
unknown network activity


LLS
23rd February 2005, 07:33 PM
A---I have apache2 running on fedora core2 and now and then get this in my error msgs

4.46.198.170 - - [22/Feb/2005:18:16:05 -0800] "SEARCH /\x90\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\x
with thousands of these chars following. Is this an attempted security breach?

B---Also if someone has the time to look at this and point me to a good tutorial explaining this info I would appreciate it; at times my web server has activity that I do not understand as normal user access and this is the netstat during one of those times. I do regular updates and scans with Clamav and keep everything else updated.

I am removing the netstat I posted here as instead of maybe helping someone else and myself by finding out what this meant, it became a target.

awdac
23rd February 2005, 07:40 PM
The answer to A is it looks like one of the old IIS exploit attempts. Nimda did that, and I'm sure others. It won't do anything to apache, other than clog up your logs.

I don't know a good general netstat report resource offhand--maybe somebody else will.
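
As an added example (not code from this thread, from Apache, or from any poster), here is a small Python scanner for the pattern awdac describes: it parses Apache "combined" access-log lines, measures the longest run of non-printable bytes in the request target (Apache logs them as `\xNN`), flags targets that open with 0x90 (the x86 NOP opcode, so a long run of it reads as a NOP sled aimed at some other server software) and counts flagged requests per client address. The sample log is constructed, the 8-byte run threshold is my own choice, and the `SEARCH` check reflects nothing more than the thread's quoted request line.

```python
# Added example, not code from the thread: scan Apache access-log lines for the
# "SEARCH /\x90\xc9..." pattern and report which client addresses keep sending it.
import re
from collections import Counter

# Constructed sample in Apache "combined" log format, modelled on the line quoted
# in the thread. Addresses are from the RFC 5737 documentation ranges. The last
# line is cut off on purpose, the way the quoted line was.
SAMPLE_LOG = r'''
192.0.2.10 - - [22/Feb/2005:18:16:05 -0800] "SEARCH /\x90\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9 HTTP/1.1" 414 320 "-" "-"
192.0.2.10 - - [22/Feb/2005:18:16:07 -0800] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1 HTTP/1.1" 414 320 "-" "-"
198.51.100.7 - - [22/Feb/2005:18:20:11 -0800] "GET /index.html HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
198.51.100.7 - - [22/Feb/2005:18:20:12 -0800] "GET /images/logo.png HTTP/1.1" 200 8841 "http://www.example.com/" "Mozilla/5.0"
192.0.2.10 - - [22/Feb/2005:18:30:01 -0800] "SEARCH /\x90\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\x
'''

# ip ident user [timestamp] "request" status size ...
# The closing quote and the status/size fields are optional so that a line that
# was cut off in the middle of the request still parses.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)'
    r'(?:" (?P<status>\d{3}) (?P<size>\d+|-))?'
)
# Apache writes each non-printable request byte as a backslash-x escape followed
# by two hex digits; this matches an unbroken run of such escapes.
ESCAPED_RUN_RE = re.compile(r'(?:\\x[0-9a-fA-F]{2})+')


def parse_line(line):
    """Split one log line into ip, ts, method, target and status (None if cut off)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    parts = m.group('req').split(' ')
    return {
        'ip': m.group('ip'),
        'ts': m.group('ts'),
        'method': parts[0],
        'target': parts[1] if len(parts) > 1 else '',
        'status': m.group('status'),
    }


def longest_byte_run(target):
    """Length in bytes of the longest run of escaped bytes in the request target."""
    # Each escape is four characters long: backslash, x, two hex digits.
    return max((len(run) // 4 for run in ESCAPED_RUN_RE.findall(target)), default=0)


def suspicious_reasons(rec, min_run=8):
    """Return the list of rules a parsed request trips (empty for an ordinary request)."""
    reasons = []
    run = longest_byte_run(rec['target'])
    if run >= min_run:  # min_run is an assumed threshold; real paths rarely contain any raw bytes
        reasons.append(f'{run} consecutive raw bytes in request target')
    if rec['target'].startswith('/\\x90'):
        reasons.append('target begins with 0x90 (x86 NOP), the shape of a NOP sled')
    if rec['method'] == 'SEARCH':
        reasons.append('WebDAV SEARCH method, as in the IIS exploit attempts named in the thread')
    if rec['status'] is None:
        reasons.append('log line cut off before the status field')
    return reasons


def scan(log_text, min_run=8):
    """Return (ip, method, reasons) for every line that trips at least one rule."""
    findings = []
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = suspicious_reasons(rec, min_run)
        if reasons:
            findings.append((rec['ip'], rec['method'], reasons))
    return findings


def hits_per_source(findings):
    """Count flagged requests per client address: the number to look at when deciding on a firewall rule."""
    return Counter(ip for ip, _, _ in findings)


if __name__ == '__main__':
    found = scan(SAMPLE_LOG)
    for ip, method, reasons in found:
        print(ip, method, '; '.join(reasons))
    print(hits_per_source(found))
```

On a live system, `scan(open('/var/log/httpd/access_log').read())` (path assumed, it varies by distribution) gives the same result over the real log. The rules only confirm what awdac says: these requests are noise for Apache, so the useful output is the per-address count, which tells you whether one source is hammering the server and is worth a firewall rule.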

Dog-One
23rd February 2005, 11:48 PM

Quick comment. I notice that you have sunrpc and nfs listening. Do you have those services blocked by an upstream firewall? Might be a good idea if you don't, otherwise shut those services down.

w5set
23rd February 2005, 11:57 PM
Yeah--it's the old "buffer overrun" exploit. (an attempted hack)
Makes for a long/cruddy looking log too. Apache properly updated usually just hesitates for a second writing
a very long log file and just keeps on doing its thing.
If you think you just may have problems being hacked--try a search for rkhunter or chkrootkit.
Install either one and run daily for a server exposed to the Internet.
Seems you are running several type servers open to the Internet, too.
Hope you are using a good firewall.

LLS
24th February 2005, 12:14 AM
That is correct, they are blocked and now shut down. I have since found many security warnings about RPC and NFS and that they should never be exposed to the internet.
I am still trying to find out about the orbit, ice, and localhost.localdo stuff. I just don't want to become part of the spam and junk contaminating our world. Thanks

w5set
24th February 2005, 12:15 AM
For info you can try going here.
http://www.faqs.org/docs/linux_network/x-087-2-iface.netstat.html
or
http://www.computerhope.com/unix/unetstat.htm
or
http://www.comentum.com/tech-support/netstat.html
And if you really think you have problems, wade/read through this below.
http://www.cert.org/tech_tips/root_compromise.html

w5set
24th February 2005, 12:23 AM
RPC is only needed if you are running a network printer directly on your network you need to access from this computer, or SSH logins from another computer--or an FTP server and a couple more "remotely accessible" things--which by the way you seem to have running.
How much/many was your intent to have running?
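
Dog-One's point about sunrpc and nfs listening, and w5set's question about how many services were meant to be running, both come down to one check: which sockets are bound to every interface, and are they ones you intended to expose? The script below is an added example (not the poster's netstat output, which was removed, and not any forum member's script); it runs awk over netstat-style output and prints every wildcard-bound listener whose port is not in an allow-list. The sample output is constructed, the allow-list "22 80" stands for the ssh and web server LLS said they need, and the port numbers in the comments (111 sunrpc, 2049 nfs, 3306 mysql) are the standard assignments.

```shell
#!/bin/sh
# Added example, not the poster's netstat or any forum member's script: list sockets
# bound to every interface (0.0.0.0 or ::) whose port is not one you meant to expose.
# Standard port numbers: 111 sunrpc (portmapper), 2049 nfs, 22 ssh, 80 http, 3306 mysql.

# Constructed "netstat -tuln" output standing in for the netstat the poster removed.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:2049            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 :::22                   :::*                    LISTEN
udp        0      0 0.0.0.0:111             0.0.0.0:*
udp        0      0 0.0.0.0:32768           0.0.0.0:*'

# Usage: unexpected_listeners "22 80" < output-of-netstat-tuln
# Prints "proto port" for each wildcard-bound socket whose port is not in the
# space-separated allow-list. Loopback-only listeners (127.0.0.1, ::1) are left
# alone: they are not reachable from outside the machine in the first place.
unexpected_listeners() {
    awk -v allowed=" $1 " '
        $1 ~ /^(tcp|udp)6?$/ {
            # Local Address is "addr:port"; the port is whatever follows the last colon,
            # which also handles IPv6 forms such as ":::22".
            n = split($4, part, ":")
            port = part[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr == "0.0.0.0" || addr == "::" || addr == "*") {
                if (index(allowed, " " port " ") == 0) print $1, port
            }
        }'
}

# Demo on the constructed sample; on a live host: netstat -tuln | unexpected_listeners "22 80"
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners "22 80"
```

For the sample this prints tcp 111, tcp 2049, udp 111 and udp 32768: the portmapper and NFS that Dog-One spotted, plus the anonymous high UDP port that NFS-related RPC services typically register. Anything on that list that is not blocked upstream is a service to shut down or bind to the LAN address only; run the check again after each change until the list is empty.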

LLS
24th February 2005, 12:23 AM
Yeah--it's the old "buffer overrun" exploit. (an attempted hack)

I am liking my firewall more and more every day. I will check out these utilities rkhunter & chkrootkit asap.

LLS
24th February 2005, 12:31 AM
I need ssh to manage the web content, mysql for some web/database, php and perl projects I am working through, and that is really about it. I think I need a bare-bones linux os to operate my server but I am going through the learning stages on RH and now FDC so for now I am using that.

w5set
24th February 2005, 12:41 AM
Your firewall will have to "allow" the port 80 requests to come through and get to the web page server (Apache)
You will notice several type exploits that come through from time to time all on the port 80.
The ones that will try your patience will be the ones that try to cram 5 or 6 through at the same time.
Most of them won't even make Apache blink. Except for the time it takes it to serve the error page--forbidden page--etc.
I did notice you were using a dynamic dns service, nothing bad, just seems to me that hackers have been targeting the blocks of dynamic dns server addresses, hoping for a newer site to have less armor plating than the more experienced, established sites.
I use an external computer dedicated just for a firewall, and it gets a workout from time to time, but the logs of computers inside that (firewall logs) are empty now.
Good Luck.

JFro
26th February 2005, 06:40 AM
I need ssh to manage the web content, mysql for some web/database, php and perl projects I am working through, and that is really about it. I think I need a bare-bones linux os to operate my server but I am going through the learning stages on RH and now FDC so for now I am using that.

I too am new to Linux, about a year now. I am running Apache on FC3 SELinux, and occasionally get the same attempts. I haven't had but 2 successful attempts in about 4 months, and SE killed them both, when they tried to overstep the bounds of the hooks! If someone is habitual, you can run a whois on their address and most of the time report them to their respective ISP.

Out of curiosity, what are you running for a router, store bought or home made?

-Jim

PS chroot jail is default in FC3.

gavinw6662
6th March 2005, 11:56 AM
I am so glad someone asked this question, and better yet that I decided to search the forums tonight. I too have the same problem, and didn't think much harm would come of it. Thanks for all the responses guys!!!

LLS
6th March 2005, 03:56 PM
Out of curiosity, what are you running for a router, store bought or home made?

-Jim


DSL modem
|
v
smoothwall 2.0 firewall->DMZ--web-server
|
v
linksys switch->network

awdac
6th March 2005, 04:10 PM
Perhaps some of y'all should look into bastille at http://bastille-linux.org . It goes through some basic hardening steps for your system, including proper setting up of ssh (using the right protocols and disallowing straight root logins, etc.) as well as a lot of other basic things that newbie "sys-admins" should do when operating publicly accessible services. Best of all, it explains what it is doing, gives you some configuration options, and leaves you with a sense of why you should do the things it suggests. It is really just a script that uses tools [usually] already installed on your system. Not to mention, it's free, open source, and though it has been around for some years, now has an FC3 version. It's a good way to be more secure *and learn how to stay that way*.

Cheers.