Tom Hudson::Logging Breakin Attempts

I got tired of seeing various entries in my server logs (people trying to run cmd.exe, exploit webdav vulnerabilities, etc.) so I wrote a bit of code that lets them know that I know what they're doing ...

When a would-be hacker tries to gain access, the Apache module mod_rewrite redirects him (it's always a guy) to a special page that does the following:

  1. logs the date, the hacker's IP address, his browser type, and the type of command he was trying to run;
  2. tells him that he's been caught;
  3. shows him a table of all the other "h4x0rs" that have been caught, along with their information.
My goal is several-fold:
  1. Get as many people as possible to deploy this, so we can add more rules to mod_rewrite
  2. After sufficient testing, add email capability (probably by using the Perl Mail module) to complain to the proper ISP for each hacking attempt (probably in a once-a-day format so as not to overwhelm them)
  3. Get the "st00p1d skr1ptz kidz" to smarten up.
So, here's what my mod_rewrite.conf file looks like: (if you download it, rename it to mod_rewrite.conf)
# author: tom hudson
# email:  tomhudson411@yahoo.com
# my rewrite rules to kill off probes
# original idea from tenor at macosxhints forum
# replace "REPLACE_WITH_YOUR_SERVERS_IP" with either your server's
# ip, or if you don't have a (semi)static ip,
# a dns alias from one of the free dns services
# (no-ip.com, afraid.org, dyndns.org)
#
# RedirectMatch comes from mod_alias; only the RewriteEngine line needs
# mod_rewrite.  Dots in the patterns are escaped so "cmd\.exe" matches the
# file name and not any character, and [\\/] matches a forward or a back
# slash as the path separator.  Each rule answers the probe with a 301 to
# goaway.php, so the probe is only logged there if the scanner follows
# the redirect (Apache's own access_log still records the original URL).

RewriteEngine on
RedirectMatch permanent (.*)command\.com(.*)$ "http://REPLACE_WITH_YOUR_SERVERS_IP/goaway.php?cmd=command.com"
RedirectMatch permanent (.*)COMMAND\.COM(.*)$ "http://REPLACE_WITH_YOUR_SERVERS_IP/goaway.php?cmd=command.com"
RedirectMatch permanent (.*)command\.exe(.*)$ "http://REPLACE_WITH_YOUR_SERVERS_IP/goaway.php?cmd=command.exe"
RedirectMatch permanent (.*)COMMAND\.EXE(.*)$ "http://REPLACE_WITH_YOUR_SERVERS_IP/goaway.php?cmd=command.exe"
RedirectMatch permanent (.*)cmd\.exe(.*)$ "http://REPLACE_WITH_YOUR_SERVERS_IP/goaway.php?cmd=cmd.exe"
RedirectMatch permanent (.*)CMD\.EXE(.*)$ "http://REPLACE_WITH_YOUR_SERVERS_IP/goaway.php?cmd=cmd.exe"
RedirectMatch permanent (.*)root\.exe(.*)$ "http://REPLACE_WITH_YOUR_SERVERS_IP/goaway.php?cmd=root.exe"
RedirectMatch permanent (.*)ROOT\.EXE(.*)$ "http://REPLACE_WITH_YOUR_SERVERS_IP/goaway.php?cmd=root.exe"
RedirectMatch permanent (.*)[\\/]_vti_bin[\\/](.*)$ "http://REPLACE_WITH_YOUR_SERVERS_IP/goaway.php?cmd=vtibin"
RedirectMatch permanent (.*)[\\/]_VTI_BIN[\\/](.*)$ "http://REPLACE_WITH_YOUR_SERVERS_IP/goaway.php?cmd=vtibin"
RedirectMatch permanent (.*)[\\/]winnt[\\/](.*)$ "http://REPLACE_WITH_YOUR_SERVERS_IP/goaway.php?cmd=winnt"
RedirectMatch permanent (.*)[\\/]WINNT[\\/](.*)$ "http://REPLACE_WITH_YOUR_SERVERS_IP/goaway.php?cmd=winnt"
RedirectMatch permanent (.*)[\\/]scripts[\\/]\.\.(.*)$ "http://REPLACE_WITH_YOUR_SERVERS_IP/goaway.php?cmd=scripts"
RedirectMatch permanent (.*)[\\/]SCRIPTS[\\/]\.\.(.*)$ "http://REPLACE_WITH_YOUR_SERVERS_IP/goaway.php?cmd=scripts"
RedirectMatch permanent (.*)[\\/]_mem_bin[\\/](.*)$ "http://REPLACE_WITH_YOUR_SERVERS_IP/goaway.php?cmd=membin"
RedirectMatch permanent (.*)[\\/]_MEM_BIN[\\/](.*)$ "http://REPLACE_WITH_YOUR_SERVERS_IP/goaway.php?cmd=membin"
RedirectMatch permanent (.*)[\\/]msadc[\\/](.*)$ "http://REPLACE_WITH_YOUR_SERVERS_IP/goaway.php?cmd=msadc"
RedirectMatch permanent (.*)[\\/]MSADC[\\/](.*)$ "http://REPLACE_WITH_YOUR_SERVERS_IP/goaway.php?cmd=msadc"
RedirectMatch permanent (.*)[\\/]x90[\\/](.*)$ "http://REPLACE_WITH_YOUR_SERVERS_IP/goaway.php?cmd=webdav+attack"
RedirectMatch permanent (.*)[\\/]X90[\\/](.*)$ "http://REPLACE_WITH_YOUR_SERVERS_IP/goaway.php?cmd=webdav+attack"

I'm currently running SUSE, so this file lives in my /etc/apache2/conf.d directory.

Note: You will have to add mod_rewrite to your loaded modules list if it's not already loaded. Check your httpd.conf file :-)

Currently, this file catches the following:

Here's the file I use to log the breakin attempts: (if you download it, rename it to goaway.php, the name the redirect rules above point at)

<html>
<head>
<!-- author: tom hudson -->
<!-- email:  tomhudson411@yahoo.com -->
<?php
	// Everything below comes from the client and is untrusted: anyone can
	// request goaway.php?cmd=... directly, and the table is shown to every
	// later visitor, so escape it before it goes into HTML and keep
	// newlines out of the plain-text log so one request cannot forge
	// extra log entries.
	$remote_addr = $_SERVER['REMOTE_ADDR'];
	$user_agent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
	$query = isset($_GET['cmd']) ? $_GET['cmd'] : '';
	$date = date('Y-m-d H:i:s');

	$user_agent = str_replace(array("\r", "\n"), ' ', $user_agent);
	$query = str_replace(array("\r", "\n"), ' ', $query);
	$safe_user_agent = htmlspecialchars($user_agent, ENT_QUOTES);
	$safe_query = htmlspecialchars($query, ENT_QUOTES);

	$log = "$date:$remote_addr:$user_agent:$query\n";
	$html_log = "<tr><td>$date</td><td>$remote_addr</td><td>$safe_user_agent</td><td>$safe_query</td></tr>\n";
	// "a" appends; check the handle so a permissions problem does not
	// turn into a PHP warning on the page.
	$fh = fopen("/srv/www/htdocs/log/hack_attempts.log", "a");
	if ($fh) {
		fwrite($fh, $log);
		fclose($fh);
	}
	$fh = fopen("/srv/www/htdocs/log/hack_attempts.html", "a");
	if ($fh) {
		fwrite($fh, $html_log);
		fclose($fh);
	}
?>
<title>GO AWAY LUS3R</title>
</head>
<body>
<h1>GO AWAY LUS3R</h1>
<h2>Get a life</h2>
Your IP address, along with the date and time, have been logged, LUS3R!
<hr>
Some moron running <?php print $safe_user_agent; ?>
<br>at <?php print $remote_addr; ?>
<br>tried to run this command:
<br>
<?php print $safe_query; ?>
<br>
at <?php print $date; ?>
<hr>
What a loser!
You are invited to join the ranks of these other n00bs:
<table border=2>
<tr bgcolor=silver><td><b>D4T3</b></td>
<td><b>LU$3R</b></td>
<td><b>UZ3D</b></td>
<td><b>F41L3D IT</b></td></tr>
<?php include "/srv/www/htdocs/log/hack_attempts.html"; ?>
</table>
<h2>YFI, PFY.</h2>
</body>
</html>
I'm not too polite with them, but they don't deserve any better.

NOTE: If you're running PHP in safe mode (and you should be), then you have to do the following to be able to write to files:

  1. Change the owner of the script to your web server's user
    (in my case, wwwrun, but it can also be apache or httpd depending on your distro)
  2. Create a subdirectory called log next to your script
  3. Change the owner of the log subdirectory to the same web server user
Why don't I just log it in /var/log? Because I'm also serving up the log to the n00b, and I don't want to give access to /var/log for that.
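Once a few weeks of entries have piled up, the interesting question is which addresses keep coming back and which probe types are most common. The script below is an added example for this page, not Tom's code: it parses hack_attempts.log in the exact colon-separated shape goaway.php writes (date:ip:user_agent:cmd) and counts probes per source IP and per cmd label. The sample log lines are constructed. Note the parsing edge case: the date field itself contains colons and a user agent string may too, so a naive split on ":" misreads the line; the parser takes the fixed-width date off the front, then the IPv4 address (which has no colons in this setup), then the cmd label off the end, and treats whatever is left as the user agent.

```python
"""Summarize goaway.php's hack_attempts.log (example added for this page).

Line shape, as written by goaway.php:
    date:ip:user_agent:cmd
"""
from collections import Counter

# Constructed sample lines in goaway.php's format (not real log data).
SAMPLE_LOG = """\
2004-03-02 14:05:11:203.0.113.7:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1):cmd.exe
2004-03-02 14:05:12:203.0.113.7:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1):scripts
2004-03-02 14:05:12:203.0.113.7:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1):vtibin
2004-03-02 16:40:00:198.51.100.23:Microsoft Data Access Internet Publishing Provider DAV:webdav+attack
2004-03-03 01:12:45:203.0.113.7:scanner/1.0 (see: http://example.invalid/bot):root.exe
this line is garbage
"""

DATE_LEN = len("YYYY-MM-DD HH:MM:SS")  # 19 chars, what date('Y-m-d H:i:s') produces


def parse_line(line):
    """Return (date, ip, user_agent, cmd), or None if the line is malformed."""
    line = line.rstrip("\n")
    # The date is fixed-width and contains colons, so take it by length.
    if len(line) <= DATE_LEN or line[DATE_LEN] != ":":
        return None
    date, rest = line[:DATE_LEN], line[DATE_LEN + 1:]
    # Next field is the IP; assumed IPv4 (no colons), as in the page's setup.
    ip, sep, rest = rest.partition(":")
    if not sep:
        return None
    # The cmd label is the last field; everything between is the user agent,
    # which may itself contain colons (e.g. a URL in a bot's UA string).
    user_agent, sep, cmd = rest.rpartition(":")
    if not sep:
        return None
    return date, ip, user_agent, cmd


def summarize(log_text):
    """Count probes per source IP and per cmd label; count bad lines separately."""
    by_ip, by_cmd, bad = Counter(), Counter(), 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            bad += 1
            continue
        _, ip, _, cmd = rec
        by_ip[ip] += 1
        by_cmd[cmd] += 1
    return by_ip, by_cmd, bad


def repeat_offenders(by_ip, threshold=3):
    """IPs with at least `threshold` logged probes, busiest first."""
    return [(ip, n) for ip, n in by_ip.most_common() if n >= threshold]


if __name__ == "__main__":
    ips, cmds, bad = summarize(SAMPLE_LOG)
    print("probes per IP:", dict(ips))
    print("probes per cmd:", dict(cmds))
    print("repeat offenders:", repeat_offenders(ips))
    print("unparseable lines:", bad)
```

To run it against the real file, replace SAMPLE_LOG with the contents of /srv/www/htdocs/log/hack_attempts.log. The repeat-offender list is the natural input for the once-a-day ISP complaint mentioned above, since it groups every probe from one address into a single report.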

The last thing is a web page to check who's tried to break in. Here it is: (if you download it, rename it to view_hacker_attempts.php)

<html>
<head>
<!-- author: tom hudson -->
<!-- email:  tomhudson411@yahoo.com -->
<title>View Hacker Attempts</title>
</head>
<body>
<h1>View Hacker Attempts</h1>
<table border=2>
<tr bgcolor=silver>
<td><b>Date and Time</b></td>
<td><b>IP Address</b></td>
<td><b>User Agent</b></td>
<td><b>Attempted to Run</b></td></tr>
<?php include "/srv/www/htdocs/log/hack_attempts.html"; ?>
</table>
</body>
</html>