September 12th, 2001, 06:00 AM
apache logfile weirdness
I installed apache about a month ago and im getting these weird requests for the file /default.ida. It goes kinda like this:
x.x.x.x [date] "GET /default.ida?XXX[LOTS_of_'x's]XXX%u9090%u6858%ucbd3%u7801%u and then that %u... repeats sometimes with different numbers, sometimes the same. It ends with a %u=a HTTP/1.0"
I see this from many different IPs. I telneted myself and did the same thing but nothing came back. I checked out one of the guys that did this (he had like a dozen ports open), loaded his webpage and it was some 31337 dud3 who hates the government. Is this some kind of exploit that doesnt work? One more question, i port scan myself, but i cant find the logs anywhere! Is the stealth mode really good, or am i looking in the wrong place? thanks guys
September 16th, 2001, 09:08 PM
The log is from code red (1 or 2), it uses the IIS ida vulnerability to access remote machines and copy its self over. perfectly harmless to apache. The only pain is it fills the log, and that compromised computers usualy only scan the same IP ranges as
its currently using.
e.g 18.104.22.168 would scan 212.67.*.*
all the X's are the padding for the buffer overflow, and the numbers the acual code.
September 20th, 2001, 09:06 AM
Contact your ISP and e-mail them the log. If you're like me, and on Road Runner, it gets annoying when your log files are splattered with that garbage. Also, I have taken the step to net send the IPs that I get in hopes that the user will know what's going on and fix the problem.
E-Mailing the ISP with the log will help them to better track down who is still infected.
Jason Parker - http://www.o-negative.net
o-Negative: Information Network