Fingerprinting Port 80 Attacks

pg writes "I found an interesting article on www.cgisecurity.com that explains common fingerprints in web server, and web application attacks. It goes to describe how to detect most known, and unknown attacks. This may come in handy when trying to detect another internet worm."

What irony!

[swordboy]

I'm sure that the server that the article is posted on is getting a nice "attack" on port 80 right now!

One thing missed

[13013dobbs]

formmail script exploits. Due to post 25 blocking, spammers are looking for exploitable formmail scripts to send their spam through. I guess the author just wanted to talk about root exploits, but there are other ways to abuse a web server.

Re:One thing missed

[ptomblin]

It's a spammer or a mail bomber looking for form-mail scripts that he can hijack to send his millions of email messages through and make it hard to catch him or block mail from him. They used to rely on finding open mail relays, but except for a few thousand in China and Korea, there aren't that many around any more (and anybody who doesn't want to get spam just blocks everything from sites in China or Korea). So they've altered their tactics.

incomplete document

[Angry+Black+Man]

That article doesn't cover too many port 80 exploits. It does cover the most common attacks, but, if you want some more information here is a more complete guide. There are also a lot of language translations of it at the top if you're not the most fluent in english.

Remember, these documenst are written to help server administrators get an idea of what to look out for, not to solve every single port 80 problem out there.

Re:incomplete document

[mwalker]

I hate to rain on your parade, but I believe that while the linked information is Informative, it is not quite On-Topic. The article in question talks about how to fingerprint different exploit strings launched at web servers at the application layer on port 80. The document you linked discusses how to fingerprint the TCP stacks of varying operating systems based on details gleaned from the top 3 layers of the network stack, including timing details, TCP sequence numbers, etc. Specifically it describes how Fyodor's excellent nmap utility fingerprints an Operating System by TCP stack. You may note that you must be "root" to use this capability because you must sniff the raw TCP stream in order to be able to do this. Fingerprinting port 80 exploit strings just requires you to read the http logs...

While fingerprinting an OS is certainly a useful thing, we shouldn't confuse it with a fingerpinting and profiling effort aimed at categorizing and identifying buffer overrun and similar exploits aimed at web servers. Automated run-time detection of these attempts can lead to faster detection and elimination of threats. In addition, this is a passive measure, whereas nmap is an active measure.

Fingerprinting, CGI & Web Security

[Slipped_Disk]

I think there is some value to this article for new admins - it highlights most of the common things you will see in your log files if someone is poking at your site.

By the same token, most well-written CGIs will block these sorts of attacks (and hopefully if you are writing CGIs you will have enough knowledge (and common sense) to write them in a reasonably secure manner).

At the least it's worth a quick five-minute scan.

Fingerprint Database

[helleman]

I'd love to see a plugin for apache that allowed a central server fingerprint database for new exploits.

Every hour or so, a web server could access a central fingerprint server and download what the latest exploits look like. If a exploit comes in, the server could deny that IP, or drop those accesses without needing to know what the particular exploit is. A self maintaining web server via the web.

What do you think?

Re:Fingerprint Database

[Tenebrious1]

And, unbeknownst to you and thousands of others, the site that maintains the list has been hacked, and you are downloading empty lists that allow every exploit.

It's a good idea, but there's a problem when you create a central point of failure.

Re:Fingerprint Database

[b1t+r0t]

I'd love to see a plugin for apache that allowed a central server fingerprint database for new exploits.

Then we could couple it with my favorite idea for an Apache module: mod_labrea. This way any 'undesirable' HTTP exploit could be given a reverse DoS by keeping the connections alive and stalled for as long as possible.

Garbage requests

[spankfish]

What I personally like to do is create a good set of rules for detecting this kind of garbage requests and storing them in log files which are separate to my normal access_log and error_log... that way I don't have to wade through acres of crap while looking at my real visitors.

Yes, I know I could grep 'em out while viewing, but I think garbage should be kept in a separate place to the real visitors' log entries.

Re:Garbage requests

[Heem]

I think garbage should be kept in a separate place to the real visitors' log entries.

What i do, is setup virtual hosts on apache, with my domain name pointing at the real website, and my numeric IP pointed at just a blank page, and have them log to seperate files. Since MOST attacks come randomly via numeric IP, and MOST real users come in using the domain name.

Looks good and a TFTP/FTP Question.

[Embedded+Geek]

On first glance, this looks like a really nice piece of work, especially given the caveat (paraphrased) "this is not completely inclusive..." for the author.

