Logwatch contents

How are you using your Bubba Two or Excito B3? Got pictures? Share here!
redw0001
Posts: 96
Joined: 07 Sep 2009, 14:03

Logwatch contents

Post by redw0001 » 02 Mar 2016, 05:58

Normally my logwatch contents sent to me from my B3 each day are boring. This I think is a good place to be. However, yesterday the following was part of the contents. Before shooting off down a dead end I'd be interested in the views of anyone who understands Apache.

To me it looks like somebody from 137.226.113.7 has been trying to poke around trying myadmin and phpMyAdmin. whois says the owner is Andreas Schreiber at RWTH Aachen University.

I had port forwarding set up on my router for http and https so I could access information on the B3 remotely. I've closed them for now. Makes me think I should put equivalent of logwatch on my second B3 which has been running Arch.

--------------------- httpd Begin ------------------------


A total of 1 sites probed the server
137.226.113.7

Requests with error response codes
400 Bad Request
/: 3 Time(s)
404 Not Found
//MyAdmin/scripts/setup.php: 1 Time(s)
//cgi-bin/php-cgi: 1 Time(s)
//cgi-bin/php.cgi: 1 Time(s)
//cgi-bin/php4: 1 Time(s)
//myadmin/scripts/setup.php: 1 Time(s)
//phpMyAdmin/scripts/setup.php: 1 Time(s)
//phpmyadmin/scripts/setup.php: 1 Time(s)
//pma/scripts/setup.php: 1 Time(s)
/index.php: 1 Time(s)
/muieblackcat: 1 Time(s)
/myadmin/scripts/setup.php: 1 Time(s)
/phpMyAdmin/scripts/setup.php: 1 Time(s)
/pma/scripts/setup.php: 1 Time(s)
http://www.baidu.com/robots.txt: 1 Time(s)
405 Method Not Allowed
/: 21 Time(s)
/.well-known/carddav: 21 Time(s)
/principals/: 21 Time(s)
408 Request Timeout
null: 1 Time(s)
500 Internal Server Error
//cgi-bin/php: 1 Time(s)
//cgi-bin/php5: 1 Time(s)

---------------------- httpd End -------------------------

Gordon
Posts: 1339
Joined: 10 Aug 2011, 03:18

Re: Logwatch contents

Post by Gordon » 02 Mar 2016, 11:26


redw0001
Posts: 96
Joined: 07 Sep 2009, 14:03

Re: Logwatch contents

Post by redw0001 » 03 Mar 2016, 05:46

Hm, read quite a lot of the 14 pages of that, including posts from myself. I see no untoward CPU usage, and no cron entries as described. I removed the port forwarding on my router which I assumed would block the incoming messages and yet there were more messages overnight from three or four new web addresses.

I obviously need to do more reading to understand what is happening here and how to stop it.

Gordon
Posts: 1339
Joined: 10 Aug 2011, 03:18

Re: Logwatch contents

Post by Gordon » 03 Mar 2016, 11:44

They are bots, running on computers of non-aware users. Seeing them come from multiple addresses now may simply be a coincidence, or the first one that hit you flagged your IP as interesting. As long as your site returns 404 you will be fine, but the interesting part for them may be the 500 messages returned on their attempts to target php-cgi. Obviously the 500 return means that the exploit from the linked thread did not work, but it does give away that you do have php and there may be (CMS) pages with well known pass phrase dialogues that allow them to run password guessing algorithms.

I understand this happened on a B3 that is running the original Bubba OS. First things first: get rid of that cgi! It serves no purpose since you will be running php through apache mod_php and the Bubba UI is a separate php cli (command line interface) instance running as a service (fastcgi). Debian is truly bad in this regard, installing all available access methods without you being able to control it. You might want to check your Arch machine as well - Arch may be doing the same or you may have enabled cgi at install time thinking you would need it.

rm -f /usr/lib/cgi-bin/php*

Check your apache access logs. Did they find any login pages? If they did you will have no other choice but to delete that page from its current location. The page's location will have been transferred to many other bots hitting it directly to find a working password. A quick solution is to transfer the site to a (different) named vhost. Notice the "/muieblackcat" request. Another known one is "/w00tw00t". This is how the discovery bots detect you are running a web server. You can use this in your firewall to do a string check on packages being sent to port 80 and blacklist them instantly by using xtables recent target. Or if you're feeling adventurous redirect them to a different port to be able to log what the bots are doing. Or even to a honeypot.

redw0001
Posts: 96
Joined: 07 Sep 2009, 14:03

Re: Logwatch contents

Post by redw0001 » 03 Mar 2016, 12:32

I ran the recommended cmd to get rid of php*. Checked what was there first then ran it. Deleted half a dozen things. The only thing I even half-recognise here is nmap, which I think is a port scanner (amongst other things). Can you point me to where I can find an explanation of the message structure so I can try to understand the messages? Many thanks for the help.

Looked in the logs from 'admin', specifically at the Apache2 access.log and other than 192.168.1.xyz which are my machines at home I can see some of the following:
202.168.90.27 - - [03/Mar/2016:00:53:12 +0000] "HEAD http://91.125.186.71:80/phppma/ HTTP/1.1" 404 219 "-" "Mozilla/5.0 Jorgee"
202.168.90.27 - - [03/Mar/2016:00:53:12 +0000] "HEAD http://91.125.186.71:80/pma/ HTTP/1.1" 404 219 "-" "Mozilla/5.0 Jorgee"
202.168.90.27 - - [03/Mar/2016:00:53:12 +0000] "HEAD http://91.125.186.71:80/pma2011/ HTTP/1.1" 404 219 "-" "Mozilla/5.0 Jorgee"
202.168.90.27 - - [03/Mar/2016:00:53:13 +0000] "HEAD http://91.125.186.71:80/pma2012/ HTTP/1.1" 404 219 "-" "Mozilla/5.0 Jorgee"
202.168.90.27 - - [03/Mar/2016:00:53:13 +0000] "HEAD http://91.125.186.71:80/pma2013/ HTTP/1.1" 404 219 "-" "Mozilla/5.0 Jorgee"
202.168.90.27 - - [03/Mar/2016:00:53:13 +0000] "HEAD http://91.125.186.71:80/pma2014/ HTTP/1.1" 404 219 "-" "Mozilla/5.0 Jorgee"
202.168.90.27 - - [03/Mar/2016:00:53:13 +0000] "HEAD http://91.125.186.71:80/pma2015/ HTTP/1.1" 404 219 "-" "Mozilla/5.0 Jorgee"
202.168.90.27 - - [03/Mar/2016:00:53:13 +0000] "HEAD http://91.125.186.71:80/program/ HTTP/1.1" 404 219 "-" "Mozilla/5.0 Jorgee"
202.168.90.27 - - [03/Mar/2016:00:53:14 +0000] "HEAD http://91.125.186.71:80/shopdb/ HTTP/1.1" 404 219 "-" "Mozilla/5.0 Jorgee"
202.168.90.27 - - [03/Mar/2016:00:53:14 +0000] "HEAD http://91.125.186.71:80/sql/myadmin/ HTTP/1.1" 404 219 "-" "Mozilla/5.0 Jorgee"
202.168.90.27 - - [03/Mar/2016:00:53:14 +0000] "HEAD http://91.125.186.71:80/sql/php-myadmin/ HTTP/1.1" 404 219 "-" "Mozilla/5.0 Jorgee"
202.168.90.27 - - [03/Mar/2016:00:53:14 +0000] "HEAD http://91.125.186.71:80/sql/phpMyAdmin/ HTTP/1.1" 404 219 "-" "Mozilla/5.0 Jorgee"
202.168.90.27 - - [03/Mar/2016:00:53:15 +0000] "HEAD http://91.125.186.71:80/sql/phpMyAdmin2/ HTTP/1.1" 404 219 "-" "Mozilla/5.0 Jorgee"
202.168.90.27 - - [03/Mar/2016:00:53:15 +0000] "HEAD http://91.125.186.71:80/sql/phpMyAdmin3/ HTTP/1.1" 404 219 "-" "Mozilla/5.0 Jorgee"
202.168.90.27 - - [03/Mar/2016:00:53:15 +0000] "HEAD http://91.125.186.71:80/sql/phpMyAdmin4/ HTTP/1.1" 404 219 "-" "Mozilla/5.0 Jorgee"
202.168.90.27 - - [03/Mar/2016:00:53:15 +0000] "HEAD http://91.125.186.71:80/sql/phpmanager/ HTTP/1.1" 404 219 "-" "Mozilla/5.0 Jorgee"
202.168.90.27 - - [03/Mar/2016:00:53:15 +0000] "HEAD http://91.125.186.71:80/sql/phpmy-admin/ HTTP/1.1" 404 219 "-" "Mozilla/5.0 Jorgee"
202.168.90.27 - - [03/Mar/2016:00:53:16 +0000] "HEAD http://91.125.186.71:80/sql/phpmyadmin2/ HTTP/1.1" 404 218 "-" "Mozilla/5.0 Jorgee"
202.168.90.27 - - [03/Mar/2016:00:53:16 +0000] "HEAD http://91.125.186.71:80/sql/phpmyadmin3/ HTTP/1.1" 404 218 "-" "Mozilla/5.0 Jorgee"
202.168.90.27 - - [03/Mar/2016:00:53:16 +0000] "HEAD http://91.125.186.71:80/sql/phpmyadmin4/ HTTP/1.1" 404 218 "-" "Mozilla/5.0 Jorgee"
202.168.90.27 - - [03/Mar/2016:00:53:16 +0000] "HEAD http://91.125.186.71:80/sql/sql-admin/ HTTP/1.1" 404 218 "-" "Mozilla/5.0 Jorgee"
202.168.90.27 - - [03/Mar/2016:00:53:16 +0000] "HEAD http://91.125.186.71:80/sql/sql/ HTTP/1.1" 404 218 "-" "Mozilla/5.0 Jorgee"
202.168.90.27 - - [03/Mar/2016:00:53:17 +0000] "HEAD http://91.125.186.71:80/sql/sqladmin/ HTTP/1.1" 404 218 "-" "Mozilla/5.0 Jorgee"
202.168.90.27 - - [03/Mar/2016:00:53:17 +0000] "HEAD http://91.125.186.71:80/sql/sqlweb/ HTTP/1.1" 404 218 "-" "Mozilla/5.0 Jorgee"
202.168.90.27 - - [03/Mar/2016:00:53:17 +0000] "HEAD http://91.125.186.71:80/sql/webadmin/ HTTP/1.1" 404 218 "-" "Mozilla/5.0 Jorgee"
202.168.90.27 - - [03/Mar/2016:00:53:17 +0000] "HEAD http://91.125.186.71:80/sql/webdb/ HTTP/1.1" 404 218 "-" "Mozilla/5.0 Jorgee"
202.168.90.27 - - [03/Mar/2016:00:53:18 +0000] "HEAD http://91.125.186.71:80/sql/websql/ HTTP/1.1" 404 182 "-" "Mozilla/5.0 Jorgee"
36.47.178.107 - - [03/Mar/2016:01:16:19 +0000] "GET / HTTP/1.0" 200 3455 "-" "-"
36.47.178.107 - - [03/Mar/2016:01:16:19 +0000] "GET /IPMIdevicedesc.xml HTTP/1.1" 404 536 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36"
36.47.178.107 - - [03/Mar/2016:01:16:19 +0000] "GET /PSBlock HTTP/1.1" 404 525 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36"
36.47.178.107 - - [03/Mar/2016:01:16:19 +0000] "GET /stauts HTTP/1.1" 404 524 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36"
36.47.178.107 - - [03/Mar/2016:01:16:19 +0000] "GET /status HTTP/1.1" 404 524 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36"
36.47.178.107 - - [03/Mar/2016:01:16:19 +0000] "GET / HTTP/1.1" 200 3455 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; http://nmap.org/book/nse.html)"
36.47.178.107 - - [03/Mar/2016:01:16:19 +0000] "GET / HTTP/1.0" 200 3455 "-" "-"
36.47.178.107 - - [03/Mar/2016:01:16:19 +0000] "GET /stats HTTP/1.1" 404 523 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; http://nmap.org/book/nse.html)"
213.202.212.166 - - [03/Mar/2016:06:47:34 +0000] "HEAD /robots.txt HTTP/1.0" 404 182 "-" "-"
186.125.206.110 - - [03/Mar/2016:09:08:37 +0000] "HEAD / HTTP/1.0" 200 280 "-" "-"
74.82.47.4 - - [03/Mar/2016:12:26:13 +0000] "GET / HTTP/1.1" 200 4259 "-" "-"
74.82.47.4 - - [03/Mar/2016:12:33:28 +0000] "GET / HTTP/1.1" 200 4299 "-" "-"
180.97.106.161 - - [03/Mar/2016:16:41:32 +0000] "GET /" 400 550 "-" "-"
91.196.50.33 - - [03/Mar/2016:16:59:10 +0000] "GET http://testp5.mielno.lubin.pl/testproxy.php HTTP/1.1" 404 454 "-" "Mozilla/5.0 (Windows NT 5.1; rv:32.0) Gecko/20100101 Firefox/31.0"

Gordon
Posts: 1339
Joined: 10 Aug 2011, 03:18

Re: Logwatch contents

Post by Gordon » 03 Mar 2016, 13:48

Those are quite recent entries. You should probably zcat the older ones as well. There's no message structure in the discovery requests - they are simply trying different pages and logging everything that returns something other than 404. The next attack that will specifically target that found page will usually come from a different IP (or multiple IPs). These requests will contain POST values for username and password as used by the CMS system in question. Again: once they find a username/password combination it will be logged. It may take several days then for the ugly stuff to start.

Exception: the requests to php cgi. These contain a data part that is in fact executable php. If the php code is allowed to execute the next request contains a larger piece of php code that will download and execute more code, at which point your machine will be a bot too.
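
The two pieces of advice above (check the access logs, including the zcat'ed rotated ones, and look for the discovery bots' signature requests and for anything that came back as something other than 404) can be turned into a small script. The following is an added example written for this thread; it is not code from Gordon, redw0001 or the Excito project. It parses Apache's combined log format, tags requests using the markers quoted in this thread (phpMyAdmin/pma/myadmin and scripts/setup.php paths, /muieblackcat and /w00tw00t, /cgi-bin/php*, testproxy.php, and the "Jorgee" and "Nmap Scripting Engine" User-Agents), and lists, per scanning IP, the requests that did not return 404. The `OUR_HOSTS` value and the sample log lines are constructed assumptions modelled on the lines quoted above; absolute-URI requests naming some other host are tagged as open-proxy probes.

```python
"""Tag web-scanner activity in Apache access logs (added example for this thread)."""
import gzip
import re
import sys
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Apache "combined" format. The target may be an absolute URI (the HEAD probes
# above use that form) and a malformed request may carry no HTTP version.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>HTTP/\d\.\d))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
ABS_URI = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")

# Markers taken from the thread: paths the bots try and the User-Agents they send.
PATH_MARKERS = {
    "pma-probe": ("phpmyadmin", "/pma", "myadmin", "scripts/setup.php"),
    "discovery": ("/muieblackcat", "/w00tw00t"),
    "php-cgi": ("/cgi-bin/php",),
    "proxy-probe": ("testproxy.php",),
}
UA_MARKERS = {"jorgee": "jorgee", "nmap-nse": "nmap scripting engine"}
OUR_HOSTS = {"91.125.186.71"}  # assumption: this server's own public address


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    if ABS_URI.match(rec["target"]):
        parts = urlsplit(rec["target"])
        rec["host"], rec["path"] = parts.hostname or "", parts.path or "/"
    else:
        # Not urlsplit(): a target like "//cgi-bin/php5" would be read as a
        # network-path reference and "cgi-bin" taken for the host.
        rec["host"], rec["path"] = "", rec["target"]
    return rec


def classify(rec):
    """Scanner tags for one request; an empty list means ordinary traffic."""
    path, ua = rec["path"].lower(), rec["ua"].lower()
    tags = [t for t, needles in PATH_MARKERS.items() if any(n in path for n in needles)]
    tags += [t for t, needle in UA_MARKERS.items() if needle in ua]
    # An absolute URI naming somebody else's host asks whether we relay requests.
    if rec["host"] and rec["host"] not in OUR_HOSTS and "proxy-probe" not in tags:
        tags.append("proxy-probe")
    return tags


def read_log(path):
    """Yield lines from a plain or gzip-rotated log (the zcat step from the thread)."""
    opener = gzip.open if str(path).endswith(".gz") else open
    with opener(path, "rt", encoding="utf-8", errors="replace") as fh:
        yield from fh


def summarize(lines):
    """Per-IP request count, tags, status codes and the non-404 answers a scanner got."""
    ips = defaultdict(lambda: {"requests": 0, "tags": Counter(), "statuses": Counter(), "hits": []})
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        e = ips[rec["ip"]]
        e["requests"] += 1
        e["statuses"][rec["status"]] += 1
        e["tags"].update(classify(rec))
        if rec["status"] != 404:
            e["hits"].append((rec["path"], rec["status"]))
    for e in ips.values():          # non-404 hits only matter from IPs that scanned us
        if not e["tags"]:
            e["hits"] = []
    return {"ips": dict(ips), "unparsed": unparsed}


def report(summary):
    """Plain-text report, busiest client first."""
    out = []
    for ip, e in sorted(summary["ips"].items(), key=lambda kv: -kv[1]["requests"]):
        codes = " ".join(f"{c}x{n}" for c, n in sorted(e["statuses"].items()))
        out.append(f"{ip:16} {e['requests']:4} req  [{','.join(sorted(e['tags'])) or '-'}]  {codes}")
        out += [f"{'':16}      non-404: {st} {p}" for p, st in e["hits"]]
    if summary["unparsed"]:
        out.append(f"unparsed lines: {summary['unparsed']}")
    return "\n".join(out)


# Constructed sample modelled on the log lines quoted in this thread.
SAMPLE = """\
192.168.1.20 - - [03/Mar/2016:00:10:01 +0000] "GET /index.php HTTP/1.1" 200 3455 "-" "Mozilla/5.0"
202.168.90.27 - - [03/Mar/2016:00:53:12 +0000] "HEAD http://91.125.186.71:80/pma/ HTTP/1.1" 404 219 "-" "Mozilla/5.0 Jorgee"
202.168.90.27 - - [03/Mar/2016:00:53:14 +0000] "HEAD http://91.125.186.71:80/sql/phpMyAdmin/ HTTP/1.1" 404 219 "-" "Mozilla/5.0 Jorgee"
36.47.178.107 - - [03/Mar/2016:01:16:19 +0000] "GET / HTTP/1.1" 200 3455 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; http://nmap.org/book/nse.html)"
36.47.178.107 - - [03/Mar/2016:01:16:19 +0000] "GET /stats HTTP/1.1" 404 523 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; http://nmap.org/book/nse.html)"
137.226.113.7 - - [02/Mar/2016:03:02:11 +0000] "GET /muieblackcat HTTP/1.1" 404 500 "-" "-"
137.226.113.7 - - [02/Mar/2016:03:02:12 +0000] "POST //cgi-bin/php5 HTTP/1.1" 500 600 "-" "-"
180.97.106.161 - - [03/Mar/2016:16:41:32 +0000] "GET /" 400 550 "-" "-"
91.196.50.33 - - [03/Mar/2016:16:59:10 +0000] "GET http://testp5.mielno.lubin.pl/testproxy.php HTTP/1.1" 404 454 "-" "Mozilla/5.0 (Windows NT 5.1; rv:32.0) Gecko/20100101 Firefox/31.0"
"""

if __name__ == "__main__":
    # e.g. python3 scanlog.py /var/log/apache2/access.log /var/log/apache2/access.log.*.gz
    paths = sys.argv[1:]
    lines = (ln for p in paths for ln in read_log(p)) if paths else SAMPLE.splitlines()
    print(report(summarize(lines)))
```

Run without arguments it reports on the built-in sample; with file arguments it reads both plain and .gz logs. On the sample, the only non-404 lines the scanners got back are the 200 for "/" handed to the Nmap probe and the 500 for //cgi-bin/php5, which is exactly the pair Gordon points at: the 500 tells the bot that a PHP CGI handler exists even though its request failed.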

redw0001
Posts: 96
Joined: 07 Sep 2009, 14:03

Re: Logwatch contents

Post by redw0001 » 10 Mar 2016, 14:32

Progress is a 'bit delayed' as I decided to start by tackling my router. After digging around in the router log I discovered some traffic was hitting port 80 on my B3. Strange as I did not have port forwarding set up for this port. Then I remembered when I got the new router (Netgear D6400) last year I did a firmware upgrade to a new firmware level that was subsequently found to be problematic (ADSL line drops). At that time I'd put in port forwarding and the definitions had just disappeared (in hindsight a second problem with the level). Subsequently, I reinstated the previous version.

A factory reset a couple of days ago and all new definitions gives me a clean install now. The only port open for the B3 is 143 for IMAP access. So far no new messages, but that could be because my ISP has allocated a new IP address. ;-)

Once it is stable for a few days I'll start putting a firewall on the B3 then restart Apache.

In the meantime I've checked my Arch install on another machine and that didn't have the cgi that was recommended for deletion. I'm also trying out UFW on that machine as I'm not sure what is the best 'simple' firewall to use. Has anyone managed a firewall via webmin, or any recommendations for a gui firewall manager?
