F19: Is this an httpd attack attempt?

Rick Stevens ricks at alldigital.com
Tue Mar 4 01:51:56 UTC 2014


On 03/03/2014 05:40 PM, Dan Thurman issued this missive:
> On 03/03/2014 05:11 PM, Dan Thurman wrote:
>> On 03/03/2014 03:25 PM, Rick Stevens wrote:
>>> On 03/03/2014 02:06 PM, eoconnor25 at gmail.com issued this missive:
>>>> What's the best way to avoid/prevent this from happening?...
>>>
>>> Since the IP is part of a Turkish /24 network, odds are it's a hack
>>> attempt. If you don't care about servicing Turkey, you could block that
>>> IP space in your firewall. Pertinent information:
>>>
>>> inetnum:        185.4.227.0 - 185.4.227.255
>>> netname:        SAYFANET
>>> descr:          Istanbul DC Customer
>>> country:        TR
>>> admin-c:        KSM20-RIPE
>>> tech-c:         KSM20-RIPE
>>> status:         ASSIGNED PA
>>> mnt-by:         ER101-MNT
>>> source:         RIPE # Filtered
>>>
>>> ("whois 185.4.227.194" will give you the gory details), so add that /24
>>> to your filter list. In the old days:
>>>
>>>     iptables -I INPUT [some-rulenumber] -s 185.4.227.0/24 -j DROP
>>>
>>> It's difficult to weed out traffic selectively unless you have the
>>> ability to do a deep packet inspection and look at the actual request.
>>> Generally that equipment costs a good deal of $$$$.
>>>
>>>> ----- Reply message -----
>>>> From: "Mark Haney" <mhaney at practichem.com>
>>>> To: <users at lists.fedoraproject.org>
>>>> Subject: F19: Is this an httpd attack attempt?
>>>> Date: Mon, Mar 3, 2014 11:59 am
>>>>
>>>>
>>>> On 03/03/14 11:42, Dan Thurman wrote:
>>>>  >
>>>>  > It looks to me like a successful indirect connection?
>>>>  >
>>>>  > The following is taken from /var/log/httpd/access_log
>>>>  >
>>>>  > 185.4.227.194 - - [03/Mar/2014:07:27:49 -0800] "GET http://24x7-allrequestsallowed.com/?PHPSESSID=1rmsxtj500143TRMUTP_ODZZWA HTTP/1.1" 200 5264 "-" "-"
>>>>  >
>>>>
>>>> It certainly looks that way.  I see several of those kinds of GETs a
>>>> day on our web servers.  Not from that particular domain, but similar
>>>> types of GETs.
>>>>
>>>> A quick google points to similar GET requests to that domain as far
>>>> back as 2011, and the domain itself isn't live, just a placeholder for
>>>> parked domain.
>>>>
>>>> - -- Mark Haney
>>>> Network/Systems Administrator
>>>> Practichem
>>>> W: (919) 714-8428
>>>> Fedora release 20 (Heisenbug) 3.13.4-200.fc20.x86_64
>>>>
>>
>> Alternatively, one could add the following IPs to /etc/hosts.deny:
>>
>> ALL: 85.25.196.141
>> ALL: 85.25.226.154
>> ALL: 146.185.239.100
>> ALL: 185.4.227.194
>> ALL: 192.99.2.75
>> [...]
>>
>> This works if the IPs are static but if IPs are from a pool, dynamic,
>> or spoofed, then one is out of luck chasing a tiger's tail?
>>
>> FWIW
>>
> Ugh, Apache by default does not use the tcpwrappers
> unless recompiled.  Another alternative is to append
> the following to /etc/httpd/conf/httpd.conf:
>
> # Blacklist
> <Location />
> <Limit GET POST PUT>
>    order allow,deny
>    allow from all
>    deny from 85.25.196.141
>    deny from 85.25.226.154
>    deny from 146.185.239.100
>    deny from 185.4.227.194
>    deny from 192.99.2.75
> </Limit>
> </Location>

The "deny" stuff in Apache will still show a machine at your IP
address because the attempt will generate a 401 or 403 error.

I would still recommend using the iptables/firewall thing so the
machine simply disappears from probes using their network. Looking
further at the whois data, that provider actually has a /22 network:

	% Information related to '185.4.224.0/22AS197328'
	route:          185.4.224.0/22

I'd block that whole /22 using the "-j DROP" option to iptables so your
machine doesn't even respond. Better yet, block it at your router if
you can. You really want your machine to disappear so you don't invite
further hack attempts. My firewalls all default to "-j DROP" for
unwanted access.
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer, AllDigital    ricks at alldigital.com -
- AIM/Skype: therps2        ICQ: 22643734            Yahoo: origrps2 -
-                                                                    -
-        Brain:  The organ with which we think that we think.        -
----------------------------------------------------------------------
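Added example, not part of the thread above or of any poster's own tooling: a small Python script that parses access_log lines in the combined format quoted in the thread, flags requests whose target is an absolute URI (the "GET http://host/..." shape that only makes sense against a forward proxy, i.e. an open-proxy probe), tallies them per source address, and computes the /24 or /22 block an admin could hand to the firewall as Rick suggests. The log lines below are constructed samples modelled on the one quoted, not real traffic.

```python
import ipaddress
import re
from collections import Counter

# Apache combined log format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample lines modelled on the one quoted in the thread (not real traffic).
SAMPLE_LOG = """\
185.4.227.194 - - [03/Mar/2014:07:27:49 -0800] "GET http://24x7-allrequestsallowed.com/?PHPSESSID=1rmsxtj500143TRMUTP_ODZZWA HTTP/1.1" 200 5264 "-" "-"
192.0.2.10 - - [03/Mar/2014:07:28:01 -0800] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
185.4.227.194 - - [03/Mar/2014:07:29:12 -0800] "GET http://example.net/ HTTP/1.1" 403 212 "-" "-"
"""


def parse_line(line):
    """Split one access_log line into its fields, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_proxy_probe(entry):
    # An absolute-form request-target ("GET http://host/...") belongs in a request to a
    # forward proxy; seen on an origin web server it is the signature of an open-proxy probe.
    return entry["target"].lower().startswith(("http://", "https://"))


def find_probes(log_text):
    """Return {source_ip: count} of absolute-URI requests found in the log text."""
    hits = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_proxy_probe(entry):
            hits[entry["ip"]] += 1
    return dict(hits)


def covering_block(ip, prefixlen=24):
    """Return the prefixlen-sized network containing ip (e.g. the /24 or /22 from the thread)."""
    return str(ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False))


if __name__ == "__main__":
    for src, n in find_probes(SAMPLE_LOG).items():
        print(f"{src}: {n} proxy-style request(s); covering /24 = {covering_block(src)}")
```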

