Jump to content

Something Strange Going On On My Server


Jamo
 Share

Recommended Posts

Hi, I was almost accidentally viewing my servers log ie. http://192.168.1.9/server-status?refresh=n

Srv	PID	Acc	M	CPU	SS	Req	Conn	Child	Slot	Client	VHost	Request
0-0	1056	90/396/396	W	0.76	0	0	85.8	0.35	0.35	192.168.1.18	127.0.1.1	GET /server-status?refresh=n HTTP/1.1
1-0	1057	0/305/305	_	0.58	2485	1	0.0	0.27	0.27	101.128.153.201	127.0.1.1	GET / HTTP/1.0
2-0	1058	0/307/307	_	0.56	152	0	0.0	0.27	0.27	87.230.74.46	127.0.1.1	GET /din.aspx?s=00000000&id=0&client=DynGate&p=10000001 HTTP/1.
3-0	1059	0/306/306	_	0.53	2486	0	0.0	0.27	0.27	50.57.93.243	127.0.1.1	HEAD /robots.txt HTTP/1.0
4-0	1060	0/305/305	_	0.52	25	2	0.0	0.27	0.27	192.168.1.18	127.0.1.1	GET /server-status?refresh=n HTTP/1.1
5-0	1249	0/245/245	_	0.46	424	1	0.0	0.21	0.21	74.125.152.80	127.0.1.1	GET /pictures/Webcam.JPG HTTP/1.1

I have dd-wrt router, and server is old dell laptop, which runs turnkey linux'es LAMB server. I have disabled some administrative features, and Im only running apache, and hosting phproxy. Only ports 80 and 443 are forwarded.

nmap host-ip

PORT STATE SERVICE

22/tcp open ssh

80/tcp open http

443/tcp open https

Link to comment
Share on other sites

Do you have HTTP return codes for the logs as well? Because it looks like some people are just attempting to connect and look for files that may or may not exist, and they might just be getting 404 not found if they files aren't there. Without return codes, can't really say what is happening, but might just be random searches by bots or people trying to scan a network for vulns.

74.125.152.80 is google, or googel-bot, so if it found this, it had a reason to look there, like a referrer from your own browser to another site running analytics. 50.57.93.243 is a cloud-ips.com server, more than likely someones own website and using it to scan other sites. Possibly even a custom web crawler hosted by cloud-ips. 87.230.74.46 is teamviewer, and if you were using it at the time, that is the server you or someone else was using to connect to your box or from your box to someone elses box. If you don't use Teamviewer, then I would be highly concerned that someone didn't slip in a portable version with hard coded password setup without your knowledge. The last one you listed, 101.128.153.201, is an address in Japan. If you don't know who it is, you can block it in .htaccess, but I think checking the security of your router, VM and host machine goes without saying.

Personally, running a web server live to the internet, is a bit risky. If anything, either set up a VPN to access the web server, or htpasswd the entire thing, using a unique and secure username and password. This way, at most, people would be attempting to brute force their way into the webserver. VPN would probably be the best setup, and make it so you didn't even need phproxy to surf from your home machine, unless of course you had something specific you wanted to serve from the web-server to visitors or friends.

edit: just thought of something else, but if using turnkeys lamb server(lamb or lamp?) does it have myphpadmin or such on it? If so, amke sure it is secured, and change the default passwords for it if it is already locked down. In fact, change all passwords on the VM, because a common mistake is to use a downloadable VM or ISO of a live machine, which has pre loaded passwords. I know the Linux/Wordpress VM I downloaded from Turnkey had preloaded passwords, for wordpress, webmin, phpmyadmin, etc, and I changed them all, as well as added an htpasswd file so no one can reach any of the services running on the machine.

Edited by digip
Link to comment
Share on other sites

Do you have HTTP return codes for the logs as well? Because it looks like some people are just attempting to connect and look for files that may or may not exist, and they might just be getting 404 not found if they files aren't there. Without return codes, can't really say what is happening, but might just be random searches by bots or people trying to scan a network for vulns.

Where is that?

