Page 1 of 2 12 LastLast
Results 1 to 10 of 17

Thread: apache log entries

  1. #1

    apache log entries

    Hey all...

    i've got apache 2.0.47 running on a red hat machine. Im running a proxy on port 8080, and had the unpleasant experience about a year ago of leaving the proxy accessible to anyone and everyone, and sure enough i got on one of those 'free proxy lists' and had people from all over using my machine to surf the web.

    i fixed it as soon as i figured out what was going on, and thru dhcp have a different ip address than i did then, so i dont have that problem anymore...

    this machine is relative new, and sure enough i found the following entries in my apace access log (with similar corresponding entries in the error log). i know they're probably doing scans of blocks of ip addresses looking for open proxies or other vunerabilities, but my question is - what's the significance of the '\x04\x01' character codes?

    I did a cursory google search, looked at the characters in the character map program, ran nmap on the probing ip addresses, all the usual stuff. Google had a few entries on it, but no really in depth answer



    200.63.130.158 - - [12/Nov/2003:12:46:50 -0500] "CONNECT 200.61.10.250:25 HTTP/1.0" 403 306
    200.63.130.158 - - [12/Nov/2003:12:46:50 -0500] "\x04\x01" 501 311

    168.226.149.131 - - [13/Nov/2003:10:48:19 -0500] "CONNECT 200.61.10.250:25 HTTP/1.0" 403 306
    168.226.149.131 - - [13/Nov/2003:10:48:19 -0500] "\x04\x01" 501 311

  2. #2
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    I think this might help you:

    http://www.dshield.org/pipermail/lis...rch/007207.php
    http://lists.insecure.org/lists/secu.../Mar/0038.html

    From what I checked out, appears that someone is attempting to use your proxy for spam relay. Apparently you're not the first based on my search.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  3. #3
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    I agree with MsMittens that someone was probably trying to use your web server as a proxy server; however, I wanted to point out a couple of things:

    - - (from your log entry), this means no user-agent, ie they weren't using a web browser, per se. So they were probably trying something from a command line, probably via netcat.

    403 306 403 means the person didn't have permission to access the attempted URL, 306 means the request was 306 bytes, which is pretty small. So it wasn't successful whatever it was.

    The \x04\x01 is hex byte code (potentially binary representation of assembly instructions). Given that they tried to proxy through to port 25 on another system, I would guess they were probably trying to proxy an attack to 200.61.10.250. And if I had to guess again, they were probably trying one of the recent sendmail vulnerabilities. It does appear that something didn't go right though, seeing that the byte code showed up in a second connection...

    /nebulus
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  4. #4
    Elite Hacker
    Join Date
    Mar 2003
    Posts
    1,407
    I get a lot of this type of stuff:
    "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 314
    "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 293
    "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 291
    "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 301
    "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 301
    "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 332
    "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 332
    "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 348

    Is that stuff normal? This is same version of apache as above run on redhat 9.

  5. #5
    AO Decepticon CXGJarrod's Avatar
    Join Date
    Jul 2002
    Posts
    2,038
    Originally posted here by h3r3tic
    I get a lot of this type of stuff:
    "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 314
    "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 293
    "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 291
    "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 301
    "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 301
    "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 332
    "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 332
    "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 348

    Is that stuff normal? This is same version of apache as above run on redhat 9.
    Isnt that Nimda or Code Red trying to infect your box?
    N00b> STFU i r teh 1337 (english: You must be mistaken, good sir or madam. I believe myself to be quite a good player. On an unrelated matter, I also apparently enjoy math.)

  6. #6
    Elite Hacker
    Join Date
    Mar 2003
    Posts
    1,407
    I don't know, I am asking you all. If it is is there anything I should look for on my computer as far as files go. Or does that only affect windows machines? I would assume it only affects windows from the requests it was making. But in any case, am I safe or is there anything I can do to stop stuff like that. I have the ip should I block it? If so how?

  7. #7
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    Code Red and Nimda are Windows worms only at this point. While they won't infect a *nix box, they will annoy you. I'd suggest sending a complain to the offending IP's ISP as one avenue as they are wasting your bandwidth. It's likely the ISP won't send out anything to the user but then again, they might (I've actually been successful with this route to a degree).

    You could block the IP via a firewall (dropping packets) or using host.deny (as a simple form).
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  8. #8
    Elite Hacker
    Join Date
    Mar 2003
    Posts
    1,407
    So the code red or nimda is what is happening right? I never really got confirmation. This has been going on ever since I have put up my webserver. It is most likely someone from this site, as it is the only place I post a link. So these worms, is it like a tool to break in to a website or what. I guess I need to read up on them. Right now I only have my router firewall running and it is set to forward all requests on port 80 to my webserver machine. Isn't there something in the httpd.conf to deny access to certain ip's. Or is that not the same effect as having a firewall drop the requests. I have a lot of securing to do I guess.

  9. #9
    Senior Member
    Join Date
    Aug 2002
    Posts
    547
    it could be the nimda worm, also code red or some scriptkiddie scanning for his next "victim" (if they managed to know what to do after finding a vulnerable host LOL)

  10. #10
    Senior Member
    Join Date
    Aug 2003
    Posts
    185
    "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+..."
    lol, just an iis vuln scanning.checking for the unicode hole...you're running an apache so don't care, dude.
    Industry Kills Music.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •