Remote access

David Chin
Unregistered guest
Posted on Thursday, May 05, 2005 - 04:20 am:   

Hi Bryce,
This morning I had a pop-up window from my firewall which showed that a remote address was trying to access mmsc.exe. I have made a copy of the information and would like to email it to you to verify if this is an unauthorised access (hacking) into my NowSMS server.
Could you give me an email address that I can send this doc to?

thanks

br
david
Bryce Norwood - NowSMS Support
Board Administrator
Username: Bryce

Post Number: 4474
Registered: 10-2002
Posted on Friday, May 06, 2005 - 06:58 pm:   

Hi David,

You can send it to nowsms@now.co.uk. Please put "Attention: Bryce" in the subject line, and remind me what and why you're sending me the info.

I suspect it is nothing to worry about ... let me explain.

Basically, there are robots running on the internet that are constantly scanning for web servers (as well as for open access proxy servers and open relay SMTP servers).

As soon as they find a server that they connect to, they start sending commands to it. These commands are basically scripted to attempt to exploit known weaknesses in popular web server products, especially older versions of Microsoft IIS.

It is not uncommon, when you start up a new web service, that within 15 to 30 minutes, you see strange requests being received. These are attacks that are trying to target known weaknesses in different web servers.

Usually, these attacks exploit "buffer overrun" problems in the server software. And as such, they are very specific to targeting specific server software, and specific versions of server software (again, mostly targeting specific IIS versions).

Basically, these viruses just keep scanning the net, sending out requests to every web server, and hoping to find one that they can infect.

But these requests aren't a problem if you are running other types of server software. So if NowSMS receives one of those problem requests, it will respond back with a generic error (page not found, or internal server error). But you won't receive an infection.

The only way that you would have a problem is if someone designed an attack that specifically targeted NowSMS servers. They would have to find a vulnerability in NowSMS, and target it. Generally speaking, as we understand the underlying cause of "buffer overrun" exploits, we're fairly confident that we don't have this type of vulnerability. However, we can't guarantee that someone won't find a vulnerability that we missed some day.

The good news is that the install base of NowSMS is extremely small relative to the install base of general purpose web servers, so it is not an attractive target. And, because we have so many different versions and releases of NowSMS, this would also complicate any attempts to exploit a vulnerability.

If it still concerns you, you'll see less of these scanning attacks if you use non-standard ports ... e.g., ports other than 80 (and 8080).

-bn
david
Unregistered guest
Posted on Tuesday, May 10, 2005 - 11:47 am:   

Hi Bryce,
Thanks for the detailed explanation. It is very rare to receive the kind of support that you are extending here.

Anyway, I will be emailing you that log file. Could you give it some of your time and let me have your thoughts?

thanks

best regards
david
Bryce Norwood - NowSMS Support
Board Administrator
Username: Bryce

Post Number: 4502
Registered: 10-2002
Posted on Tuesday, May 10, 2005 - 05:58 pm:   

Hi David,

I sent you an e-mail reply, but since I addressed another point in that reply, I wanted to share it here as well.

Port 8080 (which we use as the default port for the MMSC because a few operators that block ports other than 80 do leave 8080 open) is frequently used for deploying proxy servers.

When you are running on HTTP port 8080, you'll most often see that one of these robots sends a request that references an external web site (e.g., GET http://someserver/path/file.ext HTTP/1.0). This is because port 8080 is very frequently used by HTTP proxy servers. This is a test by the robot to see if you are running a proxy server that is externally open. They search for these types of proxy servers so that they can route malicious requests through them and mask their identity.

Such a request won't do anything to NowSMS. It will just return a "page not found" error.

Receiving one of these requests is not a cause for alarm. Every server on the internet receives these types of requests from robots that are constantly scanning and trying to do malicious things. But they are either looking for web servers with a specific known vulnerability (like I described in the previous message), or they are looking for an open proxy server.

But the requests are harmless when they go to a server that doesn't have the vulnerability, or is not an open proxy server. These robots are just trying to find vulnerable servers.

As I look at my own test server, running on port 8080, I can see that I just had one of these robots trying my server as a proxy server earlier this afternoon ... (this is from the MMSCDEBUG.LOG) ...

14:14:32:566 [13] ThreadProcessConnection: Processing connection from 218.150.108.188...
14:14:34:619 [13] ThreadProcessConnection: Packet Length is 167 bytes
14:14:34:619 [13] ThreadProcessConnection: 47 45 54 20 68 74 74 70 3A 2F 2F 32 31 38 2E 31 GET http://218.1
14:14:34:619 [13] ThreadProcessConnection: 35 30 2E 31 31 30 2E 31 32 32 2F 69 6E 64 65 78 50.110.122/index
14:14:34:619 [13] ThreadProcessConnection: 2E 68 74 6D 20 48 54 54 50 2F 31 2E 30 0D 0A 41 .htm HTTP/1.0 A
14:14:34:619 [13] ThreadProcessConnection: 63 63 65 70 74 3A 20 2A 2F 2A 0D 0A 55 73 65 72 ccept: */* User
14:14:34:619 [13] ThreadProcessConnection: 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 6C 6C 61 2F -Agent: Mozilla/
14:14:34:619 [13] ThreadProcessConnection: 34 2E 30 20 28 63 6F 6D 70 61 74 69 62 6C 65 3B 4.0 (compatible;
14:14:34:619 [13] ThreadProcessConnection: 20 4D 53 49 45 20 36 2E 30 3B 20 57 69 6E 64 6F MSIE 6.0; Windo
14:14:34:619 [13] ThreadProcessConnection: 77 73 20 4E 54 20 35 2E 31 29 0D 0A 48 6F 73 74 ws NT 5.1) Host
14:14:34:619 [13] ThreadProcessConnection: 3A 20 32 31 38 2E 31 35 30 2E 31 31 30 2E 31 32 : 218.150.110.12
14:14:34:619 [13] ThreadProcessConnection: 32 0D 0A 50 72 61 67 6D 61 3A 20 6E 6F 2D 63 61 2 Pragma: no-ca
14:14:34:619 [13] ThreadProcessConnection: 63 68 65 0D 0A 0D 0A che
14:14:34:639 [13] ThreadProcessConnection: HTTP/1.0 404 Not Found
Content-Length: 0
Connection: close


14:14:34:639 [13] ThreadProcessConnection: Processing Complete


Basically, it shows you that this robot is scanning for open proxy servers. And we return a generic "Not Found" error that doesn't return any other identifying information about the type of server that is running.

It's a ridiculous nuisance, but it's basically just part of being a server accessible on the internet.

-bn
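As an added example (not part of the thread and not NowSMS code), the following script reassembles the request bytes from the MMSCDEBUG.LOG hex dump quoted in the post above and classifies the request the way Bryce explains it: an absolute-URI target such as GET http://host/... is an open-proxy probe, an ordinary local path is a normal request. The CONNECT host:port case is a generalization added here, not something the post mentions; the sample log lines are the ones quoted above, minus the two status lines.

```python
import re
# Hex-dump lines copied from the MMSCDEBUG.LOG excerpt in the post above (hex columns, then ASCII).
SAMPLE_LOG = """\
14:14:34:619 [13] ThreadProcessConnection: 47 45 54 20 68 74 74 70 3A 2F 2F 32 31 38 2E 31 GET http://218.1
14:14:34:619 [13] ThreadProcessConnection: 35 30 2E 31 31 30 2E 31 32 32 2F 69 6E 64 65 78 50.110.122/index
14:14:34:619 [13] ThreadProcessConnection: 2E 68 74 6D 20 48 54 54 50 2F 31 2E 30 0D 0A 41 .htm HTTP/1.0 A
14:14:34:619 [13] ThreadProcessConnection: 63 63 65 70 74 3A 20 2A 2F 2A 0D 0A 55 73 65 72 ccept: */* User
14:14:34:619 [13] ThreadProcessConnection: 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 6C 6C 61 2F -Agent: Mozilla/
14:14:34:619 [13] ThreadProcessConnection: 34 2E 30 20 28 63 6F 6D 70 61 74 69 62 6C 65 3B 4.0 (compatible;
14:14:34:619 [13] ThreadProcessConnection: 20 4D 53 49 45 20 36 2E 30 3B 20 57 69 6E 64 6F MSIE 6.0; Windo
14:14:34:619 [13] ThreadProcessConnection: 77 73 20 4E 54 20 35 2E 31 29 0D 0A 48 6F 73 74 ws NT 5.1) Host
14:14:34:619 [13] ThreadProcessConnection: 3A 20 32 31 38 2E 31 35 30 2E 31 31 30 2E 31 32 : 218.150.110.12
14:14:34:619 [13] ThreadProcessConnection: 32 0D 0A 50 72 61 67 6D 61 3A 20 6E 6F 2D 63 61 2 Pragma: no-ca
14:14:34:619 [13] ThreadProcessConnection: 63 68 65 0D 0A 0D 0A che
"""

# The dump prints at most 16 hex bytes per line, each followed by a space, then the ASCII rendering.
HEX_RUN = re.compile(r"ThreadProcessConnection: ((?:[0-9A-F]{2} ){1,16})")
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/\d\.\d$")

def bytes_from_dump(log_text):
    """Reassemble the raw request bytes from the hex columns of a MMSCDEBUG.LOG dump."""
    raw = bytearray()
    for line in log_text.splitlines():
        m = HEX_RUN.search(line)
        if m:
            raw += bytes.fromhex(m.group(1).strip())
    return bytes(raw)

def classify_request(raw):
    """Classify one HTTP request head: 'proxy-probe' for an absolute-URI target
    (GET http://host/...), the open-proxy test the post describes, or CONNECT host:port
    (generalization added here); 'origin-form' for a local path. Returns (verdict, detail)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    first = head.split("\r\n")[0]
    m = REQUEST_LINE.match(first)
    if not m:
        return ("malformed", first)
    method, target = m.group(1), m.group(2)
    if method == "CONNECT":
        return ("proxy-probe", target.split(":")[0])
    if target.lower().startswith(("http://", "https://")):
        # Everything between the scheme and the next '/' is the host the bot wants us to fetch from.
        return ("proxy-probe", target.split("//", 1)[1].split("/", 1)[0])
    return ("origin-form", target)

if __name__ == "__main__":
    request = bytes_from_dump(SAMPLE_LOG)
    print(len(request), "bytes:", classify_request(request))
```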