74.125.152.80 is google, or googel-bot, so if it found this, it had a reason to look there, like a referrer from your own browser to another site running analytics. 50.57.93.243 is a cloud-ips.com server, more than likely someones own website and using it to scan other sites. Possibly even a custom web crawler hosted by cloud-ips. 87.230.74.46 is teamviewer, and if you were using it at the time, that is the server you or someone else was using to connect to your box or from your box to someone elses box. If you don't use Teamviewer, then I would be highly concerned that someone didn't slip in a portable version with hard coded password setup without your knowledge. The last one you listed, 101.128.153.201, is an address in Japan. If you don't know who it is, you can block it in .htaccess, but I think checking the security of your router, VM and host machine goes without saying.

Well I have now blocked those ips using IPtables

iptables -A INPUT -s 68.45.116.1 -j DROP

Is that enough, Iv done that on the server, not on the router.

I havent never understood how to use .htaccess...

I have teamviewer in my Desktop pc and in laptops, but not in that "server"

Personally, running a web server live to the internet, is a bit risky. If anything, either set up a VPN to access the web server, or htpasswd the entire thing, using a unique and secure username and password. This way, at most, people would be attempting to brute force their way into the webserver. VPN would probably be the best setup, and make it so you didn't even need phproxy to surf from your home machine, unless of course you had something specific you wanted to serve from the web-server to visitors or friends.

Yea, I know its risky, but I need a unkonown proxy with ssl so I can bypass access restictions. and to get a bit more secure connection from public pc's, like from school...

Im also running pptp vpn. Its no the most secure, but it takes some effort to crack it so its enough for me. And it was easy to setup.

edit: just thought of something else, but if using turnkeys lamb server(lamb or lamp?) does it have myphpadmin or such on it? If so, amke sure it is secured, and change the default passwords for it if it is already locked down. In fact, change all passwords on the VM, because a common mistake is to use a downloadable VM or ISO of a live machine, which has pre loaded passwords. I know the Linux/Wordpress VM I downloaded from Turnkey had preloaded passwords, for wordpress, webmin, phpmyadmin, etc, and I changed them all, as well as added an htpasswd file so no one can reach any of the services running on the machine.

LAMP, I have changed passwords, I have removed phpmyadmin and such.

Its a ISO which asked me to set passwords so no default passwords, like in BT5 VM im running root/toor

and I have also renamed every folder in /var/www, which I dont currently need,

root@lamp /var/www# ls
[b]cgi-bin[/b]12312313245648912454684  css  index.html  index.php.bak  js  [b]phpinfo.php[/b].bak.oihjhusafasibsdjlbui  proxy  xyz[b]image[/b]sxytasdqwerty
root@lamp /var/www# 

css and proxy are folders and index.html aint the apaches default page

Not Found

The requested URL was not found on this server.

Edited by Jarmo
Link to comment
Share on other sites

Usually in an access.log file, you get them in order, the users IP or DNS name, the time stamps, the url requests, then after the URL it says soemthign liek HTTP 200 or HTTP 404, 302, etc. Not sure if the stats you are using are something part of the VM but look in /var/logs or wherever the syslogs are and the apache logs folder. Should have a file called access.log and error.log which correlate to the apache traffic. Depends on the naming convention used though and if they have them turned on.

Blocking individual IP's would be time consuming. You probably get more traffic than you realize, but better to password protect it all together, like an htpasswd file and htaccess setup. You can google on how to set them up. You might already have an .htaccess file on the server to begin with. Its a hidden file(denoted by the . prefixed) so you might not see it in an ls command unless you to ls -a, or view from a gui and have show hidden files on.

edit:by the way, you can use something like http://www.tools.dynamicdrive.com/password/ to generate the codes to plug into htpasswd adn htaccess.

Edited by digip
Link to comment
Share on other sites

Thanks for the link, I just got it running manually, but that will make things even easier in future.

well, now I think I have .htaccess set up correctly. thanks for the tip.

At least now my hxxp://192.168.1.9/server-status?refresh=n seems better, just me connecting to it.

Edited by Jarmo
Link to comment
Share on other sites

Generally I block all IP addresses that originates from the following countries Russia, China and Nigeria. Specifically China, they are very bad and can't tolerate them.

