Abyss console port 9999 vulnerability ?

Dr.Doom
Joined: 23 May 2006
Posts: 19

Posted: Sat Aug 16, 2008 10:07 pm    Post subject: Abyss console port 9999 vulnerability ?

Hi, there:

I've been a fan of Abyss Web Server for years now, and even though I did set up a LAMP server, I couldn't bring myself to switch because of the easy interface and features. But recently I recognized my server has been instantly accessed, and I did a port scan to see what is going on. It turned out that the console port 9999 from Abyss Web Server was open and allowed brute force to attack my server, also leading to another open port 9876 (matches Rux.100 & matches SheepGoat.100). I also searched Google and found others have said the same thing. Is there any way to fix this security vulnerability? Please let me know. Thanks.


Here is the list from when I did a scan with Trojan Hunter:

Port 9999/TCP is open (matches ForcedEntry.100)
Port 9999/TCP is open (matches Infra.100)
Port 9999/TCP is open (matches Prayer.120)
Port 9999/TCP is open (matches Prayer.130)
Port 9876/TCP is open (matches Rux.100)
Port 9876/TCP is open (matches SheepGoat.100)
Port 9999/TCP is open (matches Skipper.100)
Port 9999/TCP is open (matches SpadeAce.100)
Port 9999/TCP is open (matches TakeOver.200)
Port 9999/TCP is open (matches STakeOver.300)

Moxxnixx
Joined: 21 Jun 2003
Posts: 1226
Location: Florida

Posted: Sun Aug 17, 2008 3:39 am

Port 9999 is used by various applications for administrative access. So, it's not unheard of for hackers to scan for it.
You can restrict it by allowing only certain IP addresses to access it. Your security is also dependent on how strong
your password is.

Dr.Doom
Joined: 23 May 2006
Posts: 19

Posted: Sat Aug 30, 2008 3:13 am

Yes, I know about the features of Abyss, but my point is to track the logs for the console port so I can block the exact IP that constantly hacks. There is no such feature for me to do so.

codemyster
Joined: 06 Aug 2006
Posts: 13

Posted: Sat Aug 30, 2008 4:34 am

Dr.Doom wrote:
Yes, I know about the features of Abyss, but my point is to track the logs for the console port so I can block the exact IP that constantly hacks. There is no such feature for me to do so.


Why not just "Allow no one except..." instead of "Allow all except..."? In other words, only allow yourself. Instead of selectively blocking others, block everyone. :D

Dr.Doom
Joined: 23 May 2006
Posts: 19

Posted: Mon Sep 01, 2008 7:40 am

I already did that. I allow only localhost, but the brute force is still coming through, so I need logs to track the IP.

aprelium
Joined: 22 Mar 2002
Posts: 6800

Posted: Mon Oct 27, 2008 4:38 pm    Post subject: Re: Abyss console port 9999 vulnerability ?

Dr.Doom,

You can change the port to another one.
If you are behind a router, unless you port forward port 9999, no one will reach the console (and by default, Abyss does not accept connections to the console from anyone outside your LAN).
If you have a firewall, configure it to reject any access to port 9999 from outside your LAN/local computer.
You can also enable antihacking in Abyss Web Server which will dynamically ban any suspect IP that attempts to brute force your server (including the console).
_________________
Support Team
Aprelium - http://www.aprelium.com

john011
Joined: 21 Jun 2009
Posts: 16
Location: Netherlands

Posted: Sun Jun 21, 2009 4:57 am    Post subject: Re: Abyss console port 9999 vulnerability ?

Quote:
Abyss does not accept connections to the console from anyone outside your LAN


1. Isn’t it also not possible that I can give someone else permission to the console by IP address?
2. Then access to my server without this server even being online? This is also very strange because in the log file I see an IP number standing there that is coming from CN.
3. I installed this server on [20/Jun/2009:16:23:33 and the IP from CN was on 60.161.13.44 - - [20/Jun/2009:18:28:46 -0700]. Please explain to me how this happens?


Thanks and regards from John

DonQuichote
Joined: 24 Dec 2006
Posts: 68
Location: The Netherlands

Posted: Mon Jun 22, 2009 10:23 pm    Post subject: general question

Just a general question: is any malformed login or failed login logged or can it be logged? That way you may find out if the remote attacker is trying to access your web server or tries to attack another program (like WEByog's MySQL monitor program). Just curious.

john011
Joined: 21 Jun 2009
Posts: 16
Location: Netherlands

Posted: Tue Jun 23, 2009 1:40 am    Post subject: Re: general question

DonQuichote wrote:
Just a general question: is any malformed login or failed login logged or can it be logged? That way you may find out if the remote attacker is trying to access your web server or tries to attack another program (like WEByog's MySQL monitor program). Just curious.


Well, I did not install any programs other than the Abyss server when someone tried to do something. What I did find in the log file was this:

Quote:
60.161.13.44 - - [20/Jun/2009:18:28:46 -0700] "GET //user/templates/footer.tpl HTTP/1.1" 404


I see there standing that he was blocked
Quote:

HTTP/1.1" 404


So that's the good part, that Abyss directly blocked this IP address from getting some access to my server at that moment. The strange part is the time that I installed this program, and directly after that someone tried to do something; that is strange.

So the time that I went online for the first time:
[20/Jun/2009:16:23:33

And the time that someone tried to get in:
[20/Jun/2009:18:28:46 -0700]

What I did next was directly put a .htaccess file in the root with all the proxy ranges from that country; I hope that will work right to protect my server from being attacked or something else. This is a nice website to collect that kind of proxy range addresses: http://blockacountry.com/
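An added example, not part of the thread and not Aprelium's code: a small triage script for the question raised above about finding which IP addresses keep probing the server. It assumes the access log uses the format of the line quoted in the thread; the first sample entry is that line, the others are constructed, and the names `parse` and `suspicious_clients` are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Format of the access-log line quoted in the thread; the trailing byte
# count is optional because the quoted line ends at the status code.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})(?: \S+)?'
)

def parse(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # not an access-log line in the assumed format
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["path"], int(m["status"])

def suspicious_clients(lines, threshold=3, window=timedelta(minutes=5)):
    """Return {ip: [paths]} for clients with at least `threshold` failed
    requests inside any sliding time window of length `window`."""
    failures = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec[3] in (401, 403, 404):  # unauthorized/forbidden/not found
            failures[rec[0]].append((rec[1], rec[2]))
    flagged = {}
    for ip, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # drop failures that fell out of the window
            if end - start + 1 >= threshold:
                flagged[ip] = sorted({path for _, path in events})
                break
    return flagged

# First entry is the line quoted in the thread; the rest are constructed.
SAMPLE_LOG = [
    '60.161.13.44 - - [20/Jun/2009:18:28:46 -0700] "GET //user/templates/footer.tpl HTTP/1.1" 404',
    '198.51.100.7 - - [20/Jun/2009:19:00:01 -0700] "GET /admin.php HTTP/1.1" 404 0',
    '198.51.100.7 - - [20/Jun/2009:19:00:02 -0700] "GET /setup.php HTTP/1.1" 404 0',
    '198.51.100.7 - - [20/Jun/2009:19:00:09 -0700] "GET /login.php HTTP/1.1" 401 0',
    '192.0.2.10 - - [20/Jun/2009:19:05:00 -0700] "GET /index.html HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    print(suspicious_clients(SAMPLE_LOG))
```

With the default threshold, a client that produced a single failed request, like the one in the quoted line, is not flagged; only repeated failures from one address inside the window are.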
All times are GMT + 1 Hour