I was probed! The security worked.Tonight I checked my security logs and found some interesting items. I’m going to show you what they were in the hopes that you can recognize them should you seem them in your logs.
I also recommend http://www.psionic.com/papers/attacks/ as a good place to start if you want to check the security of your site.
Feb 2 17:34:20 ns telnetd: refused connect from ns.cvvm.com Feb 2 17:34:20 ns telnetd: refused connect from ns.cvvm.com
This is output from tcp_wrapper telling us that it refused connection to the cracker. This is good.
Feb 2 17:34:25 ns sendmail: NOQUEUE: Null connection from firstname.lastname@example.org [22.214.171.124] Feb 2 17:34:51 ns sendmail: NOQUEUE: Null connection from email@example.com [126.96.36.199]
Again, tcp_wrapper again. And I’m not sure what this message means but it might be the cracker just wanted to see the sendmail banners. Sendmail prior to 8.9.2 does not disable mail relay by default.
"GET /cgi-bin/phf HTTP/1.0" 404 164 "GET /cgi-bin/Count.cgi HTTP/1.0" 404 170 "GET /cgi-bin/test-cgi HTTP/1.0" 404 169 "GET /cgi-bin/php.cgi HTTP/1.0" 404 168 "GET /cgi-bin/handler HTTP/1.0" 404 168 "GET /cgi-bin/webgais HTTP/1.0" 404 168 "GET /cgi-bin/websendmail HTTP/1.0" 404 172 "GET /cgi-bin/webdist.cgi HTTP/1.0" 404 172 "GET /cgi-bin/faxsurvey HTTP/1.0" 404 170 "GET /cgi-bin/htmlscript HTTP/1.0" 404 171 "GET /cgi-bin/pfdisplay.cgi HTTP/1.0" 404 174 "GET /cgi-bin/perl.exe HTTP/1.0" 404 169 "GET /cgi-bin/wwwboard.pl HTTP/1.0" 404 172 "GET /cgi-bin/ews/ews/architext_query.pl HTTP/1.0" 404 187 "GET /cgi-bin/jj HTTP/1.0" 404 163
This represents probes for cgi_bin scripts which contain known exploits. In short, they were looking for holes in the software. They didn’t find any of those programs. httpd-error.log confirms this. If you don’t need a script, delete it.
Do the right thingYour site has been probed. What do you do? You find out what happened, fix it, and make sure it doesn’t happen again. But that’s not all. You should also inform the admins at the site from which the attack was launched. In the above case, it seems as if the cracker had root access to the cvvm.com name server. We admins have to stick together. It is only polite to inform them what happened. It may also be that they are unaware of the compromise. Any information can be useful.
I sent email containing the above details, including the time zone in which these times occurred, to firstname.lastname@example.org. But it bounced. It seems their domain was down. So then I did a whois to find out who to send it to. I used the addressed I found below.
[root@ns:/var/log] # whois cvvm.com Registrant: Cowichan Valley Virtual Mall (CVVM-DOM) 103 - 2700 Beverly St Duncan, BC V9L5C7 CA Domain Name: CVVM.COM Administrative Contact: Goodliffe, M (MG2727) myke@ISLAND.NET 1-250-748-0818 Technical Contact, Zone Contact: Fraser, Tony (TF1661) frasert@ISLANDNET.COM 1-250-245-2984 Billing Contact: Goodliffe, M (MG2727) myke@ISLAND.NET 1-250-748-0818 Record last updated on 11-Jun-98. Database last updated on 31-Jan-99 07:05:37 EST. Domain servers in listed order: NS.CVVM.COM 188.8.131.52 NS.BAREMETAL.COM 184.108.40.206