Thread: Web Site Attack?

  1. #1
    Senior Member
    Join Date
    Oct 2001
    Posts
    752

    Web Site Attack?

    I just saw something very interesting in my Apache access log. It was about 50-100 pages of this:


    ‚‚‚‚‚‚ƒƒƒ„„„‚‚‚€€€€€€‚‚‚ƒƒƒ€€€~~~}}}{{{|||}}}}}}|||{{{|||{{{yyyyyyyyyyyyyyyzzz{{{|||}}}|||{{{{{{zzzzzzyyywwwuuuvvvxxxwwwwwwvvvtttssssssqqqmmmlllnnnqqqoooppprrrpppnnnnnnpppmmmllllllnnnppprrrqqqoooooollliiieeedddbbb`````````^^^^^^VVVWWWYYY]]]ZZZWWWYYYZZZ[[[^^^cccdddbbb___^^^```cccaaaeeehhhgggbbbccceee]]]ccccccccc```^^^___GGG%%%











     $$$"""(((BBBeeeyyy***ŒŒŒ‹‹‹‹‹‹ŽŽŽŽŽŽŒŒŒŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽiiiOOO OOORRRWWW!!! JJJ OOORRRWWW!!! JJJ OOORRRWWW!!! JJJ OOORRRWWW!!! JJJ OOORRRWWW!!! JJJ <<<•••***‰‰‰‹‹‹___$$$ZZZ???***@@@TTT{{{******|||BBBWWW******‚‚‚===


    ***---###%%%


    ......666@@@uuu‹‹‹‡‡‡ˆˆˆ‰‰‰GGG;;;aaaiiiNNN===&&&'''OOO<<<

    I would like to know what this is, and if it is indeed an attack and not just the software going nuts, what the hell were they trying to do? The only thing I can think of is some lamer script kiddie flood attack. I looked at my site, and it appears unharmed. I have no addresses or anything linking this to any person. That's one reason I suspect this may just be the software.

  2. #2
    Have you ever seen an encrypted back door?
    It sort of looks like that; obviously it could be anything from a program screwing up or not booting your computer right. Did you install any new software? What about your other logs?
    I think if I was a hacker I would rather use your computer for launching other attacks, so check the other logs and also check the time. I would have modified the time on the server and changed it so it would fit the logs; that way it would look like I was never there. Try scanning it with virus checkers. Take every precaution. Be paranoid, it's the safest way to use a computer. lol. Install keyloggers that can only be set off with remote access. You know, do the security checks.

    God that sucks though because when you get stuff like that you don't know what the hell it is. I feel for you man.

  3. #3
    Senior Member
    Join Date
    Sep 2001
    Posts
    412
    Are you sure you're not looking at a gzipped log file?

  4. #4
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785
    If all the IP addresses that sent this begin with the same group as yours does, you're looking at Nimda hard at work. I'm using IIS here and have miles and miles of logs with all those infected computers searching for the vulnerability on mine. You'd think they woulda' patched it by now.

  5. #5
    Senior Member
    Join Date
    Oct 2001
    Posts
    752
    Originally posted by petemcevoy
    Are you sure you're not looking at a gzipped log file?
    No, it's not in a gzip archive. I have a record of somebody who came to my site almost immediately after this garbage, but I think it was just a coincidence. I traced it with NeoTrace Pro, and he lives really close to Tripstone, so if I can determine it was him, maybe I can get Tripstone to kick his ass for me.

    Tedob1: I don't use IIS. I use Apache, so I won't necessarily have the same problems as you.

    freeOn: Yes, I already take every precaution possible. If you saw my setup, you would be telling me to back off.

  6. #6
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785

    re: stflook

    I read you were using Apache, and Nimda doesn't affect Apache, but it does run the same checks on all servers regardless.
    This is what it looks like in Windows Notepad:

    01:30:29 63.236.25.132 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 500
    01:30:29 63.236.25.132 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 404
    01:30:29 63.236.25.132 GET /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe 404
    01:30:29 63.236.25.132 GET /scripts/..Á../winnt/system32/cmd.exe 404
    01:30:29 63.236.25.132 GET /scripts/winnt/system32/cmd.exe 404
    01:30:29 63.236.25.132 GET /winnt/system32/cmd.exe 404
    01:30:29 63.236.25.132 GET /winnt/system32/cmd.exe 404
    01:30:29 63.236.25.132 GET /scripts/..%5c../winnt/system32/cmd.exe 404
    01:30:29 63.236.25.132 GET /scripts/..%5c../winnt/system32/cmd.exe 404
    01:30:29 63.236.25.132 GET /scripts/..%5c../winnt/system32/cmd.exe 404
    01:30:29 63.236.25.132 GET /scripts/..%2f../winnt/system32/cmd.exe 404

    I don't know what it looks like in Apache (might not be an ASCII log, could be Unicode and not look like this), but it does try anything accepting requests on port 80 even if it is Apache. And right now my internet connection is slower than snail snot on a cold day because of it.
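    A small triage script for the two things this thread is chasing, added here as an example and not code from any poster: it flags Nimda-style traversal probes for cmd.exe in Apache common-log lines (the paths mirror the ones quoted above; I am assuming the "..Á../" in those lines is how the %c1%1c overlong encoding was rendered in Notepad, and the other encodings listed are the ones the worm is known to have used), marks lines that are mostly non-printable bytes for manual inspection rather than guessing what they are, and reports whether probing sources share the server's first two octets, which is the "same group as yours" check from post #4. The sample log lines and the server IP are constructed.

```python
import re
from collections import Counter

# Constructed Apache access_log sample (common log format), not from the thread.
# The first three request paths mirror the Nimda probes quoted in post #6;
# the last line mimics the run of high-bit bytes the original poster saw.
SAMPLE_LOG = [
    '63.236.25.132 - - [18/Oct/2001:01:30:29 -0500] "GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe HTTP/1.0" 404 287',
    '63.236.25.132 - - [18/Oct/2001:01:30:29 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe HTTP/1.0" 404 287',
    '63.236.25.132 - - [18/Oct/2001:01:30:29 -0500] "GET /msadc/..%5c../..%5c../..%5c/..%c1%1c../winnt/system32/cmd.exe HTTP/1.0" 404 287',
    '192.0.2.10 - - [18/Oct/2001:01:31:02 -0500] "GET /index.html HTTP/1.1" 200 1043',
    '\x82\x82\x82\x83\x83\x83\x84\x84\x84\x82\x82\x82\x80\x80\x80~~~}}}{{{|||',
]

# Common log format: client ident user [time] "method path proto" status bytes
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

# One traversal step in the encodings Nimda used: literal slash/backslash,
# %5c, %2f, and the overlong UTF-8 forms IIS of the day decoded after the path check.
TRAVERSAL = re.compile(r'\.\.(?:%5c|%2f|%c0%af|%c1%1c|%c1%9c|/|\\)', re.IGNORECASE)
CMD_TARGET = re.compile(r'/winnt/system32/cmd\.exe', re.IGNORECASE)


def classify(line):
    """Label one log line: nimda-probe, normal, unparsed or binary-garbage."""
    if not line:
        return "unparsed"
    printable = sum(1 for ch in line if 32 <= ord(ch) < 127)
    if printable / len(line) < 0.75:
        return "binary-garbage"   # mostly non-text bytes: look at it by hand
    m = LOG_LINE.match(line)
    if not m:
        return "unparsed"
    path = m.group("path")
    if CMD_TARGET.search(path) and TRAVERSAL.search(path):
        return "nimda-probe"
    return "normal"


def summarize(lines, server_ip):
    """Count probes per source and note which sources share the server's first
    two octets (assumed meaning of 'same group as yours' in post #4)."""
    probes, labels = Counter(), Counter()
    for line in lines:
        label = classify(line)
        labels[label] += 1
        if label == "nimda-probe":
            probes[LOG_LINE.match(line).group("ip")] += 1
    my_prefix = ".".join(server_ip.split(".")[:2]) + "."
    nearby = {ip: ip.startswith(my_prefix) for ip in probes}
    return {"labels": dict(labels), "probes_per_ip": dict(probes), "nearby": nearby}
```

Run `summarize(SAMPLE_LOG, "63.236.1.1")` (a constructed server address) to see the three probes attributed to one nearby source and the garbage line set aside for inspection.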

  7. #7
    Senior Member
    Join Date
    Oct 2001
    Posts
    752
    Yep, that's roughly what it looks like in Apache too. I have had an attack like that before too, only it was about 5-10 pages of that. The IP traced back to an AOL account, so I didn't bother to pursue it.

  8. #8
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785
    OK then... never mind.
    Just need to put my 2 cents in.

    Hope you catch that unbathed person who has carnal knowledge of the maternal parent.
