OXPUS.de

geht das nich so weiter "die Mama ist schon weg" und "der den hebel nicht zieht"

Der den Hebel nicht zieht dort nicht. Aber "Frederik die Mama is weg" und "Frederik, gleich kommen böse Männer, die klauen Dich"

Spielkinder

1129311446 blocked attacks <<<<< WTFFFFFFFFFFFFFFF?????????????????????????????????? ^7

Jetzt hab ich aber mal runtergesetzt LOL

Ich habe die .htaccess-Regeln verschärft. Scheint momantan der Stand im CTracker eingefroren zu sein.

^^ Das hab ich auch bereits probiert, aber irgendwie ohne erfolg.

Also das habe ich (u.a.) im Moment:

Code: Alles auswählen

# prevent access from santy webworm a-e
RewriteCond %{QUERY_STRING} ^(.*).system(.*) [OR] 
RewriteCond %{QUERY_STRING} ^(.*)alert\(document(.*) [OR]
RewriteCond %{QUERY_STRING} ^(.*)cmd(.*) [OR] 
RewriteCond %{QUERY_STRING} ^(.*)echr(.*) [OR]
RewriteCond %{QUERY_STRING} ^(.*)esystem(.*) [OR]
RewriteCond %{QUERY_STRING} ^(.*)highlight=\%2527 [OR]
RewriteCond %{QUERY_STRING} ^(.*)rush=\%65\%63\%68 [OR]
RewriteCond %{QUERY_STRING} ^(.*)rush=echo [OR]
RewriteCond %{QUERY_STRING} ^(.*)SQL_INJECTION(.*) [OR]
RewriteCond %{QUERY_STRING} ^(.*)union(.*) [OR]
RewriteCond %{QUERY_STRING} ^(.*)wget\%20
RewriteRule ^.*$ http://127.0.0.1/ [R,L]

# prevent pre php 4.3.10 bug
RewriteCond %{HTTP_COOKIE}% s:(.*):\%22test1\%22\%3b
RewriteRule ^.*$ http://127.0.0.1/ [R,L]

# prevent perl user agent (most often used by santy)
RewriteCond %{HTTP_USER_AGENT} ^lwp.* [NC]
RewriteRule ^.*$ http://127.0.0.1/ [R,L]

Ich überbiete (allerdings mit einer security.conf)

Code: Alles auswählen

<IfModule mod_security.c>
# Turn the filtering engine On or Off
SecFilterEngine On

# Make sure that URL encoding is valid
SecFilterCheckURLEncoding On

# Only allow bytes from this range
SecFilterForceByteRange 1 255

# The audit engine works independently and
# can be turned On of Off on the per-server or
# on the per-directory basis
SecAuditEngine RelevantOnly

# The name of the audit log file
SecAuditLog /var/log/apache/audit_log
SecFilterDebugLog /var/log/apache/modsec_debug_log
SecFilterDebugLevel 0

# Should mod_security inspect POST payloads
SecFilterScanPOST On

# Action to take by default
SecFilterDefaultAction "deny,log,status:406"

# Prevent OS specific keywords
SecFilter /etc/password
SecFilter /etc/shadow
SecFilter /etc/groups
SecFilter /etc/gshadow

# Prevent path traversal (..) attacks
# SecFilter "\.\./"

# Weaker XSS protection but allows common HTML tags
#SecFilter "< |\n)*script"

# Prevent XSS atacks (HTML/Javascript injection)
#SecFilter "<.|\n)+>"

# Very crude filters to prevent SQL injection attacks
#SecFilter "delete[[:space]+from"
#SecFilter "insert[[:space]+into"
#SecFilter "select.+from"

# Require HTTP_USER_AGENT and HTTP_HOST headers
##SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"
# Require HTTP_USER_AGENT and HTTP_HOST headers
##SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"

# ---------------- Converted SNORT rules start -----------------
# WEB-ATTACKS ps command attempt
SecFilterSelective THE_REQUEST "/bin/ps"