I do have a question for my fellow slashdotters: Why does the author single out TFTP but not FTP? Does TFTP have inherrent weaknesses that would make it the file transfer protocol of choice for an attacker?

Re:Looks good and a TFTP/FTP Question.

[rodgerd]

TFTP has no authentication in the protocol, so the only ACLs you've got are network level ones from TCP wrappers.

All it requires is a misconfiguration on the TFTP server, and you'll be able to fetch and overwrite any file anywhere on the filesystem; I've seen this happen in the real world from time to time.

Snort

[Frums]

Hmm, Snort has signatures written for all of these =)

Not very interesting

[brettbender]

This paper includes very loose regex heuristics for requests that "might be" attacks. These may be interesting for anomaly detection, when coupled with an engine that records incidence rate (if you see an exponential surge in 'weird' requests, then maybe you're seeing a worm's infection growth curve ).

But the result of deploying these (say, matching for "%20" in a URI) as intrusion detection system rules would be a high false positive rate.

You would be better off looking at arachNIDS for rules that are more specific and less likely to drown you in alerts.

Partial solution for log trash

[wytcld]

Here's how to get part way there (in this case for Nimda). In httpd.conf:

SetEnvIf Request_URI "cmd\.exe" ATTACK
SetEnvIf Request_URI "root\.exe" ATTACK
CustomLog /www/logs/access_log common env=!ATTACK
CustomLog /www/logs/attack_log common env=ATTACK

<Location />
Order Allow,Deny
Allow from all
Deny from env=ATTACK
ErrorDocument 403 "
</Location>

And then optionally for individual bad directories:

<Location /scripts/>
Deny from all
ErrorDocument 403 "
</Location>

At this point requests for cgi.exe are not being logged in access_log but only attack_log (leave out the attack_log line if you don't want even that much). They'll still show in error_log (but with a shorter error statement). The ErrorDocument line instructs Apache to send back nothing and just drop the connection - not as nasty as a tar pit, but at least you don't waste outgoing bandwidth, generally tighter than incoming for a Webserver. Also, Apache doesn't waste any time checking the file system on these requests, since the rules preclude that.

Freshmeat.net is a good resource.

[GISboy]

Among the utilites mentioned like snort, no one has hit on the actual fingerprinting utilities out there like nmap, nbtscan and something like portsentry.

I forget off the top of my head if portsentry has scriptable events, if it does then the possibility of having a "guarddog" type box would be interesting.

For instance, if attack is detected portsentry and it does its thing by putting the offending adderss in /ect/hosts.deny and rereads hosts.deny and passes the address off to nmap or nbtscan to figure out what the box is running.

Nothing beats calling up an ISP and saying "you have a windows/linux/whatever box probing for webservers/mailservers/(insert service) and is attempting to execute a vulnerability of that service".

Nmap and Nbtscan are excellent utilities, but from using them and playing around, nmap is more of a discovery tool, nbtscan is more of a retalitory tool. Or, at the very least they both can be used as such.
I know from personal experience that nbtscan's default setting (normal, aggressive, insane) is enough to knock a box off of a network.
I scanned my cable modem...had to power down to get back up and knocked my boss off even with his knowledge...only a complete power down would bring the box back on the network.

If you can have a "honeypot" why not a "watchdog" box for computer security?
Has the "security/watchdog" been done before?

Re:Securing webservers

[b1t+r0t]

Also, you shouldn't let your webserver send any outgoing packets unless they are originating from port 80.

If you're really paranoid, you also shouldn't let your web server send any outgoing SYN packets from port 80. This will help prevent web-exploit worms like Code Red and Nimda from spreading.

Answers.

[mindstrm]

TFTP is udp based. Yes there are ports.
It runs on udp port 69.

And, you hit the nail on the head.. embedded systems.
tftp is 'trivial' so it can be used for bootstrapping systems. The protocol is as simple as it could possibly be (but not fast nor efficient network wise).
It was designed so it could be implemented with very little code in order to bootstrap systems.

Given that.. it really has no reason to be enabled at all in most modern systems.
The only uses I've used it for recently are:
booting diskless clients
cisco router configuration files
embeded systems work

What to do after attack?

[Tazzy531]

A lot of people here have been asking what people should do after they are attacked. Here is an article/guideline for procedures on recovering after an attack. These steps include information on saving logs, documenting everything that you do after the attack, the type of evidence needed to prosecute, and who to contact (FBI, local police, etc) But as always..the best policy is to secure the system so that attacks don't happen.