Re: Web Server Attack?
The proxy server is pointing to port 80. I had thought that
Apache attempted to email the error, and sendmail logged
it to /var/adm/messages. I have a great deal of logging
turned on so I can catch this stuff. I suppose that it's
possible that the attack was on sendmail, but I couldn't
even begin to figure out why. Also, I don't believe that
the request came to us through any normal channel
since a dig on the domain wenxuecity.com doesn't
return anything in our IP address range. So I can only
assume that the request packet was forged and sent to
us for some reason, which is why I believe it was an attack.
Here's the output of lsof for sendmail and httpd:
# lsof -i -n | grep sendmail
sendmail 757 root 6u inet 0x61343658 0t0 TCP *:smtp (LISTEN)
# lsof -i -n | grep httpd
httpd 466 root 15u inet 0x61342358 0t0 TCP *:80 (LISTEN)
httpd 469 nobody 15u inet 0x61342358 0t0 TCP *:80 (LISTEN)
httpd 470 nobody 15u inet 0x61342358 0t0 TCP *:80 (LISTEN)
httpd 471 nobody 15u inet 0x61342358 0t0 TCP *:80 (LISTEN)
httpd 472 nobody 15u inet 0x61342358 0t0 TCP *:80 (LISTEN)
httpd 473 nobody 15u inet 0x61342358 0t0 TCP *:80 (LISTEN)
httpd 1839 nobody 15u inet 0x61342358 0t0 TCP *:80 (LISTEN)
httpd 9410 nobody 15u inet 0x61342358 0t0 TCP *:80 (LISTEN)
httpd 19986 nobody 15u inet 0x61342358 0t0 TCP *:80 (LISTEN)
httpd 19992 nobody 15u inet 0x61342358 0t0 TCP *:80 (LISTEN)
httpd 19993 nobody 15u inet 0x61342358 0t0 TCP *:80 (LISTEN)
#
Everything appears to be running on the right port to me, and I've
double checked the proxy server and it's directing traffic properly,
so I'm sticking to the apache/sendmail interaction story =).
Anyway, that's all I have on it right now.
Jason Burke
Flood Randy Capt AFCA/GCF wrote:
>
> It looks like someone configured their web proxy to be port 25 (i.e.
> sendmail).
>
> -----Original Message-----
> From: Jason Burke
> To: silug-discuss@silug.org
> Sent: 8/16/01 8:42 AM
> Subject: Web Server Attack?
>
> Greetings All,
>
> Has anyone out there seen this before...
>
> Aug 15 08:33:12 alter3000 sendmail[22080]: NOQUEUE: SYSERR: putoutmsg ([192.168.10.11]): error on output channel sending "500 Command unrecognized: "GET http://www.wenxuecity.com/ HTTP/1.1"": Broken pipe
>
> Aug 15 08:33:12 alter3000 sendmail[22080]: NOQUEUE: SYSERR: putoutmsg ([192.168.10.11]): error on output channel sending "500 Command unrecognized: "Host: www.wenxuecity.com"": Broken pipe
>
> Aug 15 08:33:12 alter3000 sendmail[22080]: NOQUEUE: SYSERR: putoutmsg ([192.168.10.11]): error on output channel sending "500 Command unrecognized: "Accept: */*"": Broken pipe
>
> Aug 15 08:33:12 alter3000 sendmail[22080]: NOQUEUE: SYSERR: putoutmsg ([192.168.10.11]): error on output channel sending "500 Command unrecognized: "Pragma: no-cache"": Broken pipe
>
> Aug 15 08:33:12 alter3000 sendmail[22080]: NOQUEUE: SYSERR: putoutmsg ([192.168.10.11]): error on output channel sending "500 Command unrecognized: "User-Agent: Mozilla/5.0 (compatible; MSIE 5.01; Win2000)"": Broken pipe
>
> Aug 15 08:33:12 alter3000 sendmail[22080]: NOQUEUE: SYSERR: putoutmsg ([192.168.10.11]): error on output channel sending "500 Command unrecognized: """: Broken pipe
>
> It looks like an attack to me, but I can't tell what exploit the attacker
> was trying to use. Anyone have any ideas?
>
> Jason Burke
>
> -
> To unsubscribe, send email to majordomo@silug.org with
> "unsubscribe silug-discuss" in the body.
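The pattern in the quoted log, an HTTP request line followed by HTTP headers and a blank line, each rejected by sendmail as an unrecognized command, can be picked out of syslog mechanically so that a misdirected web client or proxy on port 25 is flagged rather than mistaken for an exploit attempt. The script below is an added example, not from anyone in the thread; the log lines are constructed after the quoted ones (the second session from 10.0.0.5 is invented to show a non-HTTP rejection), and the regex and function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the sendmail syslog lines quoted in the thread.
# Each rejected command is quoted inside the "500 Command unrecognized: ..." text.
SAMPLE_LOG = '''\
Aug 15 08:33:12 alter3000 sendmail[22080]: NOQUEUE: SYSERR: putoutmsg ([192.168.10.11]): error on output channel sending "500 Command unrecognized: "GET http://www.wenxuecity.com/ HTTP/1.1"": Broken pipe
Aug 15 08:33:12 alter3000 sendmail[22080]: NOQUEUE: SYSERR: putoutmsg ([192.168.10.11]): error on output channel sending "500 Command unrecognized: "Host: www.wenxuecity.com"": Broken pipe
Aug 15 08:33:12 alter3000 sendmail[22080]: NOQUEUE: SYSERR: putoutmsg ([192.168.10.11]): error on output channel sending "500 Command unrecognized: "Accept: */*"": Broken pipe
Aug 15 08:33:12 alter3000 sendmail[22080]: NOQUEUE: SYSERR: putoutmsg ([192.168.10.11]): error on output channel sending "500 Command unrecognized: """: Broken pipe
Aug 15 08:40:01 alter3000 sendmail[22091]: NOQUEUE: SYSERR: putoutmsg ([10.0.0.5]): error on output channel sending "500 Command unrecognized: "FOO"": Broken pipe
'''

# Assumed layout of the putoutmsg line: timestamp, host, pid, client ip, rejected command.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sendmail\[(?P<pid>\d+)\]: '
    r'NOQUEUE: SYSERR: putoutmsg \(\[(?P<ip>[\d.]+)\]\): '
    r'error on output channel sending "500 Command unrecognized: "(?P<cmd>.*)"": Broken pipe$'
)
HTTP_METHODS = ("GET ", "POST ", "HEAD ", "CONNECT ", "PUT ", "OPTIONS ")
HTTP_HEADER_RE = re.compile(r'^[A-Za-z-]+: ')

def classify(cmd):
    """Label one rejected SMTP command: HTTP request line, HTTP header, blank or other."""
    if cmd == "":
        return "blank"            # empty line that terminates an HTTP header block
    if cmd.startswith(HTTP_METHODS) and "HTTP/" in cmd:
        return "http-request"
    if HTTP_HEADER_RE.match(cmd):
        return "http-header"
    return "other"

def parse(log_text):
    """Group rejected commands by (sendmail pid, client ip) -> list of (label, cmd)."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            sessions[(m["pid"], m["ip"])].append((classify(m["cmd"]), m["cmd"]))
    return sessions

def http_to_smtp_sessions(log_text):
    """Return {(pid, ip): request line} for sessions where a client spoke HTTP to port 25."""
    hits = {}
    for key, cmds in parse(log_text).items():
        labels = [lbl for lbl, _ in cmds]
        if "http-request" in labels and "http-header" in labels:
            hits[key] = next(c for lbl, c in cmds if lbl == "http-request")
    return hits

if __name__ == "__main__":
    for (pid, ip), req in http_to_smtp_sessions(SAMPLE_LOG).items():
        print(f"sendmail[{pid}] from {ip}: HTTP sent to SMTP port: {req}")
```

A session that triggers only isolated "500 Command unrecognized" errors without the request-line-plus-headers shape is left in the "other" bucket for manual review rather than labelled as HTTP.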