Tuesday, 29 October 2013

Snort Alert - ZmEu Scanner

Yesterday I was doing my work suddenly i received some alerts on my Snort IDS with Signature. It's like below

 #48-(3-699628) [snort] ET SCAN ZmEu Scanner User-Agent Inbound 2013-10-29 13:28:00 91.121.158.56:59362 10.21.1.19:80 TCP
#49-(3-699627) [snort] ET SCAN ZmEu Scanner User-Agent Inbound 2013-10-29 13:27:59 91.121.158.56:59179 10.21.1.19:80 TCP
#50-(3-699626) [snort] ET SCAN ZmEu Scanner User-Agent Inbound 2013-10-29 13:27:59 91.121.158.56:59010 10.21.1.19:80 TCP
#51-(3-699625) [snort] ET SCAN ZmEu Scanner User-Agent Inbound 2013-10-29 13:27:58 91.121.158.56:58725 10.21.1.19:80 TCP
#53-(3-699623) [snort] ET SCAN ZmEu Scanner User-Agent Inbound 2013-10-29 13:27:58 91.121.158.56:58563 10.21.1.19:80 TCP



after i searched google regarding ZmEu and found some one try discovering phpMyAdmin security hole. I confirmed my apache access.log also. It is showing some hacker try to hack phpMyAdmin.


91.121.158.56 - - [29/Oct/2013:13:27:58 +0530] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 17119 "-" "ZmEu"
91.121.158.56 - - [29/Oct/2013:13:27:59 +0530] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 17119 "-" "ZmEu"
91.121.158.56 - - [29/Oct/2013:13:27:59 +0530] "GET /pma/scripts/setup.php HTTP/1.1" 404 17112 "-" "ZmEu"
91.121.158.56 - - [29/Oct/2013:13:28:00 +0530] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 17116 "-" "ZmEu"
91.121.158.56 - - [29/Oct/2013:13:28:00 +0530] "GET /MyAdmin/scripts/setup.php HTTP/1.1" 404 17116 "-" "ZmEu"

We can block above ZmEu scanner using iptables or fail2ban. Here i am going to use iptables string match.

Iptables rule:


[root@server~]# iptables -I INPUT -p tcp --dport 80 -m string --to 1000 --algo bm --string 'ZmEu' -j DROP

Explanation:-

     
                --dport   -----> destination port
                     --to   -----> offset to stop searching
                      1000   -----> total 1000 bytes
                 --algo   -----> Algorithm ( Two type : 1. bm (Boyer Moore) and 2.kmp (Kunth Pratt Morris )
                --string  -----> Text search pattern (case sensitive)


Save the iptables rule and restart

[root@server~]# service iptables save
[root@server~]# service iptables restart

After you will check the iptables rule. It will show like below

[root@server~]#  iptables -nvL

   0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:80 STRING match "ZmEu" ALGO name bm TO 1000


Now I blocked ZmEu using Iptables.....

Wednesday, 23 October 2013

Snort Alert - DFind w00tw00t GET-Requests

I received some alerts on my IDS with Signature. It's like below


        #632-(3-693403) [url] [snort] ET WEB_SERVER DFind w00tw00t GET-Requests 2013-10-23 08:51:34 89.46.161.210:30693 10.21.1.19:80 TCP

       #706-(3-692963) [url] [snort] ET WEB_SERVER DFind w00tw00t GET-Requests 2013-10-23 00:21:54 85.214.236.97:64368 10.21.1.19:80 TCP

#707-(3-692918) [url] [snort] ET WEB_SERVER DFind w00tw00t GET-Requests 2013-10-22 23:34:23 24.172.10.141:4456 10.21.1.19:80 TCP

#726-(3-692857) [url] [snort] ET WEB_SERVER DFind w00tw00t GET-Requests 2013-10-22 22:23:33 89.46.161.210:21368 10.21.1.19:80 TCP



After i checked all the payload. It is like below



I searched regarding this alert (w00tw00t.at.ISC.SANS.Win32 ) and getting this is one type of vulnerability scanners after i checked my apache access.log . It's like below

[root@server~]# less /var/log/httpd/access_log | grep "GET /w00tw00t.at.ISC.SANS"


