#74737 - 25/02/2002 10:50
HTTP Probe locks up Empeg
addict
Registered: 14/01/2002
Posts: 443
Loc: Raleigh, NC
Just a warning, don't leave your empeg exposed to the world on port 80. I saw several requests in the serial output for cmd.exe and other programs that were apparently exploits for IIS (big surprise). I saw a couple of control characters in the path that was requested, which were incrementing, and eventually locked the empeg up.
I normally don't have anything up on port 80 as I've got cable modem service, but was showing the new XML stuff to a friend and noticed this happening. I've got a router/firewall, so I normally never notice any traffic..
Unfortunately, by the time I got a packet sniffer working, they had apparently moved on, so I couldn't get the exact request. The path requested was something like 'path\path\...<control character>...\system32\cmd.exe' or something.. sorry for not having any more details..
#74738 - 25/02/2002 11:01
Re: HTTP Probe locks up Empeg
[Re: Yang]
carpal tunnel
Registered: 29/08/2000
Posts: 14496
Loc: Canada
Probably overflowed a buffer or something in khttpd.
The code checks most buffer sizes, but definitely has shortcuts here and there which could be exploited (and which I'm not really going to worry about here).
Cheers
#74739 - 25/02/2002 11:18
Re: HTTP Probe locks up Empeg
[Re: Yang]
carpal tunnel
Registered: 20/12/1999
Posts: 31600
Loc: Seattle, WA
If you ever run the product "Black Ice Defender" on any publicly-exposed PC, you will be AMAZED at how frequently there are attacks against IP addresses. IP exploit attacks are a constant, unyielding barrage against anything that responds to pings that is exposed on the public internet.
For those who haven't tried Black Ice Defender, I highly recommend checking it out. It's a very cool product. It will identify anyone attempting to attack you, identify the type of attack, block the attack, and link you to a detailed description of the type of attack.
#74740 - 25/02/2002 11:20
Re: HTTP Probe locks up Empeg
[Re: mlord]
member
Registered: 19/12/2001
Posts: 108
Thing is, those requests were probably made from some machine where the operator doesn't even know they were being made. Once a machine is infected with certain of those viri, they become zombies and look for other machines to infect. I get requests for cmd.exe on my cable modem web server all the time. It's fruitless, as I've long ago patched IIS, but they keep coming.
Chris
#74741 - 25/02/2002 11:28
Re: HTTP Probe locks up Empeg
[Re: crocklobster]
carpal tunnel
Registered: 23/08/2000
Posts: 3826
Loc: SLC, UT, USA
My Red Hat web server (logjamming.com) gets nailed CONSTANTLY with attempted IIS exploits like what you guys are describing. Seems to be some left over Code Red variants that infected unknowing people's computers, and they are used as bounce points for exploit attacks. We've tracked the attacking hosts down at least 5 times to find it was some guy at a university or business who had no idea his machine was infected. Incredibly annoying.
#74742 - 25/02/2002 11:29
Re: HTTP Probe locks up Empeg
[Re: crocklobster]
carpal tunnel
Registered: 20/12/1999
Posts: 31600
Loc: Seattle, WA
Right, I forgot to mention that. Most of the attacks are the result of web-aware viruses which attempt to auto-exploit known bugs in web server software. We're still seeing Nimda and Code Red attempts against our server on a constant basis. This means that each of those attacking sites is infected with the virus and the machine operator doesn't know they are infected.
#74743 - 25/02/2002 11:58
Re: HTTP Probe locks up Empeg
[Re: tfabris]
carpal tunnel
Registered: 05/01/2001
Posts: 4903
Loc: Detroit, MI USA
Wouldn't these infected computers be nearly crippled? All of our machines that got hit were bricks (with Nimda).
_________________________
Brad B.
#74744 - 25/02/2002 12:02
Re: HTTP Probe locks up Empeg
[Re: SE_Sport_Driver]
carpal tunnel
Registered: 20/12/1999
Posts: 31600
Loc: Seattle, WA
True, the infected machines do run slow, and the network traffic is impacted by these viruses. However, if the administrators aren't paying attention to that particular machine or the network is choked to begin with, they might not notice right away.
#74745 - 25/02/2002 12:12
Re: HTTP Probe locks up Empeg
[Re: tfabris]
enthusiast
Registered: 10/10/2000
Posts: 350
Loc: Copenhagen SW, Denmark
I go through my web-logs every week and send emails to abuse@xxx. I also send abuse reports every time I receive spam. (I have an automated process.)
Marius (Escort Cab + Mark II)
#74746 - 25/02/2002 12:16
Re: HTTP Probe locks up Empeg
[Re: jane]
carpal tunnel
Registered: 05/01/2001
Posts: 4903
Loc: Detroit, MI USA
This is getting off topic JUST a touch, but have you guys seen the reports that many ISPs are blocking all incoming mail from Asian ISPs because the great percentage of it is spam... someone commented that these actions are doing a better job at denying the Chinese public access to the internet than the Chinese government did! :O
_________________________
Brad B.
#74747 - 25/02/2002 12:20
Re: HTTP Probe locks up Empeg
[Re: SE_Sport_Driver]
addict
Registered: 14/01/2002
Posts: 443
Loc: Raleigh, NC
someone commented that these actions are doing a better job at denying the Chinese public access to the internet than the Chinese government did!
That would be true, if the internet only consisted of email.
#74748 - 25/02/2002 13:22
Re: HTTP Probe locks up Empeg
[Re: tfabris]
addict
Registered: 09/06/1999
Posts: 483
Loc: Guernsey
I use an old Linux box running a minimal setup and "hardened" by Bastille as a firewall. I wouldn't trust a Windows box directly connected to the Internet, no matter what was running on it...
The number of port scans I get is scary (and I don't have broadband, I'm stuck on a dialup).
_________________________
Jazz
(List 112, Mk2 42 gig #40. Mk1 4 gig #30. Mk3 1.6 16v)
#74749 - 25/02/2002 16:01
Re: HTTP Probe locks up Empeg
[Re: Yang]
pooh-bah
Registered: 16/06/2000
Posts: 1682
Loc: Greenhills, Ohio
I just posted in the technical section that mine has locked up 4 times in the last 15 minutes. Now I know why, as I am getting hit with this probe. Here is my HyperTerminal output.
khttpd: listening on port 80
kftpd: listening on port 21
Using non-standard cache size 126 (adjustment 8)
player.cpp : 385:empeg-car 2.00-beta11 2002/02/08.
Loading dancefile: "/empeg/lib/visuals/bevisdance.raw"
Loading dancefile: "/empeg/lib/visuals/ymcadance.raw"
Loading dancefile: "/empeg/lib/visuals/poledance.raw"
Prolux 4 empeg car - 2.1434 Feb 7 2002
Vcb: 0x407ed000
khttpd: open(/scripts/root.exe) failed, rc=-2
khttpd: open(/MSADC/root.exe) failed, rc=-2
khttpd: open(/c/winnt/system32/cmd.exe) failed, rc=-2
khttpd: open(/d/winnt/system32/cmd.exe) failed, rc=-2
khttpd: open(/scripts/..%5c../winnt/system32/cmd.exe) failed, rc=-2
khttpd: open(/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe) failed, rc=-2
khttpd: open(/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe) failed, rc=-2
khttpd: open(/msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe) failed, rc=-2
khttpd: open(/scripts/..Á../winnt/system32/cmd.exe) failed, rc=-2
khttpd: open(/scripts/..À/../winnt/system32/cmd.exe) failed, rc=-2
khttpd: open(/scripts/..À¯../winnt/system32/cmd.exe) failed, rc=-2
khttpd: open(/scripts/..Áœ../winnt/system32/cmd.exe) failed, rc=-2
So how do I go about blocking this port?
_________________________
Laura
MKI #017/90
whatever
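As an added example (not code from the thread or from the empeg project), here is a small Python scanner that reads khttpd serial output like the log above, re-joins lines the terminal wrapped at 80 columns, and flags the IIS worm probe patterns visible in it: cmd.exe/root.exe targets, the %5c URL-encoded backslash, the overlong UTF-8 bytes that appear as À/Á in the paste, and bare control characters like the ones the first post noticed. The sample log lines are constructed from the ones pasted above; the signature names are my own.

```python
from __future__ import annotations
import re

# Constructed sample modelled on the khttpd lines pasted above: the Nimda-style
# overlong UTF-8 bytes (%c0%af) appear as a Latin-1 terminal showed them, and one
# line is wrapped at 80 columns the way HyperTerminal wrapped it.
SAMPLE_LOG = """\
khttpd: listening on port 80
kftpd: listening on port 21
khttpd: open(/scripts/root.exe) failed, rc=-2
khttpd: open(/c/winnt/system32/cmd.exe) failed, rc=-2
khttpd: open(/scripts/..%5c../winnt/system32/cmd.exe) failed, rc=-2
khttpd: open(/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe) failed, r
c=-2
khttpd: open(/scripts/..\xc0\xaf../winnt/system32/cmd.exe) failed, rc=-2
khttpd: open(/empeg/var/config.ini) failed, rc=-2
"""
OPEN_RE = re.compile(r"^khttpd: open\((?P<path>.*)\) failed, rc=(?P<rc>-?\d+)$")

def unwrap(text: str) -> list[str]:
    # Re-join open() lines that the terminal wrapped mid-line.
    out: list[str] = []
    for line in text.splitlines():
        if out and out[-1].startswith("khttpd: open(") and not OPEN_RE.match(out[-1]):
            out[-1] += line  # previous line was cut short: glue the rest on
        else:
            out.append(line)
    return out

def classify(path: str) -> list[str]:
    # Return the IIS-worm signatures a requested path matches (empty = benign).
    low, reasons = path.lower(), []
    if low.endswith(("/cmd.exe", "/root.exe")):
        reasons.append("iis-command-shell")
    if "..%5c" in low or "..\\" in low:  # %5c is a URL-encoded backslash
        reasons.append("encoded-backslash-traversal")
    if re.search(r"\.\.[\xc0\xc1]", path) or re.search(r"\.\.%c[01]%[0-9a-f]{2}", low):
        reasons.append("overlong-utf8-traversal")  # raw bytes or still percent-encoded
    if any(ord(c) < 0x20 for c in path):
        reasons.append("control-char-in-path")  # what the first post noticed
    return reasons

def scan(text: str) -> list[tuple[str, list[str]]]:
    # Pick out (path, reasons) for every probe request in a khttpd serial log.
    probes = []
    for line in unwrap(text):
        m = OPEN_RE.match(line)
        if m and (reasons := classify(m["path"])):
            probes.append((m["path"], reasons))
    return probes
```

Running `scan(SAMPLE_LOG)` flags five of the six open() lines and leaves the ordinary config.ini request alone; the same function can be fed a captured serial log to see how much of the traffic is worm noise.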
#74750 - 25/02/2002 16:05
Re: HTTP Probe locks up Empeg
[Re: Laura]
carpal tunnel
Registered: 20/12/1999
Posts: 31600
Loc: Seattle, WA
As I said in the other forum, the empeg is the least of your worries. You need to seriously check the computers on this local network for infection.
I don't know if this is happening at your home or at your work. If it's at your work, you need to talk to your network administrator and tell them that there are infected machines trying to infect other machines. If it's at home, you DESPERATELY need a NAT-and-firewall router sitting between your local LAN and the rest of the internet. I recommend the Linksys BEFSR41 or BEFSR11.
#74751 - 25/02/2002 16:08
Re: HTTP Probe locks up Empeg
[Re: tfabris]
carpal tunnel
Registered: 05/01/2001
Posts: 4903
Loc: Detroit, MI USA
Tony, would something like that work for DirecPC? They always mention Cable/DSL but I assume they mean all broadband?
_________________________
Brad B.
#74752 - 25/02/2002 16:12
Re: HTTP Probe locks up Empeg
[Re: SE_Sport_Driver]
carpal tunnel
Registered: 20/12/1999
Posts: 31600
Loc: Seattle, WA
Tony, would something like that work for DirecPC?
I do not know how DirecPC is set up. But if it's a standalone box that's got an ethernet port that connects to the rest of the network (as opposed to being a card in a PC), then any NAT/router/firewall box will work.
#74753 - 25/02/2002 16:37
Re: HTTP Probe locks up Empeg
[Re: tfabris]
carpal tunnel
Registered: 05/01/2001
Posts: 4903
Loc: Detroit, MI USA
No... it is two modems (one for send, one for receive) connected to the computer via USB....
_________________________
Brad B.
#74755 - 25/02/2002 17:16
Re: HTTP Probe locks up Empeg
[Re: tfabris]
carpal tunnel
Registered: 29/08/2000
Posts: 14496
Loc: Canada
Pass on the Linksys -- go for NetGear instead.
Apparently at least a few ISPs have issues with the LinkSys boxes sending "short" (illegal) ethernet packets when using PPPoE connections.
Cheers
#74756 - 25/02/2002 17:20
Re: HTTP Probe locks up Empeg
[Re: mlord]
carpal tunnel
Registered: 20/12/1999
Posts: 31600
Loc: Seattle, WA
Even with the latest firmware updates for the Linksys boxes? They've been pretty good about fixing those sorts of things in the BEFSR firmware updates.
I agree that the Netgear products are good too. In fact, in Laura's situation, -ANY- nat/firewall would be better than nothing.
#74757 - 25/02/2002 17:27
Re: HTTP Probe locks up Empeg
[Re: mlord]
journeyman
Registered: 20/02/2002
Posts: 58
Loc: Bucks, UK.
I think that some dealers are still doing a special offer on the Netgear MR314 4-port "switch/NAT gateway router/802.11b wireless AP" at the moment. Perfect for in-garage syncs.
DABS are doing it for about £160. I think that they are selling it in the US for about $180.
(if you dared leaving it in the garage)
Oli.
#74758 - 25/02/2002 17:29
Re: HTTP Probe locks up Empeg
[Re: Oli]
carpal tunnel
Registered: 20/12/1999
Posts: 31600
Loc: Seattle, WA
I think that the Linksys box can be had for under $100.00... Actually I could have sworn I'd seen them for under $50.00 once...
#74759 - 25/02/2002 17:29
Re: HTTP Probe locks up Empeg
[Re: Oli]
carpal tunnel
Registered: 29/08/2000
Posts: 14496
Loc: Canada
Ingram Micro lists my price at C$258 right now, which translates to about US$163 or so. Neat.
#74760 - 25/02/2002 17:30
Re: HTTP Probe locks up Empeg
[Re: tfabris]
carpal tunnel
Registered: 05/01/2001
Posts: 4903
Loc: Detroit, MI USA
Tempting... I need a hub, and assume a router like this would be better? Hmmm
_________________________
Brad B.
#74761 - 25/02/2002 17:34
Re: HTTP Probe locks up Empeg
[Re: SE_Sport_Driver]
carpal tunnel
Registered: 20/12/1999
Posts: 31600
Loc: Seattle, WA
i need a hub, and assume a router like this would be better?
Remember that these NAT devices serve a different purpose than a hub. Some of them come with an integrated hub/switch (the Linksys BEFSR41 has four 10/100Mb switched ports, the BEFSR11 is a single port), but their real purpose is to protect your local network from a broadband connection while still allowing users inside the network access to the internet.
They include Network Address Translation (NAT) and a DHCP server, along with some firewall features.
But if you happen to need a 4-port hub at the same time as you need a firewall for your network, then you certainly can't go wrong with one of these products.
#74762 - 25/02/2002 18:03
Re: HTTP Probe locks up Empeg
[Re: tfabris]
pooh-bah
Registered: 16/06/2000
Posts: 1682
Loc: Greenhills, Ohio
Ok, now it is getting complicated. I have a Cisco router for my ADSL and a 4-port Netgear hub, of which 3 ports are in use. If I get a Netgear firewall, will it plug into the hub then?
I knew my state income tax refund would get used up quickly.
_________________________
Laura
MKI #017/90
whatever
#74763 - 25/02/2002 18:08
Re: HTTP Probe locks up Empeg
[Re: Laura]
carpal tunnel
Registered: 29/08/2000
Posts: 14496
Loc: Canada
Do it the other way around.
Connect the NetGear firewall directly to the ADSL (Cisco), and plug the "regular" hub into the NetGear firewall. Use the hub's "uplink" port for connecting to the firewall, or use any other port in combination with a cross-over cable.
#74764 - 25/02/2002 18:09
Re: HTTP Probe locks up Empeg
[Re: Laura]
carpal tunnel
Registered: 20/12/1999
Posts: 31600
Loc: Seattle, WA
Interesting. A NAT/firewall would replace BOTH of those things in a single box. Then you could sell those two things on eBay.
I'm surprised that the Cisco router doesn't have NAT and firewall features available already. Maybe all you need to do is activate those features.
#74765 - 25/02/2002 18:10
Re: HTTP Probe locks up Empeg
[Re: mlord]
pooh-bah
Registered: 16/06/2000
Posts: 1682
Loc: Greenhills, Ohio
Ok, thank you. I'll start looking at prices on one.
_________________________
Laura
MKI #017/90
whatever
#74766 - 25/02/2002 18:13
Re: HTTP Probe locks up Empeg
[Re: tfabris]
pooh-bah
Registered: 16/06/2000
Posts: 1682
Loc: Greenhills, Ohio
I could check into that. I believe these routers are the cheapest that Cisco has, and I don't believe that the ADSL will work without it, but I could be wrong.
_________________________
Laura
MKI #017/90
whatever