• Apache and Port 80 hits?

    From Mike Luther@1:117/3001 to All on Thursday, October 25, 2001 03:02:26
    This is another example of what I think ought to be in this echo.

    If it is not I'll gladly post it elsewhere..

    OK, so I have Apache up and running for test purposes against an available Port 80 system. It's up for test on my temporarily chosen hardware box for my fixed address how-to-do-all-this learning.

    But gee. Courtesy of W32/Nimda.A, one of the ports I've had to consider dumping is Port 80. On this cable broadband system, I'm now being dosed with a more or less minimum of a Port 80 hammer probe every single minute of the day!

    During the research on the successful NETBIOS over TCP/IP (that we still do not really know was that, or pure NETBIOS with just Port 137/138 shifted to Port 139) and Nimda.A dumping tons of files on me, I also took a look at Port 80 scans, as well as Port 25, 26, and a bunch of others.

    I set up IJFIRE to drop these probe packets and log them so I could analyze the whambo profile. In my case, a minimum of about 130 discrete systems' octet addresses are whamming me a day. During new variant assaults, this number rises to about 4000 hits per day from over 250 different systems per my research here. My research indicates also that approximately 95% of the current attack profile is coming from my own IP provider's WAN, from different cities on it all over the USA, and these are allegedly Port 80 probes. Interesting.

    I can take rather large samples of the octets from the logs and look back at them with HOST. They will be reported back as not resolvable to a name. To me that suggests that these might be spoofed addresses. Some of them do come back as nameable .. to the various city-nets for this IP, which is the COX system, BTW. As earlier noted, a few come from outside COX. In both cases of the Port 139 NETBIOS infection runs, the packets were IPTRACED and IPFORMAT demonstrated them to have come from a box .. in my own city-net for the COX system. However, I never got to catch the perp at the onset of the infection with IPTRACE to get us a look at the magic cookie and so on. Tooling up to try and snare that with a spare box is both a thought to Lee Aroner's honeypot name for it .. or .. maybe to the box that hosts the new Apache test server, if I dare. I dunno yet.

    But more focally here for this echo ..

    What should be my OS2INST game plan for using APACHE, for a start? Consider that obviously, Port 80 has to be opened up and incoming packets cannot be dumped if I ever want to use an HTML server on my fixed address?

    Can someone begin the teaching process here on how to best use OS/2 for an INTERNET SERVER operation and minimize the risk from this new round of HTML server attacks? I really do not want my simple humble web page to receive a graceful JAVA snip appendage in it that goes off trying to do something it can't do in OS/2, but doesn't know that anyway!

    How do we best become Web Empresarios all here?

    And after we do that with APACHE, how does all this play out with the formal IBM offerings for same? I have a DEVCON subscription. Surely goodness and mercy will follow all those HUNDREDS of CD-ROM disks all the rest of my life somehow, no?

    ;)

    Thank you!


    Sleep well; OS/2's still awake! ;)

    Mike @ 1:117/3001



    --- Maximus/2 3.01
    * Origin: Ziplog Public Port (1:117/3001)
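    A small log-analysis script in the spirit of the probe profiling described above (an added example, not code from the original post or from IJFIRE): it assumes a constructed `DROP` line format and a placeholder provider netblock, counts hits and distinct source addresses per day for one port, reports what share of those sources sit inside your own provider's block, and flags days whose source count jumps above a normal baseline.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample lines in an assumed format: "<date> <time> DROP <src_ip> -> <dst_port>"
SAMPLE_LOG = """\
2001-10-24 00:01:10 DROP 24.10.5.7 -> 80
2001-10-24 00:02:15 DROP 24.10.5.7 -> 80
2001-10-24 00:03:40 DROP 24.11.9.2 -> 80
2001-10-24 00:04:02 DROP 203.0.113.9 -> 80
2001-10-24 00:05:30 DROP 24.10.5.7 -> 139
2001-10-25 00:00:09 DROP 24.12.1.1 -> 80
2001-10-25 00:01:12 DROP 24.12.1.2 -> 80
2001-10-25 00:02:33 DROP 24.12.1.3 -> 80
2001-10-25 00:03:44 DROP 198.51.100.4 -> 80
"""
# Placeholder for your own provider's WAN block (assumed value; substitute the real one).
OWN_PROVIDER_NETS = [ip_network("24.0.0.0/8")]

def parse_log(text):
    """Yield (date, src_ip, dst_port) for each well-formed DROP line; skip the rest."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[2] != "DROP" or parts[4] != "->":
            continue
        try:
            yield parts[0], ip_address(parts[3]), int(parts[5])
        except ValueError:
            continue  # unparsable address or port: ignore rather than crash

def port_profile(text, port=80, own_nets=OWN_PROVIDER_NETS):
    """Per day: total hits, distinct sources, and share of sources inside own_nets."""
    hits, sources = defaultdict(int), defaultdict(set)
    for day, src, dport in parse_log(text):
        if dport == port:
            hits[day] += 1
            sources[day].add(src)
    profile = {}
    for day in sorted(hits):
        inside = sum(1 for s in sources[day] if any(s in n for n in own_nets))
        profile[day] = {"hits": hits[day], "sources": len(sources[day]),
                        "own_provider_share": inside / len(sources[day])}
    return profile

def variant_alert_days(profile, baseline_sources, factor=3):
    """Days whose distinct-source count exceeds factor x the usual baseline."""
    return [d for d, p in profile.items() if p["sources"] > factor * baseline_sources]
```

Pointing `port_profile` at a real dropped-packet log only needs `parse_log` adapted to that log's line layout; the per-day counting and netblock check stay the same.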
  • From Mike Luther@1:117/3001 to Jonathan de Boyne Pollard on Sunday, October 28, 2001 01:55:34
    I also learned this, Jonathan,

    JdBP> They aren't necessarily spoofed. Many companies
    JdBP> simply don't bother setting up the IP address to
    JdBP> name mappings in the DNS. Others don't set them up
    JdBP> for privacy reasons.

    from the tracerte I did trying to figure out why it was taking me two minutes to load www.debka.com here. A tech and I were trying to figure out how in the blazes my NS 4.61 was taking down the whole neighborhood router to as much as four (4) second ping times when all I did was log on to it!

    It whams my CPU up to the peg, and apparently loads the neighborhood cable router up to the hilt at several points during the load of the site. Yet there is no traffic passing across the modem when this takes place.

    We both have a big question about this.

    One of the hops in the tracerte on it has a pure numeric octet address that will not translate to a name just after mae-w(est) becomes involved in the relationship!

    I'll take this question though to a new thread..


    Sleep well; OS/2's still awake! ;)

    Mike @ 1:117/3001

    --- Maximus/2 3.01
    * Origin: Ziplog Public Port (1:117/3001)