89.46.161.210 - - [22/Oct/2013:22:23:33 +0530] "GET /w00tw00t.at.ISC.SANS.Win32:) HTTP/1.1" 400 226 "-" "-"
24.172.10.141 - - [22/Oct/2013:23:34:23 +0530] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 226 "-" "-"
85.214.236.97 - - [23/Oct/2013:00:21:54 +0530] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 226 "-" "-"
89.46.161.210 - - [23/Oct/2013:08:51:34 +0530] "GET /w00tw00t.at.ISC.SANS.Win32:) HTTP/1.1" 400 226 "-" "-"

The above attempt was unsuccessful because 400 (Bad request) error indicating after I checked my apache error.log also. It is like below


[root@server ~]# less /var/log/httpd/error_log | grep "89.46.161.210"


[Tue Oct 22 22:23:33 2013] [error] [client 89.46.161.210] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.Win32:)
[Wed Oct 23 08:51:34 2013] [error] [client 89.46.161.210] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.Win32:)
[Wed Oct 23 19:08:46 2013] [error] [client 89.46.161.210] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.Win32:)

[root@server~]# less /var/log/httpd/error_log | grep "24.172.10.141"

[Tue Oct 22 23:34:23 2013] [error] [client 24.172.10.141] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)


 Above request without hostname.  Any HTTP/1.1 request should have host ( like example.com).

Today also i received lot of alert regarding  vulnerability scanners. So I decided to drop this type of GET request using IPTABLES.

Iptables rule:

I used string match option.

[root@server~]# iptables -I INPUT -d xx.xx.xx.xx -p tcp --dport 80 -m string --to 70 --algo bm --string 'GET /w00tw00t.at.ISC.SANS.' -j DROP

Explanation:-

       
                       -d   ------> Destination
        xx.xx.xx.xx   -----> your server ipaddress
                --dport   -----> destination port
                     --to   -----> offset to stop searching
                      70   -----> total 70 bytes
                 --algo   -----> Algorithm ( Two type : 1. bm (Boyer Moore) and 2.kmp (Kunth Pratt Morris )
                --string  -----> Text search pattern (case sensitive)


Save the iptables rule and restart

[root@server~]# service iptables save
[root@server~]# service iptables restart

After you will check the iptables rule. It will show like below

[root@server~]#  iptables -nvL

   0     0 DROP       tcp  --  *      *       0.0.0.0/0            176.9.7.40          tcp dpt:80 STRING match "GET /w00tw00t.at.ISC.SANS." ALGO name bm TO 70


Now we blocked DFind w00tw00t GET-Requests using Iptables.....

Monday, 21 October 2013

Apache (internal dummy connection)

Today i checked my apache log file in my server and  found lot of  "internal dummy connection". That is like below

          [root@server ~]# cat /var/log/httpd/access_log


 - - [21/Oct/2013:23:21:14 +0530] "OPTIONS * HTTP/1.0" 200 - "-" "Apache (internal dummy connection)"
 - - [21/Oct/2013:23:22:21 +0530] "OPTIONS * HTTP/1.0" 200 - "-" "Apache (internal dummy connection)"
 - - [21/Oct/2013:23:22:49 +0530] "OPTIONS * HTTP/1.0" 200 - "-" "Apache (internal dummy connection)"
 - - [21/Oct/2013:23:23:51 +0530] "OPTIONS * HTTP/1.0" 200 - "-" "Apache (internal dummy connection)"
 - - [21/Oct/2013:23:24:53 +0530] "OPTIONS * HTTP/1.0" 200 - "-" "Apache (internal dummy connection)"
 - - [21/Oct/2013:23:25:10 +0530] "OPTIONS * HTTP/1.0" 200 - "-" "Apache (internal dummy connection)"
 - - [21/Oct/2013:23:32:32 +0530] "OPTIONS * HTTP/1.0" 200 - "-" "Apache (internal dummy connection)"
 - - [21/Oct/2013:23:32:34 +0530] "OPTIONS * HTTP/1.0" 200 - "-" "Apache (internal dummy connection)"
 - - [21/Oct/2013:23:34:05 +0530] "OPTIONS * HTTP/1.0" 200 - "-" "Apache (internal dummy connection)"
 - - [21/Oct/2013:23:34:06 +0530] "OPTIONS * HTTP/1.0" 200 - "-" "Apache (internal dummy connection)"
 - - [21/Oct/2013:23:34:32 +0530] "OPTIONS * HTTP/1.0" 200 - "-" "Apache (internal dummy connection)"


