Dr.Doom -
Joined: 23 May 2006 Posts: 19
|
Posted: Sat Aug 16, 2008 10:07 pm Post subject: Abyss console port 9999 vulnerability ? |
|
|
Hi, there:
I've been a fan of Abyss Web Server for years now, and even though I did set up a LAMP server, I couldn't change my mind to switch because of the easy interface and features. But recently I recognized my server has been instantly accessed, and I did a port scan to see what is going on. It turned out that the console port 9999 from Abyss Web Server was open and allowed brute force to attack my server, also leading to another open port 9876 by (matches Rux.100 & matches SheepGoat.100). I also did a Google search and found others have said the same thing. Is there any way to fix this security vulnerability? Please let me know. Thanks.
Here is the list from when I did a scan with Trojan Hunter:
Port 9999/TCP is open (matches ForcedEntry.100)
Port 9999/TCP is open (matches Infra.100)
Port 9999/TCP is open (matches Prayer.120)
Port 9999/TCP is open (matches Prayer.130)
Port 9876/TCP is open (matches Rux.100)
Port 9876/TCP is open (matches SheepGoat.100)
Port 9999/TCP is open (matches Skipper.100)
Port 9999/TCP is open (matches SpadeAce.100)
Port 9999/TCP is open (matches TakeOver.200)
Port 9999/TCP is open (matches STakeOver.300) |
|
Moxxnixx -
Joined: 21 Jun 2003 Posts: 1226 Location: Florida
|
Posted: Sun Aug 17, 2008 3:39 am Post subject: |
|
|
Port 9999 is used by various applications for administrative access. So, it's not unheard of for hackers to scan for it.
You can restrict it by allowing only certain IP addresses to access it. Your security is also dependent on how strong
your password is. |
|
Dr.Doom -
Joined: 23 May 2006 Posts: 19
|
Posted: Sat Aug 30, 2008 3:13 am Post subject: |
|
|
Yes, I know about the features of Abyss, but my point is to track the logs for the console port so I can block the exact IP that constantly hacks. There is no such feature for me to do so. |
|
codemyster -
Joined: 06 Aug 2006 Posts: 13
|
Posted: Sat Aug 30, 2008 4:34 am Post subject: |
|
|
Dr.Doom wrote: | Yes, I know about the features of Abyss, but my point is to track the logs for the console port so I can block the exact IP that constantly hacks. There is no such feature for me to do so. |
Why not just "Allow no one except..." instead of "Allow all except..."? In other words, only allow yourself. Instead of selectively blocking others, block everyone. :D |
|
Dr.Doom -
Joined: 23 May 2006 Posts: 19
|
Posted: Mon Sep 01, 2008 7:40 am Post subject: |
|
|
I already did that. I allow only localhost, but the brute force is still coming through, so I need logs to track the IP. |
|
aprelium -
Joined: 22 Mar 2002 Posts: 6800
|
Posted: Mon Oct 27, 2008 4:38 pm Post subject: Re: Abyss console port 9999 vulnerability ? |
|
|
Dr.Doom,
You can change the port to another one.
If you are behind a router, unless you port forward port 9999, no one will reach the console (and by default, Abyss does not accept connections to the console from anyone outside your LAN).
If you have a firewall, configure it to reject any access to port 9999 from outside your LAN/local computer.
You can also enable antihacking in Abyss Web Server which will dynamically ban any suspect IP that attempts to brute force your server (including the console).
_________________
Support Team
Aprelium - http://www.aprelium.com |
|
john011 -
Joined: 21 Jun 2009 Posts: 16 Location: Netherlands
|
Posted: Sun Jun 21, 2009 4:57 am Post subject: Re: Abyss console port 9999 vulnerability ? |
|
|
Quote: | Abyss does not accept connections to the console from anyone outside your LAN |
1. Isn't it also not possible that I can give someone else permission to the console by IP address?
2. Then access to my server without this server even being online? This is also very strange, because in the log file I see an IP number standing there that is coming from CN.
3. I installed this server on [20/Jun/2009:16:23:33 and the IP from CN was on 60.161.13.44 - - [20/Jun/2009:18:28:46 -0700]. Please explain to me how this happens.
Thanks and regards from John |
|
DonQuichote -
Joined: 24 Dec 2006 Posts: 68 Location: The Netherlands
|
Posted: Mon Jun 22, 2009 10:23 pm Post subject: general question |
|
|
Just a general question: is any malformed login or failed login logged or can it be logged? That way you may find out if the remote attacker is trying to access your web server or tries to attack another program (like WEByog's MySQL monitor program). Just curious. |
|
john011 -
Joined: 21 Jun 2009 Posts: 16 Location: Netherlands
|
Posted: Tue Jun 23, 2009 1:40 am Post subject: Re: general question |
|
|
DonQuichote wrote: | Just a general question: is any malformed login or failed login logged or can it be logged? That way you may find out if the remote attacker is trying to access your web server or tries to attack another program (like WEByog's MySQL monitor program). Just curious. |
Well, I did not install any programs other than the Abyss server when someone tried to do something. What I did find in the log file was this:
Quote: | 60.161.13.44 - - [20/Jun/2009:18:28:46 -0700] "GET //user/templates/footer.tpl HTTP/1.1" 404 |
I see there standing that he was blocked.
So that's the good part, that Abyss directly blocked this IP address from getting access to my server at that moment. The strange part is the time that I installed this program, and directly after that someone tried to do something; that is strange.
So the time that I went online for the first time:
[20/Jun/2009:16:23:33
And the time that someone tried to get in:
[20/Jun/2009:18:28:46 -0700]
What I did next was directly put a .htaccess file in the root with all the proxy ranges from that country; I hope that will work right to protect my server from being attacked or something else. This is a nice website to collect that kind of proxy range addresses: http://blockacountry.com/ |
|
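For the log-tracking question raised in this thread, an added example (not part of any post and not Aprelium's code): it parses access-log lines in the format john011 quoted and counts 401/403/404 responses per client IP, so repeat offenders can be picked out for blocking. Apart from the first sample line, which is the one quoted in the thread, the sample lines, the threshold of 3 and the function names are assumptions; the thread does not say whether console login failures appear in this log.

```python
import re
from collections import Counter

# Common Log Format, as in the line quoted in the thread.
# The trailing byte count is optional because the quoted line has none.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3})(?: \S+)?'
)

def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ip": m["ip"], "ts": m["ts"],
            "request": m["request"], "status": int(m["status"])}

def suspicious_ips(lines, statuses=(401, 403, 404), threshold=3):
    """Map client IP -> number of denied/not-found responses, if >= threshold."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] in statuses:
            hits[rec["ip"]] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}

# First line is the one quoted in the thread; the rest are constructed
# samples using documentation-only address ranges.
SAMPLE_LOG = """
60.161.13.44 - - [20/Jun/2009:18:28:46 -0700] "GET //user/templates/footer.tpl HTTP/1.1" 404
203.0.113.7 - - [20/Jun/2009:18:30:01 -0700] "GET /admin/ HTTP/1.1" 401 512
203.0.113.7 - - [20/Jun/2009:18:30:02 -0700] "GET /admin/ HTTP/1.1" 401 512
203.0.113.7 - - [20/Jun/2009:18:30:03 -0700] "GET /phpmyadmin/ HTTP/1.1" 404 230
203.0.113.7 - - [20/Jun/2009:18:30:04 -0700] "GET /admin/ HTTP/1.1" 401 512
198.51.100.20 - - [20/Jun/2009:18:31:10 -0700] "GET /index.html HTTP/1.1" 200 1043
this line is truncated or corrupt
"""

if __name__ == "__main__":
    for ip, count in suspicious_ips(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {count} denied or not-found requests")
```

A single 404 such as the one quoted in the thread stays below the threshold; only the address with repeated failures is reported.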