Abyss console port 9999 vulnerability ?

Dr.Doom

Hi, there:
I've been a fan of Abyss Web Server for years now and even I did setup LAMP server but I couldn't change my mind to switch because of easy interface and features. But recently I recognized my server have been instantly accessed and I did a port scan to see what is going on. It's turned out that the console port 9999 from Abyss Web Server opened and allowed brute force to attack my server also leading to another open port 9876 by (matches Rux.100 & matches SheepGoat.100). I also Google search and found others have said the same thing. Is there any way to fix this security vulnerability? Please, let me know. Thanks.
Here is the list when I did a scanned with Trojan Hunter:
Port 9999/TCP is open (matches ForcedEntry.100)
Port 9999/TCP is open (matches Infra.100)
Port 9999/TCP is open (matches Prayer.120)
Port 9999/TCP is open (matches Prayer.130)
Port 9876/TCP is open (matches Rux.100)
Port 9876/TCP is open (matches SheepGoat.100)
Port 9999/TCP is open (matches Skipper.100)
Port 9999/TCP is open (matches SpadeAce.100)
Port 9999/TCP is open (matches TakeOver.200)
Port 9999/TCP is open (matches STakeOver.300)

Moxxnixx

Port 9999 is used by various applications for administrative access. So, it's not unheard of for hackers to scan for it.
You can restrict it by allowing only certain IP addresses to access it. Your security is also dependent on how strong
your password is.

Dr.Doom

Yes, I know about the features of Abyss but my point is to track the logs for the console port so I can block exact IP that constantly hack. There is no such feature for me to do so.

codemyster

Dr.Doom wrote
Yes, I know about the features of Abyss but my point is to track the logs for the console port so I can block exact IP that constantly hack. There is no such feature for me to do so.

Why not just "Allow no one except..." instead of "Allow all except...". In other words, Only allow yourself. Instead of selectively blocking others, Block everyone. :D

Dr.Doom

I already did that I allow only localhost but the brute force is still coming through so I need logs to track the IP

aprelium

Dr.Doom,
You can change the port to another one.
If you are behind a router, unless you port forward port 9999, no one will reach the console (and by default, Abyss do not accept connections to the console from anyone outside your LAN).
If you have a firewall, configure it to reject any access to port 9999 from outside your LAN/local computer.
You can also enable antihacking in Abyss Web Server which will dynamically ban any suspect IP that attempts to brute force your server (including the console).

john011

Abyss do not accept connections to the console from anyone outside your LAN

1. Isn’t also not possible that I can give someone else permission to the consol by ip address?
2. Than access to my server without that this server is even online? This also very strange because in the log file I see an Ip number standing there what is coming from CN.
3. I install this server on [20/Jun/2009:16:23:33 and the IP from CN was on 60.161.13.44 - - [20/Jun/2009:18:28:46 -0700]. Please explain this to me Howe this happens?
Thanks and regards from John

DonQuichote

Just a general question: is any malformed login or failed login logged or can it be logged? That way you may find out if the remote attacker is trying to access your web server or tries to attack another program (like WEByog's MySQL monitor program). Just curious.

john011

DonQuichote wrote
Just a general question: is any malformed login or failed login logged or can it be logged? That way you may find out if the remote attacker is trying to access your web server or tries to attack another program (like WEByog's MySQL monitor program). Just curious.

Well I did not install any other programs than only the Abyss server when someone try to do something. What I did found in the log file was this

60.161.13.44 - - [20/Jun/2009:18:28:46 -0700] "GET //user/templates/footer.tpl HTTP/1.1" 404

I see there standing that he was blocked

HTTP/1.1" 404

So thats the good part that Abyss directly block this IP adress to get some accces to my server on that moment. The strange part is dat the time that I install this program and direct after that that someone try to do something thats is strange.
So the time of that I go online for the first time
[20/Jun/2009:16:23:33
And the time that someone try to get in
[20/Jun/2009:18:28:46 -0700]
What I did next was directly put a .htacess file in the root with all the proxy range from that country hope that will work right to protect my server bean attack ore something else. This is a nice website to collect that kind off proxy range adresses http://blockacountry.com/