Fingerprinting Port 80 Attacks

pg writes "I found an interesting article on www.cgisecurity.com that explains common fingerprints in web server, and web application attacks. It goes to describe how to detect most known, and unknown attacks. This may come in handy when trying to detect another internet worm."

It makes me angry

[gmplague]

It makes me angry that everyone decides to beef up security and write analytical articles about how to maintain security AFTER THE FACT. The problem is, that although this seems like a good idea now, fingerprinting probably won't help for the next series of attacks, because they will be different in nature.

Re:It makes me angry

[13013dobbs]

They will be different in nature, but will use the same commands to gain root access to the box. Read the part where he describes the common commands an attacker may execute, or common files the attacker will request. How the files or commands are accesses may change, but the files and commands will (for the most part) stay the same.

Fingerprinting, CGI & Web Security

[Slipped_Disk]

I think there is some value to this article for new admins - it highlights most of the common things you will see in your log files if someone is poking at your site.

By the same token, most well-written CGIs will block these sorts of attacks (and hopefully if you are writing CGIs you will have enough knowledge (and common sense) to write them in a reasonably secure manner).

At the least it's worth a quick five-minute scan.

Fingerprint Database

[helleman]

I'd love to see a plugin for apache that allowed a central server fingerprint database for new exploits.

Every hour or so, a web server could access a central fingerprint server and download what the latest exploits look like. If a exploit comes in, the server could deny that IP, or drop those accesses without needing to know what the particular exploit is. A self maintaining web server via the web.

What do you think?

Re:Fingerprint Database

[Tenebrious1]

And, unbeknownst to you and thousands of others, the site that maintains the list has been hacked, and you are downloading empty lists that allow every exploit.

It's a good idea, but there's a problem when you create a central point of failure.

Re:Fingerprint Database

[Slipped_Disk]

This is a really cool idea, there would need to be some way of verifying the information the plugin was getting though, or someone could just feed your server an "attack" fingerprint that matches a normal hit and you would wind up denying legitemate users. This idea sounds a lot like the ORBS/RBL for sendmail.

Looks good and a TFTP/FTP Question.

[Embedded+Geek]

On first glance, this looks like a really nice piece of work, especially given the caveat (paraphrased) "this is not completely inclusive..." for the author.

I do have a question for my fellow slashdotters: Why does the author single out TFTP but not FTP? Does TFTP have inherrent weaknesses that would make it the file transfer protocol of choice for an attacker?

I did a worm blocker

[certsoft]

Must of have been a week or two ago. I was trying to debug some LAN activity that only occurs at midnight on a custom system here. I have a log of TCP activity but it was filled with worm activity by the time I looked at it in the mornings.

Based on the activity I detected I set the software up to look for a GET using any of the following substrings: SCRIPTS MSADC WINNT ADMIN.DLL _VTI_BIN and _MEM_BIN. If found then the requestor's IP address got added to a list. Anytime the TCP stack saw a SYN request from one of these addresses it just ignored it instead of starting the handshake. So far it has blocked 75 IP addresses and my log files are now pretty pristine.

Freshmeat.net is a good resource.

[GISboy]

Among the utilites mentioned like snort, no one has hit on the actual fingerprinting utilities out there like nmap, nbtscan and something like portsentry.

I forget off the top of my head if portsentry has scriptable events, if it does then the possibility of having a "guarddog" type box would be interesting.

For instance, if attack is detected portsentry and it does its thing by putting the offending adderss in /ect/hosts.deny and rereads hosts.deny and passes the address off to nmap or nbtscan to figure out what the box is running.

Nothing beats calling up an ISP and saying "you have a windows/linux/whatever box probing for webservers/mailservers/(insert service) and is attempting to execute a vulnerability of that service".

Nmap and Nbtscan are excellent utilities, but from using them and playing around, nmap is more of a discovery tool, nbtscan is more of a retalitory tool. Or, at the very least they both can be used as such.
I know from personal experience that nbtscan's default setting (normal, aggressive, insane) is enough to knock a box off of a network.
I scanned my cable modem...had to power down to get back up and knocked my boss off even with his knowledge...only a complete power down would bring the box back on the network.

If you can have a "honeypot" why not a "watchdog" box for computer security?
Has the "security/watchdog" been done before?

Nice, but...

The article does not take IIS into account, that shows because Unicode is missing, the article also miss another point: Error codes!

Say user Foo runs cgi-scanner X against one system, without proper fingerprinting (as most lame script kiddies dont do), most scans will trigger an error because apache doesn't come with a /scripts/ directory and IIS wouldn't know what to do with an apache exploit. This will create tonnes of errors, making lame so called "cgi-scans" easy to spot.

Apart from that, most network/security people should read the article; this is basic intrusion detection skills that should be mastered by you people, that include those apes (and that's an insult to primates!) who have those lame ass certifications.