HTTP Probe locks up Empeg

Posted by: Yang

HTTP Probe locks up Empeg - 25/02/2002 10:50

Just a warning, don't leave your empeg exposed to the world on port 80. I saw several requests in the serial output for cmd.exe and other programs that were apparently exploits for IIS (big surprise). I saw a couple of control characters in the path that was requested, which were incrementing, and eventually locked the empeg up.

I normally don't have anything up on port 80 as I've got cable modem service, but was showing the new XML stuff to a friend and noticed this happening. I've got a router/firewall, so I normally never notice any traffic..

Unfortunately, by the time I got a packet sniffer working, they had apparently moved on, so I couldn't get the exact request. The path requested was something like 'path\path\...<control character>...\system32\cmd.exe' or something.. sorry for not having any more details..
Posted by: mlord

Re: HTTP Probe locks up Empeg - 25/02/2002 11:01

Probably overflowed a buffer or something in khttpd.

The code checks most buffer sizes, but definitely has shortcuts here and there which could be exploited (and which I'm not really going to worry about here).

Cheers
Posted by: tfabris

Re: HTTP Probe locks up Empeg - 25/02/2002 11:18

If you ever run the product "Black Ice Defender" on any publicly-exposed PC, you will be AMAZED at how frequently there are attacks against IP addresses. IP exploit attacks are a constant, unyielding barrage against anything that responds to pings that is exposed on the public internet.

For those who haven't tried Black Ice Defender, I highly recommend checking it out. It's a very cool product. It will identify anyone attempting to attack you, identify the type of attack, block the attack, and link you to a detailed description of the type of attack.
Posted by: crocklobster

Re: HTTP Probe locks up Empeg - 25/02/2002 11:20

Thing is, those requests were probably made from some machine where the operator doesn't even know they were being made. Once a machine is infected with certain of those viri, they become zombies and look for other machines to infect. I get requests for cmd.exe on my cable modem web server all the time. It's fruitless, as I've long ago patched IIS, but they keep coming.

Chris
Posted by: loren

Re: HTTP Probe locks up Empeg - 25/02/2002 11:28

My Red Hat web server (logjamming.com) gets nailed CONSTANTLY with attempted IIS exploits like what you guys are describing. Seems to be some leftover Code Red variants that infected unknowing people's computers and they are used as bounce points for exploit attacks. We've tracked the attacking hosts down at least 5 times to find it was some guy at a university or business who had no idea his machine was infected. Incredibly annoying.
Posted by: tfabris

Re: HTTP Probe locks up Empeg - 25/02/2002 11:29

Right, I forgot to mention that. Most of the attacks are the result of web-aware viruses which attempt to auto-exploit known bugs in web server software. We're still seeing Nimda and Code Red attempts against our server on a constant basis. This means that each of those attacking sites is infected with the virus and the machine operator doesn't know they are infected.
Posted by: SE_Sport_Driver

Re: HTTP Probe locks up Empeg - 25/02/2002 11:58

Wouldn't these infected computers be nearly crippled? All of our machines that got hit were bricks (with Nimda)
Posted by: tfabris

Re: HTTP Probe locks up Empeg - 25/02/2002 12:02

True, the infected machines do run slow, and the network traffic is impacted by these viruses. However, if the administrators aren't paying attention to that particular machine or the network is choked to begin with, they might not notice right away.
Posted by: jane

Re: HTTP Probe locks up Empeg - 25/02/2002 12:12

I go through my web-logs every week and send emails to abuse@xxx. I also send abuse reports every time I receive spam. (I have an automated process)

Marius (Escort Cab + Mark II)
Posted by: SE_Sport_Driver

Re: HTTP Probe locks up Empeg - 25/02/2002 12:16

This is getting off topic JUST a touch, but have you guys seen the reports that many ISPs are blocking all incoming mail from Asian ISPs because the great percentage of it is spam... someone commented that these actions are doing a better job at denying the Chinese public access to the internet than the Chinese government did! :O
Posted by: Yang

Re: HTTP Probe locks up Empeg - 25/02/2002 12:20

someone commented that these actions are doing a better job at denying the Chinese public access to the internet than the Chinese government did!

That would be true, if the internet only consisted of email.
Posted by: Jazzwire

Re: HTTP Probe locks up Empeg - 25/02/2002 13:22

I use an old Linux box running a minimal setup and "hardened" by Bastille as a firewall. I wouldn't trust a windows box directly connected to the Internet, no matter what was running on it...

The number of port scans I get is scary (and I don't have broadband, I'm stuck on a dialup).
Posted by: Laura

Re: HTTP Probe locks up Empeg - 25/02/2002 16:01

I just posted in the technical section that mine has locked up 4 times in the last 15 minutes. Now I know why as I am getting hit with this probe. Here is my hyperterminal output.

khttpd: listening on port 80
kftpd: listening on port 21
Using non-standard cache size 126 (adjustment 8)
player.cpp : 385:empeg-car 2.00-beta11 2002/02/08.
Loading dancefile: "/empeg/lib/visuals/bevisdance.raw"
Loading dancefile: "/empeg/lib/visuals/ymcadance.raw"
Loading dancefile: "/empeg/lib/visuals/poledance.raw"
Prolux 4 empeg car - 2.1434 Feb 7 2002
Vcb: 0x407ed000
khttpd: open(/scripts/root.exe) failed, rc=-2
khttpd: open(/MSADC/root.exe) failed, rc=-2
khttpd: open(/c/winnt/system32/cmd.exe) failed, rc=-2
khttpd: open(/d/winnt/system32/cmd.exe) failed, rc=-2
khttpd: open(/scripts/..%5c../winnt/system32/cmd.exe) failed, rc=-2
khttpd: open(/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe) failed, rc=-2
khttpd: open(/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe) failed, rc=-2
khttpd: open(/msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe) failed, rc=-2
khttpd: open(/scripts/..Á../winnt/system32/cmd.exe) failed, rc=-2
khttpd: open(/scripts/..À/../winnt/system32/cmd.exe) failed, rc=-2
khttpd: open(/scripts/..À¯../winnt/system32/cmd.exe) failed, rc=-2
khttpd: open(/scripts/..Áœ../winnt/system32/cmd.exe) failed, rc=-2


So how do I go about blocking this port?
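As an added example (not code from the thread, the empeg player, or the Hijack/khttpd project), a small Python scanner over serial output like the one pasted above, flagging the IIS probe signatures it contains: cmd.exe/root.exe targets, `..\` traversal, and the overlong UTF-8 bytes (0xC0/0xC1, the À/Á characters above) that encode `/` and `\`. The log below is constructed from the quoted lines; the rc values and line format are taken from the post.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample, modelled on the khttpd serial output quoted in the thread.
# khttpd logs the path after decoding, so overlong bytes appear raw; one line
# is left %-escaped to show that both forms are handled.
SAMPLE_LOG = """khttpd: listening on port 80
kftpd: listening on port 21
khttpd: open(/scripts/root.exe) failed, rc=-2
khttpd: open(/MSADC/root.exe) failed, rc=-2
khttpd: open(/c/winnt/system32/cmd.exe) failed, rc=-2
khttpd: open(/scripts/..%5c../winnt/system32/cmd.exe) failed, rc=-2
khttpd: open(/scripts/..\xc0\xaf../winnt/system32/cmd.exe) failed, rc=-2
khttpd: open(/scripts/..%c1%9c../winnt/system32/cmd.exe) failed, rc=-2
khttpd: open(/empeg/lib/visuals/bevisdance.raw) failed, rc=-2
khttpd: open(/index.html) failed, rc=-2
"""

OPEN_RE = re.compile(r"khttpd: open\((.+?)\) failed, rc=(-?\d+)")
# Windows shell binaries and the system32 directory that the IIS worms go after.
SHELL_RE = re.compile(rb"(?:cmd|root)\.exe$|/winnt/system32/", re.IGNORECASE)
# ".." followed by a slash, backslash, or an overlong UTF-8 lead byte (0xC0/0xC1).
TRAVERSAL_RE = re.compile(rb"\.\.(?:[/\\]|[\xc0\xc1])")


def normalise(path: str) -> bytes:
    """Return the request path as raw bytes with any %XX escapes decoded."""
    raw = path.encode("latin-1", errors="replace")  # keeps 0xC0/0xC1 as-is
    return unquote_to_bytes(raw)


def classify_path(path: str) -> set[str]:
    """Reasons a request path looks like an IIS worm probe (empty if benign)."""
    p = normalise(path)
    reasons = set()
    if TRAVERSAL_RE.search(p):
        reasons.add("traversal")
    # 0xC0 and 0xC1 can only start an overlong (invalid) UTF-8 sequence.
    if any(b in (0xC0, 0xC1) for b in p):
        reasons.add("overlong-utf8")
    if SHELL_RE.search(p):
        reasons.add("iis-shell-target")
    return reasons


def scan_log(text: str) -> list[tuple[str, set[str]]]:
    """Return (path, reasons) for every khttpd open() line that looks like a probe."""
    hits = []
    for line in text.splitlines():
        m = OPEN_RE.search(line)
        if m:
            reasons = classify_path(m.group(1))
            if reasons:
                hits.append((m.group(1), reasons))
    return hits


if __name__ == "__main__":
    for path, reasons in scan_log(SAMPLE_LOG):
        print(f"{', '.join(sorted(reasons)):40} {path}")
```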
Posted by: tfabris

Re: HTTP Probe locks up Empeg - 25/02/2002 16:05

As I said in the other forum, the empeg is the least of your worries. You need to seriously check the computers on this local network for infection.

I don't know if this is happening at your home or at your work. If it's at your work, you need to talk to your network administrator and tell them that there are infected machines trying to infect other machines. If it's at home, you DESPERATELY need a NAT-and-Firewall router sitting between your local LAN and the rest of the internet. I recommend the Linksys BEFSR41 or BEFSR11.
Posted by: SE_Sport_Driver

Re: HTTP Probe locks up Empeg - 25/02/2002 16:08

Tony, would something like that work for DirecPC? They always mention Cable/DSL but I assume they mean all broadband?
Posted by: tfabris

Re: HTTP Probe locks up Empeg - 25/02/2002 16:12

Tony, would something like that work for DirecPC?

I do not know how DirecPC is set up. But if it's a standalone box that's got an ethernet port that connects to the rest of the network (as opposed to being a card in a PC), then any NAT/router/firewall box will work.
Posted by: SE_Sport_Driver

Re: HTTP Probe locks up Empeg - 25/02/2002 16:37

No... it is two modems (one for send, one for receive) connected to the computer via USB....
Posted by: andy

Re: HTTP Probe locks up Empeg - 25/02/2002 16:44

If the service presents itself as a RAS dialup connection on your PC then you should be able to use one of the personal firewalls, take your pick from:

- Tiny Firewall http://www.tinysoftware.com/
- Zone Alarm http://www.zonelabs.com/
- Black Ice Defender http://www.iss.net/products_services/hsoffice_protection/
Posted by: mlord

Re: HTTP Probe locks up Empeg - 25/02/2002 17:16

Pass on the Linksys -- go for NetGear instead.

Apparently at least a few ISPs have issues with the LinkSys boxes sending "short" (illegal) ethernet packets when using PPPoE connections.

Cheers
Posted by: tfabris

Re: HTTP Probe locks up Empeg - 25/02/2002 17:20

Even with the latest firmware updates for the Linksys boxes? They've been pretty good about fixing those sorts of things in the BEFSR firmware updates.

I agree that the Netgear products are good too. In fact, in Laura's situation, -ANY- nat/firewall would be better than nothing.
Posted by: Oli

Re: HTTP Probe locks up Empeg - 25/02/2002 17:27

I think that some dealers are still doing a special offer on the netgear MR314 4-port "switch/NAT gateway router/802.11b wireless AP" at the moment. Perfect for in-garage syncs.

DABS are doing it for about £160. I think that they are selling it in the US for about $180.

(if you dared leaving it in the garage)

Oli.
Posted by: tfabris

Re: HTTP Probe locks up Empeg - 25/02/2002 17:29

I think that the Linksys box can be had for under $100.00... Actually I could have sworn I'd seen them for under $50.00 once...
Posted by: mlord

Re: HTTP Probe locks up Empeg - 25/02/2002 17:29

Ingram Micro lists my price at C$258 right now, which translates to about US$163 or so. Neat.
Posted by: SE_Sport_Driver

Re: HTTP Probe locks up Empeg - 25/02/2002 17:30

tempting.... I need a hub, and assume a router like this would be better? hmmm
Posted by: tfabris

Re: HTTP Probe locks up Empeg - 25/02/2002 17:34

I need a hub, and assume a router like this would be better?

Remember that these NAT devices serve a different purpose than a hub. Some of them come with an integrated hub/switch (the Linksys BEFSR41 has four 10/100mb switched ports, the BEFSR11 is a single port), but their real purpose is to protect your local network from a broadband connection while still allowing users inside the network access to the internet.

They include Network Address Translation (NAT) and a DHCP server, along with some firewall features.

But if you happen to need a 4-port hub at the same time as you need a firewall for your network, then you certainly can't go wrong with one of these products.
Posted by: Laura

Re: HTTP Probe locks up Empeg - 25/02/2002 18:03

Ok, now it is getting complicated. I have a Cisco router for my ADSL and a 4 port Net Gear hub of which 3 ports are in use. If I get a Net Gear firewall will it plug into the hub then?

I knew my state income tax refund would get used up quickly.
Posted by: mlord

Re: HTTP Probe locks up Empeg - 25/02/2002 18:08

Do it the other way around.

Connect NetGear firewall directly to ADSL (cisco), and plug the "regular" hub into the NetGear firewall. Use the hub's "uplink" port for connecting to the firewall, or use any other port in combo with a cross-over cable.
Posted by: tfabris

Re: HTTP Probe locks up Empeg - 25/02/2002 18:09

Interesting. A nat/firewall would replace BOTH of those things in a single box. Then you could sell those two things on Ebay.

I'm surprised that the Cisco router doesn't have NAT and firewall features available already. Maybe all you need to do is activate those features.
Posted by: Laura

Re: HTTP Probe locks up Empeg - 25/02/2002 18:10

Ok, thank you. I'll start looking at prices on one.
Posted by: Laura

Re: HTTP Probe locks up Empeg - 25/02/2002 18:13

I could check into that. I believe these routers are the cheapest that Cisco has and I don't believe that the ADSL will work without it but I could be wrong.
Posted by: tfabris

Re: HTTP Probe locks up Empeg - 25/02/2002 18:17

I don't believe that the ADSL will work without it but I could be wrong.

Does this Cisco router plug directly into the ADSL telephone wire, or is there a separate ADSL modem?

If the former, then you could be right. If the latter, there is a good possibility that any router will work if it's configured right.
Posted by: drakino

Re: HTTP Probe locks up Empeg - 25/02/2002 18:21

Last time I saw this, I was at work last month. I promptly called our IM guys, who then sent out an e-mail saying "Don't $#@$ forget to patch your lab servers!".

I just got another one today, and checking my wormattack logs on my Linux server here, it did make a comeback in the past few days. All on a mostly closed network.
Posted by: Laura

Re: HTTP Probe locks up Empeg - 25/02/2002 18:32

The phone line goes directly into it so I think I have to have this router. Got it when ADSL was installed. It's a shame that we can't somehow use programs like ZoneAlarm to protect the empeg from attacks too. Oh well, I need another gadget.
Posted by: tonyc

Re: HTTP Probe locks up Empeg - 25/02/2002 19:54

If you're talking about, say a BEFSR41, I got mine for $50 but that was after a $50 rebate. This was over a year ago. Great router, effortless to configure and hasn't failed me once.
Posted by: tonyc

Re: HTTP Probe locks up Empeg - 25/02/2002 19:55

I know I asked this already, but is there any reason you're not just changing your kHTTPd port to avoid these hacks? If your HTTP daemon isn't running on 80, you won't get hit by these viruses. This is much simpler than buying hardware, and it's free...
Posted by: Laura

Re: HTTP Probe locks up Empeg - 25/02/2002 20:32

You mentioned having to change the URL to the empeg after changing the port. How would that work?
Posted by: tonyc

Re: HTTP Probe locks up Empeg - 25/02/2002 21:01

Well 80 is the default port so normally you don't need to specify it. If you change the default port on your Empeg, you'll just have to go

http://192.168.0.0:8080/

If your port is 8080. A few extra characters to type or bookmark.
Posted by: drakino

Re: HTTP Probe locks up Empeg - 25/02/2002 21:04

The other thing to keep in mind is that Internet Explorer requires the http:// if the port changes. Ensure to manually type it out if you decide to change the web port in hijack.
Posted by: Laura

Re: HTTP Probe locks up Empeg - 25/02/2002 21:13

Thanks for explaining it to me. I will do that and see how well it works. I'll also look into the cost of a Net Gear firewall. Either way I will put it under some protection.
Posted by: tfabris

Re: HTTP Probe locks up Empeg - 25/02/2002 21:26

Keep in mind that I'm recommending the firewall box not for the empeg, but for any actual computers on the network. As I said, if your local network is open to the internet, the empeg is the least of your worries.

Anyone with a broadband always-on connection should, at an absolute minimum, be hiding behind a NAT layer. That's just my generalized advice. Products like ZoneAlarm are nice, but they're not the whole solution.

One other note: if you still want your friends to download from the empeg, and it's behind the firewall, you will need to do some configuration tricks to get it to work for them. Either create a DMZ (usually used for web servers on firewalled networks, which, actually, that's what the empeg is doing in this capacity), or by doing port forwarding or something like that. This hopefully will be covered in the manual for the firewall.
Posted by: Yang

Re: HTTP Probe locks up Empeg - 25/02/2002 23:25

If you really want a netgear, I've got a RT311 that I wouldn't mind selling. I stopped using it because it seemed to stop sending DNS queries through my cable modem after a while.. As cable modems are temperamental things, I really don't know if it's the router, or just the fact that cable modems like to change your IP in funny ways, and it can't handle it.. *shrug*

I would personally suggest getting a LinkSys.. The Netgear uses a menu driven (through serial/telnet) interface that umm.. leaves a lot to be desired.. Linksys has a nice, easy to use web interface that provides functionality that you actually can use..

They both support PPPoE connections, so ADSL support is no problem..
Posted by: wfaulk

Re: HTTP Probe locks up Empeg - 25/02/2002 23:50

Ahh, but that character interface can be a godsend for remote configurations. Not that that's probably an issue here.

Then again, I'd still advocate using a cheap Intel box running OpenBSD or something. I've never been impressed with the limited functions available in those black box (blue?) solutions.
Posted by: tfabris

Re: HTTP Probe locks up Empeg - 25/02/2002 23:52

Yeah, and Laura's already demonstrated a proficiency in using a serial cable and terminal software with a remote peripheral...
Posted by: drakino

Re: HTTP Probe locks up Empeg - 26/02/2002 01:22

Then again, I'd still advocate using a cheap Intel box running OpenBSD or something. I've never been impressed with the limited functions available in those black box (blue?) solutions.

Plus you never know how a dedicated box will affect you until you have one. My "server" started its life as a Windows NT file server. From there, I added a caller ID program, Distributed.net proxy. Then I decided it was silly for my roommate and I to pay for 2 more IPs (on top of the 3 we had) when we were getting laptops, so I formatted it and played with that weird OS called Linux. It started as a simple sharing box, then added a web server, Windows file sharing via samba, then mail, DNS caching, and a pop server that pulled many accounts.

Years later, it now does: Internet sharing, DHCP, DNS caching + backup for a domain, mail gathering for many accounts including some hotmail ones, IMAP mail with an awesome front end, NFS file sharing, Windows file sharing, Battle.Net server, (from time to time) a Half Life or UT server, web proxy to speed up the connection a bit, advanced PHP web serving, roaming profiles for Windows, LDAP address book, distributed.net proxy and stats, and an empeg web cam. All from hardware I have no use for otherwise. (And I'm sure I missed a few functions there). While it has taken quite a bit of time, it has been much more rewarding, as it's the sole reason I know Linux as well as I do.
Posted by: Laura

Re: HTTP Probe locks up Empeg - 26/02/2002 07:06

I tried changing the port in config.ini this morning. I can't reach the player using the port # but I can still get to it not using it. So that solution didn't seem to work.
Posted by: tonyc

Re: HTTP Probe locks up Empeg - 26/02/2002 07:52

Eh? Not sure why. Are you sure you typed in the whole URL? Like, if khttpd_port (which must be in the [hijack] section of config.ini) is set to 8080, the URL would look like:

http://xxx.xxx.xxx.xxx:8080/

The http:// part is required... If you did all that and it's still not working, I'm stumped, because it works for me.
Posted by: tfabris

Re: HTTP Probe locks up Empeg - 26/02/2002 10:48

Check your config.ini edits and make sure that they're all in the right places based on Loren's Hijack FAQ. Also make sure your config.ini isn't oversized from having too many Favorite Visuals entries.
Posted by: Nosferatu

Re: HTTP Probe locks up Empeg - 26/02/2002 11:08

It works because in one other thread, I asked for this cos I had Displayserver installed and conflicting with Mark's Hijack webserver.

I tried just now to change the port in my config.ini and that rocks as well as port 80.

I tried with khttpd_port=81


Included screen capture with port 81 setup

(Don't tell me about the bad conformity of the network address, cos it's my job's address class)
Posted by: Laura

Re: HTTP Probe locks up Empeg - 26/02/2002 13:02

I tried it again with port 81 and this time it does work. Before I tried with 90, 8080, 9090, and 4040. I'm not sure why the 81 works but I'm happy with that.

Thanks again for the help. Now I can rest a little easier.
Posted by: tfabris

Re: HTTP Probe locks up Empeg - 26/02/2002 13:05

I tried it again with port 81 and this time it does work. Before I tried with 90, 8080, 9090, and 4040. I'm not sure why the 81 works but I'm happy with that.

Heh, probably because ZoneAlarm was blocking web traffic on those other ports?
Posted by: Nosferatu

Re: HTTP Probe locks up Empeg - 26/02/2002 13:24

Sorry, but tried port 90 and also works.

Tony's right, probably ZoneAlarm that blocks these ports ...