# WEB-ATTACKS /bin/ps command attempt
#SecFilterSelective THE_REQUEST "ps\x20"

# WEB-ATTACKS wget command attempt
SecFilter "wget\x20"

# WEB-ATTACKS uname -a command attempt
SecFilter "uname\x20-a"

# WEB-ATTACKS /usr/bin/id command attempt
SecFilter "/usr/bin/id"

# WEB-ATTACKS id command attempt
SecFilter "\;id"

# WEB-ATTACKS echo command attempt
SecFilter "/bin/echo"

# WEB-ATTACKS kill command attempt
SecFilter "/bin/kill"

# WEB-ATTACKS chmod command attempt
SecFilter "/bin/chmod"

# WEB-ATTACKS chgrp command attempt
SecFilter "/chgrp"

# WEB-ATTACKS chown command attempt
SecFilter "/chown"

# WEB-ATTACKS chsh command attempt
SecFilter "/usr/bin/chsh"

# WEB-ATTACKS tftp command attempt
SecFilter "tftp\x20"

# WEB-ATTACKS /usr/bin/gcc command attempt
SecFilter "/usr/bin/gcc"

# WEB-ATTACKS gcc command attempt
SecFilter "gcc\x20-o"

# WEB-ATTACKS /usr/bin/cc command attempt
SecFilter "/usr/bin/cc"

# WEB-ATTACKS cc command attempt
SecFilter "cc\x20"

# WEB-ATTACKS /usr/bin/cpp command attempt
SecFilter "/usr/bin/cpp"
SecFilter "/usr/bin/cpp"

# WEB-ATTACKS cpp command attempt
SecFilter "cpp\x20"

# WEB-ATTACKS /usr/bin/g++ command attempt
SecFilter "/usr/bin/g\+\+"

# WEB-ATTACKS g++ command attempt
SecFilter "g\+\+\x20"

# WEB-ATTACKS bin/python access attempt
SecFilter "bin/python"

# WEB-ATTACKS python access attempt
SecFilter "python\x20"

# WEB-ATTACKS bin/tclsh execution attempt
SecFilter "bin/tclsh"

# WEB-ATTACKS tclsh execution attempt
SecFilter "tclsh8\x20"

# WEB-ATTACKS bin/nasm command attempt
SecFilter "bin/nasm"

# WEB-ATTACKS nasm command attempt
SecFilter "nasm\x20"

# WEB-ATTACKS /usr/bin/perl execution attempt
SecFilter "/usr/bin/perl"

# WEB-ATTACKS perl execution attempt
SecFilter "perl\x20"

# WEB-ATTACKS traceroute command attempt
# SecFilter "traceroute\x20"

# WEB-ATTACKS ping command attempt
SecFilter "/bin/ping"

# WEB-ATTACKS netcat command attempt
#SecFilter "nc\x20"

# WEB-ATTACKS nmap command attempt
SecFilter "nmap\x20"

# WEB-ATTACKS xterm command attempt
SecFilter "/usr/X11R6/bin/xterm"

# WEB-ATTACKS X application to remote host attempt
SecFilter "\x20-display\x20"

# WEB-ATTACKS lsof command attempt
SecFilter "lsof\x20"

# WEB-ATTACKS rm command attempt
#SecFilter "rm\x20"
#SecFilter "rm\x20"

# WEB-ATTACKS mail command attempt
SecFilter "/bin/mail"

# WEB-ATTACKS mail command attempt
#SecFilter "mail\x20"

# WEB-ATTACKS /bin/ls| command attempt
#SecFilterSelective THE_REQUEST "/bin/ls\|"

# WEB-ATTACKS /bin/ls command attempt
SecFilterSelective THE_REQUEST "/bin/ls"

# WEB-ATTACKS /etc/inetd.conf access
SecFilter "/etc/inetd.conf"

# WEB-ATTACKS /etc/motd access
SecFilter "/etc/motd"

# WEB-ATTACKS /etc/shadow access
SecFilter "/etc/shadow"

# WEB-ATTACKS conf/httpd.conf attempt
SecFilter "conf/httpd.conf"

# WEB-CGI websitepro path access
#SecFilter " /HTTP/1."

# WEB-ATTACKS .htgroup access
SecFilterSelective THE_REQUEST ".htgroup"

# WEB-PHP wbboard
SecFilterSelective THE_REQUEST "/wbboard/_data.inc.php"

# WEB-PHP php include
# SecFilterSelective THE_REQUEST ".inc.php"

# WEB-CGI /cgi-bin/ access
SecFilterSelective THE_REQUEST "/cgi-bin/" chain
