tomhudson's Journal: Trapping Hackers

I was looking through the server logs on my machine, and I noticed that n00bs are trying to have some fun, so I figured, why not have some fun back?

Rather than just log their crap, why not let them know that they've been caught and also give them the ip addresses of other n00bs, so they can play elsewhere ...

So here is a link to a quick page I threw up this evening so you can download the files and have fun.

Once we've got it running on a bunch of servers, I'll post code to automatically email abuse@your_isp to complain.

Enjoy :-)

  • still totally amazes me that there are _still_ people running infected machines that don't know, don't care.

    Nimda Worm / Virus: What Are Cmd.Exe, Readme.Eml, Readme.Exe, Root.Exe ? [thesitewizard.com]


    If you are running your site on an Apache server, you might still want to take some action to avoid having to pay a huge bill on bandwidth costs at the end of the month to foot the Nimda worm attacks.

    If you don't know what I mean, telnet to your web server, and run the following command on your logs:
    grep "cmd\.exe" your-l
    • I figure if enough people set up boxes that can actively track this (instead of just dropping it), and email abuse@whatever, they won't have a choice but to do something ... especially if the notification process is automated.

      Imagine the poor schmuck working at the isp who checks his email and finds 5000 complaints from 500 different servers complaining about 20 different customers. Every day. Until they shut the offenders down.

      To do this successfully, we'd need a decent number of hosts running.

      • true, but I think my point was that these weren't deliberate crack attacks, but unknowingly infected Windows machines.

        My experience with the ISPs I corresponded with is they would do nothing as this did not violate acceptable use policy.

        In fact, most of the IPs came from the same Comcast subnet that I was on -- customer support asked me if these were 'intrusions' affecting my computer. Honestly, it was more of a curiosity than a real nuisance, and not really affecting me, so I gave up.

        Possibly if lots of
      • researching this a bit again as I turned my Apache server at home back on from its long sleep and started looking at the logs.

        Found this interesting thread:

        http://forums.macosxhints.com/showthread.php?t=22371

        One poster had a simple, elegant solution:

        <IfModule mod_rewrite.c>
        RedirectMatch permanent (.*)cmd.exe(.*)$ http://www.microsoft.com
        RedirectMatch permanent (.*)root.exe(.*)$ http://www.microsoft.com
        RedirectMatch permanent (.*)\/_vti_bin\/(.*)$ http://www.microsoft.com
        RedirectMatch permanent (
        • If you read what I posted on geocities, I give credit to the original poster, (I'm using a similar mod_rewrite file).

          However, his solution doesn't work properly because of the way that different platforms handle slashes and backslashes. That's why I use [\|/] instead of \/, which only matches a forward slash.

          Also, redirecting to microcrap isn't the real solution - they'll just ignore it. Sending email to the ISP is more likely to succeed, especially since these attacks are not necessarily all due to
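The detection side of the RedirectMatch rules quoted above, written up as an added Python example rather than code from any poster in this thread: it reads Apache access_log lines, decodes percent-encoding (so the %5c and %255c forms of a backslash are seen), matches each signature only after a path separator using the character class `[\\/]`, which accepts a backslash or a forward slash, and groups the hits per source IP into the kind of summary the journal entry proposes mailing to the address's abuse contact. The signature list is the three from the quoted rules plus the three proposed later in the thread (formmail, default.ida, cltreq.asp); the log lines, IP addresses (documentation ranges) and timestamps are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Request-path fragments from the RedirectMatch rules quoted in the thread
# (cmd.exe, root.exe, _vti_bin) plus the three proposed later in the thread
# (formmail, default.ida, cltreq.asp).
SIGNATURES = ["cmd.exe", "root.exe", "_vti_bin", "formmail", "default.ida", "cltreq.asp"]

# Each signature must follow a path separator. The class [\\/] accepts a
# backslash or a forward slash, so "..\winnt\system32\cmd.exe" is caught as
# well as "/winnt/system32/cmd.exe"; a rule written with "\/" only matches the
# forward-slash form.
SIGNATURE_PATTERNS = [
    (sig, re.compile(r"[\\/]" + re.escape(sig), re.IGNORECASE)) for sig in SIGNATURES
]

# Leading fields of Apache's common/combined log format; the trailing referer
# and user-agent fields are not needed here and are ignored.
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def normalize_target(target):
    """Decode percent-encoding twice so %5c and the double-encoded %255c both
    become a literal backslash before the separator-aware patterns run."""
    return unquote(unquote(target))


def probe_signatures(target):
    """Return the set of signature names present in one request target."""
    path = normalize_target(target)
    return {sig for sig, pat in SIGNATURE_PATTERNS if pat.search(path)}


def find_probes(lines):
    """Group matching requests by source IP: hit count, signatures seen, and
    the timestamps of the first and last hit (log assumed chronological)."""
    report = defaultdict(lambda: {"count": 0, "signatures": set(), "first": None, "last": None})
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not a log line this parser understands
        hits = probe_signatures(m["target"])
        if not hits:
            continue  # ordinary request
        entry = report[m["ip"]]
        entry["count"] += 1
        entry["signatures"].update(hits)
        entry["first"] = entry["first"] or m["time"]
        entry["last"] = m["time"]
    return dict(report)


def abuse_summary(report):
    """One line per source IP, ready to paste into a complaint to that
    address's abuse contact (looking the contact up is left to the operator)."""
    lines = []
    for ip in sorted(report):
        e = report[ip]
        sigs = ", ".join(sorted(e["signatures"]))
        lines.append(f"{ip}: {e['count']} probe(s) for {sigs} between {e['first']} and {e['last']}")
    return "\n".join(lines)


# Constructed sample access_log lines (documentation IP ranges); not taken
# from any real server.
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Jun/2004:03:14:07 -0400] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 278 "-" "-"',
    '192.0.2.10 - - [19/Jun/2004:03:14:08 -0400] "GET /_vti_bin/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 278 "-" "-"',
    '198.51.100.7 - - [19/Jun/2004:04:02:51 -0400] "GET /default.ida?XXXXXXXXXXXXXXXX%u9090%u6858 HTTP/1.0" 404 282 "-" "-"',
    '203.0.113.5 - - [19/Jun/2004:04:10:00 -0400] "GET /index.html HTTP/1.1" 200 1432 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [19/Jun/2004:05:30:12 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 279 "-" "-"',
]

if __name__ == "__main__":
    print(abuse_summary(find_probes(SAMPLE_LOG)))
```

Run it against a real access_log with `find_probes(open("access_log"))`; the per-IP grouping is what makes the later complaint useful, since one infected host typically produces dozens of these lines in a row.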

          • woops -- I had skimmed through your page but obviously didn't pick up the reference to macosxhints

            good one, Jeff -- point out something he's already seen :o}

            You've obviously given this far more thought than I have, your solution is very interesting. I have to admit though that I still doubt most ISPs would do dick about it.

            Cheers.

            • Maybe if they're approached properly ... they might run it themselves instead of, or in association with, more complicated monitoring solutions that cost $$$ and time.

              ... with their own database of current customer ips to email addresses, they could automatically email their customers and say "hey, clean up your machine and/or your act".

              When I find some time, I'm going to suggest it to tech support for our offices' ISP - once you get past the first level "techs", a LOT of them are linux guys.

  • DShield? I stuck two Python scripts (get logs from router and send logs to DShield) together and launched it from a shell script in an infinite loop. Run it from an init script on an always-on machine.
    My web server checks the log every hour and sends new entries off to DShield by E-Mail. It will crash if the local network is down, so it will relaunch and try again (my router is directly connected to the server, so this is rare).
    Every night I get a log of the blocked packets that were received by DS
  • Looks like an interesting script, I'll see about implementing it myself.

    My question is, why does my webserver (this is a personal site at the end of my DSL connection) keep getting requests for "http://slashdot.org/ok.txt" and "http://developers.slashdot.org/ok.txt" ?? Anyone have any clues?

    • That's really strange, never heard of anything like that.

      Care to post an example? I'm curious to see how this came in. ok.txt is apparently an actual document served by slashdot.org, but I can't imagine what circumstance could lead to having a request for it show up in your server log.
      • I noticed it too.

        Here's the logs:

        access_log

        66.35.250.150 - - [20/Jun/2004:00:20:58 -0400] "GET http://slashdot.org/ok.txt HTTP/1.0" 404 1044 "-" "libwww-perl/5.76"
        66.35.250.150 - - [22/Jun/2004:22:08:33 -0400] "GET http://developers.slashdot.org/ok.txt HTTP/1.0" 404 1055 "-" "libwww-perl/5.76"
        66.35.250.150 - - [24/Jun/2004:22:43:31 -0400] "GET http://slashdot.org/ok.txt HTTP/1.0" 404 1044 "-" "libwww-perl/5.76"

        error_log
        [Sun Jun 20 00:20:58 2004] [error] [client 66.35.250.150] File does not exist

        • that is strange. Wonder what purpose it serves or if it's a bug? I looked and I don't have any entries like that. How the hell do you send a GET to a remote machine and ask for an absolute address from your own domain?

          Makes me curious enough to pull out my perl books and noodle around to see how this could happen.

        • Same deal:

          [root@webserver httpd]# grep ok.txt access_log
          slashdot.org - - [21/Jun/2004:23:11:08 -0500] "GET http://slashdot.org/ok.txt HTTP/1.0" 404 328 "-" "libwww-perl/5.76"
          slashdot.org - - [26/Jun/2004:07:20:58 -0500] "GET http://slashdot.org/ok.txt HTTP/1.0" 404 328 "-" "libwww-perl/5.76"
          [root@webserver httpd]# grep ok.txt error_log
          [Mon Jun 21 23:11:09 2004] [error] [client 66.35.250.150] File does not exist: /var/www/html/ok.txt
          [Sat Jun 26 07:20:59 2004] [error] [client 66.35.250.150] File does not exi

          • Probably a piece of code left in for testing purposes that someone forgot to remark out ... perl ain't the easiest language to debug.
            • I suspect they're checking for open proxies.

              I doubt this is in error.

              • This is a test message - I've placed an ok.txt in the root of the server this post comes from. I suspect it is an "on post" check by /., as you note, to check if the post is coming through an open proxy.
                • Well, I went to your server and asked for "ok.txt" - you should see the failed request in your logs :-)
                  • Aye! However, note the difference between "my webserver" and "my proxy" - they are not the same. I placed the ok.txt on the proxy server since that is the IP that /. will see the post coming from. /.'s request on my proxy:
                    Remote Addr: 66.35.250.150
                    REQUEST_URI: http://slashdot.org/ok.txt not found.
                    SERVER_SOFTWARE: Apache/1.3.26 (Unix) PHP/4.3.3RC4 AuthMySQL/2.20

                    ok.txt request from you:
                    Remote Addr: 24.37.84.x
                    REQUEST_URI: /ok.txt not found.
                    SERVER_SOFTWARE: Apache/2.0

                    Cheers :)
                    • Okay, so if I understand, slashdot sends a request for their address/ok.txt to your proxy, and if your proxy doesn't return a 404, it's open ... (relaying requests for the whole world).

                      Correct me if I'm wrong.

                      Thanks.
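The check summarised in the comment above, modelled as an added Python example (not code from Slashdot or from any poster in this thread): it shows the absolute-URI request line seen in the logs, a simulated non-proxying web server that answers it with 404 because only the path /ok.txt is looked up under its own document root, a simulated open proxy that relays the request to the named host and returns the 200 that gives it away, and a small function that sends the same probe to one of your own hosts so you can confirm it is not relaying. The document root contents, the remote site's ok.txt body and the use of port 3128 (the proxy port mentioned later in the thread) are assumptions constructed for the example.

```python
import socket
from urllib.parse import urlsplit

# The request Slashdot is seen sending in the thread's logs: an absolute-URI
# GET, i.e. the form a client sends to a proxy rather than to an origin server.
OK_TXT_REQUEST_LINE = "GET http://slashdot.org/ok.txt HTTP/1.0"
OK_TXT_REQUEST = OK_TXT_REQUEST_LINE + "\r\n\r\n"

# Constructed stand-ins: a local document root that has no ok.txt, and the
# remote site (represented by a dict) that does serve one. The body "ok\n" is
# an assumption, not the real file's content.
DOCROOT = {"/index.html": "<html>hello</html>\n"}
REMOTE_SITE = {"http://slashdot.org/ok.txt": "ok\n"}


def request_target_form(request_line):
    """'absolute' for proxy-style targets (http://host/path), 'origin' for the
    usual /path form. This is the distinction behind the question of how a
    GET for an absolute address ends up in someone else's access_log."""
    method, target, version = request_line.split(" ", 2)
    return "absolute" if urlsplit(target).scheme else "origin"


def origin_server(request_line, docroot):
    """Simulated web server that does not proxy: the host part of an absolute
    target is ignored and only the path is looked up under the document root,
    so /ok.txt is missing and 404 is returned (matching the error_log entries
    'File does not exist: /var/www/html/ok.txt' quoted in the thread)."""
    target = request_line.split(" ", 2)[1]
    path = urlsplit(target).path or "/"
    if path in docroot:
        body = docroot[path]
        return f"HTTP/1.0 200 OK\r\nContent-Length: {len(body)}\r\n\r\n{body}"
    return "HTTP/1.0 404 Not Found\r\n\r\n"


def open_proxy(request_line, upstream):
    """Simulated misconfigured open proxy: it relays the absolute target to the
    named host (the dict stands in for the network fetch) and hands back
    whatever that site serves, so the remote ok.txt comes back as 200."""
    target = request_line.split(" ", 2)[1]
    body = upstream.get(target)
    if body is None:
        return "HTTP/1.0 404 Not Found\r\n\r\n"
    return f"HTTP/1.0 200 OK\r\nContent-Length: {len(body)}\r\n\r\n{body}"


def verdict(response):
    """Interpret the status line of the reply to the ok.txt probe. A 200 can
    also come from a server that serves its own /ok.txt (as one poster set up),
    so a stricter check would compare the body with what the real site serves."""
    status = response.split("\r\n", 1)[0].split(" ")[1]
    return "relaying (open proxy)" if status == "200" else "not relaying"


def check_own_proxy(host, port=3128, timeout=5.0):
    """Send the same probe to one of your own hosts and report whether it
    relayed the request. Port 3128 is the proxy port the thread mentions."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(OK_TXT_REQUEST.encode("ascii"))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return verdict(b"".join(chunks).decode("latin-1"))


if __name__ == "__main__":
    print("request form  :", request_target_form(OK_TXT_REQUEST_LINE))
    print("origin server :", verdict(origin_server(OK_TXT_REQUEST_LINE, DOCROOT)))
    print("open proxy    :", verdict(open_proxy(OK_TXT_REQUEST_LINE, REMOTE_SITE)))
```

The two simulated servers make the 404 in the quoted logs the expected, healthy answer: a box that is not relaying never contacts slashdot.org at all, it just fails to find /ok.txt locally.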

                    • Yep, I guess so. Though my last test failed because /. didn't make another ok.txt request (maybe they have a cached response from earlier comments today).

                      Would be nice for an official /. position on it.
                    • I hate replying to my own posts, but this does add new info...

                      As well as making a "proxy" type request, /. also makes a request to (at least) port 3128 (your regular proxy port):

                      1088682424.376 1270 111.222.111.222 TCP_MISS/200 18020 GET http://slashdot.org/comments.pl - DIRECT/66.35.250.150 text/html
                      (this is my request through the proxy for a specific comment)

                      Then clicking on "Reply":
                      1088682424.376 1270 111.222.111.222 TCP_MISS/200 18020 GET http://slashdot.org/comments.pl?...&op=Reply&... -
                    • Thanks - makes sense (sort of) now :-)

                      Seems to me that open proxies could filter for this sort of thing and stay open without being detected :-(

                    • Ok - my bad - I only just looked at the link you posted - very nice work there. I've been doing something similar in a custom 404 in PHP for a while now (which also caught your ok.txt request :)

                      Does the same as yours and (for me) sends the good requests to the right page. Here's the code: http://www.pgregg.com/projects/php/code/404.phps [pgregg.com]

                    • Nice.

                      Do I have your permission to add:

                      'formmail'
                      'default.ida'
                      'cltreq.asp/'
                      to the list (with credit, of course :-)

                      Also, how would you like the credit to show up? email, author, link 2 your site, etc ...?

                    • haha, no permission needed, no credit due.
                    • Yeah, but it's nice to give credit where credit is due. After all, look at all the bullshit^H^H^H^Hcrap Microsoft's sock puppet SCO has been pulling :-)
