01-May-2008

Mail statistics for April

Total messages    : 4150 = 100.0 o/o
DNS Blacklisted   : 2991 =  72.0 o/o (Files: 30)
Relay attempts    :   50 =   1.2 o/o (Files: 23)
Processed by PMAS : 1109 =  26.7 o/o (Files: 30)
        Discarded :  361 =  32.5 o/o (processed),   8.6 o/o (all)
      Quarantined :  456 =  41.1 o/o (processed),  10.9 o/o (all)
        Delivered :  292 =  26.3 o/o (processed),   7.0 o/o (all)

Eight slipped through the filter and were rejected by the SMTP server itself; only one survived and showed up. No unexpected false negatives: there were a few, but these were new subscriptions and could be expected.

As usual, logfiles have been archived.

Checking the logs
In the webserver logs, last week's log contained 235 lines (out of 5750) containing “rejected requests”: locations that are probed but do not exist, attempts to exploit product weaknesses. There were just two attempts to test whether the system could be breached or abused through PHP code. Otherwise the same w00tw00t rubble and proxy links that usually show up.

I also checked the login failures that I cannot explain. That is: I know when I ran into exhausted passwords, and most of these come from the local network and can be ignored. This is the ANALYZE/AUDIT output; I left out the lines I can explain. Most of the remaining ones I had already found in the webserver and FTP logs.

Nothing new. Usernames like “Administrator” (which won't work anyway, because it is over 12 characters long) show the expected target machine. No way, of course. And systems where “Oracle”, “Postgres” or “Mysql” are login names can hardly be taken seriously. Can they? (If so, that sysadmin needs at least an education in basic security before he is allowed to access the system again, if at all.)

16-Apr-2008

Webserver message
Yesterday's OPERATOR.LOG contains a weird message I had never seen before:

%%%%%%%%%%%  OPCOM  15-APR-2008 19:50:14.68  %%%%%%%%%%%
Message from user HTTP$SERVER on DIANA
Process HTTPd:80 reports
%HTTPD-W-NOTICED, REQUEST:3977, REQUEST_UNKNOWN_FIELDS_MAX exceeded

so I checked the server log, and it looks like an attempt to store information into the MySQL database:

%HTTPD-W-NOTICED, 15-APR-2008 19:50:14, REQUEST:3977, REQUEST_UNKNOWN_FIELDS_MAX exceeded
-NOTICED-I-SERVICE, http://www.grootersnet.nl:80
-NOTICED-I-CLIENT, 64.157.224.124
-NOTICED-I-URI, GET (1 bytes) /
-NOTICED-I-RXTX, err:0/0 raw:4676/0 net:4676/0
%HTTPD-I-HEADER, 15-APR-2008 19:50:14, 64.157.224.124, 4676 bytes
 \GET / HTTP/1.0
Host: www.grootersnet.nl
Accept: text/plain, text/html, image/jpeg, image/gif, application/octet-stream, application/x-javascript, text/javascript, text/xml
User-Agent: Mozilla/4.0 (compatible; AvantGo 6.0; FreeBSD)
Accept-Language: en-us, en;q=0.8, *;q=0.7
X-AvantGo-DeviceProcessor: 0x0016
Referer: http://ma.tt/2008/04/securityfocus-sql-injection-bogus/
X-AvantGo-Version: 6.5.216
X-AvantGo-ColorDepth: MTY=
X-AvantGo-ClientLanguage: en_US
X-AvantGo-Browser: AvantGo
X-AvantGo-ClientCharset: ISO 8859-1

This is just the start of the file, but this is the whole message.

Alas, the online log (the part that is visible at the moment) starts well after 21:00, so further investigation must wait.

I haven't seen a mail message, so I'll assume it either failed (it looks like it) or the log message itself is meant to be the warning (not nice). Or it has indeed been an attempt to gain access without permission. In that case, I'll have enough ammunition to take action 😉

UPDATE
There is nothing to be found in any of the access logs either, except one line:

$ set def ht_root:[log]
$ sea *.log 64.157.224.124

******************************
HT_ROOT:[LOG]WWW_80_20080414_ACCESS.LOG;1

64.157.224.124 - - [15/Apr/2008:19:50:14 +0100] "GET / HTTP/1.0" 200 7729

and the URL is the same as shown in the server log, at the same time as well.
I checked the referring URL; it is a WordPress developer's blog entry on the subject. Probably one of the links on that page introduced the request. It won't do any harm on the home page anyway; it's not a WordPress blog (nor PHP at all...). It might be that someone read my comment and tried, but in that case there should be a different referrer.
Anyway, perhaps it's better to upgrade them all to 2.5...

OpenVMS? Is it like Windows? or Linux?

Some seem to think so, anyway. They know only Windows, and some perhaps Linux as well. Here's the proof from the FTP logfile:

%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from 202.102.170.171 at 9-MAR-2008 03:21:20.68
%TCPIP-E-FTP_LOGFAL, remote interactive login failure Administrator
-TCPIP-I-FTP_NODE, client host name: 202.102.170.171
-LOGIN-F-NOSUCHUSER, no such user

and 9 more. Someone else is even more stubborn:

%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from 64.31.150.241 at 9-MAR-2008 12:27:24.84
%TCPIP-E-FTP_LOGFAL, remote interactive login failure Administrator
-TCPIP-I-FTP_NODE, client host name: 64.31.150.241
-LOGIN-F-NOSUCHUSER, no such user

and tries 17 more times.
To no avail, of course 😀

Stupid scripts that do not check for return status. Dumb users (well, what would you expect…)

Someone else tried both; again some stupid script kiddie who has no clue whatsoever. And again a bad script as well, since it continues to probe within 6 seconds regardless of errors (I took out the part that is the same in all lines):

%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from dslb-088-065-062-223.pools.arcor-ip.net at 11-MAR-2008 03:20:14.23
%TCPIP-I-FTP_NODE, client host name: dslb-088-065-062-223.pools.arcor-ip.net
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: /pub/
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC00042: Failed to set default directory
%SYSTEM-W-BADIRECTORY, bad directory file format

%TCPIP-I-FTP_OBJ, object: /public/incoming/
%TCPIP-I-FTP_OBJ, object: /pub/incoming/
%TCPIP-I-FTP_OBJ, object: /incoming/
%TCPIP-I-FTP_OBJ, object: /upload/
%TCPIP-I-FTP_OBJ, object: /_vti_pvt/
%TCPIP-I-FTP_OBJ, object: /_vti_txt/
%TCPIP-I-FTP_OBJ, object: /_vti_log/
%TCPIP-I-FTP_OBJ, object: /wwwroot/
%TCPIP-I-FTP_OBJ, object: /anonymous/
%TCPIP-I-FTP_OBJ, object: /public/

%TCPIP-I-FTP_OBJ, object: WEB_DISK2:[public.anonymous.080311032002p]
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC00042: Failed to create directory
%SYSTEM-F-NOPRIV, insufficient privilege or object protection violation

This was signaled in OPERATOR.LOG so it attracted my attention:

%%%%%%%%%%%  OPCOM  11-MAR-2008 03:20:15.45  %%%%%%%%%%%
Message from user TCPIP$FTP on DIANA
User Name: anonymous
Source: dslb-088-065-062-223.pools.arcor-ip.net
Status: NOPRIV -- File access violation
Object: WEB_DISK2:[public.anonymous.080311032002p]

and it went on probing:

%TCPIP-I-FTP_OBJ, object: /outgoing/
%TCPIP-I-FTP_OBJ, object: /temp/
%TCPIP-I-FTP_OBJ, object: /tmp/
%TCPIP-I-FTP_OBJ, object: /anonymous/_vti_pvt/
%TCPIP-I-FTP_OBJ, object: /anonymous/incoming/
%TCPIP-I-FTP_OBJ, object: /mailroot/
%TCPIP-I-FTP_OBJ, object: /ftproot/
%TCPIP-I-FTP_OBJ, object: /anonymous/pub/
%TCPIP-I-FTP_OBJ, object: /anonymous/public/
%TCPIP-I-FTP_OBJ, object: /_vti_cnf/
%TCPIP-I-FTP_OBJ, object: /anonymous/_vti_cnf/
%TCPIP-I-FTP_OBJ, object: /images/
%TCPIP-I-FTP_OBJ, object: /_private/
%TCPIP-I-FTP_OBJ, object: /cgi-bin/
%TCPIP-I-FTP_OBJ, object: /usr/
%TCPIP-I-FTP_OBJ, object: /usr/incoming/
%TCPIP-I-FTP_OBJ, object: /home/

%TCPIP-I-FTP_SESDCN, FTP SERVER: session disconnection from dslb-088-065-062-223.pools.arcor-ip.net at 11-MAR-2008 03:20:16.21
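Triage logic for the two patterns in the excerpts above (repeated login failures as a non-existent user, and an anonymous session that walks a list of directory names until the protection mask stops it), as an added example that is not from the original post. The log it parses is constructed in the TCP/IP Services FTP log format quoted above with made-up hosts; the thresholds in CHECKS are assumptions. Session open and close lines name the peer and carry a timestamp, and the lines between them belong to that peer, which is how the sequential log is folded into per-source counters.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed excerpt in the TCP/IP Services FTP log format quoted above; the hosts are made up.
SAMPLE_LOG = """\
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from 203.0.113.7 at 9-MAR-2008 03:21:20.68
%TCPIP-E-FTP_LOGFAL, remote interactive login failure Administrator
-LOGIN-F-NOSUCHUSER, no such user
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from 203.0.113.7 at 9-MAR-2008 03:21:23.02
%TCPIP-E-FTP_LOGFAL, remote interactive login failure Administrator
-LOGIN-F-NOSUCHUSER, no such user
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from probe.example.net at 11-MAR-2008 03:20:14.23
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: /pub/
%TCPIP-I-FTP_OBJ, object: /_vti_pvt/
%TCPIP-I-FTP_OBJ, object: WEB_DISK2:[public.anonymous.test]
%SYSTEM-F-NOPRIV, insufficient privilege or object protection violation
%TCPIP-I-FTP_SESDCN, FTP SERVER: session disconnection from probe.example.net at 11-MAR-2008 03:20:16.21
"""
SESSION_RE = re.compile(r"%TCPIP-I-FTP_(SESCON|SESDCN), FTP SERVER: session \w+ from (\S+) at (.+)$")
TS_FMT = "%d-%b-%Y %H:%M:%S.%f"
COUNTERS = {"%TCPIP-E-FTP_LOGFAL": "login_failures",  # bad user name or password
            "%TCPIP-I-FTP_OBJ": "objects",             # directory or file the client touched
            "%SYSTEM-F-NOPRIV": "noprivs"}             # write refused by the protection mask
CHECKS = (("login_failures", 5, "repeated login failures"), ("objects", 10, "directory probing"),
          ("noprivs", 1, "write attempt blocked by file protection"))  # (counter, threshold, label)

def summarize(log_text):
    stats = defaultdict(lambda: {"login_failures": 0, "objects": 0, "noprivs": 0, "seconds": 0.0})
    src, started = None, None
    for line in log_text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            kind, host, when = m.group(1), m.group(2), datetime.strptime(m.group(3), TS_FMT)
            if kind == "SESCON":
                src, started = host, when
            elif host == src:  # disconnect: accumulate this session's wall-clock time
                stats[src]["seconds"] += (when - started).total_seconds()
        elif src is not None:
            for prefix, key in COUNTERS.items():
                if line.startswith(prefix):
                    stats[src][key] += 1
    return dict(stats)

def flag(stats, checks=CHECKS):
    # Per source, the labels of every check whose counter reached its threshold.
    return {host: [why for key, limit, why in checks if s[key] >= limit]
            for host, s in stats.items() if any(s[key] >= limit for key, limit, _ in checks)}
```

The session duration lets a reader compare how quickly a client walks the directory list against what the FTP_OBJ count alone shows.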

An honest hacker

Found this in operator.log:

%%%%%%%%%%% OPCOM 29-DEC-2007 21:23:47.65 %%%%%%%%%%%
Message from user TCPIP$FTP on DIANA
User Name: anonymous
Source: goldzulu.takethishost.net
Status: NOPRIV -- File access violation
Object: WEB_DISK2:[public.anonymous.test]

The FTP log shows he made just one attempt and left:

%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from goldzulu.takethishost.net at 29-DEC-2007 21:23:46.40
%TCPIP-I-FTP_NODE, client host name: goldzulu.takethishost.net
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: WEB_DISK2:[public.anonymous.test]
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC00036: Failed to create directory
%SYSTEM-F-NOPRIV, insufficient privilege or object protection violation
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_SESDCN, FTP SERVER: session disconnection from goldzulu.takethishost.net at 29-DEC-2007 21:23:47.81

Mind the domain name: I would not expect such honesty about intentions from a malicious user!
Believe it or not, the node and domain lead to an address in the US, and dig gave this info on the host:

$ dig goldzulu.takethishost.net

; <<>> DiG 9.3.1 <<>> goldzulu.takethishost.net
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54539
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 1

;; QUESTION SECTION:
;goldzulu.takethishost.net.     IN      A

;; ANSWER SECTION:
goldzulu.takethishost.net. 900  IN      A       66.98.228.61

;; AUTHORITY SECTION:
takethishost.net.       14400   IN      NS      ns1.takethishost.net.
takethishost.net.       14400   IN      NS      ns2.takethishost.net.
takethishost.net.       14400   IN      NS      ns3.takethishost.net.

;; ADDITIONAL SECTION:
ns3.takethishost.net.   14400   IN      A       209.85.25.142

;; Query time: 796 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Dec 31 16:23:23 2007
;; MSG SIZE  rcvd: 129

and on the address:

$ dig -x 66.98.228.61

; <<>> DiG 9.3.1 <<>> -x 66.98.228.61
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8305
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;61.228.98.66.in-addr.arpa.     IN      PTR

;; ANSWER SECTION:
61.228.98.66.in-addr.arpa. 86400 IN     PTR     goldzulu.takethishost.net.

;; AUTHORITY SECTION:
228.98.66.in-addr.arpa. 259200  IN      NS      ns1.ev1servers.net.
228.98.66.in-addr.arpa. 259200  IN      NS      ns2.ev1servers.net.

;; ADDITIONAL SECTION:
ns1.ev1servers.net.     172800  IN      A       207.218.245.135
ns2.ev1servers.net.     172800  IN      A       207.218.247.135

;; Query time: 2718 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Dec 31 16:20:18 2007
;; MSG SIZE  rcvd: 161

WHOIS gave on the domain:

Whois Server Version 1.3

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

Domain Name: TAKETHISHOST.NET
Registrar: TUCOWS INC.
Whois Server: whois.tucows.com
Referral URL: http://domainhelp.opensrs.net
Name Server: NS1.TAKETHISHOST.NET
Name Server: NS2.TAKETHISHOST.NET
Status: ok
Updated Date: 03-jan-2007
Creation Date: 15-jan-2004
Expiration Date: 15-jan-2008

so it will expire within a few weeks. Probably hijacked? Or deliberately set up for the purpose some time ago? Who knows...

01-Dec-2007

Mail statistics of November
PMAS statistics and logfiles show for November:

Total messages : 3803
Blacklisted    : 2882 = 76% (Avg 96 /day)
Refused relay  :  208 =  3% (Avg 3.6 /day)
-----
Checked        :  812 = 21% (Avg 27 /day)
Filtered       :  453 = 12% (Avg 15 /day)
-----
VALID          :  360 =  9% (Avg 12 /day)

In other words: 90% is JUNK