7. What do these other logs mean?

The following information helps interpret the meaning of events generated by logging systems, not necessarily from a firewall. They might come from the service itself, intrusion detection systems, or really smart firewalls.

7.1 What do the following DNS errors mean?

Response from unexpected source
A DNS server might report this when it receives an incoming response from a different IP address than the one the corresponding request was sent to. There are several causes of this.

Remember that DNS servers will "recursively" send out queries when resolving names on behalf of clients. Each outgoing request is given a unique transaction identifier; incoming responses contain the same transaction identifier.

Therefore, if a server sends request #45689 to server 192.0.2.131, but gets response #45689 back from server 192.0.2.3, then it triggers this alert.

The most common causes are proxying, caching, and dual-homed hosts. For example, the DNS server might have two IP addresses: [192.0.2.131] and [192.0.2.3]. The typical way of writing a DNS server is to not bind the sockets to individual IP addresses. What this means is that the DNS server does not know which IP address the request was received on, nor does it tell the underlying TCP/IP stack which IP address to use when sending the response. Therefore, when the DNS server sends the response, the underlying stack uses one of the IP addresses at random (which can be the wrong one).
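As an added illustration (not part of the original FAQ), here is the check a resolver or IDS applies to raise this alert: match the reply's transaction ID against outstanding queries, then compare the reply's source address with the server the query was sent to. The PENDING table and the packet bytes are constructed test data.

```python
import struct
from ipaddress import ip_address

# Constructed sample state: the resolver's outstanding queries, keyed by the
# 16-bit DNS transaction ID, mapped to the server address each was sent to.
PENDING = {45689: "192.0.2.131", 45690: "192.0.2.131"}

def build_header(txid, is_response):
    """Build a minimal 12-byte DNS header (constructed test data only)."""
    flags = 0x8180 if is_response else 0x0100   # QR/RD/RA set vs. RD only
    return struct.pack("!HHHHHH", txid, flags, 1, 1 if is_response else 0, 0, 0)

def check_response(packet, src_ip, pending):
    """Classify an incoming DNS packet the way the alert above does.

    Returns 'malformed', 'not-a-response', 'unknown-txid',
    'unexpected-source' or 'ok'. Only an 'ok' match is removed from
    `pending`; a reply from the wrong address leaves the query outstanding
    so the genuine answer can still be accepted.
    """
    if len(packet) < 12:
        return "malformed"
    txid, flags = struct.unpack("!HH", packet[:4])
    if not flags & 0x8000:                 # QR bit clear: a query, not a reply
        return "not-a-response"
    expected = pending.get(txid)
    if expected is None:
        return "unknown-txid"              # nothing outstanding with this ID
    if ip_address(src_ip) != ip_address(expected):
        # Same transaction ID, different server address: the dual-homed /
        # unbound-socket case described above, or a forged reply.
        return "unexpected-source"
    del pending[txid]
    return "ok"
```

A production resolver also matches the question section and source port before accepting a reply; this block shows only the address check the alert is about.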

Various errors with 127.0.0.1
Some servers are misconfigured to map this address. On the other hand, it is also a hacker technique to cause names within the hacker domain to resolve to addresses within a company (including localhost/127.0.0.1).
Zone transfers (AXFR)
A hacker is attempting to list all the DNS names within a domain. This is an attempt to "map" your network. Managers should consider using split DNS (also known as shadow domains), whereby the public DNS contains only those records that must be accessed publicly, and a separate (and distinct) DNS server serves internal machines. Note that some zone-transfer requests are fairly benign. If the transfers are coming from the IP addresses 128.9.160.57 and 198.32.4.13, you might want to let them through; see http://www.isi.edu/~bmanning/in-addr-audit.html.

7.2 What do the following URLs mean in weblogs?

A lot of these pop up in logs as "404 Not Found" errors:
favicon.ico
In MSIE5 (Microsoft Internet Explorer v5.0), when a user adds a link to his/her "Favorites" (Bookmarks) or drags the link to the desktop, the browser attempts to retrieve an icon for it. It first searches in the same directory as the file being linked to, then walks up the directory structure until it hits the root. A lot of sites (example: Yahoo!) now supply icons for their sites.
robots.txt
Whenever a search engine (like AltaVista, Infoseek, Excite, etc.) attempts to index your site, it will first get the file "/robots.txt". If you don't want parts of your website indexed, you can put rules here. On the other hand, hackers will sometimes grab this file as well on the assumption that if you tell a search engine not to index some directories, they might be something interesting to look at. Indeed, network managers do believe that putting directories in "robots.txt" hides them, when in reality it exposes them more.
URLs beginning with http://
People occasionally see the following type of line in their webserver log:
14:03:00 192.0.2.243 GET /index.html - 200 Mozilla/4.0 - -
14:03:03 192.0.2.243 GET http://www.example.com/  - 200 - - -

The first is a normal line, but what is that complete URL starting with "http://"? This is an attempt to see if the machine supports proxying. This is how pretty much all HTTP proxies work -- they receive a complete URL, then fetch that URL for the user.

See section 5.3 for more info.
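As an added example (not from the original FAQ), this classifier runs the interpretations in this section over log lines in the layout shown above: an absolute URL or CONNECT in the request line is a proxy probe, favicon.ico is a browser looking for a bookmark icon, and robots.txt is a crawler or someone reading what you tried to hide. The sample lines, and the browser-versus-crawler user-agent heuristic, are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed log lines in the same layout as the two shown above
# (time, client IP, method, URI, "-", status, user agent, ...).
SAMPLE_LOG = """\
14:03:00 192.0.2.243 GET /index.html - 200 Mozilla/4.0 - -
14:03:01 192.0.2.243 GET /favicon.ico - 404 Mozilla/4.0 - -
14:03:03 192.0.2.243 GET http://www.example.com/  - 200 - - -
14:05:10 198.51.100.7 GET /robots.txt - 200 Scooter/2.0 - -
14:05:11 203.0.113.9 GET /robots.txt - 200 Mozilla/4.0 - -
14:07:44 203.0.113.9 CONNECT mail.example.net:25 - 405 - - -
"""

LINE_RE = re.compile(r"^(?P<time>\S+)\s+(?P<ip>\S+)\s+(?P<method>\S+)\s+"
                     r"(?P<uri>\S+)\s+\S+\s+(?P<status>\d{3})\s+(?P<ua>\S+)")
ABSOLUTE_URL = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)

def classify(method, uri, ua):
    """Map one request to the interpretations given in this section."""
    if method == "CONNECT" or ABSOLUTE_URL.match(uri):
        return "proxy-probe"          # full URL in the request line: proxy test
    path = uri.split("?", 1)[0].lower()
    if path.endswith("/favicon.ico"):
        return "favicon"              # MSIE5 looking for a bookmark icon
    if path == "/robots.txt":
        # Heuristic (assumption): a crawler announces itself; a browser-style
        # user agent fetching robots.txt is someone reading what you "hid".
        return "robots-by-browser" if ua.startswith("Mozilla/") else "robots"
    return "normal"

def analyse(log_text):
    """Return ({category: [(ip, uri), ...]}, {ip: proxy-probe count})."""
    hits, probes = defaultdict(list), defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                  # skip lines that do not fit the layout
        cat = classify(m["method"], m["uri"], m["ua"])
        hits[cat].append((m["ip"], m["uri"]))
        if cat == "proxy-probe":
            probes[m["ip"]] += 1
    return dict(hits), dict(probes)
```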

7.3 What do the following mean in my RPC portmapper logs?

Clients look up an RPC program in portmapper/rpcbind in order to find out which port number the service runs on. A hacker will either dump all the listings (using rpcinfo -p <host>) or look up the mapping (using getport) for the particular RPC he/she wants to exploit.

As always, these attempts are usually from scans against thousands/millions of machines rather than against you in particular. Every few months, a new exploit script is published for Linux or Solaris services, and script kiddies start scanning the Internet for that service. Most of the vulnerabilities in the services listed are buffer overflows.

Note that on Sun Solaris machines, these services usually have port numbers in the range starting at port 32770. On many other systems, RPC services have ports below 1024, on the assumption that it provides a little better security because

More info on RPC can be found in RFC 1833.

7.3.1 What do the following RPC portmapper commands mean?

The portmapper service has six commands (numbered 0-5).
0 NULL This is a "ping" style command -- it just verifies that the service is running. You almost never see these.
1 SET If you see this go across the wire, then it is an intrusion attempt. This should be used only internally as RPC-based programs register themselves with portmapper.
2 UNSET If you see this go across the wire, then it is an intrusion attempt. This should be used only internally as RPC-based programs unregister themselves with portmapper. It is sometimes used as a DoS attack in order to kill your services. Such attacks are frequently spoofed.
3 GETPORT This is the normal use of portmapper that you should see 99.9% of the time going across the wire. An external client looks up the corresponding port number for the desired service. When reviewing logs, if you see requests to strange services, you can look up the program number in the table below.
4 DUMP This dumps all the mappings in the portmapper database. The UNIX command "rpcinfo -p" carries out this command. This is a common reconnaissance technique for hackers.
5 CALLIT This may be an attempt to compromise the system. The callit feature was created for RPC broadcasts. Because a desired service runs on different ports on different systems, one cannot simply broadcast to it. Therefore, portmapper will accept incoming broadcasts on port 111, then forward them to the appropriate program. However, even some protocols that don't support broadcasts can be compromised by sending the requests through this service.

7.3.2 What do the following RPC program numbers mean?

An RPC program number is assigned by Sun (rpc@sun.com).

I've put an asterisk * next to the ones that have been seen to use the callit feature.

100001 rstatd Allows CPU, network traffic, and disk statistics to be remotely monitored. Hackers may use this as part of recon.
100002 rusersd Lists the users on a machine, which reveals lots of info to hackers.
100005 NFS mountd In late 1998, the RedHat Linux distribution contained a buffer overflow bug in the mountd service running at port 635. The popularity of RedHat and the fact that the service ran at a common port number made it popular among hackers. Not only did hackers scour the Internet for such machines, but a worm was created to spread via this service. [CA-98.12]
100008 walld * The program walld sends messages to users from the system administrator (such as notifying them that the system is about to be rebooted, so they had better save their work). Messages are frequently sent via callit broadcasts.
100068 rpc.cmsd Solaris Calendar Messaging Service. In the middle of 1999, a buffer overflow was found in this service. Immediately after this discovery, hackers started doing extensive scans for this service, resulting in thousands of hacks against web sites using Solaris. [CA-99-08]
100083 ToolTalk ToolTalk (rpc.ttdbserverd) [CA-98.11]
100232 rpc.sadmind Sun Solstice AdminSuite, installed by default on Solaris 2.5 and above (2.4 and below installed a similar service called rpc.admind). [CA-99-16]
300019 rpc.amd Linux Automounter. In late 1999, a buffer overflow bug was found in the logging service. While any code based upon the original BSD sources is vulnerable, hackers are probably scanning for the Linux implementation included in many distros. [CA-99-12]
300055 unixware * I'm not sure what this service is, but UnixWare sends callit broadcasts across this program number.
300214 FrameMaker * This number has been assigned to FrameMaker for UNIX. You can download an evaluation copy of this program at http://www.adobe.com/support/downloads/fmunix.htm. Apparently, the license manager supports callit broadcasts. This license manager supports a "roving" license whereby many people can have it installed, but only a few can use the product.
390109 nsrstat * Legato NetWorker Server Remote Status. This is a backup service (also OEMed as Solstice Backup). Status updates are broadcast via callit.
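As an added example covering both 7.3.1 and 7.3.2 (my code, not the FAQ's), this decoder takes the UDP payload of a call to port 111, reads the SunRPC v2 call header (RFC 1831 layout: xid, message type, RPC version, program, version, procedure, then the credential and verifier opaque_auth fields), labels the portmapper procedure the way the list above does, and for GETPORT looks the requested program number up in the table above. The packets are constructed test data; WATCHED_PROGS is my selection from the table.

```python
import struct

PORTMAPPER = 100000
# Portmapper procedure numbers, as listed in 7.3.1.
PMAP_PROCS = {0: "NULL", 1: "SET", 2: "UNSET", 3: "GETPORT", 4: "DUMP", 5: "CALLIT"}
# Program numbers from the table above that deserve a second look.
WATCHED_PROGS = {100001: "rstatd", 100002: "rusersd", 100005: "mountd", 100068: "rpc.cmsd",
                 100083: "rpc.ttdbserverd", 100232: "rpc.sadmind", 300019: "rpc.amd"}

def _skip_opaque_auth(buf, off):
    """Skip one opaque_auth: flavor, body length, body padded to 4 bytes."""
    _flavor, length = struct.unpack_from("!II", buf, off)
    return off + 8 + ((length + 3) & ~3)

def parse_rpc_call(buf):
    """Decode a SunRPC v2 (RFC 1831) CALL header from a UDP payload."""
    xid, mtype, rpcvers, prog, vers, proc = struct.unpack_from("!6I", buf, 0)
    if mtype != 0 or rpcvers != 2:
        raise ValueError("not an RPC v2 CALL message")
    off = _skip_opaque_auth(buf, 24)    # credentials
    off = _skip_opaque_auth(buf, off)   # verifier
    return {"xid": xid, "prog": prog, "vers": vers, "proc": proc, "args": buf[off:]}

def assess_portmap_call(buf):
    """Return (label, detail) for one call seen on port 111."""
    call = parse_rpc_call(buf)
    if call["prog"] != PORTMAPPER:
        return "not-portmapper", call["prog"]
    name = PMAP_PROCS.get(call["proc"], "unknown")
    if name == "GETPORT":               # args: prog, vers, prot, port
        target = struct.unpack_from("!I", call["args"], 0)[0]
        return "getport", WATCHED_PROGS.get(target, str(target))
    if name in ("SET", "UNSET"):
        return "intrusion-attempt", name   # only legitimate from the host itself
    if name == "CALLIT":
        return "suspicious", name          # possible compromise attempt
    if name == "DUMP":
        return "recon", name               # what "rpcinfo -p" sends
    return "benign", name

def build_call(prog, vers, proc, args=b"", xid=0x1234):
    """Constructed test data: a CALL with AUTH_NULL credentials and verifier."""
    null_auth = struct.pack("!II", 0, 0)
    return struct.pack("!6I", xid, 0, 2, prog, vers, proc) + null_auth * 2 + args

def getport_args(prog, vers, prot=17, port=0):
    """Constructed GETPORT argument block (prot 17 = UDP)."""
    return struct.pack("!4I", prog, vers, prot, port)
```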

7.4 What do the following mean in my SMTP (e-mail) logs?

While not your classic packet-filtering firewall, SMTP (e-mail) servers are important gateways between the outside world and your internal network. They should be considered along the same lines as your firewall.

7.4.1 What is this message about "relay" attempts?

A relay is where somebody sends your e-mail server mail that is not destined for anybody you serve e-mail for. For example, I might connect to your e-mail server and attempt to send mail to "test@example.com". Your e-mail server should not accept the e-mail ("relay not allowed"). Your e-mail server should only accept incoming e-mail to your users (or outgoing e-mail from your users).

The problem is that many administrators simply install servers without taking these simple precautions. Spammers take advantage of this fact. They give a single e-mail to the mail server and a recipient list containing hundreds of unrelated recipients. This allows them to send huge quantities of e-mail using a slow dialup connection. This is important because once the ISPs get enough complaints, they will terminate the user's account, so they must continually get new dialup connections. It also has the effect of partially hiding the true source of the spam.

If you get error messages about relaying, that is a good thing: you've configured your server correctly. If you don't get such messages, this is a bad thing. This means that you are probably not rejecting relayed messages. Has your server seemed slow lately?

Not only do spammers hunt for open relays, anti-spam organizations do the same in an attempt to "blacklist" open relays. Some of the good guys are:

IMC
The Internet Mail Consortium reports that in 1999, roughly 17% of e-mail systems had open relays.
MAPS RBL
The MAPS RBL (Realtime Blackhole List) allows you to configure your e-mail server to blackball known open relays that send out bulk spam. It is used by a huge percentage of e-mail servers on the Internet.
ORBS
Scans the Internet looking for open relays. ORBS uses relay tests from New Zealand (e.g. manawatu.co.nz).

Not only do you receive relay attempts from spammers, you also get attempts from anti-spam organizations. There are several organizations that regularly scan the Internet looking for open relays. The most common is from "manawatu.co.nz"; don't get too upset -- they

7.4.2 What are these messages about rejected EXPN and VRFY attempts?

The "expand" and "verify" commands will expand mailing lists or verify user names (respectively).

If you do the command "VRFY root", you might be able to find out the postmaster's e-mail address. This is a good reconnaissance technique.

By doing a "VRFY decode" or "VRFY uudecode", you might be able to find out some security holes in the system related to these subsystems. Other commonly scanned user names are "bbs", "lp", "demo", "guest", and "debug".

Some systems have buffer overflows in this command, either in the command itself or in the logging system behind the command. You might see entries for very long strings like "xxxxxxxxxxxxxxxxxxxxxxxx".

If you see a bunch of these in a row, you are probably being scanned by a vulnerability scanner (ISS/CyberCop/Nessus). They will generate a bunch of other junk in your logs as well.
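As an added example for 7.4.1 and 7.4.2 (my code, not the FAQ's), this is the server-side policy the two sections describe, run over a constructed scanner session: accept RCPT only for local domains or from internal clients and log everything else as a relay attempt; answer VRFY/EXPN without leaking anything while recording the probe and the names the text lists; and reject over-long arguments as likely overflow attempts. The local domain, the internal network, the 255-byte limit and the transcript are all assumptions for the example.

```python
import re
from ipaddress import ip_address, ip_network

LOCAL_DOMAINS = {"example.com"}                 # domains this server accepts mail for
INTERNAL_NETS = [ip_network("192.0.2.0/24")]    # our own users, allowed to send out
SCANNED_NAMES = {"decode", "uudecode", "bbs", "lp", "demo", "guest", "debug"}
MAX_ARG = 255                                   # assumption: longer looks like an overflow attempt

def _domain(addr):
    m = re.search(r"[^<>\s@]+@([^<>\s]+)", addr)
    return m.group(1).lower() if m else ""

def handle(cmd, arg, client_ip, events):
    """Apply the relay and VRFY/EXPN policy to one command; return the reply."""
    internal = any(ip_address(client_ip) in net for net in INTERNAL_NETS)
    if len(arg) > MAX_ARG:
        events.append((client_ip, cmd, "overlong-argument"))
        return "501 Syntax error"
    if cmd == "RCPT":
        if _domain(arg) in LOCAL_DOMAINS or internal:
            return "250 OK"          # mail for our users, or from our users
        events.append((client_ip, cmd, "relay-attempt"))
        return "550 Relaying denied"
    if cmd in ("VRFY", "EXPN"):
        name = arg.strip().lower()
        events.append((client_ip, cmd, "probe:" + name if name in SCANNED_NAMES else "probe"))
        return "252 Cannot VRFY user" if cmd == "VRFY" else "502 Command not implemented"
    return "250 OK"

def run_session(transcript, client_ip):
    """Feed constructed client lines through the policy; return (replies, events)."""
    replies, events = [], []
    for line in transcript.splitlines():
        cmd, _, arg = line.partition(" ")
        cmd = cmd.upper()
        if cmd in ("MAIL", "RCPT") and ":" in arg:   # strip "FROM:" / "TO:"
            arg = arg.split(":", 1)[1].strip()
        replies.append(handle(cmd, arg, client_ip, events))
    return replies, events

# Constructed transcript of a scanner talking to the server from outside.
SCAN_SESSION = """\
HELO scanner.test
MAIL FROM:<nobody@scanner.test>
RCPT TO:<test@example.com>
RCPT TO:<victim@elsewhere.test>
VRFY root
VRFY decode
VRFY {}""".format("x" * 300)
```

Several VRFY events in a row from one client IP is the scanner signature the text describes; counting events per source is the natural next step.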

7.5 What are these identd/auth messages?

The UNIX identd service identifies which of the logged-on users owns a particular TCP connection.

7.5.1 What does No Ident response mean?

Some IRC servers spit this out. It means that the ident service at port 113 isn't available. Either the firewall is blocking it or it isn't running. Most IRC clients come with an ident service.