Threat of running a web server?

  • Thread starter Thread starter Noyb
  • Start date Start date
N

Noyb

Does leaving port 80 open for serving web pages leave me vulnerable? A few
hours after telling BlackICE to allow port 80 traffic in I got an alarm with
this event: HTTP_Code_Red_II

Norton alerted me to the virus soon after and deleted it. Here's there
write-up on it if anyone's interested:
http://securityresponse.symantec.com/avcenter/venc/data/codered.worm.html

I'm running Apache on WinXP with BlackICE and Norton AntiVirus running
behind a Linksys router that is forwarding port 80 to my machine. Anyone
know how this is possible that someone gave me a virus over my apache web
server? Do I have a security hole or is this threat something I have to live
with if I'm going to have a web server? Thanks for any help or suggestions.

Steve.
 
Does leaving port 80 open for serving web pages leave me vulnerable?
Click to expand...

Yep.


--
Conor

"The vast majority of Iraqis want to live in a peaceful, free world.
And we will find these people and we will bring them to justice." --
George Bush
 
Does leaving port 80 open for serving web pages leave me vulnerable? A few
hours after telling BlackICE to allow port 80 traffic in I got an alarm with
this event: HTTP_Code_Red_II

Norton alerted me to the virus soon after and deleted it. Here's there
write-up on it if anyone's interested:
http://securityresponse.symantec.com/avcenter/venc/data/codered.worm.html

I'm running Apache on WinXP with BlackICE and Norton AntiVirus running
behind a Linksys router that is forwarding port 80 to my machine. Anyone
know how this is possible that someone gave me a virus over my apache web
server? Do I have a security hole or is this threat something I have to live
with if I'm going to have a web server? Thanks for any help or suggestions.

Steve.
Click to expand...


allowing _any_ daemon (server for you microsoft weenies) to run on _any_
port leaves you _vulnerable_. "how vulnerable" is dependant upon the
daemon/server. _all_ programs have the _potential_ to be exploited. if
you don't know what you're doing, don't run a server/daemon, even if
you're running "black ice", nothing more than a IDS anyway.... even a
personal firewall.... if you're explicitly telling the firewall/IDS to
ignore port 80 traffic, you're leaving that particular service "out
there". if you don't know what you're doing, you don't keep up on
server/daemon patching and you're not running a proper IDS and actually
watching the friggin logs, you'll get hacked... it's only a matter of
time (in some cases, a 0day exploit).



--
Colonel Flagg
http://www.internetwarzone.org/

Privacy at a click:
http://www.cotse.net

Q: How many Bill Gates does it take to change a lightbulb?
A: None, he just defines Darkness? as the new industry standard..."

"...I see stupid people."
 
Colonel Flagg wrote:
[snip]
allowing _any_ daemon (server for you microsoft weenies) to run on _any_
Click to expand...

http://en.wikipedia.org/wiki/Daemon

while i'm sure there are plenty of reasons to make fun of microsoft
weenies, it helps to get your facts straight first... a daemon's
windows counterpart is the service not the server... a server is a
server regardless of the platform... it's an architectural concept (as
in client/server), not and operating system specific one...

agree with the rest of the post though, more or less... accepting
unprompted traffic (opening up a port for a server) means a greater
risk of exposure to malicious code... if you don't know how to mitigate
the risk you should consider less risky enterprises...
 
Does leaving port 80 open for serving web pages leave me vulnerable? A
few hours after telling BlackICE to allow port 80 traffic in I got an
alarm with this event: HTTP_Code_Red_II
Click to expand...

If you have set up Blackice correctly which is ACCEPT all IP(s) on PORT 80,
enabled *Auto Blocking*, which turns on the IDS to tell the BI FW to block
stuff coming down Port 80 if detected such as HTTP_Code_Red_II, the machine
should be protected from that aspect. If you got the alert, then BI should
have blocked the attack.

I got plenty of attacks using BI on my IIS Webserver machine and nothing
came through.
Norton alerted me to the virus soon after and deleted it. Here's there
write-up on it if anyone's interested:
http://securityresponse.symantec.com/avcenter/venc/data/codered.worm.ht
ml
Click to expand...

