The Cache: Technology Expert's Forum
Topic: a hack exploit / attempt & general server security  (Read 2375 times)
svakanda
« on: July 11, 2009, 12:44:48 PM »

My web server just went down today. I was still tweaking the MaxClients settings, and yesterday I had raised it a couple, so that very well might have pushed it over at some point, but I also find this in my http error_log:
Code:
[Sat Jul 11 11:28:31 2009] [error] server reached MaxClients setting, consider raising the MaxClients setting
[Sat Jul 11 11:35:44 2009] [error] [client 124.6.183.222] Invalid URI in request GET HTTP/1.1 HTTP/1.1
[Sat Jul 11 11:37:27 2009] [error] [client 124.6.183.222] Invalid URI in request GET  HTTP/1.1
[Sat Jul 11 14:38:06 2009] [error] [client 216.168.43.234] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Sat Jul 11 14:57:28 2009] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Sat Jul 11 14:57:29 2009] [notice] Digest: generating secret for digest authentication ...
[Sat Jul 11 14:57:29 2009] [notice] Digest: done
[Sat Jul 11 14:57:31 2009] [notice] Apache/2.2.3 (CentOS) configured -- resuming normal operations
[Sat Jul 11 15:08:34 2009] [notice] caught SIGTERM, shutting down
[Sat Jul 11 15:08:34 2009] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Sat Jul 11 15:08:34 2009] [notice] Digest: generating secret for digest authentication ...
[Sat Jul 11 15:08:34 2009] [notice] Digest: done
[Sat Jul 11 15:08:35 2009] [notice] Apache/2.2.3 (CentOS) configured -- resuming normal operations

Especially the
Code:
/w00tw00t.at.ISC.SANS.DFind
makes me nervous.  Does anyone know anything about this?  I installed chkrootkit and ran it post de facto, no issues.
I am running:
CentOS 5.3
Apache/2.2.3
mysql  Ver 14.14 Distrib 5.1.35, for redhat-linux-gnu (x86_64) using readline 5.1

Here are my iptables settings:
Code:
*filter
:INPUT ACCEPT [883:66936]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [761:80564]
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/255.0.0.0 -i ! lo -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 2222 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -j ACCEPT
COMMIT
# Completed on Tue Jun  9 17:56:14 2009

I have no FTP services running, my SSH is on a nonstandard port, and you can't log in as root.
What do you guys think about this?  What else can I do to help protect myself?  Is that weird Apache log entry dangerous?  Thanks everyone, I'm looking forward to hearing your input!

a ship is safe in the harbor, but that's not what it's for.
perkiset
« Reply #1 on: July 11, 2009, 01:03:09 PM »

Unless I'm off base, that suexec looks mighty scary to me.

It is now believed, that after having lived in one compound with 3 wives and never leaving the house for 5 years, Bin Laden called the U.S. Navy Seals himself.
dirk
« Reply #2 on: July 11, 2009, 07:38:40 PM »

w00tw00t.at.ISC.SANS.DFind is a web vulnerability scanner that has this fingerprint.

More information here:
http://isc.sans.org/diary.html?storyid=900

If you detect such patterns in your log files, better block the IPs.

Dirk
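As an added example (not code from this thread or from the ISC diary linked above), a small Python triage script for the error_log format quoted in the first post: it separates the routine start-up notices (the suEXEC line Perk asked about is one of them) from scanner fingerprints such as the DFind one, and turns the probing client IPs into the block rules dirk suggests. The tag names, the min_tags threshold and the embedded sample lines are my own choices.

```python
import re

# Constructed sample: error_log lines as quoted in the thread, embedded so the script runs offline.
SAMPLE_LOG = """\
[Sat Jul 11 11:28:31 2009] [error] server reached MaxClients setting, consider raising the MaxClients setting
[Sat Jul 11 11:35:44 2009] [error] [client 124.6.183.222] Invalid URI in request GET HTTP/1.1 HTTP/1.1
[Sat Jul 11 14:38:06 2009] [error] [client 216.168.43.234] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Sat Jul 11 14:57:28 2009] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Sat Jul 11 14:57:31 2009] [notice] Apache/2.2.3 (CentOS) configured -- resuming normal operations
"""
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] "
    r"(?:\[client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\] )?(?P<msg>.*)$")

# Signs of a remote client probing the server (candidates for a block rule).
SCANNER_SIGS = [
    ("dfind-scanner", re.compile(r"w00tw00t\.at\.ISC\.SANS\.DFind")),
    ("malformed-request", re.compile(r"Invalid URI in request")),
    ("no-host-header", re.compile(r"request without hostname")),
]
# Notices Apache writes on every (re)start: the suEXEC line is expected here.
ROUTINE_RE = re.compile(
    r"suEXEC mechanism enabled|Digest: |resuming normal operations|caught SIGTERM")
CAPACITY_RE = re.compile(r"reached MaxClients")

def triage(log_text):
    """Split lines into scanner hits per client IP, routine start-up
    notices and capacity warnings; lines that do not parse are counted."""
    hits, counts = {}, {"routine": 0, "capacity": 0, "unparsed": 0}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            counts["unparsed"] += 1
            continue
        msg, ip = m["msg"], m["ip"]
        if ROUTINE_RE.search(msg):
            counts["routine"] += 1
        elif CAPACITY_RE.search(msg):
            counts["capacity"] += 1
        for tag, sig in SCANNER_SIGS:
            if ip and sig.search(msg):
                hits.setdefault(ip, set()).add(tag)
    return {"hits": hits, "counts": counts}

def block_rules(hits, min_tags=1):
    """One iptables DROP per probing IP, inserted at the top of INPUT so it
    wins over the ACCEPT rules for ports 80/443 shown in the thread."""
    return [f"iptables -I INPUT -s {ip} -j DROP"
            for ip in sorted(hits) if len(hits[ip]) >= min_tags]
```

Run it against a copy of /var/log/httpd/error_log and review the emitted rules before applying them; raising min_tags to 2 keeps a single malformed request from blocking a legitimate client.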
svakanda
« Reply #3 on: July 12, 2009, 12:08:44 PM »

> Unless I'm off base, that suexec looks mighty scary to me.

I agreed, Perk; however, after going back through all my logs, the server does that every time it starts up.  And I rebooted it right after that other thing logged, so in retrospect, I am not so worried.
svakanda
« Reply #4 on: July 12, 2009, 12:10:50 PM »

Luckily, it appears to me that I just had my MaxClients settings totally jacked, and probably when somebody tried to scan our server, it bumped it over and knocked the thing down.  It seems to be in better condition today.  But if anyone has any security suggestions, I'd love to hear them!

J
vsloathe
« Reply #5 on: July 15, 2009, 07:39:14 AM »

Yeah, I would never be worried about a suexec in my logs unless it was preceded (closely together) by some attempts at privilege escalation. No one capable of rooting your box is going to execute a command that tame without first attempting some of the easier routes toward privilege escalation. For instance, I grep my logs often looking for things like "cat /etc/issue".

hai
svakanda
« Reply #6 on: July 15, 2009, 07:45:21 AM »

Nods, I figured.  Good to hear though!  The box seems to be fine.