How to secure your Linux box from the Green Bar Brigade

eHoward
Banned
Posts: 2160
Joined: Tue Aug 31, 2004 2:45 pm

How to secure your Linux box from the Green Bar Brigade

Post by eHoward »

One of the greens was doing some highly suspicious stuff and rather than analyze packets and log files (this site's log file was over 200 MB this week), I just decided to stop his access to the box.

[root@linuxbox root]# iptables -A INPUT -s wsjproxy2.dowjones.com -j DROP
[root@linuxbox root]# iptables -A INPUT -s wsjproxy1.dowjones.com -j DROP
[root@linuxbox root]# iptables -A INPUT -s pool-68-161-4-155.ny325.east.verizon.net -j DROP
[root@linuxbox root]# iptables -A OUTPUT -d wsjproxy1.dowjones.com -j DROP
[root@linuxbox root]# iptables -A OUTPUT -d wsjproxy2.dowjones.com -j DROP
[root@linuxbox root]# iptables -A OUTPUT -d pool-68-161-4-155.ny325.east.verizon.net -j DROP


Just in case anyone else wants to run a webserver.
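The rules above drop traffic from a handful of sources picked out by hand from a 200 MB log. As an added example (not code from the thread), here is a small Python script that does the picking: it parses Apache combined-format access log lines, finds the hosts whose request rate inside any 10-second window exceeds a threshold, and renders the same INPUT/OUTPUT DROP pair by literal address. The log lines, the threshold and the window size are constructed assumptions. One caveat built into the rule renderer: iptables resolves a hostname given to -s or -d only once, when the rule is inserted, so a rule written against a dynamic pool hostname such as the Verizon one stops matching when that host's address changes; blocking the address itself avoids that.

```python
"""Pick out hosts flooding a web server from its access log and emit DROP rules.

Added example, not code from the thread. The log lines are constructed and
the rate threshold/window are assumptions; adjust them to the server.
"""
import re
from collections import defaultdict
from datetime import datetime

# One NCSA combined-format request line, as Apache writes to access_log.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_timestamp(text):
    """Apache timestamp such as 22/Nov/2004:10:15:01 -0500 -> aware datetime."""
    return datetime.strptime(text, "%d/%b/%Y:%H:%M:%S %z")


def peak_rate(timestamps, window_seconds):
    """Largest number of requests that fall inside any window_seconds span."""
    ts = sorted(timestamps)
    best, start = 0, 0
    for end, t in enumerate(ts):
        while (t - ts[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_flooders(log_lines, threshold=10, window_seconds=10):
    """Map host -> peak requests per window, for hosts at or above threshold."""
    by_host = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:  # skip malformed lines instead of aborting a long scan
            continue
        by_host[m.group("host")].append(parse_timestamp(m.group("ts")))
    peaks = {host: peak_rate(stamps, window_seconds) for host, stamps in by_host.items()}
    return {host: n for host, n in peaks.items() if n >= threshold}


def iptables_drop_rules(hosts):
    """Render the same INPUT/OUTPUT pair as the post above, by literal address.

    iptables resolves a hostname given to -s/-d once, when the rule is added, so
    a rule written against a dynamic pool hostname stops matching after the
    address changes; rules on the address itself do not have that problem.
    """
    rules = []
    for host in sorted(hosts):
        rules.append(f"iptables -A INPUT -s {host} -j DROP")
        rules.append(f"iptables -A OUTPUT -d {host} -j DROP")
    return rules


def _line(host, second, path):
    """Constructed sample request line; not a real log entry."""
    return (f'{host} - - [22/Nov/2004:10:15:{second:02d} -0500] '
            f'"GET {path} HTTP/1.1" 200 1234 "-" "Mozilla/4.0"')


# Constructed sample log: two normal visitors, one junk line, and one host
# (192.0.2.77, a documentation address) issuing a request every second.
SAMPLE_LOG = [
    _line("10.0.0.5", 1, "/phpBB/index.php"),
    _line("10.0.0.5", 9, "/phpBB/viewforum.php?f=1"),
    _line("10.0.0.8", 3, "/phpBB/viewtopic.php?t=62"),
    "this line is not a valid request record",
] + [_line("192.0.2.77", s, "/phpBB/index.php") for s in range(30)]


if __name__ == "__main__":
    flooders = find_flooders(SAMPLE_LOG)
    print(flooders)
    print("\n".join(iptables_drop_rules(flooders)))
```

Run against a real access_log with `find_flooders(open("access_log"))`; the threshold that separates a flood from a busy forum reader depends on the site, so look at the peak counts before turning them into rules.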
Lex

Re: How to secure your Linux box from the Green Bar Brigade

Post by Lex »

I was in chat the other night, the greens were talking about hacking the site. :roll:

Funny, we get banned from Old Europe, and they just can't leave us alone.
donk_316
Booooooost
Posts: 2073
Joined: Sat Nov 20, 2004 7:14 pm
Location: Canada

Post by donk_316 »

Lex, you were banned?! From "you know where"???
eHoward
Banned
Posts: 2160
Joined: Tue Aug 31, 2004 2:45 pm

Post by eHoward »

I just did a forum software upgrade from 2.0.6 to 2.0.11 because the creators of the forum software released a notice on the 18th about some security issues.

Also did a bunch of Linux upgrades that should be transparent this weekend. Everything but the BIND update went smoothly.

You guys should let me know if you experience anything odd or not right.

Also if you have logs or transcripts from greens talking about hacking this machine, I'd really appreciate seeing them. Thanks for the heads up.
zonyl
not really
Posts: 293
Joined: Wed Nov 24, 2004 7:58 am

Post by zonyl »

I would be interested in those and anything you might have on the Dow Jones transactions. I have a cousin who is in the State Computer Crime lab in Madison, WI who knows some people in the Fed office.

If you have sufficient evidence of computer trespassing or intent to DOS, you, my friend, have a great target for a lawsuit!! DEEP POCKET DOWJONES! Any lawyer would love to take that on for you, I'm sure.

Make sure you block all of Southeast Asia as well (had a lot of problems with folks over in that area exploiting Apache holes). Too bad the feds don't care about overseas unless there is significant $$$ involved.

# Known Crackers in China / Malaysia / etc.
$IPTABLES -A INPUT -i eth0 -s 61.0.0.0/8 -j DROP
$IPTABLES -A INPUT -i eth0 -s 61.55.0.0/16 -j DROP
$IPTABLES -A INPUT -i eth0 -s 61.147.0.0/16 -j DROP
$IPTABLES -A INPUT -i eth0 -s 61.155.0.0/16 -j DROP
$IPTABLES -A INPUT -i eth0 -s 61.177.0.0/16 -j DROP
$IPTABLES -A INPUT -i eth0 -s 61.187.0.0/16 -j DROP
$IPTABLES -A INPUT -i eth0 -s 61.190.0.0/16 -j DROP
$IPTABLES -A INPUT -i eth0 -s 61.191.0.0/16 -j DROP
$IPTABLES -A INPUT -i eth0 -s 211.119.0.0/16 -j DROP
$IPTABLES -A INPUT -i eth0 -s 211.172.0.0/16 -j DROP
$IPTABLES -A INPUT -i eth0 -s 211.173.0.0/16 -j DROP
$IPTABLES -A INPUT -i eth0 -s 218.2.0.0/16 -j DROP
$IPTABLES -A INPUT -i eth0 -s 218.4.0.0/16 -j DROP
$IPTABLES -A INPUT -i eth0 -s 220.168.0.0/16 -j DROP
$IPTABLES -A INPUT -i eth0 -s 220.169.0.0/16 -j DROP
$IPTABLES -A INPUT -i eth0 -s 220.170.0.0/16 -j DROP

----

BTW: How do I get access to the "special" forum ID #10?
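Before loading a list like the one in the post above, it is worth checking what it actually covers. The following Python is an added example (not code from the thread or from the poster); the list is copied as written above, and the helper functions are mine. It shows two things the raw list hides: every 61.x.0.0/16 line is already covered by 61.0.0.0/8, so seven of the sixteen rules never match, and the collapsed list drops a little over 17 million addresses, which is the scale of legitimate traffic a /8 block takes with it.

```python
"""Check a CIDR drop list for redundancy and coverage before loading it.

Added example, not from the thread. BLOCKLIST is the list posted above,
copied as written; the functions are my own.
"""
import ipaddress

BLOCKLIST = [
    "61.0.0.0/8", "61.55.0.0/16", "61.147.0.0/16", "61.155.0.0/16",
    "61.177.0.0/16", "61.187.0.0/16", "61.190.0.0/16", "61.191.0.0/16",
    "211.119.0.0/16", "211.172.0.0/16", "211.173.0.0/16",
    "218.2.0.0/16", "218.4.0.0/16",
    "220.168.0.0/16", "220.169.0.0/16", "220.170.0.0/16",
]


def parse_blocklist(entries):
    """strict=True rejects entries with host bits set (a typo like 61.55.1.0/16)."""
    return [ipaddress.ip_network(entry, strict=True) for entry in entries]


def redundant_entries(entries):
    """Entries already covered by a wider entry in the same list."""
    nets = parse_blocklist(entries)
    return [str(n) for n in nets
            if any(other != n and n.subnet_of(other) for other in nets)]


def collapsed(entries):
    """Minimal equivalent list: drops covered entries and merges adjacent ones."""
    return [str(n) for n in ipaddress.collapse_addresses(parse_blocklist(entries))]


def blocked_address_count(entries):
    """How many IPv4 addresses the list drops in total, collateral included."""
    nets = ipaddress.collapse_addresses(parse_blocklist(entries))
    return sum(n.num_addresses for n in nets)


def matching_rule(ip, entries):
    """First entry that would DROP this source, in list order, or None."""
    addr = ipaddress.ip_address(ip)
    for net in parse_blocklist(entries):
        if addr in net:
            return str(net)
    return None


if __name__ == "__main__":
    print("redundant:", redundant_entries(BLOCKLIST))
    print("collapsed:", collapsed(BLOCKLIST))
    print("addresses dropped:", blocked_address_count(BLOCKLIST))
    print("61.147.10.20 hits:", matching_rule("61.147.10.20", BLOCKLIST))
```

`matching_rule` is the check to run on a visitor's address when someone reports being unable to reach the site: it tells you which line is responsible, and in list order, which matters because iptables stops at the first matching DROP.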
eHoward
Banned
Posts: 2160
Joined: Tue Aug 31, 2004 2:45 pm

Post by eHoward »

I am fully aware of the deep pockets that Dow Jones have. I had a call into IT there Tuesday.

I have a couple hundred megabytes worth of evidence. It is pretty boring. Really bad attempt at a distributed denial of service attack. I originally thought it might have been something more sophisticated.

Had a call into Verizon today about this user's account: pool-68-161-6-33.ny325.east.verizon.net
Doug Chase
Posts: 201
Joined: Thu Nov 18, 2004 2:23 pm
Location: Duvall, WA

Post by Doug Chase »

eHoward wrote: You guys should let me know if you experience anything odd or not right.
I'm occasionally seeing out of memory errors.

After posting a new topic I got this error:

Fatal error: Allowed memory size of 8388608 bytes exhausted (tried to allocate 184320 bytes) in /home/httpd/vhosts/pennockssucks.saturnet.net/httpdocs/phpBB/includes/template.php(127) : eval()'d code on line 111

I hit refresh and it worked, but it created a duplicate new topic so apparently the information got submitted correctly the first time.

When trying to access this url: http://pennockssucks.saturnet.net/phpBB ... c.php?t=62

I got this error:

Fatal error: Allowed memory size of 8388608 bytes exhausted (tried to allocate 184320 bytes) in /home/httpd/vhosts/pennockssucks.saturnet.net/httpdocs/phpBB/includes/page_header.php on line 386

Again, hitting refresh worked fine.

I saw similar errors a few more times when trying to access a post or a different forum, but since I hadn't seen this post yet I didn't collect any information.
Doug Chase
Chase Race
Custom: cages, exhausts, fabrication
Duvall, WA
Doug Chase
Posts: 201
Joined: Thu Nov 18, 2004 2:23 pm
Location: Duvall, WA

Post by Doug Chase »

Another one. Clicking on this link: http://pennockssucks.saturnet.net/phpBB ... .php?t=181

Gave me this error:

Fatal error: Allowed memory size of 8388608 bytes exhausted (tried to allocate 46080 bytes) in /home/httpd/vhosts/pennockssucks.saturnet.net/httpdocs/phpBB/includes/functions.php on line 647

I'll assume at this point you have enough info to track this down so I'll stop submitting bug reports unless you need more.
Doug Chase
Chase Race
Custom: cages, exhausts, fabrication
Duvall, WA
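The three fatal errors quoted in the two posts above all say the same thing: PHP hit its memory_limit (8388608 bytes is exactly 8 MiB, the limit set in php.ini) while a page was being built, and the spot that ran out of room differs each time, so the file and line in the message point at where the allocation failed rather than at what consumed the memory. When these show up across a busy forum, the useful first step is to collect them from the PHP/Apache error log and count where they land. The following Python is an added example, not code from the thread or from phpBB: it parses the "Allowed memory size ... exhausted" message format, including the eval()'d-template variant from the first report, and ranks the locations. The first three sample lines are the errors quoted above; the fourth is a constructed repeat of one of them so the count has something to show, and the fifth is a constructed non-matching line.

```python
"""Parse PHP "Allowed memory size ... exhausted" errors and rank where they occur.

Added example, not from the thread. Sample lines 1-3 are the errors quoted in
the posts above; line 4 is a constructed repeat, line 5 a constructed non-match.
"""
import re
from collections import Counter

PHP_MEMORY_RE = re.compile(
    r"Fatal error: Allowed memory size of (?P<limit>\d+) bytes exhausted "
    r"\(tried to allocate (?P<tried>\d+) bytes\) in (?P<file>\S+?)"
    r"(?:\((?P<eval_line>\d+)\) : eval\(\)'d code)? on line (?P<line>\d+)"
)

SAMPLE_ERRORS = [
    "Fatal error: Allowed memory size of 8388608 bytes exhausted (tried to allocate 184320 bytes) in /home/httpd/vhosts/pennockssucks.saturnet.net/httpdocs/phpBB/includes/template.php(127) : eval()'d code on line 111",
    "Fatal error: Allowed memory size of 8388608 bytes exhausted (tried to allocate 184320 bytes) in /home/httpd/vhosts/pennockssucks.saturnet.net/httpdocs/phpBB/includes/page_header.php on line 386",
    "Fatal error: Allowed memory size of 8388608 bytes exhausted (tried to allocate 46080 bytes) in /home/httpd/vhosts/pennockssucks.saturnet.net/httpdocs/phpBB/includes/functions.php on line 647",
    # Constructed repeat of the functions.php error so the ranking has a count > 1.
    "Fatal error: Allowed memory size of 8388608 bytes exhausted (tried to allocate 46080 bytes) in /home/httpd/vhosts/pennockssucks.saturnet.net/httpdocs/phpBB/includes/functions.php on line 647",
    # Constructed line of a different kind; the parser must skip it.
    "PHP Notice: constructed sample line that is not a memory error",
]


def parse_memory_errors(lines):
    """Return one dict per memory-exhausted error; other lines are ignored."""
    records = []
    for line in lines:
        m = PHP_MEMORY_RE.search(line)
        if not m:
            continue
        records.append({
            "limit": int(m.group("limit")),
            "tried": int(m.group("tried")),
            "file": m.group("file"),
            "line": int(m.group("line")),
            # For eval()'d template code, PHP reports the template.php line that
            # called eval() in parentheses and the line inside the evaluated code
            # as "on line N"; keep both.
            "eval_line": int(m.group("eval_line")) if m.group("eval_line") else None,
        })
    return records


def memory_limits_mib(records):
    """Distinct memory_limit values seen, in MiB (8388608 bytes -> 8.0)."""
    return sorted({r["limit"] / 2**20 for r in records})


def hotspots(records):
    """Count errors per file:line so the most frequent failure point is first."""
    counter = Counter()
    for r in records:
        where = f"{r['file']}:{r['line']}"
        if r["eval_line"] is not None:
            where = f"{r['file']}:{r['eval_line']} (eval()'d code line {r['line']})"
        counter[where] += 1
    return counter


if __name__ == "__main__":
    recs = parse_memory_errors(SAMPLE_ERRORS)
    print("memory_limit (MiB):", memory_limits_mib(recs))
    for where, count in hotspots(recs).most_common():
        print(f"{count:3d}  {where}")
```

Feed it the real error log with `parse_memory_errors(open("error_log"))`. The ranking tells you which page paths fail most, which is what you need to reproduce the problem; the limit value tells you whether the quick fix (raising memory_limit) is on the table or whether a single request is genuinely consuming far more than it should.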
eHoward
Banned
Posts: 2160
Joined: Tue Aug 31, 2004 2:45 pm

Post by eHoward »

I just noticed that myself for the first time when replying to your post.

I will investigate.
stimpy
Who wants Ice Cream?
Posts: 2599
Joined: Wed Nov 17, 2004 2:29 pm

Post by stimpy »

Yeah, I was getting that when I tried to access my PMs.
eHoward
Banned
Posts: 2160
Joined: Tue Aug 31, 2004 2:45 pm

Post by eHoward »

Have you guys got that error in the past hour or so?

I did just drop a couple blocks of Verizon IPs and load on the server went down a ton.