You can use .htaccess as suggested by Digip to add the ip addresses individually or block them by a subnet range, this option would allow you to maintain a short blacklist of bad IP addresses, but the downside of this approach is of course, you could potentially block any legit user from visiting your site.

That is if he/she falls under the same class or range of IP address contained in the .htaccess file. Blocking IP addresses can be an effective option to block bad IP addresses, but can be very hard to manage, once your black list starts getting longer.

Link to comment
Share on other sites

0-0	9970	31/145/145	W	0.59	0	0	35.4	0.13	0.13	192.168.1.18	127.0.1.1	GET /server-status?refresh=n HTTP/1.1
1-0	9971	0/108/108	_	0.36	38215	1	0.0	0.09	0.09	31.44.184.50	127.0.1.1	GET http://allrequestsallowed.com/?PHPSESSID=5gh6ncjh00043YZMWW
2-0	9972	0/203/203	_	0.69	2352	4	0.0	0.18	0.18	192.168.1.18	127.0.1.1	GET /server-status?refresh=n HTTP/1.1
3-0	9973	0/106/106	_	0.37	40034	3	0.0	0.10	0.10	(me from othrer addreass...)	127.0.1.1	GET /proxy/javascript.js HTTP/1.1
4-0	9974	0/76/76	_	0.26	173	2	0.0	0.07	0.07	192.168.1.18	127.0.1.1	GET /favicon.ico HTTP/1.1
5-0	10059	0/106/106	_	0.36	2153	0	0.0	0.10	0.10	88.199.11.66	127.0.1.1	GET /phpMyAdmin/config/config.inc.php?eval=echo%20md5(123); HTT
6-0	10060	0/109/109	_	0.43	173	3	0.0	0.10	0.10	195.236.48.161	127.0.1.1	GET / HTTP/1.1
7-0	10075	0/206/206	_	0.70	2154	0	0.0	0.18	0.18	88.199.11.66	127.0.1.1	GET /phpmyadmin/config/config.inc.php?eval=echo%20md5(123); HTT
8-0	10568	0/102/102	_	0.35	40041	2	0.0	0.09	0.09	195.236.48.161	127.0.1.1	GET /favicon.ico HTTP/1.1

It seems that .htaccess didnt do the trick.

For some reason I cant remove phpmyadmin, well I just renamed phpmyadmin file to something random.

Link to comment
Share on other sites

This is why you need to change yoru rules in htaccess and use an htpasswd file as well, so only you can access the server. The htaccess and htpasswd files need to be in the root most directory, so the rules apply to everything further down the tree. (ie: /var/www/ or /var/www/html depending on how your apache is configured).

Start with using a block list if you want -

#example htaccess blocklist
IndexIgnore .htaccess */.??* *~ *# */HEADER* */README* */_vti*


<Files .htaccess>
order allow,deny
deny from all
</Files>


<Limit GET HEAD PUT POST OPTIONS>
Options -Indexes
order deny,allow
deny from 91.201.66.0/24 #example-subnet-to-block
</Limit>

<Limit PUT DELETE>
order deny,allow
deny from all
</Limit>


RedirectMatch temp ^/phpMyAdmin/$ /
RedirectMatch temp ^/phpmyadmin/$ /

Or alternatively, only allow certain IP addresses to reach it, denying EVERYONE except who you whitelist. This can be problematic, if you are somewhere that you IP changes and you block yourself, but if you can sftp in or ssh in and edit the rules to add your own IP then not an issue, and something I keep putty on a keychain for, so I can remote in and add myself to things like my wordpress htaccess file for when I need to edit the blog -

#example htaccess whitelist
IndexIgnore .htaccess */.??* *~ *# */HEADER* */README* */_vti*


<Files .htaccess>
order allow,deny
deny from all
</Files>


<Limit GET HEAD PUT POST OPTIONS>
Options -Indexes
#deny from all, only allow whitelist addresses
order deny,allow
deny from all
allow from 127.0.0.1 #change 127.0.0.1 to the ip or subnet you want to allow
</Limit>

<Limit PUT DELETE>
order deny,allow
deny from all
</Limit>


RedirectMatch temp ^/phpMyAdmin/$ /
RedirectMatch temp ^/phpmyadmin/$ /

Edited by digip
Link to comment
Share on other sites

This is why you need to change yoru rules in htaccess and use an htpasswd file as well, so only you can access the server. The htaccess and htpasswd files need to be in the root most directory, so the rules apply to everything further down the tree. (ie: /var/www/ or /var/www/html depending on how your apache is configured).

