Yesterday, as a follow-on, I unmerged the Gentoo Squid (2.5.11 Stable) and installed Squid-3.0-PRE3-20051030 directly from Squid-cache.org. After that my only trigger was a common false positive, but no random web attacks as produced by the Gentoo version.

I did record attempts from other Gentoo platforms (i.e. raptor.gentoo.osuosl.org) that had the same attack signatures probing my server.

I did save one alert log from the Gentoo Squid build, and here are some clips:
----------------------------
11/03-13:36:24.862442 192.168.1.12:36095 -> 160.227.20.8:80
TCP TTL:64 TOS:0x0 ID:26245 IpLen:20 DgmLen:740 DF
***AP*** Seq: 0xB9ED7061 Ack: 0x1D930248 Win: 0x1BB4 TcpLen: 32
TCP Options (3) => NOP NOP TS: 287314455 7254994
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-1376][Xref => http://www.securityfocus.com/bid/2252]

[**] [1:1288:8] WEB-FRONTPAGE /_vti_bin/ access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
11/03-13:36:24.862442 192.168.1.12:36095 -> 160.227.20.8:80
TCP TTL:64 TOS:0x0 ID:26245 IpLen:20 DgmLen:740 DF
***AP*** Seq: 0xB9ED7061 Ack: 0x1D930248 Win: 0x1BB4 TcpLen: 32
TCP Options (3) => NOP NOP TS: 287314455 7254994
[Xref => http://cgi.nessus.org/plugins/dump.php3?id=11032]

[**] [1:2515:9] WEB-MISC PCT Client_Hello overflow attempt [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
11/03-13:36:59.036747 192.168.1.12:36106 -> 130.191.143.18:443
TCP TTL:64 TOS:0x0 ID:44644 IpLen:20 DgmLen:489 DF
***AP*** Seq: 0xBBD22A6D Ack: 0xC6E36C0C Win: 0x2118 TcpLen: 32
TCP Options (3) => NOP NOP TS: 287348635 430347512
[Xref => http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2003-0719][Xref => http://www.securityfocus.com/bid/10116]

[**] [1:972:8] WEB-IIS %2E-asp access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
11/03-13:38:00.152634 192.168.1.12:36118 -> 63.93.242.137:80
TCP TTL:64 TOS:0x0 ID:35374 IpLen:20 DgmLen:829 DF
***AP*** Seq: 0xC0300C22 Ack: 0x156D63CD Win: 0x16D0 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0253][Xref => http://www.securityfocus.com/bid/1814]

[**] [1:1564:6] WEB-MISC login.htm access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
11/03-18:02:09.890960 192.168.1.12:32790 -> 209.202.161.132:80
TCP TTL:64 TOS:0x0 ID:16648 IpLen:20 DgmLen:568 DF
***AP*** Seq: 0xB256AB50 Ack: 0x16654B17 Win: 0x16D0 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-1533][Xref => http://www.securityfocus.com/bid/665]

[**] [1:895:7] WEB-CGI redirect access [**]
[Classification: Attempted Information Leak] [Priority: 2]
11/03-18:02:19.371472 192.168.1.12:32796 -> 207.46.225.221:80
TCP TTL:64 TOS:0x0 ID:40290 IpLen:20 DgmLen:525 DF
***AP*** Seq: 0xB3019639 Ack: 0x80329EEE Win: 0x6C0 TcpLen: 32
TCP Options (3) => NOP NOP TS: 4294840274 7096916
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2000-0382][Xref => http://www.securityfocus.com/bid/1179]

[**] [1:1333:6] WEB-ATTACKS id command attempt [**]
[Classification: Web Application Attack] [Priority: 1]
11/03-21:37:22.144594 192.168.1.12:33666 -> 63.208.226.65:80
TCP TTL:64 TOS:0x0 ID:61249 IpLen:20 DgmLen:1492 DF
***A**** Seq: 0xDEBFB8B8 Ack: 0xDC15FDA0 Win: 0x16D0 TcpLen: 20

[**] [1:1112:6] WEB-MISC http directory traversal [**]
[Classification: Attempted Information Leak] [Priority: 2]
11/03-21:43:43.650398 192.168.1.12:33728 -> 63.208.226.65:80
TCP TTL:64 TOS:0x0 ID:26729 IpLen:20 DgmLen:1492 DF
***A**** Seq: 0xF4A1B938 Ack: 0xE9F492C2 Win: 0x16D0 TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS298]

[**] [1:1054:7] WEB-MISC weblogic/tomcat .jsp view source attempt [**]
[Classification: Web Application Attack] [Priority: 1]
11/03-21:56:10.945244 192.168.1.12:33991 -> 208.254.3.160:80
TCP TTL:64 TOS:0x0 ID:56127 IpLen:20 DgmLen:679 DF
***AP*** Seq: 0x2581E951 Ack: 0xF243E594 Win: 0x5B4 TcpLen: 32
TCP Options (3) => NOP NOP TS: 13906685 185043937
[Xref => http://www.securityfocus.com/bid/2527]

[**] [1:1054:7] WEB-MISC weblogic/tomcat .jsp view source attempt [**]
[Classification: Web Application Attack] [Priority: 1]
11/03-21:56:12.087098 192.168.1.12:33992 -> 66.179.5.89:80
TCP TTL:64 TOS:0x0 ID:14281 IpLen:20 DgmLen:980 DF
***AP*** Seq: 0x25AB00D1 Ack: 0x8BAB936F Win: 0x16D0 TcpLen: 20
[Xref => http://www.securityfocus.com/bid/2527]

There has been much more, but that is just some snips of the one alert log that I did save. So far, with the new Squid cache, I do not get attack signature triggers as with the Gentoo release.

I was trying Snortsam to control my iptables and have not really gotten it to work. I will give the flexresp and oinkmaster suite a look. Thank you.

Best wishes, JohnF

--
gentoo-security@g.o mailing list
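As an added example (not part of the post above, and not Snort's or Snortsam's own code), here is a small Python parser for the Snort "full" alert format the log is in, run over three of the records quoted above (copied from the post, with the wrapped lines rejoined), with summaries by source address, destination port and priority. One thing the clips show once they are tabulated is that every record has 192.168.1.12 as its source and an external web server as its destination, so a Snortsam-style response keyed on the alert's source IP would block the proxy host itself rather than whoever sent the request through it. Function and variable names are my own.

```python
import re
from collections import Counter

# Three records from the alert log quoted in the post (Snort "full" alert format).
SAMPLE_ALERTS = """\
[**] [1:2515:9] WEB-MISC PCT Client_Hello overflow attempt [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
11/03-13:36:59.036747 192.168.1.12:36106 -> 130.191.143.18:443
TCP TTL:64 TOS:0x0 ID:44644 IpLen:20 DgmLen:489 DF
***AP*** Seq: 0xBBD22A6D Ack: 0xC6E36C0C Win: 0x2118 TcpLen: 32
TCP Options (3) => NOP NOP TS: 287348635 430347512
[Xref => http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2003-0719][Xref => http://www.securityfocus.com/bid/10116]

[**] [1:972:8] WEB-IIS %2E-asp access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
11/03-13:38:00.152634 192.168.1.12:36118 -> 63.93.242.137:80
TCP TTL:64 TOS:0x0 ID:35374 IpLen:20 DgmLen:829 DF
***AP*** Seq: 0xC0300C22 Ack: 0x156D63CD Win: 0x16D0 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0253][Xref => http://www.securityfocus.com/bid/1814]

[**] [1:1054:7] WEB-MISC weblogic/tomcat .jsp view source attempt [**]
[Classification: Web Application Attack] [Priority: 1]
11/03-21:56:10.945244 192.168.1.12:33991 -> 208.254.3.160:80
TCP TTL:64 TOS:0x0 ID:56127 IpLen:20 DgmLen:679 DF
***AP*** Seq: 0x2581E951 Ack: 0xF243E594 Win: 0x5B4 TcpLen: 32
TCP Options (3) => NOP NOP TS: 13906685 185043937
[Xref => http://www.securityfocus.com/bid/2527]
"""

# [**] [gid:sid:rev] message [**]
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
CLASS_RE = re.compile(r"\[Classification: (.+?)\]")
PRIO_RE = re.compile(r"\[Priority: (\d+)\]")
# MM/DD-HH:MM:SS.usec src:sport -> dst:dport
PACKET_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+?):(\d+) -> (\S+?):(\d+)$")
XREF_RE = re.compile(r"\[Xref => (.+?)\]")


def parse_alerts(text):
    """Parse Snort full-format alerts (records separated by blank lines) into dicts."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.strip().splitlines()
        header = HEADER_RE.match(lines[0])
        if not header:
            continue  # a clipped record with no [**] header line (as the first one in the post)
        gid, sid, rev, msg = header.groups()
        alert = {
            "gid": int(gid), "sid": int(sid), "rev": int(rev), "msg": msg,
            "classification": None, "priority": None, "timestamp": None,
            "src": None, "sport": None, "dst": None, "dport": None, "xrefs": [],
        }
        for line in lines[1:]:
            c = CLASS_RE.search(line)
            if c:
                alert["classification"] = c.group(1)
            p = PRIO_RE.search(line)
            if p:
                alert["priority"] = int(p.group(1))
            pk = PACKET_RE.match(line)
            if pk:
                ts, src, sport, dst, dport = pk.groups()
                alert.update(timestamp=ts, src=src, sport=int(sport), dst=dst, dport=int(dport))
            alert["xrefs"].extend(XREF_RE.findall(line))
        alerts.append(alert)
    return alerts


def count_by_source(alerts):
    """How many alerts name each source address: tells you who a source-keyed block would hit."""
    return Counter(a["src"] for a in alerts)


def count_by_dest_port(alerts):
    return Counter(a["dport"] for a in alerts)


def high_priority(alerts, max_priority=1):
    """Alerts at or above the given priority (Snort: 1 is the most severe)."""
    return [a for a in alerts if a["priority"] is not None and a["priority"] <= max_priority]


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for a in parsed:
        print(f"{a['timestamp']} sid={a['sid']} prio={a['priority']} "
              f"{a['src']}:{a['sport']} -> {a['dst']}:{a['dport']}  {a['msg']}")
    print("by source:", dict(count_by_source(parsed)))
    print("by dest port:", dict(count_by_dest_port(parsed)))
    print("priority 1:", [a["sid"] for a in high_priority(parsed)])
```

Feed it the whole saved log instead of the embedded sample and the source count is the first thing to check before wiring Snort up to iptables: if one address (here the proxy) accounts for every alert, blocking by alert source is the wrong reaction, and the response has to be keyed on something else, such as the client on the Squid side of the connection.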