I want to ignore above log from access.log file . So i searched and found solution for "internal dummy connection"

Solution :


    I added below lines in "httpd.conf" file

             [root@server ~]# vim /etc/httpd/conf/httpd.conf

                          SetEnvIf Remote_Addr "127\.0\.0\.1" loopback
                          SetEnvIf Remote_Addr "::1" loopback
                          SetEnvIf User-Agent ".*internal dummy connection.*" loopback
                          CustomLog logs/access_log combined env=!loopback

              :wq

     After i restarted  the httpd service

            [root@server ~]# /etc/init.d/httpd restart

My issue resolved.....


Thursday, 17 October 2013

Snort Alert - Morfeus F Scanner

Today morning i received some alerts on Snort IDS with Signature. It is like below



#2885-(2-579886) [url] [url] [snort] ET WEB_SERVER PHP Attack Tool Morfeus F Scanner 2013-10-17 08:51:14 88.190.22.62:60300 10.21.1.19:80 TCP

#2886-(2-579887) [url] [url] [snort] ET WEB_SERVER PHP Attack Tool Morfeus F Scanner 2013-10-17 08:51:14 88.190.22.62:60747 10.21.1.19:80 TCP

#2887-(2-579888) [url] [url] [snort] ET WEB_SERVER PHP Attack Tool Morfeus F Scanner 2013-10-17 08:51:14 88.190.22.62:32975 10.21.1.19:80 TCP

#2888-(2-666456) [url] [url] [snort] ET WEB_SERVER PHP Attack Tool Morfeus F Scanner 2013-10-17 08:51:14 88.190.22.62:60191 10.21.1.19:80 TCP

#2889-(2-666457) [url] [url] [snort] ET WEB_SERVER PHP Attack Tool Morfeus F Scanner 2013-10-17 08:51:14 88.190.22.62:60300 10.21.1.19:80 TCP

#2890-(2-666458) [url] [url] [snort] ET WEB_SERVER PHP Attack Tool Morfeus F Scanner 2013-10-17 08:51:14 88.190.22.62:60747 10.21.1.19:80 TCP

#2891-(2-666459) [url] [url] [snort] ET WEB_SERVER PHP Attack Tool Morfeus F Scanner 2013-10-17 08:51:14 88.190.22.62:32975 10.21.1.19:80 TCP

#2892-(2-754607) [url] [url] [snort] ET WEB_SERVER PHP Attack Tool Morfeus F Scanner 2013-10-17 08:51:14 88.190.22.62:60191 10.21.1.19:80 TCP

#2893-(2-754608) [url] [url] [snort] ET WEB_SERVER PHP Attack Tool Morfeus F Scanner 2013-10-17 08:51:14 88.190.22.62:60300 10.21.1.19:80 TCP


After that i searched above alert in google and found out they scan websites.I checked my apache access.log  also.


[root@snort~]# grep -R "88.190.22.62" /var/log/httpd/access_log 



88.190.22.62 - - [17/Oct/2013:08:51:13 +0530] "GET /roundcubemail/README HTTP/1.1" 404 15869 "-" "Morfeus strikes again."
88.190.22.62 - - [17/Oct/2013:08:51:13 +0530] "GET /rc/README HTTP/1.1" 404 15858 "-" "Morfeus strikes again."
88.190.22.62 - - [17/Oct/2013:08:51:14 +0530] "GET /roundcube/README HTTP/1.1" 404 15865 "-" "Morfeus strikes again."
88.190.22.62 - - [17/Oct/2013:08:51:14 +0530] "GET /mail/README HTTP/1.1" 404 15860 "-" "Morfeus strikes again."
88.190.22.62 - - [17/Oct/2013:08:51:14 +0530] "GET /README HTTP/1.1" 404 15855 "-" "Morfeus strikes again."


They have not done anything because status code 404 (Not Found) . I decided to block this type of scanner before they will do something 

I bocked Morfeus F Scanner using .htaccess file

Go to website directory and open the ".htaccess " file and  add below two lines

             RewriteCond %{HTTP_USER_AGENT} ^Morfeus
             RewriteRule ^.*$ - [F]

End.....