Start with using a block list if you want -

#example htaccess blocklist
IndexIgnore .htaccess */.??* *~ *# */HEADER* */README* */_vti*


<Files .htaccess>
order allow,deny
deny from all
</Files>


<Limit GET HEAD PUT POST OPTIONS>
Options -Indexes
order deny,allow
deny from 91.201.66.0/24 #example-subnet-to-block
</Limit>

<Limit PUT DELETE>
order deny,allow
deny from all
</Limit>


RedirectMatch temp ^/phpMyAdmin/$ /
RedirectMatch temp ^/phpmyadmin/$ /

Well I prefer not to use whitelist, blocklisting seems to be easier in my case.

So should that be included in .htaccess?

now my .htaccess looks like this

AuthName "Restricted Area"
AuthType Basic
AuthUserFile /etc/apache2/htaccess/.htpasswd
AuthGroupFile /dev/null
require valid-user

My server root it /var/www and proxy is in /var/www/proxy

Edited by Jarmo
Link to comment
Share on other sites

Just be sure your htpasswd file is in the path htaccess is pointing to. For obvious reasons, don't post the contents of htpasswd, but test it out by putting a copy of htaccess in /var/www with the code you posted here. It should prompt for a password when trying to access it now, both at the /www stuff and for the proxy url. If it doesn't, you have something pointing to the wrong places. With a passworded setup, you can still add the block list if wanted, but should be safer now, as no one can access it without brute forcing their way in past the password prompt(not that it couldn't be done, but I hope you chose a long, unique user name and password for the prompt).

Link to comment
Share on other sites

Yea, that password setup works well.

So if I also want to have a block list, should it be also in .htaccess?

If I add that code you posted and is below server just says internal server error.

#example htaccess blocklist
IndexIgnore .htaccess */.??* *~ *# */HEADER* */README* */_vti*


<Files .htaccess>
order allow,deny
deny from all
</Files>


<Limit GET HEAD PUT POST OPTIONS>
Options -Indexes
order deny,allow
deny from 91.201.66.0/24 #example-subnet-to-block
</Limit>

<Limit PUT DELETE>
order deny,allow
deny from all
</Limit>


RedirectMatch temp ^/phpMyAdmin/$ /
RedirectMatch temp ^/phpmyadmin/$ /

Link to comment
Share on other sites

Look at the error log files it should give you more clues as to why the server is getting internal error.

Edited by Infiltrator
Link to comment
Share on other sites

Add individual sections 1 at a time, but I have a suspicion it doesn't like the last part of

RedirectMatch temp ^/phpMyAdmin/$ /
RedirectMatch temp ^/phpmyadmin/$ /

and might need

RedirectMatch temp ^/phpMyAdmin/$ /var/www/
RedirectMatch temp ^/phpmyadmin/$ /var/www/

If you could check the logs though and post the error, might shed some light on the issue, but something in the syntax is probably wrong, or even not supported by your version of apache setup. mod_rewrite needs to be enabled for all of that to work though, something I would think would be turned on already, but might not be and could be causing the issue. Chekc the APACHE_MODULES configuration and make sure rewrite is listed. To be sure, create a php file with

<?php phpinfo(); ?>

in it and then open that page on the web server. Search for rewrite and see if its installed or enabled.

By the way, the parts beginning with # signs, are comments. You can remove them the # and everything after it on the same line.

Edited by digip
Link to comment
Share on other sites

.htaccess

IndexIgnore .htaccess #*/.??* *~ *# */HEADER* */README* */_vti*

<Files .htaccess>
order allow,deny
allow from 192.168.1.0/24
deny from all
</Files>

AuthName "Restricted Area"
AuthType Basic
AuthUserFile /etc/apache2/htaccess/.htpasswd
AuthGroupFile /dev/null
require valid-user

And error for that below.

