tomhudson's Journal: Trapping Hackers

I was looking throught the server logs on my machine, and I notice that n00bs are trying to have some fun, so I figured, why not have some fun back?

Rather than just log their crap, why not let them know that they've been caught and also give them the ip addresses of other n00bs, so they can play elsewhere ...

So here is a link to a quick page I threw up this evening so you can download the files and have fun.

Once we've got it running on a bunch of servers, I'll post code to automatically email abuse@your_isp to complain.

Enjoy :-)

worms

[Fishstick]

still totally amazes me that there are _still_ people running infected machines that don't know, don't care.

Nimbda Worm / Virus: What Are Cmd.Exe, Readme.Eml, Readme.Exe, Root.Exe ? [thesitewizard.com]


If you are running your site on an Apache server, you might still want to take some action to avoid having to pay a huge bill on bandwidth costs at the end of the month to foot the Nimbda worm attacks.

If you don't know what I mean, telnet to your web server, and run the following command on your logs:
grep "cmd\.exe" your-l

Re:worms

[tomhudson]

I figure if enough people set up boxes that can actively track this (instead of just dropping it), and email abuse@whatever, they won't have a choice but to do something ... especially if the notification process is automated.

Imagine the poor schmuck working at the isp who checks his email and finds 5000 complaints from 500 different servers complaining about 20 different customers. Every day. Until they shut the offenders down.

To do this successfully, we'd need a decent number of hosts running.

Re:worms

[Fishstick]

true, but I think my point was that these weren't deliberate crack attacks, but unknowingly infected window machines.

My experience with the ISPs I corresponded with is they would do nothing as this did not violate acceptible use policy.

In fact, most of the IPs came from the same Comcast subnet that I was on -- customer support asked me if these were 'intrusions' affecting my computer. Honestly, it was more of a curiosity than a real nuisance, and not really affecting me, so I gave up.

Possibly if lots of

Re:worms

[Fishstick]

researching this a bit again as I turned my Apache server at home back on from its long sleep and started looking at the logs.

Found this interesting thread:

http://forums.macosxhints.com/showthread.php?t= 2 23 71

One poster had a simple, elegant solution:

<IfModule mod_rewrite.c>
RedirectMatch permanent (.*)cmd.exe(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)root.exe(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/_vti_bin\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (

Re:worms

[tomhudson]

If you read what I posted on geocities, I give credit to the original poster, (I'm using a similar mod_rewrite file).

However, his solution doesn't work properly because of the way that different platforms handle slashes and backslashes. That's why I use [\|/] instead of \/, which only matches a forward slash.

Also, redirecting to microcrap isn't the real solution - they'll just ignore it. Sending email to the ISP is more likely to succeed, especially since these attacks are not necessarily all due to

Re:worms

[Fishstick]

woops -- I had skimmed through your page but obviously didn't pick up the reference to macosxhints

good one, Jeff -- point out something he's already seen :o}

You've obviously given this far more though than I have, your solution is very interesting. I have to admit though that I still doubt most ISPs would do dick about it.

Cheers.

Re:worms

[tomhudson]

Maybe if they're approached properly ... they might run it themselves instead of, or in association with, more complicated monitoring solutions that costg $$$ and time.

... with their own database of current customer ips to email addresses, they could automatically email their customers and say "hey, clean up your machine and/or your act".

When I find some time, I'm going to suggestg it to tech support for our offices' ISP - once you get past the first level "techs", a LOT of them are linux guys.

Ever heard of...

[bot24]

DShield? I stuck two Python scripts(get logs from router and send logs to DShield) together and launched it from a shell script in an infinate loop. Run it from an init script on an always on machine.
My web server server checks the log every hour and sends new entries off to DShield by E-Mail. It will crash if the local network is down, so it will relaunch and try again(my router is directly connected to the server, so this is rare).
Every night I get a log of the blocked packets that were received by DS

Re:Ever heard of...

[tomhudson]

Looks interesting ...

dumb question

[elmegil]

Looks like an interesting script, I'll see about implementing it myself.

My question is, why does my webserver (this is a personal site at the end of my DSL connection) keep getting requests for "http://slashdot.org/ok.txt" and "http://developers.slashdot.org/ok.txt" ?? Anyone have any clues?

Re:dumb question

[Fishstick]

That's really strange, never heard of anything like that.

Care to post an example? I'm curious to see how this came in. ok.txt is apparently an actual document served by slashdot.org, but I can't imagine what circumstance could lead to having a request for it show up in your server log.

Re:ok.txt in server logs

[tomhudson]

I noticed it too.

