Subj : Apache and Port 80 hits?
To   : All
From : Mike Luther
Date : Thu Oct 25 2001 03:02 am

This is another example of what I think ought to be in this echo.

If it is not I'll gladly post it elsewhere..

OK, so I have Apache up an running for test purposes against an available Port 
80 system.  It's up for test on my temporarily chosen hardware box for my fixed 
address how-to-do-all-this learning.

But gee.  Courtesy of WN32/Nimda.A, one of the ports I've had to consider 
dumping is Port 80.  On this cable broadband system, I'm now being dosed with 
an more or less minimum of a Port 80 hammer probe every single minute of the 
day!

During the research on the successful NETBIOS over TCP/IP that we still do not 
really know was that or pure NETBIOS and just Port 137/138 shifted to Port 139 
and Nimda.A dumping tons of files on me, I also took a look at Port 80 scans, 
as well as Port 25, 26, and a bunch of others.

I set up IJFIRE to drop these probe packets and log them so I could analyze the 
whambo profile.  In my case, a minimum of about 130 discrete systems octet 
addresses are whamming me a day.  During new variant assaults, this number 
rises to about 4000 hits per day from over 250 different systems per my 
research here.  My research indicates also that approximately 95% of the 
current attack profile is coming from my own IP providers WAN, from different 
cities on it all over the USA and these are allegedly Port 80 probes.   
Interesting.

I can take rather large samples of the octets from the logs and look back to 
them with HOST.  They will be reported back as not resolvable to a name. To me 
that suggests that these might be spoofed addresses.  Some of them do come back 
as nameable .. to the various city-nets for this IP, which is the COX system, 
BTW.  As earlier noted, a few come from outside COX.  In both cases of the Port 
139 NETBIOS infection runs, the packets were IPTRACED and IPFORMAT demonstrated 
to have come from a box .. in my own city-net ., for the COX system,  However I 
never got to catch the perp at the onset of the infection with IPTRACE to get 
us a look at the magic cookie and so on. Tooling up to try and snare that with 
a spare box is both a thought to Lee Aroner's honeypot name for it .. or .. 
maybe to the box that hosts to new Apache test server if I dare.  I dunno yet.

But more focally here for this echo ..

What should be my OS2INST game plan for using APACHE, for a start? Consider 
that obviously, Port 80 has to be opened up and incoming packets cannot be 
dumped if I ever want to use an HTML server on my fixed address?

Can someone begin the teaching process here on how to best use OS/2 for an 
INTERNET SERVER operation and minimize the risk from this new round of HTML 
server attacks?  I really do not want my simple humble web page to receive a 
graceful JAVA snip appendage in it that goes off trying to do something it 
can't do in OS/2, but doesn't know that anyway!

How do we best become Web Empresario's all here?

And after we do that with APACHE, how does all this play out with the formal 
IBM offerings for same?  I have a DEVCON subscription. Surely goodness and 
mercy will follow all thise HUNDREDS of CD-ROM disks all the rest of my life 
somehow, no?

    ;)

Thank you!


--> Sleep well; OS/2's still awake! ;)

Mike @ 1:117/3001



--- Maximus/2 3.01
 * Origin: Ziplog Public Port (1:117/3001)

.