And how can the Code Red attack an Apache Webserver, since the attack only
affects IIS 4.0 or 5.0, according to the link above that have not been
patched?
I'm running Apache on WinXP with BlackICE and Norton AntiVirus running
behind a Linksys router that is forwarding port 80 to my machine.
Anyone know how this is possible that someone gave me a virus over my
apache web server?
Click to expand...

If you're sitting out there without the Webserver and the XP O/S locked
down/harden and running with an Admin Account, then I don't see why you
cannot be attacked. All I can tell you is that Code Red won't come down
port 80 past BI, if BI is configured porpely.
Do I have a security hole or is this threat
something I have to live with if I'm going to have a web server?
Thanks for any help or suggestions.
Click to expand...

Too many people with a home network can hardly protect a machine period
for everyday home usage on the Internet let alone put up a Webserver. And
yet they try to do it.

I suggest you do your homework before proceeding further. And I would start
with the XP Pro Resoruce Kit book.

The buck stops at the O/S, including the router, FW, and AV.

Duane :)
 
Noyb said:
Does leaving port 80 open for serving web pages leave me vulnerable? A few
hours after telling BlackICE to allow port 80 traffic in I got an alarm with
this event: HTTP_Code_Red_II
Click to expand...

Oh yus. Make sure you are fully patched or run Apache on a stripped down
Linux Machine.
 
while i'm sure there are plenty of reasons to make fun of microsoft
weenies, it helps to get your facts straight first... a daemon's
windows counterpart is the service not the server... a server is a
server regardless of the platform... it's an architectural concept (as
in client/server), not and operating system specific one...
Click to expand...

to a n00b, what's the difference? if you're running a "service", a
"server" or a "daemon", you're providing "something" to be given out to
someone. a "server" is a machine which provides either a "service" or a
"daemon". there, fixed that... can't fix your ability to prove your
"weenie-ness" however.
agree with the rest of the post though
Click to expand...




--
Colonel Flagg
http://www.internetwarzone.org/

Privacy at a click:
http://www.cotse.net

Q: How many Bill Gates does it take to change a lightbulb?
A: None, he just defines Darkness? as the new industry standard..."

"...I see stupid people."
 
On Mon, 19 Jan 2004 07:43:05 -0500, Colonel Flagg spoketh
to a n00b, what's the difference? if you're running a "service", a
"server" or a "daemon", you're providing "something" to be given out to
someone. a "server" is a machine which provides either a "service" or a
"daemon". there, fixed that... can't fix your ability to prove your
"weenie-ness" however.
Click to expand...

Why do you *always* have to make everything a pissing contest between MS
and Linux? Can't you just leave it alone?

Lars M. Hansen
http://www.hansenonline.net
(replace 'badnews' with 'news' in e-mail address)
 
allowing _any_ daemon (server for you microsoft weenies) to run on _any_
port leaves you _vulnerable_. "how vulnerable" is dependant upon the
daemon/server. _all_ programs have the _potential_ to be exploited.
Click to expand...

I don't run a daemon/server/service thingumybob on my machine but may
do in the future so am interested in this thread.

I appreciate that when running a server there are different levels of
service but if your service is a read only does that not make one
reasonably safe.

Geoff Lane
Welwyn Hatfield Computer Club - Hertfordshire, UK
www.whcc.co.uk - Online facilities for non locals
 
I appreciate that when running a server there are different levels of
service but if your service is a read only does that not make one
reasonably safe.
Click to expand...
Nope. There are plenty of exploits not requiring write access that use
other tricks such as buffer overflows etc.


