-
apache log entries
Hey all...
I've got Apache 2.0.47 running on a Red Hat machine. I'm running a proxy on port 8080, and had the unpleasant experience about a year ago of leaving the proxy accessible to anyone and everyone, and sure enough I got on one of those 'free proxy lists' and had people from all over using my machine to surf the web.
I fixed it as soon as I figured out what was going on, and through DHCP have a different IP address than I did then, so I don't have that problem anymore...
This machine is relatively new, and sure enough I found the following entries in my Apache access log (with similar corresponding entries in the error log). I know they're probably doing scans of blocks of IP addresses looking for open proxies or other vulnerabilities, but my question is: what's the significance of the '\x04\x01' character codes?
I did a cursory Google search, looked at the characters in the character map program, ran nmap on the probing IP addresses, all the usual stuff. Google had a few entries on it, but no really in-depth answer.
200.63.130.158 - - [12/Nov/2003:12:46:50 -0500] "CONNECT 200.61.10.250:25 HTTP/1.0" 403 306
200.63.130.158 - - [12/Nov/2003:12:46:50 -0500] "\x04\x01" 501 311
168.226.149.131 - - [13/Nov/2003:10:48:19 -0500] "CONNECT 200.61.10.250:25 HTTP/1.0" 403 306
168.226.149.131 - - [13/Nov/2003:10:48:19 -0500] "\x04\x01" 501 311
-
I think this might help you:
http://www.dshield.org/pipermail/lis...rch/007207.php
http://lists.insecure.org/lists/secu.../Mar/0038.html
From what I checked out, appears that someone is attempting to use your proxy for spam relay. Apparently you're not the first based on my search.
-
I agree with MsMittens that someone was probably trying to use your web server as a proxy server; however, I wanted to point out a couple of things:
- - (from your log entry): this means no user-agent, i.e. they weren't using a web browser, per se. So they were probably trying something from a command line, probably via netcat.
403 306: 403 means the person didn't have permission to access the attempted URL, 306 means the request was 306 bytes, which is pretty small. So it wasn't successful, whatever it was.
The \x04\x01 is hex byte code (potentially binary representation of assembly instructions). Given that they tried to proxy through to port 25 on another system, I would guess they were probably trying to proxy an attack to 200.61.10.250. And if I had to guess again, they were probably trying one of the recent sendmail vulnerabilities. It does appear that something didn't go right though, seeing that the byte code showed up in a second connection...
/nebulus
-
I get a lot of this type of stuff:
"GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 314
"GET /scripts/root.exe?/c+dir HTTP/1.0" 404 293
"GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 291
"GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 301
"GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 301
"GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 332
"GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 332
"GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 348
Is that stuff normal? This is the same version of Apache as above, run on Red Hat 9.
-
Quote:
Originally posted here by h3r3tic
I get a lot of this type of stuff:
"GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 314
"GET /scripts/root.exe?/c+dir HTTP/1.0" 404 293
"GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 291
"GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 301
"GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 301
"GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 332
"GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 332
"GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 348
Is that stuff normal? This is the same version of Apache as above, run on Red Hat 9.
Isn't that Nimda or Code Red trying to infect your box?
-
I don't know, I am asking you all. If it is, is there anything I should look for on my computer as far as files go? Or does that only affect Windows machines? I would assume it only affects Windows from the requests it was making. But in any case, am I safe, or is there anything I can do to stop stuff like that? I have the IP; should I block it? If so, how?
-
Code Red and Nimda are Windows worms only at this point. While they won't infect a *nix box, they will annoy you. I'd suggest sending a complaint to the offending IP's ISP as one avenue, as they are wasting your bandwidth. It's likely the ISP won't send out anything to the user, but then again, they might (I've actually been successful with this route to a degree).
You could block the IP via a firewall (dropping packets) or using hosts.deny (as a simple form).
-
So the Code Red or Nimda is what is happening, right? I never really got confirmation. This has been going on ever since I have put up my webserver. It is most likely someone from this site, as it is the only place I post a link. So these worms, is it like a tool to break in to a website or what? I guess I need to read up on them. Right now I only have my router firewall running and it is set to forward all requests on port 80 to my webserver machine. Isn't there something in the httpd.conf to deny access to certain IPs? Or is that not the same effect as having a firewall drop the requests? I have a lot of securing to do, I guess.
-
It could be the Nimda worm, also Code Red, or some script kiddie scanning for his next "victim" (if they managed to know what to do after finding a vulnerable host LOL)
-
"GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+..."
lol, just an IIS vuln scanner checking for the Unicode hole... you're running Apache, so don't care, dude.
-
Quote:
Originally posted here by h3r3tic
It is most likely someone from this site, as it is the only place I post a link. So these worms, is it like a tool to break in to a website or what. I guess I need to read up on them.
Not necessarily. Code Red generates propagation lists randomly (one variation is more successful at this than the other). You might want to check out CERT's Code Red Advisory and CERT's Code Red II Advisory for more details. I've also included CERT's Nimda advisory (although if it is a worm, I'd hedge my bets more towards Code Red than Nimda).
stanger is probably correct in that it is likely an IIS scanner or some other vuln scanner (Nessus perhaps?). Generally, the worms have a larger footprint for single packets.
While you may not be running Apache, there is reason to be concerned. Someone now knows you run something with a port that accepts http requests. Securing the box would be a good next step (although might be better as a good first step.. :D)
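An added example, not code from anyone in this thread: a small Python classifier that runs over Apache common-log lines like the ones posted above and sorts them into the categories the thread has been discussing. It covers both the first post's entries (HTTP CONNECT to port 25, and the "\x04\x01" request that Apache answered with 501) and the cmd.exe/root.exe requests posted later. Two facts it relies on: Apache writes non-printable request bytes as \xNN escapes, and the bytes 0x04 0x01 are the version and command fields of a SOCKS4 CONNECT request (version 4, command 1), which is consistent with a scanner trying both HTTP and SOCKS proxying after the CONNECT was refused. The decoding of %255c (double percent-encoding of the backslash) and %c1%1c (an overlong UTF-8 form of the backslash) is what the "unicode hole" requests depend on. The sample lines are constructed: the proxy entries are the ones posted in this thread, the IIS-style requests are given a made-up client host and timestamp because the poster trimmed those fields, and the last line is an ordinary request for contrast.

```python
import re
from urllib.parse import unquote

# Apache "common" log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# The request-line shape Apache expects: METHOD SP TARGET SP HTTP/x.y
REQ_LINE_RE = re.compile(r'^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d$')

# Constructed sample lines (see lead-in); hosts 192.0.2.x are documentation addresses.
SAMPLE_LINES = [
    r'200.63.130.158 - - [12/Nov/2003:12:46:50 -0500] "CONNECT 200.61.10.250:25 HTTP/1.0" 403 306',
    r'200.63.130.158 - - [12/Nov/2003:12:46:50 -0500] "\x04\x01" 501 311',
    r'168.226.149.131 - - [13/Nov/2003:10:48:19 -0500] "CONNECT 200.61.10.250:25 HTTP/1.0" 403 306',
    r'168.226.149.131 - - [13/Nov/2003:10:48:19 -0500] "\x04\x01" 501 311',
    r'192.0.2.10 - - [14/Nov/2003:08:00:01 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 314',
    r'192.0.2.10 - - [14/Nov/2003:08:00:02 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 293',
    r'192.0.2.10 - - [14/Nov/2003:08:00:03 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 332',
    r'192.0.2.11 - - [14/Nov/2003:09:00:00 -0500] "GET /index.html HTTP/1.1" 200 1234',
]


def parse(line):
    """Split one common-log line into its fields, or return None if it does not fit."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def unescape_apache(s):
    """Turn Apache's \\xNN escapes (used for non-printable request bytes) back into raw bytes."""
    return re.sub(r'\\x([0-9a-fA-F]{2})',
                  lambda m: chr(int(m.group(1), 16)), s).encode('latin-1')


def decode_target(target):
    """Percent-decode twice so ..%255c.. collapses to ..\\.., then map the overlong
    UTF-8 sequence %c1%1c to the backslash it was meant to smuggle past IIS."""
    once = unquote(target, encoding='latin-1')
    twice = unquote(once, encoding='latin-1')
    return twice.replace('\xc1\x1c', '\\')


def classify(line):
    """Label a log line by what the client appears to have been trying."""
    fields = parse(line)
    if fields is None:
        return 'unparsable'
    req = fields['request']
    rl = REQ_LINE_RE.match(req)
    if not rl:
        # Not an HTTP request line at all; check for the SOCKS4 CONNECT header.
        raw = unescape_apache(req)
        if raw[:2] == b'\x04\x01':
            return 'socks4-connect-probe'
        return 'non-http-request'
    method, target = rl.group('method'), rl.group('target')
    if method == 'CONNECT':
        _, _, port = target.rpartition(':')
        return 'proxy-to-smtp' if port == '25' else 'proxy-connect'
    decoded = decode_target(target).lower()
    if 'cmd.exe' in decoded or 'root.exe' in decoded:
        return 'iis-cmd-probe'
    if '..\\' in decoded or '../' in decoded:
        return 'traversal'
    return 'ordinary'


def summarize(lines):
    """Map each category to the sorted list of distinct client hosts that produced it."""
    hosts = {}
    for line in lines:
        fields = parse(line)
        host = fields['host'] if fields else '?'
        hosts.setdefault(classify(line), set()).add(host)
    return {cat: sorted(h) for cat, h in hosts.items()}


if __name__ == '__main__':
    for cat, hosts in sorted(summarize(SAMPLE_LINES).items()):
        print(f'{cat:22s} {", ".join(hosts)}')
```

Run against a real access log, the summary gives one line per category with the client addresses behind it, which is the list you would take to the ISP or to a firewall rule. The 501 status on the SOCKS lines is Apache's own answer to a request line it cannot parse, so those entries are evidence of a refused probe, not of a successful one.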
-
Quote:
Originally posted here by MsMittens
(... )
While you may not be running Apache, there is reason to be concerned. Someone now knows you run something with a port that accepts http requests. Securing the box would be a good next step (although might be better as a good first step.. :D)
...maybe it's a web server and he wants ppl to connect to?? ;)
-
Out of those links the Nimda one definitely looks the closest to what I am getting. There are tutorials in this forum for configuring your firewall, right? I'm going to go check. I tried having it on, but I didn't know how to configure it to accept requests for the services I am running. I'm not too worried though, since I'm not using IIS. Thanks for all the replies.
-
Quote:
Originally posted here by stanger
...maybe it's a web server and he wants ppl to connect to?? ;)
Yes but that doesn't mean he shouldn't secure it.
-
...hmmm...but how to get rid of those requests? impossible?
-
Getting rid of those requests is done in one of two ways (IMHO):
a) if it's a worm, contact the ISP it's coming from. Get them to deal with the user that is infected and utilizing excess bandwidth.
b) ensure that a firewall is up in front of the webserver and any time such a request is made, drop the packet (that is, don't forward it to the web server). It slows connections down fractionally, but it can go a long way to protecting your web server. These kinds of requests are not legitimate ones. If need be, have an IDS set up to communicate with the firewall and, upon detection, shut down connections.
This ensures legit traffic through while mitigating suspect traffic.
-
I guess I'm an idiot, but how do I get my firewall to drop packets from a certain IP. Here is what I put in the /etc/syslog/iptables file:
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp -s 24.243.64.239 --dport 80 --syn -j DROP
I restarted the iptables service and it didn't work. Here is the whole thing if it helps:
# Firewall configuration written by lokkit
# Manual customization of this file is not recommended.
# Note: ifup-post will punch the current nameservers through the
# firewall; such entries will *not* be listed here.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A FORWARD -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 21 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp -s 24.243.64.239 --dport 80 --syn -j DROP
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 10.0.0.1 --sport 53 -d 0/0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -j REJECT
COMMIT
Hope it is not bad to post that, but I want to configure it correctly and you guys are the experts. Thanks for any help.