7. What do these other logs mean?
The following information helps interpret the meaning of events generated by logging
systems, not necessarily from a firewall. They might come from the service itself, intrusion
detection systems, or really smart firewalls.
7.1 What do the following DNS errors mean?
- Response from unexpected source
- A DNS server might report this when it receives an incoming response from a different IP
address than the one the corresponding request was sent to. There are several causes of this.
Remember that DNS servers will "recursively" send out queries when resolving names on behalf
of clients. Each outgoing request is given a unique transaction identifier, and the incoming
response carries the same transaction identifier. Therefore, if a server sends request
#45689 to server 192.0.2.131, but gets response #45689 back from server 192.0.2.3, it
triggers this alert.
The most common causes are proxying, caching, and dual-homed hosts. For example, the DNS
server might have two IP addresses: 192.0.2.131 and 192.0.2.3. The typical way of writing a
DNS server is to not bind the sockets to individual IP addresses. This means the DNS server
does not know which IP address the request was received on, nor does it tell the underlying
TCP/IP stack which IP address to use when sending the response. Therefore, when the DNS
server sends the response, the underlying stack uses one of the IP addresses more or less
at random (which can be the wrong one).
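As an added illustration (not code from the FAQ), here is the matching logic just described, replaying the #45689 case; the detector class and the alias map describing a dual-homed server are assumptions for the example.

```python
# Added example: flag a DNS response whose source address differs from the address the
# matching query (same transaction id) was sent to, as the FAQ describes.

class UnexpectedSourceDetector:
    def __init__(self, same_host=None):
        # same_host maps an address to the other addresses of the same dual-homed server
        # (constructed for the example), so a reply from its second interface is explained
        self.same_host = same_host or {}
        self.pending = {}   # txid -> address the query was sent to

    def query_sent(self, txid, dst):
        self.pending[txid] = dst

    def response_received(self, txid, src):
        expected = self.pending.pop(txid, None)
        if expected is None:
            return "no-matching-query"              # nothing outstanding with this txid
        if src == expected:
            return "ok"
        if src in self.same_host.get(expected, set()):
            return "dual-homed-server"              # same server, other interface
        return "response-from-unexpected-source"    # the alert the FAQ describes

def walk_through_faq_example(aliases=None):
    """Replay the FAQ's case: query #45689 to 192.0.2.131, reply from 192.0.2.3."""
    det = UnexpectedSourceDetector(aliases)
    det.query_sent(45689, "192.0.2.131")
    return det.response_received(45689, "192.0.2.3")

if __name__ == "__main__":
    print(walk_through_faq_example())                                # alert
    print(walk_through_faq_example({"192.0.2.131": {"192.0.2.3"}}))  # explained
```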
- Various errors with 127.0.0.1
- Some servers are misconfigured to map names to this address. On the other hand, it is also
a hacker technique to cause names within the hacker's domain to resolve to addresses within
a company (including localhost/127.0.0.1).
- Zone transfers (AXFR)
- A hacker is attempting to list all the DNS names within a domain. This is an attempt to
"map" your network. Managers should consider using split DNS (aka shadow domains), whereby
the public DNS contains only those records that must be accessed publicly, and a separate
(and distinct) DNS server is used for internal machines. Note that some of these requests
are fairly benign. If the transfers are coming from the IP addresses 128.9.160.57 and
198.32.4.13, you might want to let them through; see
http://www.isi.edu/~bmanning/in-addr-audit.html.
7.2 What do the following URLs mean in weblogs?
A lot of these pop up in logs as "404 Not Found" errors:
- favicon.ico
- In MSIE5 (Microsoft Internet Explorer v5.0), when a user adds a link to his/her
"Favorites" (Bookmarks) or drags the link to the desktop, the browser attempts
to retrieve an icon for it. It first searches in the same directory as the file being
linked to, then walks up the directory structure until it hits the root. A lot of sites
(example: Yahoo!) now supply icons for their sites.
- robots.txt
- Whenever a search engine (like AltaVista, Infoseek, Excite, etc.) attempts to index your
site, it will first get the file "/robots.txt". If you don't want parts of your
website indexed, you can put rules here. On the other hand, hackers will sometimes grab
this file as well on the assumption that if you tell a search engine not to index some
directories, they might be something interesting to look at. Indeed, some network managers
believe that putting directories in "robots.txt" hides them, when in reality it
exposes them more.
- URLs beginning with http://
- People occasionally see the following type of line in their webserver log:
14:03:00 192.0.2.243 GET /index.html - 200 Mozilla/4.0 - -
14:03:03 192.0.2.243 GET http://www.example.com/ - 200 - - -
The first is a normal line, but what is that complete URL starting with "http://"? This is
an attempt to see if the machine supports proxying. This is how pretty much all HTTP
proxies work -- they receive a complete URL, then fetch that URL for the user. See section
5.3 for more info.
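As an added example (not from the FAQ), a small classifier for log lines of the shape shown above, picking out the three URL patterns this section discusses; the first two sample lines are the FAQ's own, the third is constructed.

```python
# Added example: label web log lines of the form "time client method uri - status agent - -"
LOG_LINES = """14:03:00 192.0.2.243 GET /index.html - 200 Mozilla/4.0 - -
14:03:03 192.0.2.243 GET http://www.example.com/ - 200 - - -
14:03:09 192.0.2.77 GET /robots.txt - 404 Scooter/2.0 - -"""   # third line constructed

def classify_request(line):
    """Return (client, uri, label) for one log line of the above shape."""
    fields = line.split()
    client, uri = fields[1], fields[3]
    lower = uri.lower()
    if lower.startswith(("http://", "https://")):
        label = "proxy-probe"      # absolute URL: checking whether we act as a proxy
    elif lower.endswith("/robots.txt"):
        label = "robots-txt"       # a crawler, or someone reading the exclusion list
    elif lower.endswith("/favicon.ico"):
        label = "favicon"          # browser looking for a bookmark icon
    else:
        label = "normal"
    return client, uri, label

def proxy_probe_clients(text):
    """Clients that sent at least one absolute-URL request, for follow-up in the logs."""
    labelled = (classify_request(l) for l in text.splitlines() if l.strip())
    return sorted({client for client, _, label in labelled if label == "proxy-probe"})

if __name__ == "__main__":
    for line in LOG_LINES.splitlines():
        print(classify_request(line))
    print(proxy_probe_clients(LOG_LINES))
```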
7.3 What do the following mean in my RPC portmapper logs?
Clients look up an RPC program in portmapper/rpcbind in order to find out which port number
the service runs on. A hacker will either dump all the listings (using rpcinfo -p <host>) or
look up the mapping (using getport) for the particular RPC program he/she wants to exploit.
As always, these attempts are usually from scans against thousands/millions of machines
rather than against you in particular. Every few months, a new exploit script is published
for Linux or Solaris services, and script kiddies start scanning the Internet for that
service. Most of the vulnerabilities in the services listed are buffer overflows.
Note that on Sun Solaris machines, these services usually have port numbers in the range
starting at port 32770. Many other times, RPC services will have ports below 1024, on the
assumption that it provides a little better security because
More info on RPC can be found in RFC 1833.
7.3.1 What do the following RPC portmapper commands mean?
The portmapper service has six commands (numbered 0-5).

| Number | Command | Meaning |
|---|---|---|
| 0 | NULL | This is a "ping" style command -- it just verifies that the service is running. You almost never see these. |
| 1 | SET | If you see this go across the wire, then it is an intrusion attempt. This should be used only internally as RPC-based programs register themselves with portmapper. |
| 2 | UNSET | If you see this go across the wire, then it is an intrusion attempt. This should be used only internally as RPC-based programs unregister themselves with portmapper. It is sometimes used as a DoS attack in order to kill your services. Such attacks are frequently spoofed. |
| 3 | GETPORT | This is the normal use of portmapper that you should see 99.9% of the time going across the wire. An external client looks up the corresponding port number for the desired service. When reviewing logs, if you see requests to strange services, you can look up the program number in the table below. |
| 4 | DUMP | This dumps all the mappings in the portmapper database. The UNIX command "rpcinfo -p" carries out this command. This is a common reconnaissance technique for hackers. |
| 5 | CALLIT | This may be an attempt to compromise the system. The callit feature was created for RPC broadcasts. Because a desired service runs on different ports on different systems, one cannot simply broadcast to it. Therefore, portmapper will accept incoming broadcasts on port 111, then forward them to the appropriate program. However, even some protocols that don't support broadcasts can be compromised by sending the requests through this service. |
7.3.2 What do the following RPC program numbers mean?
An RPC program number is assigned by Sun (rpc@sun.com). I've put an asterisk * next to
the ones that have been seen to use the callit feature.

| Number | Service | Description |
|---|---|---|
| 100001 | rstatd | Allows CPU, network traffic, and disk statistics to be remotely monitored. Hackers may use this as part of recon. |
| 100002 | rusersd | Lists the users on a machine, which reveals lots of info to hackers. |
| 100005 | NFS mountd | In late 1998, the RedHat Linux distribution contained a buffer overflow bug in the mountd service running at port 635. The popularity of RedHat and the fact that the service ran at a common port number resulted in popularity among hackers. Not only did hackers scour the Internet for such machines, but a worm was created to spread via this service. [CA-98.12] |
| 100008 | walld * | The program walld sends messages to users from the system administrator (such as notifying them the system is about to be rebooted, so they had better save their work). Messages are frequently sent via callit broadcasts. |
| 100068 | rpc.cmsd | Solaris Calendar Messaging Service. In the middle of 1999, a buffer overflow was found in this service. Immediately after this discovery, hackers started doing extensive scans for this service, resulting in thousands of hacks against web sites using Solaris. [CA-99-08] |
| 100083 | ToolTalk | ToolTalk (rpc.ttdbserverd) [CA-98.11] |
| 100232 | rpc.sadmind | Sun Solstice AdminSuite, installed by default on Solaris systems 2.5 and above (2.4 and below installed a similar service called rpc.admind). [CA-99-16] |
| 300019 | rpc.amd | Linux Automounter. In late 1999, a buffer overflow bug was found in the logging service. While any code based upon the original BSD sources is vulnerable, hackers are probably scanning for the Linux implementation included in many distros. [CA-99-12] |
| 300055 | unixware * | I'm not sure what this service is, but UnixWare sends callit broadcasts across this program number. |
| 300214 | FrameMaker * | This number has been assigned to FrameMaker for UNIX. You can download an evaluation copy of this program at: http://www.adobe.com/support/downloads/fmunix.htm. Apparently, the license manager supports callit broadcasts. This license manager supports a "roving" license whereby many people can have it installed, but only a few can use the product. |
| 390109 | nsrstat * | Legato NetWorker Server Remote Status. This is a backup service (also OEMed as Solstice Backup). Status updates are broadcast via callit. |
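As an added example serving both 7.3.1 and 7.3.2 (not code from the FAQ), a decoder for an ONC RPC CALL to portmapper (RFC 1831/1833 wire format) that names the procedure and, for GETPORT/SET/UNSET/CALLIT, the program being asked about, using the two tables above; the two sample messages, the AUTH_NULL credentials and the version/protocol values in them are constructed.

```python
import struct

# Portmapper (program 100000) procedures from the table in 7.3.1
PMAP_PROCS = {0: "NULL", 1: "SET", 2: "UNSET", 3: "GETPORT", 4: "DUMP", 5: "CALLIT"}
# Subset of the program numbers listed in 7.3.2
PROGRAMS = {100001: "rstatd", 100002: "rusersd", 100005: "mountd", 100008: "walld",
            100068: "rpc.cmsd", 100083: "ToolTalk", 100232: "rpc.sadmind", 300019: "rpc.amd"}
# Procedures the FAQ says should not normally be seen coming from outside
NOT_EXPECTED_FROM_OUTSIDE = {"SET", "UNSET", "DUMP", "CALLIT"}

def _u32(buf, off):
    return struct.unpack_from("!I", buf, off)[0], off + 4

def _skip_opaque_auth(buf, off):
    # opaque_auth = flavor (u32) + body length (u32) + body padded to a 4-byte boundary
    _flavor, off = _u32(buf, off)
    length, off = _u32(buf, off)
    return off + ((length + 3) & ~3)

def parse_portmap_call(buf):
    """Decode an ONC RPC v2 CALL to portmapper and summarise it for log review."""
    xid, off = _u32(buf, 0)
    msg_type, off = _u32(buf, off)
    rpcvers, off = _u32(buf, off)
    prog, off = _u32(buf, off)
    _vers, off = _u32(buf, off)
    proc, off = _u32(buf, off)
    if msg_type != 0 or rpcvers != 2 or prog != 100000:
        raise ValueError("not an RPC v2 CALL to portmapper")
    off = _skip_opaque_auth(buf, off)   # credentials
    off = _skip_opaque_auth(buf, off)   # verifier
    name = PMAP_PROCS.get(proc, "UNKNOWN")
    info = {"xid": xid, "proc": name, "flag": name in NOT_EXPECTED_FROM_OUTSIDE}
    if name in ("SET", "UNSET", "GETPORT", "CALLIT"):
        # SET/UNSET/GETPORT carry a mapping {prog, vers, prot, port}; CALLIT starts with prog
        target, off = _u32(buf, off)
        info["target"] = target
        info["target_name"] = PROGRAMS.get(target, "unknown")
    return info

def build_call(xid, proc, args=b""):
    """Constructed sample CALL: RPC v2, program 100000 v2, AUTH_NULL cred and verf."""
    header = struct.pack("!IIIIII", xid, 0, 2, 100000, 2, proc)
    auth_null = struct.pack("!II", 0, 0) * 2
    return header + auth_null + args

# Constructed samples: a GETPORT asking for rpc.sadmind over UDP, and a DUMP (what rpcinfo -p sends)
GETPORT_SAMPLE = build_call(0x1234, 3, struct.pack("!IIII", 100232, 10, 17, 0))
DUMP_SAMPLE = build_call(0x1235, 4)
```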
7.4 What do the following mean in my SMTP (e-mail) logs?
While not your classic packet filtering firewall, SMTP (e-mail) servers are important
gateways between the outside world and your internal network. They should be considered
along the same lines as your firewall.
7.4.1 What is this message about "relay" attempts?
A relay is where somebody sends your e-mail server mail that is not destined for anybody
you serve e-mail for. For example, I might connect to your e-mail server and attempt to
send mail to "test@example.com". Your e-mail server should not accept the e-mail
("relay not allowed"). Your e-mail server should only accept incoming e-mail to
your users (or outgoing e-mail from your users). The problem is that many
administrators simply install servers without taking these simple precautions. Spammers
take advantage of this fact. They give a single e-mail to the mail server and a recipient
list containing hundreds of unrelated recipients. This allows them to send huge quantities
of e-mail using a slow dialup connection. This is important because once the ISPs get
enough complaints, they will terminate the user's account, so they must continually get new
dialup connections. It also has the effect of partially hiding the true source of the
spam.
If you get error messages about relaying, that is a good thing: you've configured your
server correctly. If you don't get such messages, this is a bad thing. It means that you
are probably not rejecting relayed messages. Has your server seemed slow lately?
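As an added example (not from the FAQ), the accept/reject rule described above applied per RCPT TO, run over a constructed spam-style envelope; example.org as the only locally served domain and the client-is-local flag are assumptions.

```python
# Added example: the relay rule from the text, one decision per recipient
LOCAL_DOMAINS = {"example.org"}   # constructed: the only domain this server serves mail for

def rcpt_decision(recipient, client_is_local):
    """Accept mail to our users, or from our own network; anything else is a relay."""
    domain = recipient.rpartition("@")[2].lower()
    if domain in LOCAL_DOMAINS:
        return "250 OK"                    # inbound to a user we serve
    if client_is_local:
        return "250 OK"                    # outbound from our own users
    return "550 relay not allowed"         # outsider to outsider: the log line the FAQ means

def process_envelope(recipients, client_is_local):
    """One message with many recipients: count what would be accepted vs. rejected."""
    counts = {"accepted": 0, "rejected": 0}
    for rcpt in recipients:
        reply = rcpt_decision(rcpt, client_is_local)
        counts["accepted" if reply.startswith("250") else "rejected"] += 1
    return counts

# Constructed envelope from an outside host: one local user plus unrelated outside recipients
SAMPLE_RCPTS = ["alice@example.org", "test@example.com", "bob@example.net"]

if __name__ == "__main__":
    for rcpt in SAMPLE_RCPTS:
        print(rcpt, "->", rcpt_decision(rcpt, client_is_local=False))
    print(process_envelope(SAMPLE_RCPTS, client_is_local=False))
```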
Not only do spammers hunt for open relays, anti-spam organizations do the same in an
attempt to "blacklist" open relays. Some of the good guys are:
- IMC
- The Internet Mail Consortium reports that in 1999, roughly 17% of e-mail systems had
open relays.
- MAPS RBL
- The MAPS RBL (Realtime Blackhole List) allows you to configure your e-mail server to
blackball known open relays that send out bulk spam. It is used by a huge percentage of
e-mail servers on the Internet.
- ORBS
- Scans the Internet looking for open relays. ORBS uses relay tests from New Zealand (e.g.
manawatu.co.nz).
Not only do you receive relay attempts from spammers, you also get attempts from
anti-spam organizations. There are several organizations that regularly scan the Internet
looking for open relays. The most common is from "manawatu.co.nz"; don't get too
upset -- they
7.4.2 What are these messages about rejected EXPN and VRFY attempts?
The "expand" and "verify" commands will expand mailing lists or verify
user names (respectively). If you do the command "VRFY root", you might be
able to find out the postmaster's e-mail address. This is a good reconnaissance technique.
By doing a "VRFY decode" or "VRFY uudecode", you might be able to
find out some security holes in the system related to these subsystems. Other commonly
scanned user names are "bbs", "lp", "demo", "guest", and "debug".
Some systems have buffer overflows in this command, either in the command itself or in
the logging system behind the command. You might see entries for very long strings like
"xxxxxxxxxxxxxxxxxxxxxxxx".
If you see a bunch of these in a row, you are probably being scanned by a vulnerability
scanner (ISS/CyberCop/Nessus). They will generate a bunch of other junk in your logs as
well.
7.5 What are these identd/auth messages?
The UNIX identd service identifies which of the logged-on users owns a
particular TCP connection.
7.5.1 What does "No Ident response" mean?
Some IRC servers spit this out. It means that the ident service at port 113 isn't
available. Either the firewall is blocking it or it isn't running. Most IRC clients come
with an ident service.