Manivel: October 2013

Tuesday 29 October 2013

Snort Alert - ZmEu Scanner

Yesterday I was doing my work suddenly i received some alerts on my Snort IDS with Signature. It's like below

#48-(3-699628) [snort] ET SCAN ZmEu Scanner User-Agent Inbound 2013-10-29 13:28:00 91.121.158.56:59362 10.21.1.19:80 TCP
#49-(3-699627) [snort] ET SCAN ZmEu Scanner User-Agent Inbound 2013-10-29 13:27:59 91.121.158.56:59179 10.21.1.19:80 TCP
#50-(3-699626) [snort] ET SCAN ZmEu Scanner User-Agent Inbound 2013-10-29 13:27:59 91.121.158.56:59010 10.21.1.19:80 TCP
#51-(3-699625) [snort] ET SCAN ZmEu Scanner User-Agent Inbound 2013-10-29 13:27:58 91.121.158.56:58725 10.21.1.19:80 TCP
#53-(3-699623) [snort] ET SCAN ZmEu Scanner User-Agent Inbound 2013-10-29 13:27:58 91.121.158.56:58563 10.21.1.19:80 TCP

after i searched google regarding ZmEu and found some one try discovering phpMyAdmin security hole. I confirmed my apache access.log also. It is showing some hacker try to hack phpMyAdmin.

91.121.158.56 - - [29/Oct/2013:13:27:58 +0530] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 17119 "-" "ZmEu"
91.121.158.56 - - [29/Oct/2013:13:27:59 +0530] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 17119 "-" "ZmEu"
91.121.158.56 - - [29/Oct/2013:13:27:59 +0530] "GET /pma/scripts/setup.php HTTP/1.1" 404 17112 "-" "ZmEu"
91.121.158.56 - - [29/Oct/2013:13:28:00 +0530] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 17116 "-" "ZmEu"
91.121.158.56 - - [29/Oct/2013:13:28:00 +0530] "GET /MyAdmin/scripts/setup.php HTTP/1.1" 404 17116 "-" "ZmEu"

We can block above ZmEu scanner using iptables or fail2ban. Here i am going to use iptables string match.

Iptables rule:

[root@server~]# iptables -I INPUT -p tcp --dport 80 -m string --to 1000 --algo bm --string 'ZmEu' -j DROP

Explanation:-

--dport -----> destination port
--to -----> offset to stop searching
1000 -----> total 1000 bytes
--algo -----> Algorithm ( Two type : 1. bm (Boyer Moore) and 2.kmp (Kunth Pratt Morris )
--string -----> Text search pattern (case sensitive)

Save the iptables rule and restart

[root@server~]# service iptables save

[root@server~]# service iptables restart

After you will check the iptables rule. It will show like below

[root@server~]# iptables -nvL

0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 STRING match "ZmEu" ALGO name bm TO 1000

Now I blocked ZmEu using Iptables.....

Wednesday 23 October 2013

Snort Alert - DFind w00tw00t GET-Requests

I received some alerts on my IDS with Signature. It's like below

#632-(3-693403) [url] [snort] ET WEB_SERVER DFind w00tw00t GET-Requests 2013-10-23 08:51:34 89.46.161.210:30693 10.21.1.19:80 TCP

#706-(3-692963) [url] [snort] ET WEB_SERVER DFind w00tw00t GET-Requests 2013-10-23 00:21:54 85.214.236.97:64368 10.21.1.19:80 TCP

#707-(3-692918) [url] [snort] ET WEB_SERVER DFind w00tw00t GET-Requests 2013-10-22 23:34:23 24.172.10.141:4456 10.21.1.19:80 TCP

#726-(3-692857) [url] [snort] ET WEB_SERVER DFind w00tw00t GET-Requests 2013-10-22 22:23:33 89.46.161.210:21368 10.21.1.19:80 TCP

After i checked all the payload. It is like below

I searched regarding this alert (w00tw00t.at.ISC.SANS.Win32 ) and getting this is one type of vulnerability scanners after i checked my apache access.log . It's like below

[root@server~]# less /var/log/httpd/access_log | grep "GET /w00tw00t.at.ISC.SANS"

