Unofficial empeg BBS


Page 1 of 2
#74737 - 25/02/2002 10:50 HTTP Probe locks up Empeg
Yang
addict

Registered: 14/01/2002
Posts: 443
Loc: Raleigh, NC
Just a warning: don't leave your empeg exposed to the world on port 80. I saw several requests in the serial output for cmd.exe and other programs that were apparently exploits for IIS (big surprise). I saw a couple of control characters in the path that was requested, which were incrementing, and eventually locked the empeg up.

I normally don't have anything up on port 80, as I've got cable modem service, but I was showing the new XML stuff to a friend and noticed this happening. I've got a router/firewall, so I normally never notice any traffic.

Unfortunately, by the time I got a packet sniffer working, they had apparently moved on, so I couldn't get the exact request. The path requested was something like 'path\path\...<control character>...\system32\cmd.exe' or something... sorry for not having any more details.

#74738 - 25/02/2002 11:01 Re: HTTP Probe locks up Empeg [Re: Yang]
mlord
carpal tunnel

Registered: 29/08/2000
Posts: 14491
Loc: Canada
Probably overflowed a buffer or something in khttpd.

The code checks most buffer sizes, but definitely has shortcuts here and there which could be exploited (and which I'm not really going to worry about here).

Cheers

#74739 - 25/02/2002 11:18 Re: HTTP Probe locks up Empeg [Re: Yang]
tfabris
carpal tunnel

Registered: 20/12/1999
Posts: 31594
Loc: Seattle, WA
If you ever run the product "Black Ice Defender" on any publicly-exposed PC, you will be AMAZED at how frequently there are attacks against IP addresses. IP exploit attacks are a constant, unyielding barrage against anything that responds to pings and is exposed on the public internet.

For those who haven't tried Black Ice Defender, I highly recommend checking it out. It's a very cool product. It will identify anyone attempting to attack you, identify the type of attack, block the attack, and link you to a detailed description of the type of attack.
_________________________
Tony Fabris

#74740 - 25/02/2002 11:20 Re: HTTP Probe locks up Empeg [Re: mlord]
crocklobster
member

Registered: 19/12/2001
Posts: 108
Thing is, those requests were probably made from some machine where the operator doesn't even know they were being made. Once a machine is infected with certain of those viruses, it becomes a zombie and looks for other machines to infect. I get requests for cmd.exe on my cable-modem web server all the time. It's fruitless, as I patched IIS long ago, but they keep coming.

Chris

#74741 - 25/02/2002 11:28 Re: HTTP Probe locks up Empeg [Re: crocklobster]
loren
carpal tunnel

Registered: 23/08/2000
Posts: 3826
Loc: SLC, UT, USA
My Red Hat web server (logjamming.com) gets nailed CONSTANTLY with attempted IIS exploits like what you guys are describing. It seems to be some leftover Code Red variants that infected unknowing people's computers, which are then used as bounce points for exploit attacks. We've tracked the attacking hosts down at least 5 times, only to find it was some guy at a university or business who had no idea his machine was infected. Incredibly annoying.
_________________________
|| loren ||

#74742 - 25/02/2002 11:29 Re: HTTP Probe locks up Empeg [Re: crocklobster]
tfabris
carpal tunnel

Registered: 20/12/1999
Posts: 31594
Loc: Seattle, WA
Right, I forgot to mention that. Most of the attacks are the result of web-aware viruses which attempt to auto-exploit known bugs in web server software. We're still seeing Nimda and Code Red attempts against our server on a constant basis. This means that each of those attacking sites is infected with the virus and the machine operator doesn't know they are infected.
_________________________
Tony Fabris

#74743 - 25/02/2002 11:58 Re: HTTP Probe locks up Empeg [Re: tfabris]
SE_Sport_Driver
carpal tunnel

Registered: 05/01/2001
Posts: 4903
Loc: Detroit, MI USA
Wouldn't these infected computers be nearly crippled? All of our machines that got hit were bricks (with Nimda).
_________________________
Brad B.

#74744 - 25/02/2002 12:02 Re: HTTP Probe locks up Empeg [Re: SE_Sport_Driver]
tfabris
carpal tunnel

Registered: 20/12/1999
Posts: 31594
Loc: Seattle, WA
True, the infected machines do run slow, and the network traffic is impacted by these viruses. However, if the administrators aren't paying attention to that particular machine or the network is choked to begin with, they might not notice right away.
_________________________
Tony Fabris

#74745 - 25/02/2002 12:12 Re: HTTP Probe locks up Empeg [Re: tfabris]
jane
enthusiast

Registered: 10/10/2000
Posts: 350
Loc: Copenhagen SW, Denmark
I go through my web logs every week and send emails to abuse@xxx. I also send abuse reports every time I receive spam. (I have an automated process.)

Marius (Escort Cab + Mark II)

#74746 - 25/02/2002 12:16 Re: HTTP Probe locks up Empeg [Re: jane]
SE_Sport_Driver
carpal tunnel

Registered: 05/01/2001
Posts: 4903
Loc: Detroit, MI USA
This is getting off topic JUST a touch, but have you guys seen the reports that many ISPs are blocking all incoming mail from Asian ISPs because the great percentage of it is spam... someone commented that these actions are doing a better job at denying the Chinese public access to the internet than the Chinese government did! :O
_________________________
Brad B.

#74747 - 25/02/2002 12:20 Re: HTTP Probe locks up Empeg [Re: SE_Sport_Driver]
Yang
addict

Registered: 14/01/2002
Posts: 443
Loc: Raleigh, NC
someone commented that these actions are doing a better job at denying the Chinese public access to the internet than the Chinese government did!

That would be true, if the internet only consisted of email.

#74748 - 25/02/2002 13:22 Re: HTTP Probe locks up Empeg [Re: tfabris]
Jazzwire
addict

Registered: 09/06/1999
Posts: 483
Loc: Guernsey
I use an old Linux box running a minimal setup and "hardened" by Bastille as a firewall. I wouldn't trust a windows box directly connected to the Internet, no matter what was running on it...

The number of port scans I get is scary (and I don't have broadband, I'm stuck on a dialup).
_________________________
Jazz (List 112, Mk2 42 gig #40. Mk1 4 gig #30. Mk3 1.6 16v)

#74749 - 25/02/2002 16:01 Re: HTTP Probe locks up Empeg [Re: Yang]
Laura
pooh-bah

Registered: 16/06/2000
Posts: 1682
Loc: Greenhills, Ohio
I just posted in the technical section that mine has locked up 4 times in the last 15 minutes. Now I know why, as I am getting hit with this probe. Here is my HyperTerminal output.

khttpd: listening on port 80
kftpd: listening on port 21
Using non-standard cache size 126 (adjustment 8)
player.cpp : 385:empeg-car 2.00-beta11 2002/02/08.
Loading dancefile: "/empeg/lib/visuals/bevisdance.raw"
Loading dancefile: "/empeg/lib/visuals/ymcadance.raw"
Loading dancefile: "/empeg/lib/visuals/poledance.raw"
Prolux 4 empeg car - 2.1434 Feb 7 2002
Vcb: 0x407ed000
khttpd: open(/scripts/root.exe) failed, rc=-2
khttpd: open(/MSADC/root.exe) failed, rc=-2
khttpd: open(/c/winnt/system32/cmd.exe) failed, rc=-2
khttpd: open(/d/winnt/system32/cmd.exe) failed, rc=-2
khttpd: open(/scripts/..%5c../winnt/system32/cmd.exe) failed, rc=-2
khttpd: open(/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe) failed, rc=-2
khttpd: open(/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe) failed, rc=-2
khttpd: open(/msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe) failed, rc=-2
khttpd: open(/scripts/..Á../winnt/system32/cmd.exe) failed, rc=-2
khttpd: open(/scripts/..À/../winnt/system32/cmd.exe) failed, rc=-2
khttpd: open(/scripts/..À¯../winnt/system32/cmd.exe) failed, rc=-2
khttpd: open(/scripts/..Áœ../winnt/system32/cmd.exe) failed, rc=-2
So how do I go about blocking this port?
_________________________
Laura

MKI #017/90

whatever

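The probe strings in the serial output above, and the weekly log pass jane and loren describe, as an added example (my code, not the empeg project's, Hijack's or khttpd's). It reads the "khttpd: open(PATH) failed, rc=-2" lines as logged, plus constructed Apache combined-log lines so hits can be tallied per source address for an abuse report. The lenient two-byte UTF-8 decode is a reconstruction of the IIS decoding bug the worms relied on; every sample line and address below is constructed.

```python
"""Spot Code Red / Nimda style probes in khttpd serial output and web logs.

Added example for this thread, not code from the empeg project, Hijack or
khttpd. Paths are percent-decoded and then run through the lenient two-byte
UTF-8 decode the vulnerable IIS versions used, so overlong sequences such as
%c0%af and %c1%1c collapse to '/' and '\\' and the traversal becomes visible.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple
from urllib.parse import unquote_to_bytes

KHTTPD_RE = re.compile(rb"khttpd: open\((.*)\) failed, rc=(-?\d+)")
# Apache combined log: client address first, request line in quotes.
COMBINED_RE = re.compile(rb'^(\S+) \S+ \S+ \[[^\]]*\] "(?:GET|HEAD|POST) (\S+)')
# Files the IIS worms ask for (named in the CERT advisories on Code Red II / Nimda).
PAYLOAD_TARGETS = (b"cmd.exe", b"root.exe")


@dataclass
class Probe:
    raw: bytes              # path exactly as logged
    decoded: str            # after percent and lenient UTF-8 decoding
    traversal: bool         # a '..' segment survives decoding
    payload: Optional[str]  # 'cmd.exe', 'root.exe' or None


def lenient_utf8_decode(data: bytes) -> bytes:
    """Decode two-byte sequences the way the vulnerable IIS did: lead byte 0xC0-0xDF
    plus the next byte gives ((lead & 0x1F) << 6) | (next & 0x3F), with no check that
    the result is overlong (%c0%af -> '/') or that 'next' is a continuation byte
    (%c1%1c -> '\\'). Results of 0x80 or more are left as they were."""
    out = bytearray()
    i = 0
    while i < len(data):
        lead = data[i]
        if 0xC0 <= lead <= 0xDF and i + 1 < len(data):
            cp = ((lead & 0x1F) << 6) | (data[i + 1] & 0x3F)
            if cp < 0x80:
                out.append(cp)
                i += 2
                continue
        out.append(lead)
        i += 1
    return bytes(out)


def classify_path(raw: bytes) -> Probe:
    """Strip the query string, decode, normalise '\\' to '/', then look for a
    '..' segment and a known worm payload in the last path segment."""
    path = raw.split(b"?", 1)[0]
    decoded = lenient_utf8_decode(unquote_to_bytes(path)).replace(b"\\", b"/")
    segments = decoded.split(b"/")
    last = segments[-1].lower()
    payload = next((t.decode() for t in PAYLOAD_TARGETS if last == t), None)
    return Probe(raw, decoded.decode("latin-1"), b".." in segments, payload)


def parse_khttpd(line: bytes) -> Optional[bytes]:
    m = KHTTPD_RE.search(line)
    return m.group(1) if m else None


def parse_combined(line: bytes) -> Optional[Tuple[bytes, bytes]]:
    m = COMBINED_RE.match(line)
    return (m.group(1), m.group(2)) if m else None


def tally_attackers(lines: Iterable[bytes]) -> Counter:
    """Count worm probes per client address: the list for each network's abuse desk."""
    hits: Counter = Counter()
    for line in lines:
        parsed = parse_combined(line)
        if parsed and classify_path(parsed[1]).payload:
            hits[parsed[0].decode()] += 1
    return hits


# Constructed from the serial output quoted above. The 'Á' and 'À¯' seen there are
# the raw bytes 0xC1 0x1C and 0xC0 0xAF as a Latin-1 terminal draws them.
KHTTPD_SAMPLE = [
    b"khttpd: open(/scripts/root.exe) failed, rc=-2",
    b"khttpd: open(/scripts/..%5c../winnt/system32/cmd.exe) failed, rc=-2",
    b"khttpd: open(/scripts/..\xc1\x1c../winnt/system32/cmd.exe) failed, rc=-2",
    b"khttpd: open(/scripts/..\xc0\xaf../winnt/system32/cmd.exe) failed, rc=-2",
    b"khttpd: open(/empeg/missing.xml) failed, rc=-2",  # ordinary 404, not a probe
]
# Constructed Apache combined-log lines; addresses are from documentation ranges.
COMBINED_SAMPLE = [
    b'192.0.2.10 - - [25/Feb/2002:11:01:03 -0500] "GET /scripts/root.exe HTTP/1.0" 404 276 "-" "-"',
    b'192.0.2.10 - - [25/Feb/2002:11:01:04 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276 "-" "-"',
    b'198.51.100.7 - - [25/Feb/2002:11:02:00 -0500] "GET /index.html HTTP/1.1" 200 1520 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for line in KHTTPD_SAMPLE:
        path = parse_khttpd(line)
        if path is not None:
            p = classify_path(path)
            print(f"{p.decoded:40} traversal={p.traversal} payload={p.payload}")
    print("probes per source:", dict(tally_attackers(COMBINED_SAMPLE)))
```

The odd characters in the serial log above are not corruption: Nimda sends the traversal as overlong UTF-8 (%c1%1c, %c0%2f, %c0%af, %c1%9c), khttpd percent-decodes them to raw bytes, and HyperTerminal draws 0xC1, 0xC0, 0xAF and 0x9C as Á, À, ¯ and œ (0x1C is unprintable). All four variants decode to the same "/scripts/../../winnt/system32/cmd.exe" once the IIS-style decode is applied, which is the check worth keeping in a detection rule rather than a list of literal strings.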
#74750 - 25/02/2002 16:05 Re: HTTP Probe locks up Empeg [Re: Laura]
tfabris
carpal tunnel

Registered: 20/12/1999
Posts: 31594
Loc: Seattle, WA
As I said in the other forum, the empeg is the least of your worries. You need to seriously check the computers on this local network for infection.

I don't know if this is happening at your home or at your work. If it's at work, you need to talk to your network administrator and tell them that there are infected machines trying to infect other machines. If it's at home, you DESPERATELY need a NAT-and-firewall router sitting between your local LAN and the rest of the internet. I recommend the Linksys BEFSR41 or BEFSR11.
_________________________
Tony Fabris

#74751 - 25/02/2002 16:08 Re: HTTP Probe locks up Empeg [Re: tfabris]
SE_Sport_Driver
carpal tunnel

Registered: 05/01/2001
Posts: 4903
Loc: Detroit, MI USA
Tony, would something like that work for DirecPC? They always mention Cable/DSL but I assume they mean all broadband?
_________________________
Brad B.

#74752 - 25/02/2002 16:12 Re: HTTP Probe locks up Empeg [Re: SE_Sport_Driver]
tfabris
carpal tunnel

Registered: 20/12/1999
Posts: 31594
Loc: Seattle, WA
Tony, would something like that work for DirecPC?

I do not know how DirecPC is set up. But if it's a standalone box that's got an ethernet port that connects to the rest of the network (as opposed to being a card in a PC), then any NAT/router/firewall box will work.
_________________________
Tony Fabris

#74753 - 25/02/2002 16:37 Re: HTTP Probe locks up Empeg [Re: tfabris]
SE_Sport_Driver
carpal tunnel

Registered: 05/01/2001
Posts: 4903
Loc: Detroit, MI USA
No... it is two modems (one for send, one for receive) connected to the computer via USB....
_________________________
Brad B.

#74754 - 25/02/2002 16:44 Re: HTTP Probe locks up Empeg [Re: SE_Sport_Driver]
andy
carpal tunnel

Registered: 10/06/1999
Posts: 5916
Loc: Wivenhoe, Essex, UK
If the service presents itself as a RAS dialup connection on your PC, then you should be able to use one of the personal firewalls; take your pick from:

- Tiny Firewall http://www.tinysoftware.com/
- Zone Alarm http://www.zonelabs.com/
- Black Ice Defender http://www.iss.net/products_services/hsoffice_protection/
_________________________
Remind me to change my signature to something more interesting someday

#74755 - 25/02/2002 17:16 Re: HTTP Probe locks up Empeg [Re: tfabris]
mlord
carpal tunnel

Registered: 29/08/2000
Posts: 14491
Loc: Canada
Pass on the Linksys -- go for NetGear instead.

Apparently at least a few ISPs have issues with the Linksys boxes sending "short" (illegal) ethernet packets when using PPPoE connections.

Cheers

#74756 - 25/02/2002 17:20 Re: HTTP Probe locks up Empeg [Re: mlord]
tfabris
carpal tunnel

Registered: 20/12/1999
Posts: 31594
Loc: Seattle, WA
Even with the latest firmware updates for the Linksys boxes? They've been pretty good about fixing those sorts of things in the BEFSR firmware updates.

I agree that the Netgear products are good too. In fact, in Laura's situation, -ANY- NAT/firewall would be better than nothing.
_________________________
Tony Fabris

#74757 - 25/02/2002 17:27 Re: HTTP Probe locks up Empeg [Re: mlord]
Oli
journeyman

Registered: 20/02/2002
Posts: 58
Loc: Bucks, UK.
I think that some dealers are still doing a special offer on the Netgear MR314 4-port "switch/NAT gateway router/802.11b wireless AP" at the moment. Perfect for in-garage syncs.

DABS are doing it for about £160. I think that they are selling it in the US for about $180.

(if you dared leaving it in the garage)

Oli.

#74758 - 25/02/2002 17:29 Re: HTTP Probe locks up Empeg [Re: Oli]
tfabris
carpal tunnel

Registered: 20/12/1999
Posts: 31594
Loc: Seattle, WA
I think that the Linksys box can be had for under $100.00... Actually I could have sworn I'd seen them for under $50.00 once...
_________________________
Tony Fabris

#74759 - 25/02/2002 17:29 Re: HTTP Probe locks up Empeg [Re: Oli]
mlord
carpal tunnel

Registered: 29/08/2000
Posts: 14491
Loc: Canada
Ingram Micro lists my price at C$258 right now, which translates to about US$163 or so. Neat.

#74760 - 25/02/2002 17:30 Re: HTTP Probe locks up Empeg [Re: tfabris]
SE_Sport_Driver
carpal tunnel

Registered: 05/01/2001
Posts: 4903
Loc: Detroit, MI USA
Tempting... I need a hub, and assume a router like this would be better? Hmmm.
_________________________
Brad B.

#74761 - 25/02/2002 17:34 Re: HTTP Probe locks up Empeg [Re: SE_Sport_Driver]
tfabris
carpal tunnel

Registered: 20/12/1999
Posts: 31594
Loc: Seattle, WA
I need a hub, and assume a router like this would be better?

Remember that these NAT devices serve a different purpose than a hub. Some of them come with an integrated hub/switch (the Linksys BEFSR41 has four 10/100mb switched ports, the BEFSR11 is a single port), but their real purpose is to protect your local network from a broadband connection while still allowing users inside the network access to the internet.

They include Network Address Translation (NAT) and a DHCP server, along with some firewall features.

But if you happen to need a 4-port hub at the same time as you need a firewall for your network, then you certainly can't go wrong with one of these products.
_________________________
Tony Fabris

#74762 - 25/02/2002 18:03 Re: HTTP Probe locks up Empeg [Re: tfabris]
Laura
pooh-bah

Registered: 16/06/2000
Posts: 1682
Loc: Greenhills, Ohio
Ok, now it is getting complicated. I have a Cisco router for my ADSL and a 4-port Netgear hub, of which 3 ports are in use. If I get a Netgear firewall, will it plug into the hub then?

I knew my state income tax refund would get used up quickly.
_________________________
Laura

MKI #017/90

whatever

#74763 - 25/02/2002 18:08 Re: HTTP Probe locks up Empeg [Re: Laura]
mlord
carpal tunnel

Registered: 29/08/2000
Posts: 14491
Loc: Canada
Do it the other way around.

Connect the Netgear firewall directly to the ADSL (Cisco), and plug the "regular" hub into the Netgear firewall. Use the hub's "uplink" port for connecting to the firewall, or use any other port in combination with a crossover cable.

#74764 - 25/02/2002 18:09 Re: HTTP Probe locks up Empeg [Re: Laura]
tfabris
carpal tunnel

Registered: 20/12/1999
Posts: 31594
Loc: Seattle, WA
Interesting. A NAT/firewall would replace BOTH of those things in a single box. Then you could sell those two things on eBay.

I'm surprised that the Cisco router doesn't have NAT and firewall features available already. Maybe all you need to do is activate those features.
_________________________
Tony Fabris

#74765 - 25/02/2002 18:10 Re: HTTP Probe locks up Empeg [Re: mlord]
Laura
pooh-bah

Registered: 16/06/2000
Posts: 1682
Loc: Greenhills, Ohio
Ok, thank you. I'll start looking at prices on one.
_________________________
Laura

MKI #017/90

whatever

#74766 - 25/02/2002 18:13 Re: HTTP Probe locks up Empeg [Re: tfabris]
Laura
pooh-bah

Registered: 16/06/2000
Posts: 1682
Loc: Greenhills, Ohio
I could check into that. I believe these routers are the cheapest that Cisco has, and I don't believe that the ADSL will work without it, but I could be wrong.
_________________________
Laura

MKI #017/90

whatever
