Bucket Guild | FUBU BH Forums

 Post subject: @apache nerds
PostPosted: Tue Nov 30, 2010 4:39 pm  

Obtuse Oaf
Joined: Tue Jan 15, 2008 8:44 am
Posts: 826
Location: Reston, VA

Code:
[Fri Nov 26 07:46:19 2010] [notice] caught SIGTERM, shutting down


jealous?


additionally, any off-hand suggestions as to how to prevent things like this from happening in the future?



edit: apparently they were proxying from at least ukraine and china judging by the IPs in the access/error logs


█▀█ █ █░█ █░█ █ █░ █▀█ █░█ █▀▀
█▀▄ █ █▀▄ █▀▄ █ █░ █▀█ █▀▄ █▀▀
▀░▀ ▀ ▀░▀ ▀░▀ ▀ ▀▀ ▀░▀ ▀░▀ ▀▀▀
sunshine.kittens.bubblegum.happythoughts
 Post subject: Re: @apache nerds
PostPosted: Wed Dec 01, 2010 12:01 am  

Querulous Quidnunc
Joined: Fri May 14, 2010 6:59 pm
Posts: 2569
Location: In your dreams.

rikkilake wrote:
Code:
[Fri Nov 26 07:46:19 2010] [notice] caught SIGTERM, shutting down


jealous?


additionally, any off-hand suggestions as to how to prevent things like this from happening in the future?



edit: apparently they were proxying from at least ukraine and china judging by the IPs in the access/error logs


That log entry means this

# killall apache

That uses the default kill level of -15, terminate. -9 is the "get out now" one. If you were getting hacked with malicious intent, you'd see SIGSEGV (11), which is segfault. Sigterm's pretty much the nice way of saying "please close". Sighup is the one you send it to reload the configuration files without having to interrupt the "service".

Now, are you going to provide something a bit more indicative of anything you mentioned?


 
 Post subject:
PostPosted: Wed Dec 01, 2010 12:35 am  

Obtuse Oaf
Joined: Tue Jan 15, 2008 8:44 am
Posts: 826
Location: Reston, VA

someone from china had been spending quite some time trying to load pages that didn't exist on my server, mostly things like /var/www/mysql 100 times or /var/www/phpmyadmin

i assumed that message was apache's way of saying, "i c wut u did thar" and closing down--similar to a BSOD

i've since banned the three ips he was using


 
 Post subject:
PostPosted: Wed Dec 01, 2010 12:43 am  

Querulous Quidnunc
Joined: Fri May 14, 2010 6:59 pm
Posts: 2569
Location: In your dreams.

rikkilake wrote:
someone from china had been spending quite some time trying to load pages that didn't exist on my server, mostly things like /var/www/mysql 100 times or /var/www/phpmyadmin

i assumed that message was apache's way of saying, "i c wut u did thar" and closing down--similar to a BSOD

i've since banned the three ips he was using


if it's a shared server, it'll have a watchdog program to autokill any process eating abnormal resources.


 
 Post subject:
PostPosted: Wed Dec 01, 2010 12:46 am  

Obtuse Oaf
Joined: Tue Jan 15, 2008 8:44 am
Posts: 826
Location: Reston, VA

is there a good one i could apt-get?


 
 Post subject:
PostPosted: Wed Dec 01, 2010 1:10 am  

Querulous Quidnunc
Joined: Fri May 14, 2010 6:59 pm
Posts: 2569
Location: In your dreams.

rikkilake wrote:
is there a good one i could apt-get?


by program i meant script custom-built to monitor apache processes over a period of time and report, or if running out of control, kill.

I'm tempted to tell you to run "top", but you might get lost in that for a bit, mainly because all it is is a task manager in text mode.


 
 Post subject:
PostPosted: Wed Dec 01, 2010 1:15 am  

Obtuse Oaf
Joined: Tue Jan 15, 2008 8:44 am
Posts: 826
Location: Reston, VA

Tehra wrote:
rikkilake wrote:
is there a good one i could apt-get?


by program i meant script custom-built to monitor apache processes over a period of time and report, or if running out of control, kill.

I'm tempted to tell you to run "top", but you might get lost in that for a bit, mainly because all it is is a task manager in text mode.

eh, i guess i'll do some googling tomorrow so as not to demand that you write my script for me


 
 Post subject:
PostPosted: Wed Dec 01, 2010 1:19 am  

Querulous Quidnunc
Joined: Fri May 14, 2010 6:59 pm
Posts: 2569
Location: In your dreams.

unless you're running 25+ sites on the same machine, that's not something you'd need.

edit: if your server is choking on several requests that are 404'ing, replace the hamster.

i ran hackthepla.net on a pentium 75 with 64mb of RAM, off a cable modem that i managed to keep a static ip on for over 2 years. yes, it ran mysqld, and sendmail, and ftp, and a few eggdrops. oh, and a screen'd bitchx session. it managed to hit the "rollover" value of uptime in the earlier 2.2 kernels.


 
 Post subject:
PostPosted: Wed Dec 01, 2010 1:20 am  
Blathering Buffoon
Joined: Thu Jul 24, 2008 7:01 am
Posts: 1036

I just made all of my development stuff only accessible by localhost

because fuck that
 
 Post subject:
PostPosted: Wed Dec 01, 2010 1:20 am  

Obtuse Oaf
Joined: Tue Jan 15, 2008 8:44 am
Posts: 826
Location: Reston, VA

Tehra wrote:
unless you're running 25+ sites on the same machine, that's not something you'd need.

only one
but i dont want this to happen again


 
 Post subject:
PostPosted: Wed Dec 01, 2010 1:22 am  

Obtuse Oaf
Joined: Tue Jan 15, 2008 8:44 am
Posts: 826
Location: Reston, VA

Quittermike wrote:
I just made all of my development stuff only accessible by localhost

because fuck that

the nerd didn't access anything
he tried
but every directory he attempted to pull from didn't even exist

Code:
[Fri Nov 19 17:06:57 2010] [error] [client 91.213.8.43] File does not exist: /var/www/mysql
[Fri Nov 19 17:06:57 2010] [error] [client 91.213.8.43] File does not exist: /var/www/myadmin
[Fri Nov 19 17:06:57 2010] [error] [client 91.213.8.43] File does not exist: /var/www/webadmin
[Fri Nov 19 17:06:58 2010] [error] [client 91.213.8.43] File does not exist: /var/www/sqlweb
[Fri Nov 19 17:06:58 2010] [error] [client 91.213.8.43] File does not exist: /var/www/websql
[Fri Nov 19 17:06:58 2010] [error] [client 91.213.8.43] File does not exist: /var/www/webdb
[Fri Nov 19 17:06:59 2010] [error] [client 91.213.8.43] File does not exist: /var/www/mysqladmin
[Fri Nov 19 17:06:59 2010] [error] [client 91.213.8.43] File does not exist: /var/www/mysql-admin
[Fri Nov 19 17:06:59 2010] [error] [client 91.213.8.43] File does not exist: /var/www/phpmyadmin2
[Fri Nov 19 17:07:00 2010] [error] [client 91.213.8.43] File does not exist: /var/www/phpMyAdmin2
[Fri Nov 19 17:07:00 2010] [error] [client 91.213.8.43] File does not exist: /var/www/phpMyAdmin-2
[Fri Nov 19 17:07:00 2010] [error] [client 91.213.8.43] File does not exist: /var/www/php-my-admin

there's a sample of my error.log page


 
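As an added example, not code from anyone in this thread, here is a small Python detector over the error.log format quoted in the post above: it parses the "File does not exist" lines and flags any client that requests many distinct non-existent paths within a short window, which is exactly the shape of the admin-panel probing shown. The 91.213.8.43 lines are copied from the post; the 10.0.0.7 lines are constructed as a benign control (a browser re-fetching one missing favicon).

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample error.log text: the 91.213.8.43 lines are copied from the post above;
# the 10.0.0.7 lines are constructed here as a benign control.
SAMPLE_LOG = """\
[Fri Nov 19 17:06:57 2010] [error] [client 91.213.8.43] File does not exist: /var/www/mysql
[Fri Nov 19 17:06:57 2010] [error] [client 91.213.8.43] File does not exist: /var/www/myadmin
[Fri Nov 19 17:06:58 2010] [error] [client 91.213.8.43] File does not exist: /var/www/sqlweb
[Fri Nov 19 17:06:59 2010] [error] [client 91.213.8.43] File does not exist: /var/www/mysqladmin
[Fri Nov 19 17:07:00 2010] [error] [client 91.213.8.43] File does not exist: /var/www/phpMyAdmin2
[Fri Nov 19 17:07:00 2010] [error] [client 91.213.8.43] File does not exist: /var/www/php-my-admin
[Fri Nov 19 17:09:12 2010] [error] [client 10.0.0.7] File does not exist: /var/www/favicon.ico
[Fri Nov 19 17:09:40 2010] [error] [client 10.0.0.7] File does not exist: /var/www/favicon.ico
"""

# Apache 2.2 error.log layout: [ctime timestamp] [level] [client IP] message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] "
    r"File does not exist: (?P<path>\S+)$"
)

def parse(text):
    """Yield (timestamp, client ip, missing path) for each matching line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
            yield ts, m.group("ip"), m.group("path")

def find_scanners(text, min_distinct=5, window_seconds=60):
    """Return {ip: distinct_paths} for clients that hit at least `min_distinct`
    different non-existent paths inside any `window_seconds` span; a browser
    re-fetching one missing favicon never reaches the threshold."""
    hits = defaultdict(list)
    for ts, ip, path in parse(text):
        hits[ip].append((ts, path))
    flagged = {}
    for ip, events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            window = {p for t, p in events[i:] if (t - start).total_seconds() <= window_seconds}
            if len(window) >= min_distinct:
                flagged[ip] = len(window)
                break
    return flagged
```

Feed it the real file with `find_scanners(open("/var/log/apache2/error.log").read())` and tune `min_distinct` and `window_seconds` against a quiet day's log before acting on the output.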
 Post subject:
PostPosted: Wed Dec 01, 2010 1:25 am  

Querulous Quidnunc
Joined: Fri May 14, 2010 6:59 pm
Posts: 2569
Location: In your dreams.

that's what i get for stopping to smoke a bowl before editing.

Quote:
edit: if your server is choking on several requests that are 404'ing, replace the hamster.

i ran hackthepla.net on a pentium 75 with 64mb of RAM, off a cable modem that i managed to keep a static ip on for over 2 years. yes, it ran mysqld, and sendmail, and ftp, and a few eggdrops. oh, and a screen'd bitchx session. it managed to hit the "rollover" value of uptime in the earlier 2.2 kernels.


 
 Post subject:
PostPosted: Wed Dec 01, 2010 1:26 am  

Obtuse Oaf
Joined: Tue Jan 15, 2008 8:44 am
Posts: 826
Location: Reston, VA

Tehra wrote:
that's what i get for stopping to smoke a bowl before editing.

Quote:
edit: if your server is choking on several requests that are 404'ing, replace the hamster.

i ran hackthepla.net on a pentium 75 with 64mb of RAM, off a cable modem that i managed to keep a static ip on for over 2 years. yes, it ran mysqld, and sendmail, and ftp, and a few eggdrops. oh, and a screen'd bitchx session. it managed to hit the "rollover" value of uptime in the earlier 2.2 kernels.

i'm running it on a dell dimension 3000 (2.4ghz p4 and 1gb ram)

i'm also screening bitchx :>


 
 Post subject:
PostPosted: Wed Dec 01, 2010 8:54 pm  

Tasty Tourist
Joined: Thu May 20, 2010 9:41 am
Posts: 35

As far as keeping this from happening, you probably would be well served to learn how to set up and configure Snort, which can both detect and prevent intrusions. Make sure to test your alert thresholds well; otherwise you could get dozens of emails from false alarms if you set it up to email you. Just from the very short log snip, it probably is just some wannabe running a Metasploit or Nessus scan looking for low-hanging fruit that hasn't been properly secured.

Normally these kinds of things aren't a huge worry other than making your logs get rather large (and thus making you ignore them). Since this was aimed at the webserver you might not necessarily want to change the port that apache runs on, but if you start getting hits on 22/SSH move it over to like 2200 and the automated scans won't even notice it, because they check the common ports and that's about it unless it's a more advanced person doing the scan.


 
 Post subject:
PostPosted: Wed Dec 01, 2010 9:02 pm  

Obtuse Oaf
Joined: Tue Jan 15, 2008 8:44 am
Posts: 826
Location: Reston, VA

thanks, i'm reading the snort manual right now

it didn't look anything close to being professional. i mean, if he knew what he was doing, he probably would've gotten in before apache terminated.
although i did start banning ips to keep people out
Code:
username@serverName:~$ sudo iptables -L
[sudo] password for username:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  s43.justhost.in.ua   anywhere
DROP       all  --  58.218.204.110       anywhere
DROP       all  --  221.192.199.49       anywhere
DROP       all  --  58.218.199.147       anywhere
DROP       all  --  baiduspider-119-63-198-32.crawl.baidu.jp  anywhere         
DROP       all  --  58.218.0.0/16        anywhere


hopefully no one in china is actually interested in what i have hosted


 