
1 Apr 18, 2006 05:20

Hi all,

I've been reading just about everything in this forum, and it's all great, but I have an issue. Now, I'm not a networking expert, so please correct me if I am wrong.

I witnessed this live with TCPVIEW, a utility that allows you to monitor connections. I turn this on from time to time; this time, however, I turned it on because I heard my PC going nuts (disk thrashing). What I saw was multiple connections to my computer. Let me define multiple: 100 connections in a period of 10 seconds. I have the log file and it looks like this (I won't post it all, it's much too big):

216.75.18.65 - - [16/Apr/2006:16:49:11 -0400] "CONNECT 168.95.5.49:25 HTTP/1.0" 200 423
216.75.18.65 - - [16/Apr/2006:16:49:11 -0400] "CONNECT 203.84.195.1:25 HTTP/1.0" 200 423
216.75.20.133 - - [16/Apr/2006:16:49:12 -0400] "CONNECT 203.84.195.1:25 HTTP/1.0" 200 423
216.75.20.133 - - [16/Apr/2006:16:49:12 -0400] "CONNECT 168.95.5.27:25 HTTP/1.0" 200 423
216.75.2.225 - - [16/Apr/2006:16:49:12 -0400] "CONNECT 168.95.5.26:25 HTTP/1.0" 200 423
216.75.20.79 - - [16/Apr/2006:16:49:13 -0400] "CONNECT 168.95.5.4:25 HTTP/1.0" 200 423
216.75.20.133 - - [16/Apr/2006:16:49:13 -0400] "CONNECT 168.95.5.46:25 HTTP/1.0" 200 423
66.240.231.145 - - [16/Apr/2006:16:49:13 -0400] "CONNECT 168.95.5.11:25 HTTP/1.0" 200 423
216.75.20.79 - - [16/Apr/2006:16:49:14 -0400] "CONNECT 203.84.195.1:25 HTTP/1.0" 200 423
66.240.231.145 - - [16/Apr/2006:16:49:14 -0400] "CONNECT 168.95.5.47:25 HTTP/1.0" 200 17796
216.75.20.79 - - [16/Apr/2006:16:49:14 -0400] "CONNECT 168.95.5.9:25 HTTP/1.0" 200 17795

Now this log snippet goes on for about 5 MB with the IP changing continuously.

Obviously I was forced to shut down the server and began my defense planning.

Being that I installed a server and b2e only days ago, I did not have a disaster recovery plan (server has been up 3 days). Wow! Go figure.

1- First things first - I enabled mod_rewrite thanks to some tips I found on the web. It goes something like this:

# php_flag magic_quotes_gpc off
Options +FollowSymLinks -Indexes
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    # Refuse any request that uses the CONNECT method (proxy tunnelling) with a 403
    RewriteCond %{REQUEST_METHOD} ^CONNECT
    RewriteRule .*$ - [F]
    # Existing files and directories skip the next 35 rules (those rules are not shown here)
    RewriteCond %{REQUEST_FILENAME} -f [OR]
    RewriteCond %{REQUEST_FILENAME} -d
    RewriteRule ^.*$ - [S=35]
</IfModule>

The (RewriteCond %{REQUEST_METHOD} ^CONNECT) part I found by googling. I tested it with telnet and it seems to work; can't tell really until the next attack.

I then began analyzing the log, fishing for IPs, and thanks to Apache's support page added the following:

# No <Limit GET> wrapper here: inside one, the deny list would only apply to
# GET requests, and CONNECT (the method being abused) would pass unchecked.
Order Allow,Deny
Allow from all
## attacker IPs (example only; the real list is much longer)
Deny from 216.75.0.0/18
Deny from 216.75.2.0/24   # already inside 216.75.0.0/18, kept for completeness
Deny from 202.43.0.0/16

I did not list all the network IDs here; the list is much too long, the snippet is just an example. I actually did a whois on every IP, then with a CIDR converter denied the whole range. Just as an F.Y.I., 80% of the IPs were in Asia, 20% in the US; Hotmail/Microsoft was part of it and so was Yahoo Asia.

I turned my server back on and fortunately the attacker/s stopped, but I won't know how good all this really is until the next time. Can you guys please advise me on what more I can do?

I don't want to give the attackers a forbidden message because that will still drain my server, and denying a whole network ID access just isn't right; some poor bloke in China may actually want to read my stuff. :)

Any help would be greatly appreciated. I know that there are some real gurus in here; I won't mention you by name, but some of the stuff you guys wrote in past posts is really scary 8| In an intelligent way.

Thanks in advance

Oh ya! Forgot to mention I did update my antispam database; thanks b2e for that, it was the least tiresome part of this whole process.
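As an added example (not part of the original post, nor b2evolution code), here is a small Python script that parses log lines in the exact format quoted above and counts, per source IP, the CONNECT requests to mail ports that the web server answered with 2xx, which is the sign that it actually relayed the tunnel rather than refusing it. The sample log is constructed, and MAIL_PORTS and the function names are my own assumptions.

```python
import re
from collections import Counter, defaultdict

# Matches the access-log shape quoted in the post:
#   client - - [timestamp] "METHOD target PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)$'
)
MAIL_PORTS = {25, 465, 587}  # assumption: the tunnel destinations worth flagging

def parse_line(line):
    """Return one log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec

def find_proxy_abuse(lines):
    """Per-client count of CONNECT requests to mail ports that got a 2xx
    (the server really tunnelled them), plus the mail hosts each client hit.
    A 403 produced by the RewriteRule [F] is not counted: it was refused."""
    hits, targets = Counter(), defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "CONNECT":
            continue
        host, _, port = rec["target"].rpartition(":")
        if port.isdigit() and int(port) in MAIL_PORTS and 200 <= rec["status"] < 300:
            hits[rec["ip"]] += 1
            targets[rec["ip"]].add(host)
    return hits, dict(targets)

# Constructed sample modelled on the lines quoted in the post (not the real log).
SAMPLE_LOG = """\
216.75.18.65 - - [16/Apr/2006:16:49:11 -0400] "CONNECT 168.95.5.49:25 HTTP/1.0" 200 423
216.75.18.65 - - [16/Apr/2006:16:49:11 -0400] "CONNECT 203.84.195.1:25 HTTP/1.0" 200 423
216.75.20.133 - - [16/Apr/2006:16:49:12 -0400] "CONNECT 203.84.195.1:25 HTTP/1.0" 403 214
10.0.0.5 - - [16/Apr/2006:16:49:12 -0400] "GET /index.php HTTP/1.1" 200 17796
66.240.231.145 - - [16/Apr/2006:16:49:14 -0400] "CONNECT 168.95.5.47:25 HTTP/1.0" 200 17796
""".splitlines()

if __name__ == "__main__":
    hits, targets = find_proxy_abuse(SAMPLE_LOG)
    for ip, n in hits.most_common():
        print(f"{ip}: {n} tunnelled CONNECT(s) to {sorted(targets[ip])}")
```

Run it against the real access log (one line per entry) to see which clients got tunnels through, and to confirm that after the [F] rule only 403s remain for CONNECT.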

2 Apr 18, 2006 20:23

Looks like they were looking for an open SMTP server -- perhaps for a spam mail relay. If you're not using SMTP you could just block that port completely with iptables.

If you are using that port (25) then you still probably want to ditch the Apache stuff, and still take care of it with iptables.

I'm going to move this thread, btw; port 25 connections aren't a b2evo issue.

You are running a *NIX server, I hope, and haven't done some XAMPP thing.
