qnx l33t
Joined: 25 Jun 2002 Posts: 638 Location: Göteborg, Sweden
Posted: Fri Nov 29, 2002 9:52 pm Post subject: Strange logs in Apache |
Hi! I have something like this in my access_log (Apache) Code: | 213.64.252.231 - - [29/Nov/2002:22:47:43 +0000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 296 "-" "-"
213.64.252.231 - - [29/Nov/2002:22:47:43 +0000] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 313 "-" "-"
213.64.252.231 - - [29/Nov/2002:22:47:43 +0000] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 313 "-" "-"
213.64.252.231 - - [29/Nov/2002:22:47:43 +0000] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 329 "-" "-"
213.64.252.231 - - [29/Nov/2002:22:47:44 +0000] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 295 "-" "-"
213.64.252.231 - - [29/Nov/2002:22:47:44 +0000] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291 "-" "-"
213.64.252.231 - - [29/Nov/2002:22:47:44 +0000] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 295 "-" "-"
213.64.252.231 - - [29/Nov/2002:22:47:44 +0000] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 295 "-" "-"
213.64.252.231 - - [29/Nov/2002:22:47:44 +0000] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 275 "-" "-"
213.64.252.231 - - [29/Nov/2002:22:47:44 +0000] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 275 "-" "-"
213.64.252.231 - - [29/Nov/2002:22:47:44 +0000] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 296 "-" "-"
213.64.252.231 - - [29/Nov/2002:22:47:44 +0000] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 296 "-" "-" |
(It's just about 1% of my whole log....)
Now, I wonder if there is someone trying to crack me or it's just an IIS bug like Nimda or something like that...
Any ideas?? Shall I care about this??? _________________ Registered Linux user #191143!
Abit NF7-S rev. 2.00 (BIOS v. 2.7)
AMD AthlonXP 2500+ (Barton)
PATA Seagate ST3120022A
SATA Seagate ST3200822AS & Silicon Image 3112 chipset
Gentoo Linux |
rac Bodhisattva
Joined: 30 May 2002 Posts: 6553 Location: Japanifornia
Posted: Fri Nov 29, 2002 9:57 pm Post subject: |
It looks like an IIS worm to me. You could try sending mail to abuse@telia.com - maybe they would be able to trace it. _________________ For every higher wall, there is a taller ladder |
darktux Veteran
Joined: 16 Nov 2002 Posts: 1086 Location: Coimbra, Portugal
Posted: Fri Nov 29, 2002 10:04 pm Post subject: |
qnx:
Don't worry about it, we all have to live with that DAMN Microsoft |
qnx l33t
Joined: 25 Jun 2002 Posts: 638 Location: Göteborg, Sweden
Posted: Fri Nov 29, 2002 10:06 pm Post subject: |
Thanks, I just sent my e-mail. Just wondering where you got that address from??
bosje Tux's lil' helper
Joined: 01 Nov 2002 Posts: 75 Location: Utrecht
Posted: Fri Nov 29, 2002 10:07 pm Post subject: Re: Strange logs in Apache |
Hi,
I had something quite similar. 2-3 times per hour my server was being probed by various servers infected with the Nimda virus. As long as you run Apache you seem to be safe.
Mike
qnx wrote: | Hi! I have something like this in my access_log (Apache) [...]
(It's just about 1% of my whole log....)
Now, I wonder if there is someone trying to crack me or it's just an IIS bug like Nimda or something like that...
Any ideas?? Shall I care about this??? |
qnx l33t
Joined: 25 Jun 2002 Posts: 638 Location: Göteborg, Sweden
Posted: Fri Nov 29, 2002 10:09 pm Post subject: |
darktux wrote: | qnx:
Don't worry about it, we all have to live with that DAMN Microsoft |
Well thanks, you can be sure that I'm not worried about it, I know that I'm unreachable for IIS worms in my safe Gentoo box =)
It's just that I installed apache+mysql+php for the first time in my life and I'm a little bit surprised about those HUGE logs I get....Never expected so many visitors =)
qnx l33t
Joined: 25 Jun 2002 Posts: 638 Location: Göteborg, Sweden
Posted: Fri Nov 29, 2002 10:12 pm Post subject: Re: Strange logs in Apache |
bosje wrote: | Hi,
I had something quite similar. 2-3 times per hour my server was being probe by various servers infected with the Nimda virus. As long as you run apache you seem to be safe.
Mike
|
When did you have it?? Today?? Can it be a new worm?? ohhh it would be sooooo funny if all IIS servers got infected once again by a nmida (can't spell it, argh!) based worm
rac Bodhisattva
Joined: 30 May 2002 Posts: 6553 Location: Japanifornia
Posted: Fri Nov 29, 2002 10:13 pm Post subject: |
qnx wrote: | Just wondering where you got that address from?? |
It's a guess. I hope it works. Many ISPs have abuse@ addresses for reporting spamming, virus spreading, harassment and other such anti-social activity. If abuse@ doesn't work, postmaster@ is theoretically required to be deliverable at any domain. As to how I chose telia, I ran "dig -x" on the IP address you listed in your log, and it came back with: Code: | 231.252.64.213.in-addr.arpa. 86383 IN PTR h231n2fls31o920.telia.com. |
qnx l33t
Joined: 25 Jun 2002 Posts: 638 Location: Göteborg, Sweden
Posted: Fri Nov 29, 2002 10:32 pm Post subject: |
Hmm...I don't have any "dig"....Neither installed nor in emerge........It starts to sound stupid, but: where did you get it?
rac Bodhisattva
Joined: 30 May 2002 Posts: 6553 Location: Japanifornia
Posted: Fri Nov 29, 2002 10:58 pm Post subject: |
net-dns/bind-tools
darktux Veteran
Joined: 16 Nov 2002 Posts: 1086 Location: Coimbra, Portugal
Posted: Fri Nov 29, 2002 11:51 pm Post subject: |
You can also use whois, just....
_________________ Lego my ego, and I'll lego your knowledge
www.tuxslare.org - My reborn website |
xpunkrockryanx Tux's lil' helper
Joined: 22 Sep 2002 Posts: 87 Location: College Place, WA, USA
Posted: Sat Nov 30, 2002 12:17 am Post subject: |
While it is common to get the "cmd.exe?"... requests in your web logs (result of Code Red/Nimda activity), I don't think it's normal to be getting that many in a row from one single IP address (or at least I haven't seen it). While you're not going to be vulnerable to the types of attacks/probes you're seeing in that Apache log, it might be a good idea to check your other logs for activity from the same IP. It might be that someone there is maliciously attempting to gain access to your system, so I'd say it's worth checking.
just my two cents anyway...
-ryan |
darktux Veteran
Joined: 16 Nov 2002 Posts: 1086 Location: Coimbra, Portugal
Posted: Sat Nov 30, 2002 12:20 am Post subject: |
If that 1% refers to the same IP, then I'd care; if it's not... Just forget about it....
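A small triage script, added here as an example and not written by anyone in the thread: it parses Apache access_log lines in the format shown in the first post, decodes the double-encoded (%255c) and overlong-UTF-8 (%c0%af, %c1%1c) traversal variants, labels each probe, and counts probes per client IP so that one source sending many in a row (xpunkrockryanx's and darktux's point) stands out for cross-checking in other logs. The sample lines and their documentation-range IPs are constructed; only the Python 3 standard library is used.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Constructed sample (documentation-range IPs), shaped like the thread's access_log lines.
SAMPLE_LOG = """\
192.0.2.10 - - [29/Nov/2002:22:47:43 +0000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 296 "-" "-"
192.0.2.10 - - [29/Nov/2002:22:47:44 +0000] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 295 "-" "-"
192.0.2.10 - - [29/Nov/2002:22:47:44 +0000] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 275 "-" "-"
192.0.2.10 - - [29/Nov/2002:22:47:44 +0000] "GET /msadc/..%255c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 329 "-" "-"
198.51.100.7 - - [30/Nov/2002:01:02:03 +0000] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858 HTTP/1.0" 404 281 "-" "-"
203.0.113.5 - - [30/Nov/2002:01:05:00 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
"""

# Apache common/combined log prefix: client, identd, user, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def normalize(path):
    """Percent-decode repeatedly (bounded) so '%255c' -> '%5c' -> '\\'; map the invalid UTF-8
    forms (%c0%af, %c1%9c, %c1%1c) to '/', as the affected IIS versions did. Lower-cased result."""
    for _ in range(3):
        decoded = unquote(path, errors="replace")
        if decoded == path:
            break
        path = decoded
    return path.replace("\ufffd", "/").replace("\\", "/").lower()

def classify(path):
    """Label one path: traversal to cmd.exe (the Code Red II / Nimda probes in the thread),
    the Code Red I 'default.ida?NNN...' request, or None for ordinary traffic."""
    norm = normalize(path)
    if "../" in norm and "cmd.exe" in norm:
        return "traversal-cmd.exe"
    if norm.startswith("/default.ida") and "nnnnnnnn" in norm:
        return "code-red-1"
    return None

def summarize(log_text):
    """Return {client_ip: Counter(label -> count)}, counting probe lines only."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and (label := classify(m["path"])):
            hits[m["ip"]][label] += 1
    return hits

def noisy_sources(log_text, threshold=3):
    """Sources with at least `threshold` probes: the ones to cross-check in other logs."""
    return sorted(ip for ip, c in summarize(log_text).items() if sum(c.values()) >= threshold)
```

Run `summarize(open("/var/log/apache2/access_log").read())` against a real log to get the per-IP breakdown; a 403/400 on every probe line, as in the thread, confirms Apache never served them.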
qnx l33t
Joined: 25 Jun 2002 Posts: 638 Location: Göteborg, Sweden
Posted: Sat Nov 30, 2002 9:48 am Post subject: |
Actually I found something in Samba's access_log. But since Samba is not working for me (I can't log in from another computer, even if I enter root and my root password), I don't think that that person could do anything =) . Anyway, it wasn't the same IP, so those ones in Apache's access_log are just worms, I guess.
But thanks for pointing this out!
petu Apprentice
Joined: 01 Sep 2002 Posts: 269 Location: Turku, Finland
Posted: Sun Dec 01, 2002 8:59 am Post subject: |
qnx wrote: | Actually I found something in Samba's access_log. But since Samba is not working for me (I can't log in from another computer, even if I enter root and my root password), I don't think that that person could do anything =) . Anyway, it wasn't the same IP, so those ones in Apache's access_log are just worms, I guess.
But thanks for pointing this out! |
Are you offering samba to the bad internet? IMHO samba is a great service for trusted networks (behind firewalls) but one shouldn't offer it to the global internet. Or if one offers it, it should be secured with an ssh tunnel or some other kind of VPN solution. Samba doesn't read user names and passwords from system files. If you want samba to work you need to use Code: | smbpasswd -a ${username} | to add a user, where ${username} is a valid username but no shell account is required.
But please do NOT offer samba service to internet!! |
qnx l33t
Joined: 25 Jun 2002 Posts: 638 Location: Göteborg, Sweden
Posted: Sun Dec 01, 2002 11:42 am Post subject: |
petu wrote: | But please do NOT offer samba service to internet!! |
Hmm....ok. Something like
Code: |
hosts deny = ALL
hosts allow = 192.168.0.
|
in my smb.conf should make it I guess??? Blocks everything except everything under 192.168.0.x, does it??
petu Apprentice
Joined: 01 Sep 2002 Posts: 269 Location: Turku, Finland
Posted: Thu Dec 05, 2002 5:31 pm Post subject: |
qnx wrote: | Code: |
hosts deny = ALL
hosts allow = 192.168.0.
|
in my smb.conf should make it I guess??? Blocks everything except everything under 192.168.0.x, does it?? |
Yes, it blocks everything except the 192.168.0.0/255.255.255.0 network. |
simulacrum Tux's lil' helper
Joined: 30 Nov 2002 Posts: 128 Location: St Paul, MN
Posted: Fri Dec 06, 2002 12:40 am Post subject: FYI |
I've run a webserver for quite a while and am quite familiar with the logs above. They're Code Red II scans. Occasionally you'll see one end in a ton of N's, which are Code Red I scans. Annoying, but there's little you can do; so many people are unwittingly infected to this day, when Code Red hit over a year ago. |
Exci Apprentice
Joined: 12 Jul 2002 Posts: 265 Location: The Netherlands, Zoetermeer
Posted: Fri Dec 06, 2002 12:18 pm Post subject: |
sorry some stupid idiot in my class posted that....
but wasn't there an iptables way to block it?
something with 'string' |
qnx l33t
Joined: 25 Jun 2002 Posts: 638 Location: Göteborg, Sweden
Posted: Sat Dec 07, 2002 11:32 am Post subject: |
Exci wrote: | sorry some stupid idiot in my class posted that....
but wasn't there an iptables way to block it?
something with 'string' |
That's right, there should be some way to block it using iptables and filtering HTTP GET or something, but since these requests still do no harm, I don't think that there's any need of doing this.
axxackall l33t
Joined: 06 Nov 2002 Posts: 651 Location: Toronto, Ontario, 3rd Rock From Sun
Posted: Tue Feb 04, 2003 1:58 am Post subject: |
Has anyone tried to redirect bad requests using something like:
Code: | <Location /scripts>
Deny from all
ErrorDocument 403 http://127.0.0.1/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+rundll32.exe+shell32.dll,SHExitWindowsEx%201
</Location> |
Just found on slashdot, it promises to reboot the infected source of that worm. |
prolific Apprentice
Joined: 19 Apr 2002 Posts: 237
Posted: Tue Feb 04, 2003 5:44 am Post subject: |
hmm..
this is probably a person who is deliberately using a scanning utility to find vulnerable IIS servers, so that he can use the Traversal Vulnerability to set up an FTP account on that server.. You have nothing to worry about, only Windows admins who are 2 stupid to patch their IIS have 2 worry about this. |
MasterRa n00b
Joined: 13 Dec 2002 Posts: 21 Location: Little Rock, AR USA
Posted: Tue Feb 04, 2003 3:16 pm Post subject: |
I noticed the same thing in my logs the other day. There was a lot of it, too.. from several different IPs, but most of them were on my same ISP.. I did some port scans on the first IP I noticed, and sure enough it was a Windows 2000 Server system. I looked around and found that it's probably the Code Red worm, as you guys mentioned before. I also noticed that it seems to lower all security settings on the system. That is, from a Windows box I could do start->run, type in \\the.ip, and I had access to the entire system. (ie, \\the.ip\c$, full read/write access)
Kind of odd.
I tried to warn the guy, but never got a response..
Oh well. |
green sun Guru
Joined: 04 Nov 2002 Posts: 325 Location: Wista, MA
Posted: Wed Feb 05, 2003 4:00 am Post subject: |
I see a ton of this stuff.. just on my ISP's network (business). It's amazing how many machines are infected with Code Red I/II/Nimda to this date...
If you are getting a ton of scans and are on a slow connection, then they are eating up some bandwidth on your machine.. I remember reading an article on setting up Apache to return a response to these scans that made them stop scanning & wasting BW (esp. if you serve out custom 404 error pages... think about it, if you have a 30k 404 page, you are chugging it out there every time one of those requests fails...)
Of course now that I take a second to look for it, I can't find a link to the article.. grr.... |
ryan83vt Guru
Joined: 28 Oct 2002 Posts: 370 Location: Blacksburg, VA
Posted: Wed Feb 05, 2003 6:48 am Post subject: |
http://www.psacake.com/web/eg.asp is pretty useful - Reverse IP lookup w/ lots of info like contact information for that domain, without installing a program. |