer your question, a drop rule for the user is unfeasible
> since the identifying parameters change every time they get a new IP from
> their ISP. The better solution is the iptables process I outlined above.
>
>
> On Sat, 2002-01-12 at 02:05, Adrin wrote:
> > Since installing Linux on one of my machines I have been able to log
> > attacks, and as the hosts.deny file and the iptables DROP list grow, I was
> > wondering: does something like the user mask on a user change, or is that
> > part static? I would much rather have a DROP rule for that user than his
> > dynamic IP.
> >
> > A lot of the hits that get labeled as attacks appear to be coming from
> > windows machines or someone thinking mine is a windows machine. I am
> > assuming. Hey I am a newbie. In the log I get something like:
> > [11/Jan/2002:22:30:43 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 307
> > "-" "-"
> >
> > Maybe I will make a directory and a piss off message now. :) There are more.
> > It looks like an IIS attack to me.
> >
> >
> > Adrin
> > http://haswes.home.mindspring.com
> > mailto://haswes@mindspring.com
--
James P. Kinney III \Changing the mobile computing world/
President and COO \ one Linux user /
Local Net Solutions,LLC \ at a time. /
770-493-8244 \.___________________________./
GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
<jkinney at localnetsolutions.com>
Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7
#!/usr/bin/perl
# This is for extracting the Micro$oft boxes that have been compromised
# and blocking their access to the webserver for several weeks
######################################
# Copyright Notice
#
# This program, web-block.pl is
# Copyright 2001
# Local Net Solutions, LLC
# 4003 Allenwood Way
# Tucker GA 30084
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
# The full text of the license can be found online at http://www.gnu.org/licenses/gpl.txt
######################################
######################################
# Instructions for use
#
# This program should be copied into a convenient location
# such as /usr/local/sbin and the owner is root and the mode is 500.
# As this script will access an iptables firewall, it must have root privileges.
# Create a file /etc/hosts.web.deny. e.g. touch /etc/hosts.web.deny as root.
# It can also be set to run on a cron job. e.g.
# */20 * * * * /usr/local/sbin/web-block.pl
# this will run every 20 minutes. It will only check the most recent error_log
#
# If it is run as <path>/web-block.pl all , it will check all the error_logs,
# even the older, saved ones, up to error_log.4. This is for allowing aged IP's
# to no longer be blocked.
# It is a good idea to add this to the webserver log rotation process. On a RedHat 7.1
# machine, edit /etc/logrotate.d/apache to look like:
# /var/log/httpd/error_log {
#     missingok
#     postrotate
#         /bin/kill -HUP `cat /var/run/httpd.pid 2>/dev/null` 2> /dev/null || true
#         /root/web-block.pl all
#     endscript
# }
# Now it is pretty automatic.
#
# To Do:
# add a web-block.pl off argument flag
# add an external file for exploit strings to search for.
# be nicer on the firewall and only block the port 80 from the machines.
# add an automailer to send complaints to the network managers the offenders are on (yeah, right!).
#
######################################
use strict;
use warnings;

# the file with the data is
my $log = "/var/log/httpd/error_log";
# old log files add a .i i=1..4
# the place to store the output IP's to block
my $dropfile = "/etc/hosts.web.deny";
# strings to search for in the log file
my @strings = ("winnt", "cmd.exe", "root.exe");
# one regex built once from the search strings (metacharacters such as "." escaped)
my $match = join("|", map { quotemeta($_) } @strings);
# dotted-quad pattern; every IP is checked against it before it reaches iptables
my $ip_re = qr/^\d{1,3}(?:\.\d{1,3}){3}$/;

# Accept args to search all log files
my $log_depth = 0;
my $all = $ARGV[0] || "";
if ($all =~ m/all/){$log_depth = 4}

my %filed       = get_filed_hosts();        # IP's already in the drop file
my %block_these = get_hosts_to_block();     # IP's found in the log file(s)
my %dropped     = iptables_firewall_check(); # IP's already dropped by the firewall

if ($log_depth == 4){
    # All saved logs were scanned, so the logs are authoritative: an IP that
    # no longer appears in any of them is aged out of the blacklist by simply
    # not being written back to the drop file.
}
else{ # Should handle a restart OK: re-block everything that was filed before
    foreach my $key (keys %filed){
        $block_these{$key} = "drop";
    }
}
write_drop_file(\%block_these);

foreach my $key (keys %dropped){
    delete $block_these{$key}; # no duplicate filter rules
}
# Do the deed
foreach my $key (keys %block_these){
    if ($key =~ $ip_re){
        system("/sbin/iptables", "-I", "INPUT", "-s", $key, "-j", "DROP") == 0
            or warn "iptables failed for $key: $?\n";
    }
}

#################################
## Subroutines
#################################
sub get_filed_hosts{
    # create a hash of the already blocked IP's from the drop file
    my %hosts;
    open (IN, "<$dropfile") || die "Failed to open $dropfile for read\n";
    my @IN = <IN>;
    close IN;
    chomp(@IN);
    foreach my $in (@IN) {
        $hosts{$in} = "filed" if $in =~ $ip_re;
    }
    return %hosts;
}

sub write_drop_file{
    my ($to_file) = @_; # hash ref of the IP's that belong in the drop file
    open (OUT, ">$dropfile") || die "failed to open $dropfile for write\n";
    foreach my $key (sort keys %$to_file){
        print OUT "$key\n" if $key =~ $ip_re;
    }
    close OUT;
}

sub get_hosts_to_block { # generate list of IP's to block from httpd log files
    my %hosts;
    for (my $j = 0; $j <= $log_depth; $j++){
        my $logfile = ($j == 0) ? $log : "$log.$j";
        next unless -r $logfile;
        # open logfile and stuff into an array for string searching
        open (IN, "<$logfile") || die "failed to open $logfile for read\n";
        my @IN = <IN>;
        close IN;
        chomp(@IN);
        foreach my $in (@IN){
            next unless $in =~ m/$match/;
            # Apache error_log lines carry the source as "[client 1.2.3.4]".
            # Take it by pattern rather than by field number: the timestamp has
            # an extra space on single-digit days, which shifts the fields.
            if ($in =~ m/\[client\s+(\d{1,3}(?:\.\d{1,3}){3})/){
                $hosts{$1} = "drop";
            }
        }
    }
    return %hosts;
} #end sub get_hosts_to_block

sub iptables_firewall_check { #get list of IP's currently blocked
    my %hosts;
    my @rules = `/sbin/iptables -L INPUT -n | grep DROP | grep -v INPUT`;
    chomp(@rules);
    foreach my $rule (@rules){
        # columns with -n are: target prot opt source destination
        my @temp = split (/\s+/, $rule);
        if (defined $temp[3] && $temp[3] =~ $ip_re){
            $hosts{$temp[3]} = "FW";
        }
    }
    return %hosts;
}
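As an added example (not code from the thread or from web-block.pl), the Python below applies the same log-scanning idea to both log formats in this thread, the combined access_log line Adrin quoted and the error_log lines web-block.pl reads, and picks up two items from the script's To Do list: ageing entries by time instead of by error_log.N number, and dropping only port 80. The sample log lines and the 28-day window are constructed for the example; the iptables commands are returned as strings for review, not run.

```python
import re
from datetime import datetime, timedelta
# Probe strings web-block.pl greps for; a hit means worm noise, not a real visitor.
PROBE_STRINGS = ("winnt", "cmd.exe", "root.exe")
IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# Apache combined access_log (Adrin's line) and Apache 1.3 error_log (what web-block.pl reads).
ACCESS_RE = re.compile(r'^(?P<ip>%s) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<txt>[^"]*)"' % IP)
ERROR_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] \[\w+\] \[client (?P<ip>%s)\] (?P<txt>.*)$' % IP)

def parse_line(line):
    """Return (ip, timestamp, text) for either log format, or None if unrecognised."""
    m = ACCESS_RE.match(line)
    if m:  # drop the "-0500" zone: only local times are compared here
        ts = datetime.strptime(m.group("ts").split()[0], "%d/%b/%Y:%H:%M:%S")
        return m.group("ip"), ts, m.group("txt")
    m = ERROR_RE.match(line)
    if m:  # strptime tolerates the double space Apache pads single-digit days with
        ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
        return m.group("ip"), ts, m.group("txt")
    return None

def find_probers(lines, now, max_age_days=28):
    """Map each IP that probed within max_age_days of `now` to its latest probe time."""
    seen = {}
    for line in lines:
        parsed = parse_line(line.rstrip("\n"))
        if parsed is None:
            continue
        ip, ts, text = parsed
        if not any(s in text.lower() for s in PROBE_STRINGS):
            continue
        if now - ts > timedelta(days=max_age_days):
            continue  # aged out by time rather than by error_log.N file number
        if ip not in seen or ts > seen[ip]:
            seen[ip] = ts
    return seen

def drop_rules(probers):
    """iptables commands limited to port 80, as the script's To Do list asks for."""
    return ["/sbin/iptables -I INPUT -s %s -p tcp --dport 80 -j DROP" % ip
            for ip in sorted(probers)]
# Constructed sample lines using documentation addresses, not real hosts.
SAMPLE_LINES = [
    '192.0.2.10 - - [11/Jan/2002:22:30:43 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 307 "-" "-"',
    '[Sat Jan 12 08:58:01 2002] [error] [client 192.0.2.10] File does not exist: /var/www/html/scripts/root.exe',
    '192.0.2.20 - - [12/Jan/2002:01:02:03 -0500] "GET /index.html HTTP/1.0" 200 1234 "-" "Mozilla/4.0"',
    '[Sat Jan  5 03:04:05 2002] [error] [client 192.0.2.30] File does not exist: /var/www/html/winnt/system32/cmd.exe',
    '198.51.100.7 - - [01/Nov/2001:10:00:00 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 300 "-" "-"',
]
NOW = datetime(2002, 1, 12, 9, 20, 6)  # the posting's timestamp
```

Running `drop_rules(find_probers(SAMPLE_LINES, NOW))` yields rules for 192.0.2.10 and 192.0.2.30 only: the index.html visitor never probed and the November entry has aged out.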