89.46.161.210 - - [22/Oct/2013:22:23:33 +0530] "GET /w00tw00t.at.ISC.SANS.Win32:) HTTP/1.1" 400 226 "-" "-"
24.172.10.141 - - [22/Oct/2013:23:34:23 +0530] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 226 "-" "-"
85.214.236.97 - - [23/Oct/2013:00:21:54 +0530] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 226 "-" "-"
89.46.161.210 - - [23/Oct/2013:08:51:34 +0530] "GET /w00tw00t.at.ISC.SANS.Win32:) HTTP/1.1" 400 226 "-" "-"

The above attempt was unsuccessful because 400 (Bad request) error indicating after I checked my apache error.log also. It is like below

[root@server ~]# less /var/log/httpd/error_log | grep "89.46.161.210"

[Tue Oct 22 22:23:33 2013] [error] [client 89.46.161.210] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.Win32:)
[Wed Oct 23 08:51:34 2013] [error] [client 89.46.161.210] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.Win32:)
[Wed Oct 23 19:08:46 2013] [error] [client 89.46.161.210] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.Win32:)

[root@server~]# less /var/log/httpd/error_log | grep "24.172.10.141"

[Tue Oct 22 23:34:23 2013] [error] [client 24.172.10.141] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)

Above request without hostname. Any HTTP/1.1 request should have host ( like example.com).

Today also i received lot of alert regarding vulnerability scanners. So I decided to drop this type of GET request using IPTABLES.

Iptables rule:

I used string match option.

[root@server~]# iptables -I INPUT -d xx.xx.xx.xx -p tcp --dport 80 -m string --to 70 --algo bm --string 'GET /w00tw00t.at.ISC.SANS.' -j DROP

Explanation:-

-d ------> Destination
xx.xx.xx.xx -----> your server ipaddress
--dport -----> destination port
--to -----> offset to stop searching
70 -----> total 70 bytes
--algo -----> Algorithm ( Two type : 1. bm (Boyer Moore) and 2.kmp (Kunth Pratt Morris )
--string -----> Text search pattern (case sensitive)

Save the iptables rule and restart

[root@server~]# service iptables save

[root@server~]# service iptables restart

After you will check the iptables rule. It will show like below

[root@server~]# iptables -nvL

0 0 DROP tcp -- * * 0.0.0.0/0 176.9.7.40 tcp dpt:80 STRING match "GET /w00tw00t.at.ISC.SANS." ALGO name bm TO 70

Now we blocked DFind w00tw00t GET-Requests using Iptables.....

Monday 21 October 2013

Apache (internal dummy connection)

Today i checked my apache log file in my server and found lot of "internal dummy connection". That is like below

[root@server ~]# cat /var/log/httpd/access_log

- - [21/Oct/2013:23:21:14 +0530] "OPTIONS * HTTP/1.0" 200 - "-" "Apache (internal dummy connection)"
- - [21/Oct/2013:23:22:21 +0530] "OPTIONS * HTTP/1.0" 200 - "-" "Apache (internal dummy connection)"
- - [21/Oct/2013:23:22:49 +0530] "OPTIONS * HTTP/1.0" 200 - "-" "Apache (internal dummy connection)"
- - [21/Oct/2013:23:23:51 +0530] "OPTIONS * HTTP/1.0" 200 - "-" "Apache (internal dummy connection)"
- - [21/Oct/2013:23:24:53 +0530] "OPTIONS * HTTP/1.0" 200 - "-" "Apache (internal dummy connection)"
- - [21/Oct/2013:23:25:10 +0530] "OPTIONS * HTTP/1.0" 200 - "-" "Apache (internal dummy connection)"
- - [21/Oct/2013:23:32:32 +0530] "OPTIONS * HTTP/1.0" 200 - "-" "Apache (internal dummy connection)"
- - [21/Oct/2013:23:32:34 +0530] "OPTIONS * HTTP/1.0" 200 - "-" "Apache (internal dummy connection)"
- - [21/Oct/2013:23:34:05 +0530] "OPTIONS * HTTP/1.0" 200 - "-" "Apache (internal dummy connection)"
- - [21/Oct/2013:23:34:06 +0530] "OPTIONS * HTTP/1.0" 200 - "-" "Apache (internal dummy connection)"
- - [21/Oct/2013:23:34:32 +0530] "OPTIONS * HTTP/1.0" 200 - "-" "Apache (internal dummy connection)"