SecFilter "/cgi-bin/ HTTP"

# WEB-CGI /cgi-dos/ access
SecFilterSelective THE_REQUEST "/cgi-dos/" chain
SecFilter "/cgi-dos/ HTTP"

# WEB-CLIENT Outlook EML access
SecFilterSelective THE_REQUEST ".eml"

# WEB-CLIENT XMLHttpRequest attempt
SecFilter "file\://"

# WEB-CLIENT readme.eml download attempt
SecFilterSelective THE_REQUEST "/readme.eml"

# WEB-CLIENT readme.eml autoload attempt
SecFilter "window.open\(\"readme.eml\""
# WEB-CLIENT readme.eml autoload attempt
SecFilter "window.open\(\"readme.eml\""

# WEB-CLIENT Javascript document.domain attempt
SecFilter "document.domain\("

# WEB-CLIENT Javascript URL host spoofing attempt
SecFilter "javascript\://"

# WEB-MISC cross site scripting attempt
SecFilter "<SCRIPT>"

# WEB-MISC cross site scripting \(img src=javascript\) attempt
SecFilter "img src=javascript"

# WEB-MISC weblogic view source attempt
SecFilterSelective THE_REQUEST ".js\x70"

# WEB-MISC Tomcat directory traversal attempt
#SecFilterSelective THE_REQUEST "\x00.jsp"

# WEB-MISC Tomcat view source attempt
SecFilterSelective THE_REQUEST "\x252ejsp"

# WEB-MISC ftp attempt
SecFilter "ftp.exe"

# WEB-MISC xp_enumdsn attempt
SecFilter "xp_enumdsn"

# WEB-MISC xp_filelist attempt
SecFilter "xp_filelist"

# WEB-MISC xp_availablemedia attempt
SecFilter "xp_availablemedia"

# WEB-MISC xp_cmdshell attempt
SecFilter "xp_cmdshell"

# WEB-MISC nc.exe attempt
SecFilter "nc.exe"

# WEB-MISC xp_regread attempt
SecFilter "xp_regread"

# WEB-MISC xp_regwrite attempt
SecFilter "xp_regwrite"

# WEB-MISC xp_regdeletekey attempt
SecFilter "xp_regdeletekey"

# WEB-MISC .htpasswd access
SecFilter ".htpasswd"

# WEB-MISC amazon 1-click cookie theft
SecFilter "ref\x3Cscript\x20language\x3D\x22Javascript"

# WEB-MISC Allaire JRUN DOS attempt

# WEB-MISC Allaire JRUN DOS attempt
SecFilterSelective THE_REQUEST "servlet/......."

# WEB-MISC ICQ Webfront HTTP DOS
SecFilterSelective THE_REQUEST "\?\?\?\?\?\?\?\?\?\?"

# WEB-MISC http directory traversal
#SecFilter "..\\"

# WEB-MISC ICQ webserver DOS
# SecFilterSelective THE_REQUEST ".html/......"

# WEB-MISC ls%20-l
SecFilter "ls\x20-l"

# WEB-MISC /etc/passwd
SecFilter "/etc/passwd"

# WEB-MISC .htaccess access
SecFilter ".htaccess"

# WEB-MISC .wwwacl access
SecFilterSelective THE_REQUEST ".wwwacl"

# WEB-MISC .wwwacl access
SecFilterSelective THE_REQUEST ".www_acl"

# WEB-MISC cd..
SecFilter "cd\.\."

# WEB-MISC handler attempt
#SecFilterSelective THE_REQUEST "\|"

# WEB-MISC /.... access
#SecFilter "/...."

# WEB-MISC ///cgi-bin access
SecFilterSelective THE_REQUEST "///cgi-bin"

# WEB-MISC /cgi-bin/// access
SecFilterSelective THE_REQUEST "/cgi-bin///"
# WEB-MISC /~root access
SecFilterSelective THE_REQUEST "/~root"

# WEB-MISC /~ftp access
SecFilterSelective THE_REQUEST "/~ftp"

# WEB-MISC cat%20 access
#SecFilter "cat\x20"

# WEB-MISC Annex Terminal DOS attempt
SecFilterSelective THE_REQUEST "/ping?query="

# WEB-MISC oracle web arbitrary command execution attempt
#SecFilterSelective THE_REQUEST "\?&"
#SecFilterSelective THE_REQUEST "\?&"