Here's the logs:

access_log

66.35.250.150 - - [20/Jun/2004:00:20:58 -0400] "GET http://slashdot.org/ok.txt HTTP/1.0" 404 1044 "-" "libwww-perl/5.76"
66.35.250.150 - - [22/Jun/2004:22:08:33 -0400] "GET http://developers.slashdot.org/ok.txt
HTTP/1.0" 404 1055 "-" "libwww-perl/5.76" 66.35.250.150 - - [24/Jun/2004:22:43:31 -0400]
"GET http://slashdot.org/ok.txt HTTP/1.0" 404 1044 "-" "libwww-perl/5.76"

error_log
[Sun Jun 20 00:20:58 2004] [error] [client 66.35.250.150] File does not exist

Re:ok.txt in server logs

[Fishstick]

that is strange. Wonder what purpose it serves or if it's a bug? I looked and I don't have any entries like that. How the hell do you send a GET to a remote machine and ask for a absolute address from your own domain?

Makes me curious enough to pull out my perl books and noodle around to see how this could happen.

Re:ok.txt in server logs

[elmegil]

Same deal:

[root@webserver httpd]# grep ok.txt access_log
slashdot.org - - [21/Jun/2004:23:11:08 -0500] "GET http://slashdot.org/ok.txt HTTP/1.0" 404 328 "-" "libwww-perl/5.76"
slashdot.org - - [26/Jun/2004:07:20:58 -0500] "GET http://slashdot.org/ok.txt HTTP/1.0" 404 328 "-" "libwww-perl/5.76"
[root@webserver httpd]# grep ok.txt error_log
[Mon Jun 21 23:11:09 2004] [error] [client 66.35.250.150] File does not exist: /var/www/html/ok.txt
[Sat Jun 26 07:20:59 2004] [error] [client 66.35.250.150] File does not exi

Re:ok.txt in server logs

[tomhudson]

Probably a piece of code left in for tyesting purposes that someone forgot to remark out ... perl ain't the easiest language to debug.

Re:ok.txt in server logs

[phaze3000]

I suspect they're checking for open proxies.

I doubt this is in error.

Re:ok.txt in server logs

[pgregg]

This is a test message - I've placed an ok.txt in the root of the server this post comes from. I suspect it is a "on post" check by /., as you note, to check if the post is coming through an open proxy.

Re:ok.txt in server logs

[tomhudson]

Well, I went to your server and asked for "ok.txt" - you should see the failed request in your logs :-)

Re:ok.txt in server logs

[pgregg]

Aye! However, note the difference between "my webserver" and "my proxy" - they are not the same. I placed the ok.txt on the proxy server since that is the IP that /. will see the post coming from. /.'s request on my proxy:
Remote Addr: 66.35.250.150
REQUEST_URI: http://slashdot.org/ok.txt not found.
SERVER_SOFTWARE: Apache/1.3.26 (Unix) PHP/4.3.3RC4 AuthMySQL/2.20

ok.txt request from you:
Remote Addr: 24.37.84.x
REQUEST_URI: /ok.txt not found.
SERVER_SOFTWARE: Apache/2.0

Cheers :)

Re:ok.txt in server logs

[tomhudson]

Okay, so if I understand, slashdot sends a request for their address/ok.txt to your proxy, and if your proxy doesn't return a 404, it's open ... (relaying requests for the whole world).

Correct me if I'm wrong.

Thanks.

Re:ok.txt in server logs

[pgregg]

Yep, I guess so. Though my last test failed because /. didn't make another ok.txt request (maybe they have a cached response from earlier comments today).

Would be nice for an official /. position on it.

Re:ok.txt in server logs

[pgregg]

I hate replying to my own posts, but this does add new info...

As well as making a "proxy" type request, /. also makes a request to (at least) port 3128 (your regular proxy port):

1088682424.376 1270 111.222.111.222 TCP_MISS/200 18020 GET http://slashdot.org/
comments.pl - DIRECT/66.35.250.150 text/html
(this is my request through the proxy for a specific comment)

Then clicking on "Reply":
1088682424.376 1270 111.222.111.222 TCP_MISS/200 18020 GET http://slashdot.org/
comments.pl?...&op=Reply&.. . -

Re:ok.txt in server logs

[tomhudson]

Thanks - makes sense (sort of) now :-)

Seems to me that open proxies could filter for this sort of thing and stay open without being detected :-(

Re:ok.txt in server logs

[pgregg]

Ok - my bad - I only just looked at the link you posted - very nice work there. I've been doing something similar in a custom 404 in PHP for a while now (which also caught your ok.txt request :)

Does the same as yours and (for me) sends the good requests to the right page. Heres the code: http://www.pgregg.com/projects/php/code/404.phps [pgregg.com]

Re:ok.txt in server logs

[tomhudson]

Nice.

Do I have your permission to add:

'formmail'
'default.ida'
'cltreq.asp/'

to the list (with credit, of course :-)

Also, how would you like the credit to show up? email, author, link 2 your site, etc ...?

Re:ok.txt in server logs

[pgregg]

haha, no permission needed, no credit due.

Re:ok.txt in server logs

[tomhudson]

Yeah, but it's nice to give credit where credit is due. After all, look at all the bullshit^H^H^H^Hcrap Microsoft's sock puppet SCO has ben pulling :-)