Re: F19: Is this an httpd attack attempt?

On 03/03/2014 05:40 PM, Dan Thurman issued this missive:
On 03/03/2014 05:11 PM, Dan Thurman wrote:
On 03/03/2014 03:25 PM, Rick Stevens wrote:
On 03/03/2014 02:06 PM, eoconnor25@xxxxxxxxx issued this missive:
What's the best way to avoid/prevent this from happening?...

Since the IP is part of a Turkish /24 network, odds are it's a hack
attempt. If you don't care about servicing Turkey, you could block that
IP space in your firewall. Pertinent information:

inetnum:        185.4.227.0 - 185.4.227.255
netname:        SAYFANET
descr:          Istanbul DC Customer
country:        TR
admin-c:        KSM20-RIPE
tech-c:         KSM20-RIPE
status:         ASSIGNED PA
mnt-by:         ER101-MNT
source:         RIPE # Filtered

("whois 185.4.227.194" will give you the gory details), so add that /24
to your filter list. In the old days:

    iptables -I INPUT [some-rulenumber] -s 185.4.227.0/24 -j DROP

It's difficult to weed out traffic selectively unless you have the
ability to do a deep packet inspection and look at the actual request.
Generally that equipment costs a good deal of $$$$.

----- Reply message -----
From: "Mark Haney" <mhaney@xxxxxxxxxxxxxx>
To: <users@xxxxxxxxxxxxxxxxxxxxxxx>
Subject: F19: Is this an httpd attack attempt?
Date: Mon, Mar 3, 2014 11:59 am


On 03/03/14 11:42, Dan Thurman wrote:
>
> It looks to me like a successful indirect connection?
>
> The following is taken from /var/log/httpd/access_log
>
> 185.4.227.194 - - [03/Mar/2014:07:27:49 -0800] "GET http://24x7-allrequestsallowed.com/?PHPSESSID=1rmsxtj500143TRMUTP_ODZZWA HTTP/1.1" 200 5264 "-" "-"
>

It certainly looks that way.  I see several of those kinds of GETs a
day on our web servers.  Not from that particular domain, but similar
types of GETs.

A quick Google search points to similar GET requests to that domain as far
back as 2011, and the domain itself isn't live, just a placeholder for a
parked domain.

--
Mark Haney
Network/Systems Administrator
Practichem
W: (919) 714-8428
Fedora release 20 (Heisenbug) 3.13.4-200.fc20.x86_64

--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org



Alternatively, one could add the following IPs to /etc/hosts.deny:

ALL: 85.25.196.141
ALL: 85.25.226.154
ALL: 146.185.239.100
ALL: 185.4.227.194
ALL: 192.99.2.75
[...]

This works if the IPs are static but if IPs are from a pool, dynamic,
or spoofed, then one is out of luck chasing a tiger's tail?

FWIW

Ugh, Apache by default does not use the tcpwrappers
unless recompiled.  Another alternative is to append
the following to /etc/httpd/conf/httpd.conf:

# Blacklist
<Location />
    <Limit GET POST PUT>
        order allow,deny
        allow from all
        deny from 85.25.196.141
        deny from 85.25.226.154
        deny from 146.185.239.100
        deny from 185.4.227.194
        deny from 192.99.2.75
    </Limit>
</Location>

The "deny" stuff in Apache will still show a machine at your IP
address because the attempt will generate a 401 or 403 error.

I would still recommend using the iptables/firewall thing so the
machine simply disappears from probes using their network. Looking
further at the whois data, that provider actually has a /22 network:

	% Information related to '185.4.224.0/22AS197328'
	route:          185.4.224.0/22

I'd block that whole /22 using the "-j DROP" option to iptables so your
machine doesn't even respond. Better yet, block it at your router if
you can. You really want your machine to disappear so you don't invite
further hack attempts. My firewalls all default to "-j DROP" for
unwanted access.
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer, AllDigital    ricks@xxxxxxxxxxxxxx -
- AIM/Skype: therps2        ICQ: 22643734            Yahoo: origrps2 -
-                                                                    -
-        Brain:  The organ with which we think that we think.        -
----------------------------------------------------------------------
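The thread covers three things a practitioner would want to automate: spotting the kind of request quoted from access_log (a GET whose target is a full http:// URL, i.e. a client asking the server to act as a forward proxy), collapsing the offending sources into the /24 or larger blocks Rick suggests, and emitting either iptables DROP rules or an Apache access-control block. The script below is an added example written for this page; it is not code from the thread, from Mark Haney, Dan Thurman or Rick Stevens, nor from the Fedora project. Its sample log lines are constructed (only the first mirrors the quoted entry; the 192.0.2.x, 198.51.100.x and 203.0.113.x addresses are RFC 5737 documentation ranges), and its Apache output uses the 2.4 `Require` syntax rather than the 2.2 `order/allow/deny` form posted above, which is an assumption about the reader's httpd version.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in Apache combined log format. Only the first line mirrors
# the thread's quoted entry; the others use RFC 5737 documentation addresses.
SAMPLE_LOG = """\
185.4.227.194 - - [03/Mar/2014:07:27:49 -0800] "GET http://24x7-allrequestsallowed.com/?PHPSESSID=1rmsxtj500143TRMUTP_ODZZWA HTTP/1.1" 200 5264 "-" "-"
192.0.2.10 - - [03/Mar/2014:07:28:01 -0800] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
185.4.227.77 - - [03/Mar/2014:07:29:13 -0800] "GET http://example.net/ HTTP/1.1" 200 5264 "-" "-"
198.51.100.5 - - [03/Mar/2014:07:30:44 -0800] "CONNECT mail.example.org:443 HTTP/1.1" 405 0 "-" "-"
203.0.113.9 - - [03/Mar/2014:07:31:02 -0800] "GET /favicon.ico HTTP/1.1" 404 209 "-" "curl/7.29"
garbage line that does not parse
"""

# Common/combined log format: ip ident user [time] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return a dict for one access_log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = m.group("request").split(" ")
    # A well-formed request line is "<method> <target> <version>"; tolerate
    # malformed ones (fewer fields) instead of raising on a hostile log line.
    return {
        "ip": m.group("ip"),
        "method": parts[0] if parts else "",
        "target": parts[1] if len(parts) > 1 else "",
        "status": int(m.group("status")),
    }


def is_proxy_probe(method, target):
    """True when the request is one only a forward proxy should honour.

    An origin server sees origin-form targets ("/index.html"). An absolute
    target ("http://host/...") or a CONNECT asks the server to relay traffic
    elsewhere, which is what an open-proxy scan looks like. With ProxyRequests
    off, Apache simply serves its own content for such a request, so a 200
    here shows the probe arrived, not that anything was relayed."""
    if method.upper() == "CONNECT":
        return True
    return target.lower().startswith(("http://", "https://"))


def proxy_probe_sources(log_text):
    """Count proxy-probe requests per source IP over the given log text."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_proxy_probe(rec["method"], rec["target"]):
            counts[rec["ip"]] += 1
    return dict(counts)


def aggregate_networks(ips, prefixlen=24):
    """Collapse IPv4 sources into /<prefixlen> networks (sorted, as strings),
    the granularity Rick suggests for the firewall rule."""
    nets = set()
    for ip in ips:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # not an address literal; skip rather than crash
        if addr.version == 4:
            nets.add(ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False))
    return [str(n) for n in sorted(nets)]


def iptables_rules(networks):
    """One DROP rule per network: the host stops answering those sources."""
    return [f"iptables -I INPUT -s {net} -j DROP" for net in networks]


def apache_require_block(networks):
    """Apache 2.4 equivalent of the posted deny list. Without a <Limit>, it
    covers every method (HEAD, OPTIONS, CONNECT too). The client still gets
    a 403, so the host stays visible; only the packet filter hides it."""
    lines = ['<Location "/">', "    <RequireAll>", "        Require all granted"]
    lines += [f"        Require not ip {net}" for net in networks]
    lines += ["    </RequireAll>", "</Location>"]
    return "\n".join(lines)


if __name__ == "__main__":
    sources = proxy_probe_sources(SAMPLE_LOG)
    nets = aggregate_networks(sources)
    print("probe sources:", sources)
    print("\n".join(iptables_rules(nets)))
    print(apache_require_block(nets))
```

Run it against a real log with `proxy_probe_sources(open("/var/log/httpd/access_log").read())`; review the aggregated networks before installing the rules, since a /24 cut at that granularity will also drop any legitimate client that happens to share the block.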