# WEB-MISC Tomcat sourecode view
SecFilterSelective THE_REQUEST ".js\x2570"

# WEB-MISC Tomcat sourecode view
SecFilterSelective THE_REQUEST ".j\x2573p"

# WEB-MISC Tomcat sourecode view
SecFilterSelective THE_REQUEST ".\x256Asp"

# WEB-MISC whisker HEAD/./
#SecFilter "HEAD/./"

# WEB-MISC long basic authorization string
SecFilter "Authorization\: Basic "

# WEB-MISC http directory traversal
#SecFilter "../"

# WEB-MISC sadmind worm access
SecFilter "GET x HTTP/1.0"

# WEB-MISC jrun directory browse attempt
SecFilterSelective THE_REQUEST "/\x3f.jsp"

# WEB-MISC mod-plsql administration access
# SecFilterSelective THE_REQUEST "/admin_/"

# WEB-MISC Phorecast remote code execution attempt
SecFilter "includedir="

# WEB-MISC .history access
SecFilterSelective THE_REQUEST "/.history"

# WEB-MISC .bash_history access
SecFilterSelective THE_REQUEST "/.bash_history"

# WEB-MISC /~nobody access
SecFilterSelective THE_REQUEST "/~nobody"

# WEB-MISC *%0a.pl access
SecFilterSelective THE_REQUEST "/*\x0a.pl"

# WEB-MISC apache ?M=D directory list attempt
SecFilterSelective THE_REQUEST "/?M=D" log,pass

# WEB-MISC server-info access
SecFilterSelective THE_REQUEST "/server-info"

# WEB-MISC server-status access
SecFilterSelective THE_REQUEST "/server-status"

# WEB-MISC /home/ftp access
SecFilterSelective THE_REQUEST "/home/ftp"

# WEB-MISC /home/www access
# SecFilterSelective THE_REQUEST "/home/www"^
# WEB-MISC /home/www access
# SecFilterSelective THE_REQUEST "/home/www"

# WEB-MISC SecureSite authentication bypass attempt
SecFilter "secure_site, ok"

# WEB-MISC Delegate whois overflow attempt
SecFilter "whois\://" log,pass

# WEB-MISC Apache Chunked-Encoding worm attempt
SecFilter "CCCCCCC\: AAAAAAAAAAAAAAAAAAA"

# WEB-MISC Transfer-Encoding\: chunked
SecFilter "chunked"

# WEB-MISC Tomcat servlet mapping cross site scripting attempt
SecFilterSelective THE_REQUEST "/org.apache."

# WEB-MISC Tomcat TroubleShooter servlet access
SecFilterSelective THE_REQUEST "/examples/servlet/TroubleShooter" log,pass

# WEB-MISC Tomcat SnoopServlet servlet access
SecFilterSelective THE_REQUEST "/examples/servlet/SnoopServlet" log,pass

# WEB-MISC jigsaw dos attempt
SecFilterSelective THE_REQUEST "/servlet/con"

# WEB-MISC Macromedia SiteSpring cross site scripting attempt
SecFilterSelective THE_REQUEST "<script"

# WEB-MISC mailman cross site scripting attempt
SecFilterSelective THE_REQUEST "<script"

# WEB-MISC robot.txt access
SecFilterSelective THE_REQUEST "/robot.txt" pass

# WEB-MISC perl post attempt
SecFilterSelective THE_REQUEST "/perl/" chain
SecFilter "POST"

# WEB-MISC TRACE attempt
# SecFilter "TRACE"

# WEB-MISC mod_gzip_status access
SecFilterSelective THE_REQUEST "/mod_gzip_status"

# WEB-PHP strings overflow
SecFilterSelective THE_REQUEST "\?STRENGUR"

# WEB-PHP PHPLIB remote command attempt
SecFilter "_PHPLIB[libdir]"

# WEB-PHP PHPLIB remote command attempt
SecFilterSelective THE_REQUEST "/db_mysql.inc"

# WEB-PHP shoutbox.php directory traversal attempt
#SecFilterSelective THE_REQUEST "/shoutbox.php" chain
#SecFilterSelective THE_REQUEST "/shoutbox.php" chain
#SecFilter "../"
</IfModule>

das ist echter schutz (sogar vor traffic & usern

)

Code: Alles auswählen

<Limit GET POST PUT>
Order Allow,Deny
Deny from All
</Limit>

@ oxpus
Sieht bei mir genauso aus.