--
Conor

"The vast majority of Iraqis want to live in a peaceful, free world.
And we will find these people and we will bring them to justice."
- George Bush
 
allowing _any_ daemon (server for you microsoft weenies) to run on _any_
port leaves you _vulnerable_. "how vulnerable" is dependant upon the
daemon/server. _all_ programs have the _potential_ to be exploited. if
you don't know what you're doing, don't run a server/daemon, even if
you're running "black ice", nothing more than a IDS anyway.... even a
personal firewall.... if you're explicitly telling the firewall/IDS to
ignore port 80 traffic, you're leaving that particular service "out
there". if you don't know what you're doing, you don't keep up on
server/daemon patching and you're not running a proper IDS and actually
watching the friggin logs, you'll get hacked... it's only a matter of
time (in some cases, a 0day exploit).



--
Colonel Flagg
http://www.internetwarzone.org/

Privacy at a click:
http://www.cotse.net

Q: How many Bill Gates does it take to change a lightbulb?
A: None, he just defines Darkness? as the new industry standard..."

"...I see stupid people."
Click to expand...

"BlackICE protects using the same sophisticated technology that secures
corporate networks around the world. This unique combination of firewall,
fast, unobtrusive intrusion protection and straightforward interface
protects the privacy of any home or office server."

Sounds like a firewall, and it's always seemed to protect me. If you'd like
to suggest some other solutions and not just "microsoft weenie" cut-downs
I'd like to hear them.
 
Does leaving port 80 open for serving web pages leave me vulnerable?

Depends on what you've got running on that port. The basic tenets of
security include the Principle of Least Privilege. As it applies to
your question, this means run only those services that you must, and
secure as much as possible those that you do run.

For example, you can run a minimal web server using netcat:

c:\>nc -vv -L -d -p 80 < default.html

Whenever someone connects to your "server", the text in default.html
will be sent back to them.

If you're running IIS, you want to make sure that you patch it, set
ACLs, and remove any unnecessary script mappings.

However, configuration control and management is NOT unique to
Microsoft products...even servers like Apache need someone to monitor
them.
I'm running Apache on WinXP with BlackICE and Norton AntiVirus running
behind a Linksys router that is forwarding port 80 to my machine.
Click to expand...

Well, a couple of quick seconds of Googling, or just going to the
Symantec site, will show you that you're not vulnerable to CR.
Anyone
know how this is possible that someone gave me a virus over my apache web
server? Do I have a security hole or is this threat something I have to live
with if I'm going to have a web server?
Click to expand...

Yes, it is...if all you're going to do is run it. However, if you're
going to "manage" and "administer" it, that's a different story
entirely.
 
"BlackICE protects using the same sophisticated technology that
secures corporate networks around the world. This unique combination
of firewall, fast, unobtrusive intrusion protection and
straightforward interface protects the privacy of any home or office
server."
Click to expand...

This is true. But BlackIce cannot protect on outbound connections. It
does protect on an unsolicited outbound connection from the machine and
will block it. And BI will block an application from outbound connections
by exe, dll, ocx or any program file type you place into the Checksum.fle
for monitoring. And BI has good logging of these events if you're using
VisualIce (free use Google) and BI logging is enabled.

But BlackIce cannot stop outbound connections to IP(s), port(s), protocol
(s), DNS(s) etc and that's where IPsec comes into play on the Win2k, XP
and Win 2K3 O/S(s) that can do that.
Sounds like a firewall, and it's always seemed to protect me. If you'd
like to suggest some other solutions and not just "microsoft weenie"
cut-downs I'd like to hear them.
Click to expand...

BlackIce does have a FW component that I have used from day one I started
using the product. And BI as stopped a couple of attacks that came right
through that NAT router, when no ports were being forwaded to a machine.

I too get tired of watching people bitch and cry about the MS NT based
O/S which can be configured to be secure or BlackIce as well which can be
used effectively if configured properly.

Duane :)
 
This is true. But BlackIce cannot protect on outbound connections. It
does protect on an unsolicited outbound connection from the machine and
will block it. And BI will block an application from outbound connections
by exe, dll, ocx or any program file type you place into the Checksum.fle
for monitoring. And BI has good logging of these events if you're using
VisualIce (free use Google) and BI logging is enabled.

