[ale] Mind Game for Hackers

James P. Kinney III jkinney at localnetsolutions.com
Sat Jan 12 08:58:22 EST 2002


Welcome to the world of bone-headed windows users who have a bug on
their box and they don't know it. Yes, that's one of the IIS viruses
looking for another machine to infect. It will have no effect on your
apache server other than to fill up your log files.

You can use a script to scavenge the IPs of the offending IIS
machines out of your apache logs and add them to the hosts.deny file and
the DROP table in iptables. I have enclosed the one I wrote for this
task.

A better solution is to do payload checking on all port 80 traffic. By
blocking the noise at the firewall, it will stop the log file growth and
stop the offenders at the door no matter what IP they are using. I think
the offending packets should be processed in user space to notify the
IIS bozo that they are running an infected machine. As the M$ user is
clearly not maintaining the box properly, it might be best to send the
email notice, with date, time, payload data, to the ISP instead. I'm
working on this part and don't have a script ready yet. I'll post it to
the group when it's done.

To finally answer your question, a drop rule for the user is unfeasible
since the identifying parameters change every time they get a new IP from
their ISP. The better solution is the iptables process I outlined above.


On Sat, 2002-01-12 at 02:05, Adrin wrote:
> Since installing Linux on one of my machines I have been able to log
> attacks. And as the hosts.deny file and the iptable DROP grows.  I was
> wondering. Does something like the user mask on a user change or is the
> part static?  I would much rather have a DROP rule for that user than his
> dynamic IP.
> 
> A lot of the hits that get labeled as attacks appear to be coming from
> windows machines or someone thinking mine is a windows machine.  I am
> assuming.  Hey I am a newbie.  In the log I get something like:
> [11/Jan/2002:22:30:43 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 307
> "-" "-"
> 
> Maybe I will make a directory and a piss off message now. :) There are more.
> It looks like an IIS attack to me.
> 
> 
> Adrin
> http://haswes.home.mindspring.com
> mailto://haswes@mindspring.com
> 
> 
> ---
> This message has been sent through the ALE general discussion list.
> See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
> sent to listmaster at ale dot org.
> 
-- 
James P. Kinney III   \Changing the mobile computing world/
President and COO      \          one Linux user         /
Local Net Solutions,LLC \           at a time.          /
770-493-8244             \.___________________________./

GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
<jkinney at localnetsolutions.com>
Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7 
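James's enclosed script did not survive in the archive. The following is an added example, not his script or anything from the ALE list, of the approach he describes: pull the client IPs of root.exe / cmd.exe probes out of an Apache access log, skip the ones already present in hosts.deny, and emit the hosts.deny lines and iptables DROP commands. The log lines in SAMPLE_LOG are constructed (documentation IP ranges, request paths modelled on the line Adrin quoted), and all function names are my own. The iptables commands are printed for review rather than executed.

```shell
#!/bin/sh
# Constructed sample of Apache access-log lines (not the poster's logs).
# First field is the client IP; the requests mirror the root.exe/cmd.exe
# probes quoted in the thread. 192.0.2.x etc. are documentation ranges.
SAMPLE_LOG='192.0.2.10 - - [11/Jan/2002:22:30:43 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 307 "-" "-"
192.0.2.10 - - [11/Jan/2002:22:30:44 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 307 "-" "-"
198.51.100.7 - - [11/Jan/2002:22:31:02 -0500] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0"
203.0.113.5 - - [11/Jan/2002:22:32:17 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 312 "-" "-"
192.0.2.10 - - [11/Jan/2002:22:33:01 -0500] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 315 "-" "-"'

# worm_ips: read log lines on stdin, print each unique client IP that
# requested root.exe or cmd.exe (the IIS worm probe signature).
worm_ips() {
    grep -E '"GET [^"]*(root\.exe|cmd\.exe)' | awk '{ print $1 }' | sort -u
}

# worm_hit_counts: like worm_ips but prefix each IP with its probe count,
# so a one-off hit can be told apart from a box hammering the server.
worm_hit_counts() {
    grep -E '"GET [^"]*(root\.exe|cmd\.exe)' | awk '{ print $1 }' \
        | sort | uniq -c | awk '{ print $1, $2 }'
}

# new_deny_entries FILE: read candidate IPs on stdin and print only those
# not already listed as "ALL: ip" in FILE (an existing hosts.deny), so the
# script can run from cron without appending duplicates.
new_deny_entries() {
    {
        sed -n 's/^ALL: *\([0-9.][0-9.]*\).*/old \1/p' "$1"
        sed 's/^/new /'
    } | awk '$1 == "old" { seen[$2] = 1; next } !($2 in seen) { print $2 }'
}

# hosts_deny_lines: turn IPs on stdin into hosts.deny entries.
hosts_deny_lines() {
    awk '{ print "ALL: " $1 }'
}

# iptables_drop_cmds: turn IPs on stdin into the iptables commands that
# would drop them. Printed for review, not executed.
iptables_drop_cmds() {
    awk '{ print "iptables -A INPUT -s " $1 " -j DROP" }'
}

# Demo on the constructed sample against an empty hosts.deny:
#   sh thisscript.sh demo
if [ "${1:-}" = "demo" ]; then
    deny=$(mktemp)
    printf '%s\n' "$SAMPLE_LOG" | worm_ips | new_deny_entries "$deny" | hosts_deny_lines
    printf '%s\n' "$SAMPLE_LOG" | worm_ips | new_deny_entries "$deny" | iptables_drop_cmds
    rm -f "$deny"
fi
```

Two things worth keeping in mind when running something like this from cron: hosts.deny only governs services that consult tcp_wrappers, so for Apache it is the iptables rule that actually stops the noise; and, as James points out, the entries go stale as soon as the infected box gets a new dynamic IP, which is why he favours filtering on the request payload instead of the address.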






