OVH Community, your new community space.

Exploit scans from OVH boxes


zemon
20-07-2010, 21:31
If you use iptables you can block these scans with this rule, replace 192.168.100.1 with your server IP

iptables -I INPUT -d 192.168.100.1 -p tcp --dport 80 -m string --to 70 \
--algo bm --string 'GET /w00tw00t.at.ISC.SANS.' -j DROP

Myatu
17-07-2010, 12:56
Quote Originally Posted by Winit
Reporting it to the abuse address is one thing but creating a thread about it on the forum is futile. We've seen countless threads similar to yours. People use weak passwords. They get hacked. People run vulnerable software/operating systems. They get hacked. It's never going to end.
Indeed, it isn't the first time I've seen this, but for someone else it might be.

Forum posts get buried over time, people are at times reluctant or don't know how to use the search option, etc. So I think it's actually a good thing that someone brings it up [again] and brings attention to security issues.

At the same time, someone might have something new to share on how to block this or secure the server when topics like these get re-raised, which might not have been the case last time.

When it comes to security, I'd say: ask away and don't care if it's been asked before. I'd rather have your server secure, to aid safeguarding mine...

Winit
17-07-2010, 12:44
Quote Originally Posted by Rilly
Protecting the box is one step.. i still think people need to report them and get them out of the major datacentres.. If this was one of my servers and I didn't know it was doing it, i would be appreciative that someone reported it.
Reporting it to the abuse address is one thing but creating a thread about it on the forum is futile. We've seen countless threads similar to yours. People use weak passwords. They get hacked. People run vulnerable software/operating systems. They get hacked. It's never going to end.

Rilly
16-07-2010, 21:21
Quote Originally Posted by Winit
Welcome to the Internet. Go read up on protecting a box.
Protecting the box is one step.. i still think people need to report them and get them out of the major datacentres.. If this was one of my servers and I didn't know it was doing it, i would be appreciative that someone reported it.

LawsHosting
16-07-2010, 21:01
Quote Originally Posted by Winit
Welcome to the Internet. Go read up on protecting a box.
By default, you can't even filter the requests at Apache mod_rewrite level because of the at the end...

People can try this way.

Winit
16-07-2010, 20:34
Welcome to the Internet. Go read up on protecting a box.

LawsHosting
16-07-2010, 16:07
http://isc.sans.edu/diary.html?storyid=900
http://www.techsoar.com/w00tw00t-at-...d-apache-logs/


Been going for years

brgroup
16-07-2010, 15:49
Maybe try using Fail2ban or SNORT to drop the connections.

secure26
16-07-2010, 15:21
This action in our logs isnt normal at all, well maybe ovh can explain this to us

zydron
16-07-2010, 15:16
nope, because I see those also in the logs of my homeserver

and I know for sure, that my homeserver isn't connected directly with OVH

secure26
16-07-2010, 15:04
I also get this in my logs, its a tool called dfind i beleive, seems strange that all servers iv ever had from ovh/kimsufi get this, as soon as i setup apache on a new server install i get this in my logs, very strange maybe its something to do with ovh/kimsufi

freshwire
16-07-2010, 02:15
These ones seem to be so common. I just ignore them now.

Rilly
16-07-2010, 01:34
Guess i'm more paranoid.. (was hacked already once)

zydron
16-07-2010, 01:18
well I receive them also on my homeserver

nothing special, just ignore and filter it out the logs.

Rilly
16-07-2010, 00:44
I'm finding lots of entries in my access.log like this on my OVH server..

[15/Jul/2010:16:02:37 +0200] "GET /w00tw00t.at.ISC.SANS.DFind HTTP/1.1" 400 349 "-" "-"
From OVH servers... I've submitted to abuse@ovh.net, but curious if others have been seeing the same thing?

This is an exploit scan attempt to gain root access according to my googling

Rilly

note: wasn't just OVH boxes though i found the scans from