But BlackIce cannot stop outbound connections to IP(s), port(s), protocol
(s), DNS(s) etc and that's where IPsec comes into play on the Win2k, XP
and Win 2K3 O/S(s) that can do that.


BlackIce does have a FW component that I have used from day one I started
using the product. And BI as stopped a couple of attacks that came right
through that NAT router, when no ports were being forwaded to a machine.

I too get tired of watching people bitch and cry about the MS NT based
O/S which can be configured to be secure or BlackIce as well which can be
used effectively if configured properly.

Duane :)
Click to expand...

Thanks Duane! Once again you've been very helpful to less experienced users
like myself.
Steve.
 
Conor said:
Nope. There are plenty of exploits not requiring write access that use
other tricks such as buffer overflows etc.
Click to expand...

Thanks Conor, actually the event just before the HTTP_Code_Red was
HTTP_repeated_character, so it sounds like what you're suggesting.
 
Noyb said:
Does leaving port 80 open for serving web pages leave me vulnerable? A few
hours after telling BlackICE to allow port 80 traffic in I got an alarm with
this event: HTTP_Code_Red_II

Norton alerted me to the virus soon after and deleted it. Here's there
write-up on it if anyone's interested:
http://securityresponse.symantec.com/avcenter/venc/data/codered.worm.html

I'm running Apache on WinXP with BlackICE and Norton AntiVirus running
behind a Linksys router that is forwarding port 80 to my machine. Anyone
know how this is possible that someone gave me a virus over my apache web
server? Do I have a security hole or is this threat something I have to live
with if I'm going to have a web server? Thanks for any help or suggestions.

Steve.


Apache has a reasonable security record - it's what I use myself. The
Click to expand...
majority of intrusions via webservers occur via scripts (CGI and so on). If
you are careful about use of scripts, your risk is much lessened. DN
 
On Mon, 19 Jan 2004 07:43:05 -0500, Colonel Flagg spoketh


Why do you *always* have to make everything a pissing contest between MS
and Linux? Can't you just leave it alone?

Lars M. Hansen
http://www.hansenonline.net
(replace 'badnews' with 'news' in e-mail address)
Click to expand...


I didn't. all I said was something to the effect of "microsoft weenies",
someone else took that to _mean_ something.... all I meant was
"microsoft weenies"... read into it and reply to it, anyway you want
to... I don't give a ****... as a matter of fact... why the hell am I
even responding to you? because I don't give a ****..


--
Colonel Flagg
http://www.internetwarzone.org/

Privacy at a click:
http://www.cotse.net

Q: How many Bill Gates does it take to change a lightbulb?
A: None, he just defines Darkness? as the new industry standard..."

"...I see stupid people."
 
"BlackICE protects using the same sophisticated technology that secures
corporate networks around the world. This unique combination of firewall,
fast, unobtrusive intrusion protection and straightforward interface
protects the privacy of any home or office server."

Sounds like a firewall, and it's always seemed to protect me. If you'd like
to suggest some other solutions and not just "microsoft weenie" cut-downs
I'd like to hear them.
Click to expand...


when I am using this piece of shit junk machine, I like tiny personal
firewall... otherwise, I use a real ipf/ipnat/ipfw firewall on a freebsd
box.

see there, nothing at all said about microsoft.

--
Colonel Flagg
http://www.internetwarzone.org/

Privacy at a click:
http://www.cotse.net

Q: How many Bill Gates does it take to change a lightbulb?
A: None, he just defines Darkness? as the new industry standard..."

"...I see stupid people."
 
On Mon, 19 Jan 2004 18:14:20 -0500, Colonel Flagg spoketh
I didn't. all I said was something to the effect of "microsoft weenies",
someone else took that to _mean_ something.... all I meant was
"microsoft weenies"... read into it and reply to it, anyway you want
to... I don't give a ****... as a matter of fact... why the hell am I
even responding to you? because I don't give a ****..
Click to expand...

whatever ... buh-bye.


Lars M. Hansen
http://www.hansenonline.net
(replace 'badnews' with 'news' in e-mail address)
 
Back
Top