-
November 13th, 2003, 11:42 PM
#1
Member
apache log entries
Hey all...
I've got Apache 2.0.47 running on a Red Hat machine. I'm running a proxy on port 8080, and had the unpleasant experience about a year ago of leaving the proxy accessible to anyone and everyone, and sure enough I got on one of those 'free proxy lists' and had people from all over using my machine to surf the web.
I fixed it as soon as I figured out what was going on, and through DHCP have a different IP address than I did then, so I don't have that problem anymore...
This machine is relatively new, and sure enough I found the following entries in my Apache access log (with similar corresponding entries in the error log). I know they're probably doing scans of blocks of IP addresses looking for open proxies or other vulnerabilities, but my question is: what's the significance of the '\x04\x01' character codes?
I did a cursory Google search, looked at the characters in the character map program, ran nmap on the probing IP addresses, all the usual stuff. Google had a few entries on it, but no really in-depth answer.
200.63.130.158 - - [12/Nov/2003:12:46:50 -0500] "CONNECT 200.61.10.250:25 HTTP/1.0" 403 306
200.63.130.158 - - [12/Nov/2003:12:46:50 -0500] "\x04\x01" 501 311
168.226.149.131 - - [13/Nov/2003:10:48:19 -0500] "CONNECT 200.61.10.250:25 HTTP/1.0" 403 306
168.226.149.131 - - [13/Nov/2003:10:48:19 -0500] "\x04\x01" 501 311
-
November 13th, 2003, 11:50 PM
#2
I think this might help you:
http://www.dshield.org/pipermail/lis...rch/007207.php
http://lists.insecure.org/lists/secu.../Mar/0038.html
From what I checked out, it appears that someone is attempting to use your proxy for spam relay. Apparently you're not the first, based on my search.
-
November 14th, 2003, 12:12 AM
#3
I agree with MsMittens that someone was probably trying to use your web server as a proxy server; however, I wanted to point out a couple of things:
'- -' (from your log entry): this means no user-agent, i.e. they weren't using a web browser, per se. So they were probably trying something from a command line, probably via netcat.
'403 306': 403 means the person didn't have permission to access the attempted URL, 306 means the request was 306 bytes, which is pretty small. So it wasn't successful, whatever it was.
The \x04\x01 is hex byte code (potentially binary representation of assembly instructions). Given that they tried to proxy through to port 25 on another system, I would guess they were probably trying to proxy an attack to 200.61.10.250. And if I had to guess again, they were probably trying one of the recent sendmail vulnerabilities. It does appear that something didn't go right though, seeing that the byte code showed up in a second connection...
/nebulus
There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.
(Merovingian - Matrix Reloaded)
-
November 14th, 2003, 12:28 AM
#4
I get a lot of this type of stuff:
"GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 314
"GET /scripts/root.exe?/c+dir HTTP/1.0" 404 293
"GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 291
"GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 301
"GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 301
"GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 332
"GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 332
"GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 348
Is that stuff normal? This is the same version of Apache as above, run on Red Hat 9.
-
November 14th, 2003, 12:41 AM
#5
Originally posted here by h3r3tic
I get a lot of this type of stuff:
"GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 314
"GET /scripts/root.exe?/c+dir HTTP/1.0" 404 293
"GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 291
"GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 301
"GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 301
"GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 332
"GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 332
"GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 348
Is that stuff normal? This is the same version of Apache as above, run on Red Hat 9.
Isn't that Nimda or Code Red trying to infect your box?
N00b> STFU i r teh 1337 (english: You must be mistaken, good sir or madam. I believe myself to be quite a good player. On an unrelated matter, I also apparently enjoy math.)
-
November 14th, 2003, 01:02 AM
#6
I don't know, I am asking you all. If it is, is there anything I should look for on my computer as far as files go? Or does that only affect Windows machines? I would assume it only affects Windows, from the requests it was making. But in any case, am I safe, or is there anything I can do to stop stuff like that? I have the IP; should I block it? If so, how?
-
November 14th, 2003, 02:28 AM
#7
Code Red and Nimda are Windows worms only at this point. While they won't infect a *nix box, they will annoy you. I'd suggest sending a complaint to the offending IP's ISP as one avenue, as they are wasting your bandwidth. It's likely the ISP won't send out anything to the user, but then again, they might (I've actually been successful with this route to a degree).
You could block the IP via a firewall (dropping packets) or using hosts.deny (as a simple form).
-
November 14th, 2003, 02:39 AM
#8
So Code Red or Nimda is what is happening, right? I never really got confirmation. This has been going on ever since I put up my webserver. It is most likely someone from this site, as it is the only place I post a link. So these worms, are they like a tool to break in to a website, or what? I guess I need to read up on them. Right now I only have my router firewall running, and it is set to forward all requests on port 80 to my webserver machine. Isn't there something in httpd.conf to deny access to certain IPs? Or is that not the same effect as having a firewall drop the requests? I have a lot of securing to do, I guess.
-
November 14th, 2003, 02:41 AM
#9
It could be the Nimda worm, also Code Red, or some script kiddie scanning for his next "victim" (if they managed to know what to do after finding a vulnerable host, LOL).
-
November 14th, 2003, 02:51 AM
#10
Senior Member
"GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+..."
lol, just IIS vuln scanning, checking for the Unicode hole... you're running Apache, so don't care, dude.
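An added example, not code from anyone in this thread, that does the triage both halves of the thread do by hand: it parses the posted access-log lines, flags the CONNECT-to-port-25 relay attempts and the \x04\x01 bytes (the version and command fields of a SOCKS4 CONNECT request, which Apache logs in escaped form), and flags the cmd.exe/root.exe IIS probes. The 192.0.2.x source hosts and the timestamps on the cmd.exe lines are constructed, since h3r3tic's post omitted them.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Apache common log format: host ident authuser [time] "request" status bytes
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" \d{3} (?:\d+|-)$')

# Constructed sample: the lines posted in this thread. 192.0.2.x hosts and the
# timestamps on the cmd.exe lines are made up, as h3r3tic's post omitted them.
SAMPLE_LOG = """\
200.63.130.158 - - [12/Nov/2003:12:46:50 -0500] "CONNECT 200.61.10.250:25 HTTP/1.0" 403 306
200.63.130.158 - - [12/Nov/2003:12:46:50 -0500] "\\x04\\x01" 501 311
192.0.2.10 - - [14/Nov/2003:00:28:00 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 314
192.0.2.10 - - [14/Nov/2003:00:28:01 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 332
192.0.2.11 - - [14/Nov/2003:00:30:00 -0500] "GET /index.html HTTP/1.0" 200 1043
"""

def classify(request: str) -> Optional[str]:
    """Label one request line, or return None if it looks like ordinary traffic."""
    # 0x04 0x01 = SOCKS4 version byte + CONNECT command. mod_log_config writes
    # non-printable bytes as \xNN, so the log holds the eight-character escape.
    if request.startswith("\\x04\\x01"):
        return "socks4-probe"
    m = re.match(r"CONNECT \S+:(\d+) ", request)
    if m:
        # Relaying to SMTP is the open-proxy-for-spam pattern from this thread.
        return "proxy-relay-attempt" if m.group(1) == "25" else "connect-probe"
    path = request.split(" ")[1] if " " in request else request
    # Decode twice so double-encoded traversal (%255c -> %5c -> \) is seen too.
    path = unquote(unquote(path)).lower()
    if "cmd.exe" in path or "root.exe" in path:
        return "iis-worm-probe"
    return None

def triage(log_text: str) -> Dict[str, List[str]]:
    """Group source hosts by probe type across a block of access-log text."""
    findings: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in common log format; skip
        label = classify(m.group("request"))
        if label and m.group("host") not in findings.setdefault(label, []):
            findings[label].append(m.group("host"))
    return findings

if __name__ == "__main__":
    for label, hosts in triage(SAMPLE_LOG).items():
        print(f"{label}: {', '.join(hosts)}")
```

Hosts in the proxy-relay-attempt bucket are the ones MsMittens describes, and the iis-worm-probe bucket is the Nimda/Code Red noise that a *nix Apache can safely ignore or firewall.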