[Sat Jul 30 14:55:41 2011] [alert] [client 192.168.1.100] /var/www/.htaccess: IndexIgnore not allowed here
[Sat Jul 30 14:55:44 2011] [alert] [client 192.168.1.18] /var/www/.htaccess: IndexIgnore not allowed here, referer: http://192.168.1.9/server-status?refresh=y
[Sat Jul 30 14:55:45 2011] [alert] [client 192.168.1.18] /var/www/.htaccess: IndexIgnore not allowed here

##################################################################################################

2nd.htaccess

<Limit GET HEAD PUT POST OPTIONS>
Options -Indexes
order deny,allow
deny from 91.201.66.0/24 #example-subnet-to-block
</Limit>

AuthName "Restricted Area"
AuthType Basic
AuthUserFile /etc/apache2/htaccess/.htpasswd
AuthGroupFile /dev/null
require valid-user

And 2nd error

[Sat Jul 30 14:59:06 2011] [alert] [client 192.168.1.100] /var/www/.htaccess: Options not allowed here

Link to comment
Share on other sites

I got it working, I had to enable mod_rewrite, and edit my httpd.conf,

...

AllowOverride All FileInfo Limit Options Indexes

...

Where I can easily get those Ip addresses that I should block using .htaccess

Link to comment
Share on other sites

Something like http://www.countryipblocks.net/country-blocks/htaccess-deny-format/ would work, but you have to manually add them in the correct syntax between the deny limit area. Use my examples above for the blocklist code, just add a list from their site. You can potentially block wrong places too, but for the most part, you shouldn't have to worry about anything with the htpasswd setup you are using now.

If its local addresses, you need to look at the access.log and error.log. Also, they might not be enabled in the conf, so check to see how many days are kept at a time, if it rotates them, or just continually appends, cause it can fill up the server eventually. Generally, I keep 30 days, then delete anything older than 30 days, so it just rotates continually. I've never had to set that up manually, I do it all through my hosts control panel, but shouldn't be hard to google.

Link to comment
Share on other sites

Well I'v been trying to get country based blocking to work, but suddenly I blocked whole access from lan, my IP's are in 192.168.1.1-192.168.1.255 range. Would this

192.168.0.0/16

include that area.

BTW any good places where I could learn more about those IP areas /16 /21 /24 etc., what they mean etc.

Also I managed to block those IP's this is especially for, IP's like this: 46.30.132.129

Would it be included in one of following IP areas?


###	Country:	BOGONS	
#LAN			
#000	deny	from	192.168.0.0/16
###	Country:	CZECH	REPUBLIC
#000	deny	from	46.30.64.0/21
#000	deny	from	46.30.88.0/21
#000	deny	from	46.30.144.0/21
#000	deny	from	46.30.232.0/21
###	Country:	IRAQ	
#000	deny	from	46.30.224.0/21
###	Country:	ITALY	
#000	deny	from	46.30.168.0/21
#000	deny	from	46.30.216.0/21
#000	deny	from	46.30.248.0/21
###	Country:	NETHERLANDS	
#000	deny	from	46.30.184.0/21
###	Country:	RUSSIAN	FEDERATION
#000	deny	from	46.30.32.0/21
#000	deny	from	46.30.40.0/21
#000	deny	from	46.30.152.0/21
###	Country:	SPAIN	
#000	deny	from	46.30.16.0/21
#000	deny	from	46.30.104.0/21
###	Country:	TURKEY	
###	Country:	UKRAINE	
#000	deny	from	46.30.160.0/21
###	Country:	UNITED	KINGDOM
#000	deny	from	46.30.8.0/21
#000	deny	from	46.30.48.0/21
#000	deny	from	46.30.96.0/21
#000	deny	from	46.30.136.0/21
#000	deny	from	46.30.192.0/21

Link to comment
Share on other sites

192.168.0.0/16 would block anything starting with 192.168.x.x, and you most definitely would be blocking your own lan. Thats a private lan only subnet, and not something you need to be concerned with from the internet. Like I said before, its easier to use a whitelist, vs a blacklist. This way, only addresses or subnets you allow can reach the login prompt.

Edited by digip
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...