Da der aktuelle wurm all seine Angriffe mittels highlight versucht und durch dem ctracker dieser befehl ja eigentlich nicht mehr gebraucht wird, hatte ich Testweise noch

Code: Alles auswählen

RewriteCond %{QUERY_STRING} ^(.*)highlight(.*) [OR]

drin. Aber das hat komischerweise überhaupt keine wirkung gezeigt.

@ cback
Kannst du das mal näher erläutern?
Das geht doch sicher nur mit root zugriff oder?

@ Titus

// EDIT
Der Wurm wird anscheinend langsam müde. Er versucht es nur noch alle 10 Minuten einmal.

@ cback
Kannst du das mal näher erläutern?
Das geht doch sicher nur mit root zugriff oder?

Japp muss man in den Apachen reinsetzen.

@AmigaLink
hatte das genauso probiert ohne erfolg, aber jetzt hatte ich grad mal wieder nen lichten moment

Code: Alles auswählen

RewriteCond %{QUERY_STRING} ^(.*)highlight=(.*) [OR]

geht

würde hier aber evtl

Code: Alles auswählen

RewriteCond %{QUERY_STRING} /(.*)highlight=([0-9]*) 
RewriteRule (.*) /%1highlight=%2 [L]

empfehlen da man sonst seine mühsam erarbeiteten google-einträge vergessen kann

Könnte mir bitte einer mal sagen, was das ist?

Code: Alles auswählen

23.08.2005, 19:00	82.179.200.2	Mozilla/4.0 	t=171&highlight=\'.system(getenv(http_php)).\'
23.08.2005, 03:52	85.214.16.170	Mozilla/4.0 	t=171&highlight=\'.system(getenv(http_php)).\'

[quote="Twins";p="42242"]
Könnte mir bitte einer mal sagen, was das ist?
[/quote]
schlecht

und im logfile = egal ^b

[quote="Twins - Di 23.Aug, 2005 19:51";p="42242"]Könnte mir bitte einer mal sagen, was das ist?

Code: Alles auswählen

23.08.2005, 19:00	82.179.200.2	Mozilla/4.0 	t=171&highlight=\'.system(getenv(http_php)).\'
23.08.2005, 03:52	85.214.16.170	Mozilla/4.0 	t=171&highlight=\'.system(getenv(http_php)).\'

[/quote]
Ein Angriffsversuch. Solange das im Cracker Tracker steht, ist alles okay...

Dann ist ja gut, danke.Ich werde aber mal in regelmäßigen Abständen neue Einträge von den Logs hier posten, vielleicht findet sich ja was neues...

Öh, nochmal:
Das, was im Log des Cracker Tracker steht, wurde bereits geblockt

Nur, wenn Du etwas verdächtiges im Log des Webservers findest, was nicht im Log des Cracker Tracker steht, wäre es zu posten!

Wo ist der Log des Webservers denn? Vielleicht sehe ich da ja mal rein.

Das frag Deinen Provider. Der muss das wissen.

Eben fand ich das in meinen Log:

Code: Alles auswählen

14.09.2005, 23:42	[LOGIN PROTECTED] - Mozilla/5.0 (Windows; U; Windows NT 5.1; tr-TR; rv:1.7.8) Gecko/20050511 Firefox/1.0.4	84.153.82.132

Zwar wurde das geblockt und alles ist O.K, ich wüsste aber dennoch gerne, was das genau ist.

Ein Versuch, ein Login mit falschen Daten zu erreichen...

Und was bedeutet das "Gecko"? Und wie genau finden solche Angriffe eigentlich statt?

[quote="Twins - 9.September 2005, 11:52";p="43847"]Und was bedeutet das "Gecko"? Und wie genau finden solche Angriffe eigentlich statt?[/quote]

Gecko ist die Engine von gewissen Browsern von Mozilla und Netscape. Gehört also zur Browserbezeichnung. Die Angriffe können auf 2 Arten erfolgen:

- Entweder wird versucht ein Login ohne Passwort Hash zu erzwingen
- Oder ein Cookie wird durch einen BruteForcer gefälscht

OXPUS.de

Logfile des CrackerTracker