
Open-AudIT


All times are UTC + 10 hours




Posted: Fri Mar 21, 2014 1:45 pm
Newbie

Joined: Mon Dec 10, 2012 12:09 pm
Posts: 10
Hi guys,

Hoping for some input on this from others running version 1.0.3 on Windows 7.

Only loaded the machine a month ago and installed the Windows installer for OpenAudit 1.0.3.

Have discovered what appears to be a DoS on the machine. Huge amount of UDP traffic flooding outbound from the machine. Traced it back to thousands of httpd.exe processes opening and closing. Prior to finding this we scanned the machine for viruses and malware but it did not seem to be the cause, which makes sense once I found httpd.exe being the source. The destination of this UDP traffic appears to be a new IP each time I close it down.

I have closed port 80 to the machine for now and restarted Apache, which has stopped the traffic. I am waiting to see if this restarts on its own with HTTP closed to the web, or if something remote is triggering it.

Looking at Apache I see the version installed is 2.2.14 along with PHP 5.3.1 - both of which seem to be extremely old builds, so I am assuming there is an exploit here and I need to update at minimum Apache, perhaps PHP as well.

Any issues in doing this with Open-Audit, and if not, what's the best procedure? I was a bit concerned to find such old builds in the latest installer.

Thanks.


Posted: Fri Mar 21, 2014 4:40 pm
Site Admin

Joined: Mon Jun 07, 2004 11:48 am
Posts: 1964
Location: Brisbane, Australia
Old XAMPPLite is because they broke SNMP on newer versions.
I need to check it (again) against the latest version of XAMPPLite and see if they have fixed it.

Are you running a Windows 7 machine (running Open-AudIT) that is visible from the internet?
If so, please update to 1.2.1 as this has an issue with Apache proxy that has been addressed.

If you don't absolutely require Open-AudIT to be visible from the internet, I can't recommend enough to NOT expose it.
If you really do need Open-AudIT visible from the internet, I would suggest some consulting service from me/Opmantek (https://opmantek.com) as to how to do this securely.

_________________
Support and Development hours available from Opmantek (https://opmantek.com).
Please consider a purchase to help make Open-AudIT better for everyone.
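
The reply above points to an Apache proxy issue on internet-facing installs. As an added example (not part of the thread and not Open-AudIT code), this script looks through an Apache access log for forward-proxy-style requests from remote clients; the function names, host names and log lines are constructed, and whether this incident involved proxy abuse is an assumption.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache common/combined log: client ident user [time] "request" status bytes
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

def proxy_style_requests(lines, local_hosts=()):
    """Return (client, method, target, status) for requests naming another host."""
    local = {h.lower() for h in local_hosts}
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not a parseable HTTP request
        method, target = m["method"], m["target"]
        if method == "CONNECT":
            host = target.rsplit(":", 1)[0].lower()  # authority-form host:port
        elif target.startswith("/") or "://" not in target:
            continue  # ordinary origin-form request for this server
        else:
            host = (urlsplit(target).hostname or "").lower()  # absolute-form URI
        if host not in local:
            hits.append((m["client"], method, target, int(m["status"])))
    return hits

def summarize(hits):
    """Count hits per client, split into answered with 2xx and refused."""
    answered, refused = Counter(), Counter()
    for client, _method, _target, status in hits:
        (answered if 200 <= status < 300 else refused)[client] += 1
    return answered, refused

# Constructed sample lines (documentation addresses and names, not from the thread).
SAMPLE = [
    '203.0.113.7 - - [21/Mar/2014:13:02:11 +1000] "GET http://www.example.org/ HTTP/1.1" 200 5120',
    '203.0.113.7 - - [21/Mar/2014:13:02:12 +1000] "CONNECT mail.example.net:25 HTTP/1.0" 200 -',
    '198.51.100.23 - - [21/Mar/2014:13:02:15 +1000] "GET /index.php HTTP/1.1" 200 2310',
    '198.51.100.9 - - [21/Mar/2014:13:03:40 +1000] "GET http://www.example.com/a?x=1 HTTP/1.1" 403 210',
    '198.51.100.23 - - [21/Mar/2014:13:04:01 +1000] "GET http://audit.example.test/ HTTP/1.1" 200 2310',
]

if __name__ == "__main__":
    answered, refused = summarize(proxy_style_requests(SAMPLE, ["audit.example.test"]))
    print("answered 2xx:", dict(answered))
    print("refused:", dict(refused))
```

A 2xx on an absolute-URI request is not proof of relaying: with forward proxying off, Apache can answer such a request from its own local content, so compare the response size with the local page before drawing a conclusion.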


Posted: Sat Mar 22, 2014 6:18 am
Newbie

Joined: Mon Dec 10, 2012 12:09 pm
Posts: 10
Hey mate, thanks for the response.

I actually don't need SNMP, so I can probably upgrade everything right up.

The only scans I do are from external organizations that deliver over the net. Have run it this way for a year or so on a Linux server and been fine, but only recently moved to a Windows 7 machine when I installed the new build.

Should I move back to a Linux host? Or are you suggesting it's the openaudit that shouldn't be open to the net?

Thanks.


Posted: Tue Mar 25, 2014 3:14 pm
Site Admin

Joined: Mon Jun 07, 2004 11:48 am
Posts: 1964
Location: Brisbane, Australia
I would move to Linux - but that's just me. It shouldn't matter either way, as long as you are running v1.2.1.

I would be careful about exposing Open-AudIT to the internet at large. If it was me, I would have the system_add page exposed on a separate web server and have the rest of the application sitting on another server that is not exposed. How to actually do that I'll leave to you or you can engage Opmantek for some consulting hours - that's what we're here for :-)

_________________
Support and Development hours available from Opmantek (https://opmantek.com).
Please consider a purchase to help make Open-AudIT better for everyone.

