
Referer spam vs mod_security

Discussion in 'Plesk for Linux - 8.x and Older' started by atessier, Apr 25, 2006.

  1. atessier

    atessier Guest

    0
     
    Hi,

    First, thanks to all the persons who posted regarding this issue. I read most of everything in these forums.

    Still, I have a question.

    I noticed heavy load on my server this weekend

    BTW: FC2, Plesk 7.5.4, GoDaddy vs

    I password protected my webstats directory. I installed mod_security as per gotroot instructions.

    I checked my httpd.conf and the Loadmodule modsecurity.so is in there

    I downloaded all the rules from gotroot.

    I've created my modsecurity.conf file in /etc/httpd/conf.d.

    I've restarted Apache.

    phpinfo is telling me that mod_security is loaded in the apache2handler section.

    As far as I can tell, I did everything ok.

    How come my access_log is still full of ****? About 6000 lines in the last 12 hours.

    Is this normal? Should my access_log still be crippled by these referer spam attacks?

    My understanding was that this mod_security module would keep the bad guys out.

    Have I missed something ?

    Thanks

    André
     
  2. wagnerch

    wagnerch Guest

    0
     
    It depends on what the attack is. ModSecurity only deals with known rules, and sometimes it is a bit aggressive. It sounds like they are injecting headers into a contact-us form. Typically in that scenario you would need to secure the application or write a ModSecurity rule. (It tends to be easier to secure the application or patch it.)

    Can you tell us what application they are attacking?
     
  3. atessier

    atessier Guest

    0
     
    Hi,

    Well, to be honest, I don't see what application they're attacking.

    I don't have any well-known web application running on my server. I only have a home-made PHP/MySQL application. All other web sites are static HTML pages.

    Here's a sample of my access_log entries:

    221.220.217.225 - - [25/Apr/2006:15:51:53 -0400] "GET http://www.lonelycovergirls.com/prxjdg.cgi?hash=20460A4D9B0BADA844B29944005094FEA23DC60958E1 HTTP/1.0" 404 300 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    218.72.85.80 - - [25/Apr/2006:15:52:02 -0400] "GET http://lolinux.3322.org/sproxy.php HTTP/1.1" 404 292 "-" "Mozilla/4.0 (compatible; ICS)"
    82.197.207.127 - - [25/Apr/2006:15:52:02 -0400] "GET http://ti.tradetracker.nl/351/3506/5806/banner HTTP/1.0" 404 304 "http://www.sportcafe.nl" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"

    and many more (around 15,000 to 20,000 a day).

    Thanks
     
  4. wagnerch

    wagnerch Guest

    0
     
    Did you have the proxy module turned on at one point? All of those requests are for a proxy, but they appeared to fail (404).

    Your server was probably on an open proxy list and everyone and their brother is trying to use it.
     
  5. atessier

    atessier Guest

    0
     
    Here is some info from phpinfo, from the loaded modules of the apache2handler section:

    mod_proxy proxy_ftp proxy_http proxy_connect mod_fpcgid

    I never turned these things on myself, so they must have come from my original GoDaddy setup.

    Are these modules needed for something, or should I just turn them off, or is it some other proxy stuff outside Apache that I have to look at?

    Thanks very much for the time you spend helping me.

    André
     
  6. wagnerch

    wagnerch Guest

    0
     
    Typically they are not used, and normally they are not on unless you explicitly enable it using "ProxyRequests".

    http://httpd.apache.org/docs/2.0/mod/mod_proxy.html

    I can't say that I am super familiar with mod_proxy, but I can tell you I have the module loaded but do not have ProxyRequests enabled.
     
  7. atessier

    atessier Guest

    0
     
    Hi,

    I've checked the link you provided and, as you state, if ProxyRequests is on I would be relaying as a proxy for everyone on the planet.

    But it is not. I've checked my httpd.conf and all of my files in the conf.d directory.

    I even did a locate to see if I had other httpd.conf files. I also checked every vhost.conf and every .htaccess on my server.

    There is no ProxyRequests on.

    Is there another way to find out if I act as an open proxy?

    Thanks

    André
     
  8. wagnerch

    wagnerch Guest

    0
     
    I don't think you are running an open proxy, because the requests were failing with a 404 (document not found), which is the correct behavior when the proxy is turned off. If you're getting 6000 requests a day for documents that look like a URL, then for some reason your server *was* on an open proxy list. Possibly the server's IP is rehashed and the previous server on the IP was an open proxy. It is hard to say. I didn't see any online tools that check for proxies, unfortunately.
     
  9. atessier

    atessier Guest

    0
     
    Hi,

    I've run the pxytest script (http://www.unicom.com/sw/pxytest/) on my 3 IP addresses and this utility says "Test complete - no proxies found".

    Furthermore, I checked my 3 IPs at http://robtex.com and none are listed in their blacklists.

    I ran apachetop for 45 minutes and found that around 19% of all requests are status 200 OK. Here are some of the requests accepted by my server:

    127.0.0.1 - - [26/Apr/2006:20:50:03 -0400] "GET /index.html HTTP/1.0" 200 831 "-" "Wget/1.9+cvs-stable (Red Hat modified)"
    218.249.89.195 - - [26/Apr/2006:20:53:14 -0400] "GET http://www.msn.com.cn/ HTTP/1.0" 200 831 "-" "HttpClient"
    219.134.225.72 - - [26/Apr/2006:20:53:39 -0400] "GET http://track.linktech.cn/?m=hexun&a=A100015035&l=00016 HTTP/1.0" 200 831 "http://www.tqsun.com/hx.htm" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
    219.134.225.72 - - [26/Apr/2006:20:53:39 -0400] "GET http://www.tqsun.com/def_plesk_logo.gif HTTP/1.0" 200 927 "http://www.tqsun.com/hx.htm" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
    219.134.225.72 - - [26/Apr/2006:20:54:45 -0400] "GET http://track.linktech.cn/?m=hexun&a=A100015035&l=00016 HTTP/1.0" 200 831 "http://www.tqsun.com/hx.htm" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
    219.134.225.72 - - [26/Apr/2006:20:54:45 -0400] "GET http://www.tqsun.com/def_plesk_logo.gif HTTP/1.0" 200 927 "http://www.tqsun.com/hx.htm" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
    219.134.225.72 - - [26/Apr/2006:20:55:00 -0400] "GET http://click.linktech.cn/?m=hexun&a=A100015035&l=00016&u_id= HTTP/1.0" 200 831 "http://www.tqsun.com/hx.htm" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
    127.0.0.1 - - [26/Apr/2006:20:55:03 -0400] "GET /index.html HTTP/1.0" 200 831 "-" "Wget/1.9+cvs-stable (Red Hat modified)"
    200.125.18.117 - - [26/Apr/2006:20:57:26 -0400] "GET http://www.yourfilehost.com/ HTTP/1.1" 200 831 "http://www.poligames.com" "Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322)"
    219.134.225.72 - - [26/Apr/2006:20:57:27 -0400] "GET http://track.linktech.cn/?m=hexun&a=A100015035&l=00016 HTTP/1.0" 200 831 "http://www.tqsun.com/hx.htm" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
    219.134.225.72 - - [26/Apr/2006:20:57:30 -0400] "GET http://www.tqsun.com/def_plesk_logo.gif HTTP/1.0" 200 927 "http://www.tqsun.com/hx.htm" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
    61.54.135.35 - - [26/Apr/2006:20:59:17 -0400] "GET http://www.yahoo.com/ HTTP/1.1" 200 831 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows NT)"
    67.11.230.208 - - [26/Apr/2006:20:59:21 -0400] "GET http://www.yahoo.com:80/ HTTP/1.1" 200 831 "-" "Mozilla/3.0 (compatible; Indy Library)"
    65.75.152.120 - - [26/Apr/2006:20:59:59 -0400] "GET http://search.yahoo.com/ HTTP/1.0" 200 831 "-" "Mozilla/4.0"
    65.75.152.120 - - [26/Apr/2006:21:00:00 -0400] "GET http://search.yahoo.com/ HTTP/1.0" 200 831 "-" "Mozilla/4.0"
    127.0.0.1 - - [26/Apr/2006:21:00:06 -0400] "GET /index.html HTTP/1.0" 200 831 "-" "Wget/1.9+cvs-stable (Red Hat modified)"
    196.217.78.142 - - [26/Apr/2006:21:00:31 -0400] "GET http://www.yahoo.com:80/ HTTP/1.1" 200 831 "-" "Mozilla/3.0 (compatible; Indy Library)"
    84.36.15.4 - - [26/Apr/2006:21:02:52 -0400] "GET http://www.google.com:80/ HTTP/1.1" 200 831 "-" "Mozilla/3.0 (compatible; Indy Library)"
    211.156.181.61 - - [26/Apr/2006:21:02:56 -0400] "HEAD http://www.yahoo.com/ HTTP/1.0" 200 - "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"
    84.36.15.4 - - [26/Apr/2006:21:03:04 -0400] "GET http://www.google.com:80/ HTTP/1.1" 200 831 "-" "Mozilla/3.0 (compatible; Indy Library)"
    200.105.152.107 - - [26/Apr/2006:21:03:47 -0400] "HEAD http://members.ztod.com/ HTTP/1.0" 200 - "-" "Mozilla/5.0 ( Windows; U; Windows NT4.0; FireFox )"

    As you can see, it looks like my server accepted GET requests for yahoo.com and some others.

    If this is a proxy request, how come pxytest says that there are no proxies found on my servers?

    Two lines are bugging me even more than the Yahoo ones. These are the ones starting with my loopback address 127.0.0.1. In this line, you can see a Wget/1.9+cvs-stable (Red Hat modified).

    Could I have been hacked and rootkitted? I will run RKHunter and let you know in the next post.

    If you have any thoughts please share.

    Thanks

    André
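A way to pull the proxy-style requests out of the log and check what the 200s actually are, as an added example written for this thread (not code from any of the posts): the script reads Apache combined-format lines, separates absolute-URI request lines ("GET http://www.yahoo.com/ ...") from normal ones, and groups the successful absolute-URI GETs by path. A real forward proxy hands back each remote site's own page, so the same path on many different hosts comes back in different sizes; one identical size across yahoo, google and msn is the server answering from its own default vhost. The embedded sample is made of lines quoted in posts 3 and 9; the verdict labels are this script's own.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Apache "combined" format: client ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>HTTP/[\d.]+))?" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    e = m.groupdict()
    e["status"] = int(e["status"])
    e["bytes"] = None if e["bytes"] == "-" else int(e["bytes"])
    # Only an absolute-URI request line ("GET http://host/...") asks the server
    # to act as a forward proxy; a normal request names just a path.
    e["proxy_style"] = e["target"].lower().startswith(("http://", "https://"))
    if e["proxy_style"]:
        parts = urlsplit(e["target"])
        e["target_host"], e["target_path"] = parts.hostname, parts.path or "/"
    else:
        e["target_host"], e["target_path"] = None, e["target"]
    return e


def summarize(lines):
    """Count proxy-style requests and judge what their 200 responses are."""
    entries = [e for e in map(parse_line, lines) if e]
    proxy = [e for e in entries if e["proxy_style"]]
    status = Counter(e["status"] for e in proxy)
    targets = Counter(e["target_host"] for e in proxy)

    # Group successful GETs by the path part of the requested URI. A working
    # forward proxy returns each remote host's own page, so the same path on
    # different hosts comes back in different sizes; a server that ignores the
    # host part and answers from its default vhost returns one size for all.
    by_path = defaultdict(lambda: {"hosts": set(), "sizes": set()})
    for e in proxy:
        if e["method"] == "GET" and e["status"] == 200 and e["bytes"] is not None:
            by_path[e["target_path"]]["hosts"].add(e["target_host"])
            by_path[e["target_path"]]["sizes"].add(e["bytes"])

    if not by_path:
        verdict = "proxy_requests_rejected"      # no 200s at all: proxying is off
    elif any(len(g["hosts"]) > 1 and len(g["sizes"]) == 1 for g in by_path.values()):
        verdict = "served_local_default_page"    # yahoo, google, msn... all the same size
    else:
        verdict = "possible_open_proxy"          # sizes differ per host: probe port 80

    return {
        "total": len(entries),
        "proxy_style": len(proxy),
        "status": dict(status),
        "top_targets": targets.most_common(5),
        "verdict": verdict,
    }


# Sample input: access_log lines quoted in this thread (posts 3 and 9), embedded
# so the script runs offline.
SAMPLE_LOG = """\
221.220.217.225 - - [25/Apr/2006:15:51:53 -0400] "GET http://www.lonelycovergirls.com/prxjdg.cgi?hash=20460A4D9B0BADA844B29944005094FEA23DC60958E1 HTTP/1.0" 404 300 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
218.72.85.80 - - [25/Apr/2006:15:52:02 -0400] "GET http://lolinux.3322.org/sproxy.php HTTP/1.1" 404 292 "-" "Mozilla/4.0 (compatible; ICS)"
82.197.207.127 - - [25/Apr/2006:15:52:02 -0400] "GET http://ti.tradetracker.nl/351/3506/5806/banner HTTP/1.0" 404 304 "http://www.sportcafe.nl" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
127.0.0.1 - - [26/Apr/2006:20:50:03 -0400] "GET /index.html HTTP/1.0" 200 831 "-" "Wget/1.9+cvs-stable (Red Hat modified)"
218.249.89.195 - - [26/Apr/2006:20:53:14 -0400] "GET http://www.msn.com.cn/ HTTP/1.0" 200 831 "-" "HttpClient"
219.134.225.72 - - [26/Apr/2006:20:53:39 -0400] "GET http://track.linktech.cn/?m=hexun&a=A100015035&l=00016 HTTP/1.0" 200 831 "http://www.tqsun.com/hx.htm" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
219.134.225.72 - - [26/Apr/2006:20:53:39 -0400] "GET http://www.tqsun.com/def_plesk_logo.gif HTTP/1.0" 200 927 "http://www.tqsun.com/hx.htm" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
200.125.18.117 - - [26/Apr/2006:20:57:26 -0400] "GET http://www.yourfilehost.com/ HTTP/1.1" 200 831 "http://www.poligames.com" "Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322)"
61.54.135.35 - - [26/Apr/2006:20:59:17 -0400] "GET http://www.yahoo.com/ HTTP/1.1" 200 831 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows NT)"
67.11.230.208 - - [26/Apr/2006:20:59:21 -0400] "GET http://www.yahoo.com:80/ HTTP/1.1" 200 831 "-" "Mozilla/3.0 (compatible; Indy Library)"
84.36.15.4 - - [26/Apr/2006:21:02:52 -0400] "GET http://www.google.com:80/ HTTP/1.1" 200 831 "-" "Mozilla/3.0 (compatible; Indy Library)"
211.156.181.61 - - [26/Apr/2006:21:02:56 -0400] "HEAD http://www.yahoo.com/ HTTP/1.0" 200 - "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"
200.105.152.107 - - [26/Apr/2006:21:03:47 -0400] "HEAD http://members.ztod.com/ HTTP/1.0" 200 - "-" "Mozilla/5.0 ( Windows; U; Windows NT4.0; FireFox )"
""".splitlines()

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the real box, feed it the whole file (`python3 proxycheck.py < /var/log/httpd/access_log` after swapping SAMPLE_LOG for `sys.stdin`). The log can only suggest; the definitive check is to send the same kind of request line to port 80 yourself, e.g. `printf 'GET http://www.example.com/ HTTP/1.0\r\n\r\n' | nc yourserver 80`, and compare the body with what the server returns for its own index page.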
     
  10. atessier

    atessier Guest

    0
     
    Well, RKHunter found no rootkits.

    There is still something strange with my mod_security.

    I have set SecAuditEngine to On so everything is logged, and still I have no audit_log file to be found. It seems that even though the mod_security module is loaded, modsecurity.conf is not used.

    Thanks
     
  11. wagnerch

    wagnerch Guest

    0
     
    It seems pretty clear that the server is an open proxy. What is the IP address? I am not familiar with "pxytest", but it may only be checking on the standard proxy port 1080.
     
  12. wagnerch

    wagnerch Guest

    0
     
    Also run ps -fu apache and post the results. It is possible your box is not "rooted", but a domain is "hacked" and applications are running as the apache user.
     
  13. atessier

    atessier Guest

    0
     
    $ ps -fu apache
    UID        PID   PPID  C STIME TTY          TIME CMD
    apache    3169  12578  0 16:36 ?        00:00:04 [httpd]
    apache    2275  12578  0 19:35 ?        00:00:05 [httpd]
    apache   16995  12578  0 19:47 ?        00:00:06 [httpd]
    apache   20640  12578  0 20:21 ?        00:00:04 [httpd]
    apache   21158  12578  0 21:06 ?        00:00:00 [httpd]

    There is still something weird regarding mod_security. I'm not sure it is properly running, even though I installed it as suggested on gotroot.com.

    mod_security has an audit_log, but this file does not exist on my server, even though my modsecurity.conf seems to be well configured and the module appears to be running. I set SecAuditEngine to On and the debug level to 9, and I have neither the audit_log nor the debug log. I have restarted Apache with no error messages, so my conf seems alright. To test further, I put a typo in modsecurity.conf and restarted Apache successfully. So I'm really wondering if my modsecurity.conf and the rule sets are loaded properly.

    Still investigating. Let me know if the ps output is helpful and if you think of something else.

    Thanks
     
  14. wagnerch

    wagnerch Guest

    0
     
    Nothing running as "apache" that is unusual. This is what I have for modsecurity.conf in /etc/httpd/conf.d:

    #
    # Mod_security module
    #

    LoadModule security_module modules/mod_security.so


    <IfModule mod_security.c>

    # Enable ModSecurity
    SecFilterEngine On

    # Reject requests with status 403
    SecFilterDefaultAction "deny,log,status:403"

    # Some sane defaults
    SecFilterScanPOST On
    SecFilterCheckURLEncoding On
    SecFilterCheckUnicodeEncoding Off

    # Accept almost all byte values
    SecFilterForceByteRange 1 255

    # Server masking is optional
    # SecServerSignature "Microsoft-IIS/5.0"

    # Designate a directory for temporary files
    # storage. It is a good idea to change the
    # value below to a private directory, just as
    # an additional measure against race conditions
    SecUploadDir /tmp
    SecUploadKeepFiles Off

    # Only record the interesting stuff
    SecAuditEngine RelevantOnly
    # Uncomment below to record responses with unusual statuses
    # SecAuditLogRelevantStatus ^5
    SecAuditLog logs/audit_log

    # You normally won't need debug logging
    SecFilterDebugLevel 0
    SecFilterDebugLog logs/modsec_debug_log

    # Include user rules
    Include modsecurity.d/*.conf

    </IfModule>
     
  15. atessier

    atessier Guest

    0
     
    Thanks wagnerch,

    I put in your modsecurity.conf with two small changes.

    First, I remmed out the LoadModule of mod_security.so, since it was done in my httpd.conf.

    Second, I replaced Include modsecurity.d/*.conf with Include /etc/modsecurity/*.conf (this is where my rule sets are).

    Restarted Apache, will let it run all day and post back tonight.

    Since yours is working, could you post a few lines of your audit_log so I can see what it looks like?

    Furthermore, is this audit_log file created by Apache when needed, or do I have to create it myself?

    What are the file ownership and permissions for the modsecurity.conf and related rule sets ?

    André
     
  16. wagnerch

    wagnerch Guest

    0
     
    -rw------- 1 root root 4245 Apr 24 20:34 /var/log/httpd/audit_log

    ==97084308==============================
    Request: default 81.91.225.142 - - [23/Apr/2006:07:58:47 --0400] "GET /sumthin HTTP/1.0" 403 284 "-" "-" - "-"
    ----------------------------------------
    GET /sumthin HTTP/1.0
    mod_security-action: 403
    mod_security-message: Access denied with code 403. Pattern match "/sumthin" at REQUEST_URI

    HTTP/1.0 403 Forbidden
    Content-Length: 284
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
    --97084308--
     
  17. atessier

    atessier Guest

    0
     
    Hi wagnerch,

    Here are some results.

    First, in a previous post you asked whether pxytest only tests port 1080.

    Here's the output of the program:

    ./pxytest 68.178.153.68
    Testing addr "68.178.153.68" port "3128" proto "http-connect" ... cannot connect
    Testing addr "68.178.153.68" port "8080" proto "http-connect" ... cannot connect
    Testing addr "68.178.153.68" port "8080" proto "http-post" ... cannot connect
    Testing addr "68.178.153.68" port "8081" proto "http-connect" ... cannot connect
    Testing addr "68.178.153.68" port "1080" proto "socks4" ... cannot connect
    Testing addr "68.178.153.68" port "1080" proto "socks5" ... cannot connect
    Testing addr "68.178.153.68" port "23" proto "telnet" ... cannot connect
    Testing addr "68.178.153.68" port "23" proto "cisco" ... cannot connect
    Testing addr "68.178.153.68" port "23" proto "wingate" ... cannot connect
    Testing addr "68.178.153.68" port "6588" proto "http-connect" ... cannot connect
    Testing addr "68.178.153.68" port "1180" proto "socks4" ... cannot connect
    Test complete - no proxies found
     
  18. atessier

    atessier Guest

    0
     
    Now about mod_security,

    I took a look at your modsecurity.conf and noticed that you loaded the module in this conf file instead of in httpd.conf, so I decided to do the same, and Apache refused to start, saying that there were errors in the exclude.conf file. Finally I was going somewhere and was sure that the conf files were being read.

    I then downloaded the latest version of mod_security (I had 1.9dev2, don't know why),
    compiled it, then adjusted a few things and restarted Apache without errors.

    Now I have an audit_log file that I can monitor. :D

    I ran apachetop for 1 hour and noticed that my 200 status requests went down to around 2.3% from a big 19% yesterday.

    Still, I have this entry in my log that I need to investigate, because I don't understand what it means.

    127.0.0.1 - - [28/Apr/2006:23:50:03 -0400] "GET /index.html HTTP/1.0" 200 831 "-" "Wget/1.9+cvs-stable (Red Hat modified)"

    It comes from inside, thus the 127.0.0.1. There's a GET request for the page index.html, which does exist, thus the status 200, and the last part, "Wget/1.9 ...", is the part I'm not sure what it means.

    Also, another thing that I need to try to regulate: I still get 500 requests/hour, which totals 12,000/day, directly on my IP address. Everything that comes directly to the IP (http://ip) is registered in my access_log. Since I do not serve any valid pages for the IP address, couldn't I just tell Apache to drop these requests?

    Thanks again for your help
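One way to do what the last paragraph asks, as an added example (Apache 2.0/2.2-era directives written for this thread, not taken from it or from Plesk): state ProxyRequests Off explicitly, deny the proxy handler outright, and make a deny-everything catch-all the first vhost for the address, so hits on the bare IP, and absolute-URI request lines naming hosts you don't serve, get a 403 and a separate log instead of the default page. The address 203.0.113.10, the paths and the log name are placeholders.

```apache
# Added example, not from the thread or from Plesk. Apache 2.0/2.2 syntax;
# on 2.4 the Order/Deny pairs become "Require all denied".

# 1. Forward proxying off, whatever mod_proxy is loaded for (phpinfo above
#    shows the proxy modules loaded without ProxyRequests being on). If nothing
#    needs them, commenting the LoadModule proxy_* lines out of httpd.conf is
#    the simpler fix.
ProxyRequests Off
<Proxy *>
    Order deny,allow
    Deny from all
</Proxy>

# 2. Catch-all vhost. Apache sends a request whose Host header, or whose
#    absolute-URI host ("GET http://www.yahoo.com/ HTTP/1.1"), matches no
#    ServerName to the FIRST <VirtualHost> for that address, so this block must
#    come before the real sites (on Plesk: before the generated httpd.include is
#    read). The address needs a NameVirtualHost declaration once; Plesk already
#    emits it, so uncomment the next line only if nothing else declares it.
# NameVirtualHost 203.0.113.10:80
<VirtualHost 203.0.113.10:80>
    ServerName catchall.invalid
    DocumentRoot /var/www/empty
    <Location />
        Order deny,allow
        Deny from all
    </Location>
    # Keep the noise out of the real sites' access_log.
    CustomLog logs/catchall_log combined
</VirtualHost>
```

Apache cannot silently drop a TCP request; a 403 from an empty vhost is the cheapest answer it can give, and routing those hits to their own log is what clears access_log. After restarting, `httpd -S` shows which vhost Apache treats as the default for each address, which is the check that the catch-all really landed first.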
     
  19. wagnerch

    wagnerch Guest

    0
     
    It's not testing port 80 for a proxy, which is where the proxy would be in this case.
     
  20. wagnerch

    wagnerch Guest

    0
     
    This is something on your server that is calling the "wget" command. Check your cron log (/var/log/cron) and see if the access_log time correlates to when cron fired up.
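One way to run the check suggested above, as an added example written for this thread (not the poster's code): parse the loopback hits out of access_log, parse the CMD lines that vixie-cron writes to /var/log/cron, and pair each hit with the job that fired just before it. The cron lines, the host name and the job path /root/bin/httpcheck.sh are constructed for the example, as is the assumed "crond[pid]: (user) CMD (...)" line shape; the first access line is the one quoted earlier in the thread, the others are made up. Syslog lines carry no year, so the year is borrowed from the access_log entry (a year boundary is not handled).

```python
import re
from datetime import datetime

# Added example (not from the thread): line up access_log hits from the loopback
# address with /var/log/cron entries to see whether a cron job is what runs wget.

ACCESS_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^ \]]+) [-+]\d{4}\] '
    r'"(?P<request>[^"]*)" \d{3} \S+ "[^"]*" "(?P<agent>[^"]*)"'
)
# vixie-cron syslog line as crond writes it on Red Hat/Fedora (assumed shape):
#   Apr 28 23:50:01 host crond[4121]: (root) CMD (/path/to/job)
# Debian tags the line "CRON" instead, so both spellings are accepted.
CRON_RE = re.compile(
    r'^(?P<time>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ (?:crond|CRON)\[\d+\]: '
    r'\((?P<user>[^)]+)\) CMD \((?P<cmd>.*)\)\s*$'
)


def correlate(access_lines, cron_lines, client="127.0.0.1", window=10):
    """Return (matched, unmatched): each hit from `client` paired with the cron
    CMD that fired at most `window` seconds before it, or listed as unmatched."""
    hits = []
    for line in access_lines:
        m = ACCESS_RE.match(line)
        if m and m["client"] == client:
            when = datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S")
            hits.append((when, m["request"], m["agent"]))

    jobs = [(m["time"], m["user"], m["cmd"])
            for m in map(CRON_RE.match, cron_lines) if m]

    matched, unmatched = [], []
    for when, request, agent in hits:
        hit = {"time": when.isoformat(sep=" "), "request": request, "agent": agent}
        best = None
        for stamp, user, cmd in jobs:
            # Syslog has no year: borrow it from the access_log entry. Collapse
            # the double space cron uses for single-digit days ("Apr  6").
            fired = datetime.strptime(f"{when.year} {' '.join(stamp.split())}",
                                      "%Y %b %d %H:%M:%S")
            lag = (when - fired).total_seconds()
            if 0 <= lag <= window and (best is None or lag < best["lag"]):
                best = dict(hit, user=user, cmd=cmd, lag=lag)
        (matched if best else unmatched).append(best or hit)
    return matched, unmatched


# Constructed sample input. The first access line is the one quoted earlier in
# the thread; the rest, and all cron lines, are invented for the example
# (203.0.113.5 is a documentation address, httpcheck.sh a placeholder job).
ACCESS_SAMPLE = [
    '127.0.0.1 - - [28/Apr/2006:23:50:03 -0400] "GET /index.html HTTP/1.0" 200 831 "-" "Wget/1.9+cvs-stable (Red Hat modified)"',
    '203.0.113.5 - - [28/Apr/2006:23:52:11 -0400] "GET http://www.example.com/ HTTP/1.1" 200 831 "-" "Mozilla/4.0"',
    '127.0.0.1 - - [28/Apr/2006:23:55:02 -0400] "GET /index.html HTTP/1.0" 200 831 "-" "Wget/1.9+cvs-stable (Red Hat modified)"',
    '127.0.0.1 - - [29/Apr/2006:00:07:41 -0400] "GET /index.html HTTP/1.0" 200 831 "-" "Wget/1.9+cvs-stable (Red Hat modified)"',
]
CRON_SAMPLE = [
    "Apr 28 23:50:01 plesk crond[4121]: (root) CMD (/root/bin/httpcheck.sh)",
    "Apr 28 23:55:01 plesk crond[4130]: (root) CMD (/root/bin/httpcheck.sh)",
    "Apr 29 00:01:01 plesk crond[4142]: (root) CMD (run-parts /etc/cron.hourly)",
]

if __name__ == "__main__":
    matched, unmatched = correlate(ACCESS_SAMPLE, CRON_SAMPLE)
    for row in matched:
        print(f"{row['time']}  {row['request']!r}  <- ({row['user']}) {row['cmd']} {row['lag']:.0f}s earlier")
    for row in unmatched:
        print(f"{row['time']}  {row['request']!r}  <- no cron job within window")
```

On the box itself the two inputs are `grep 127.0.0.1 /var/log/httpd/access_log` and `grep CMD /var/log/cron`. A match names the user and command, which then points at /etc/crontab, /etc/cron.d or that user's `crontab -l`; a hit with no match inside the window is worth a closer look, because it is something other than cron talking to the local web server. A GET of the front page every few minutes from 127.0.0.1 with a wget agent is what a scripted availability check looks like, but the cron log is what proves it.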
     