I want to ignore above log from access.log file . So i searched and found solution for "internal dummy connection"

Solution :

I added below lines in "httpd.conf" file

[root@server ~]# vim /etc/httpd/conf/httpd.conf

SetEnvIf Remote_Addr "127\.0\.0\.1" loopback

SetEnvIf Remote_Addr "::1" loopback

SetEnvIf User-Agent ".*internal dummy connection.*" loopback

CustomLog logs/access_log combined env=!loopback

:wq

After i restarted the httpd service

[root@server ~]# /etc/init.d/httpd restart

My issue resolved.....

Thursday 17 October 2013

Snort Alert - Morfeus F Scanner

Today morning i received some alerts on Snort IDS with Signature. It is like below

#2885-(2-579886) [url] [url] [snort] ET WEB_SERVER PHP Attack Tool Morfeus F Scanner 2013-10-17 08:51:14 88.190.22.62:60300 10.21.1.19:80 TCP

#2886-(2-579887) [url] [url] [snort] ET WEB_SERVER PHP Attack Tool Morfeus F Scanner 2013-10-17 08:51:14 88.190.22.62:60747 10.21.1.19:80 TCP

#2887-(2-579888) [url] [url] [snort] ET WEB_SERVER PHP Attack Tool Morfeus F Scanner 2013-10-17 08:51:14 88.190.22.62:32975 10.21.1.19:80 TCP

#2888-(2-666456) [url] [url] [snort] ET WEB_SERVER PHP Attack Tool Morfeus F Scanner 2013-10-17 08:51:14 88.190.22.62:60191 10.21.1.19:80 TCP

#2889-(2-666457) [url] [url] [snort] ET WEB_SERVER PHP Attack Tool Morfeus F Scanner 2013-10-17 08:51:14 88.190.22.62:60300 10.21.1.19:80 TCP

#2890-(2-666458) [url] [url] [snort] ET WEB_SERVER PHP Attack Tool Morfeus F Scanner 2013-10-17 08:51:14 88.190.22.62:60747 10.21.1.19:80 TCP

#2891-(2-666459) [url] [url] [snort] ET WEB_SERVER PHP Attack Tool Morfeus F Scanner 2013-10-17 08:51:14 88.190.22.62:32975 10.21.1.19:80 TCP

#2892-(2-754607) [url] [url] [snort] ET WEB_SERVER PHP Attack Tool Morfeus F Scanner 2013-10-17 08:51:14 88.190.22.62:60191 10.21.1.19:80 TCP

#2893-(2-754608) [url] [url] [snort] ET WEB_SERVER PHP Attack Tool Morfeus F Scanner 2013-10-17 08:51:14 88.190.22.62:60300 10.21.1.19:80 TCP

After that i searched above alert in google and found out they scan websites.I checked my apache access.log also.

[root@snort~]# grep -R "88.190.22.62" /var/log/httpd/access_log

88.190.22.62 - - [17/Oct/2013:08:51:13 +0530] "GET /roundcubemail/README HTTP/1.1" 404 15869 "-" "Morfeus strikes again."
88.190.22.62 - - [17/Oct/2013:08:51:13 +0530] "GET /rc/README HTTP/1.1" 404 15858 "-" "Morfeus strikes again."
88.190.22.62 - - [17/Oct/2013:08:51:14 +0530] "GET /roundcube/README HTTP/1.1" 404 15865 "-" "Morfeus strikes again."
88.190.22.62 - - [17/Oct/2013:08:51:14 +0530] "GET /mail/README HTTP/1.1" 404 15860 "-" "Morfeus strikes again."
88.190.22.62 - - [17/Oct/2013:08:51:14 +0530] "GET /README HTTP/1.1" 404 15855 "-" "Morfeus strikes again."

They have not done anything because status code 404 (Not Found) . I decided to block this type of scanner before they will do something

I bocked Morfeus F Scanner using .htaccess file

Go to website directory and open the ".htaccess " file and add below two lines

RewriteCond %{HTTP_USER_AGENT} ^Morfeus

RewriteRule ^.*$ - [F]

End.....