On Wed, 04 Aug 2004, Barnett, Ryan C. (EDS) said:

> This is the Welchia.B worm. I ran into this when I sponsored the
> Honeynet Project's Scan of the Month for March 2004 -
> http://www.honeynet.org/scans/scan31/sol/. Look in section "2.4
> Attack Category- Web-Based Worms" and you will see the same log
> entries that you showed below.
>
> Additionally, here is some info from Symantec -
> http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.b.worm.html
>
> Bottom line here is that you are running Apache and this only affects
> IIS. The only issue which still remains is the fact that these
> requests are HUGE (you can see that your Apache server issued a 414 -
> URI Request Too Large). If you want to exclude these log entries from
> your access_log file, add this to your httpd.conf file -

hrm, some folks haven't heard of gqap ;) (vim command)

> # Rewrite rule for Welchia
> RewriteEngine On
> RewriteCond %{THE_REQUEST} ^SEARCH.*90.*02.*b1
> # RewriteCond accepts no E= flag; the RewriteRule it guards sets the variable
> RewriteRule .* - [E=dontlog:1]
> # Log what remains
> CustomLog logs/access_log common env=!dontlog

nice one. will it log the request at all, or will this only prevent the
daemon from logging the request totally? seems like the latter to me.
this would be perfect if the request code, IP, referrer, and such were
logged, but not the shellcode per se. i can however live without having
to see those damned 414 requests from some exploited windows box. i've
been seeing this for months, and until recently webalizer puked on them.

> Hope this helps.

certainly does. i'll submit this to the debian-apache list if you don't
mind. thank you kindly

s/

> > Most Respectfully,
> >
> > Ryan C. Barnett
> > SANS: GCFA, GCIH, GCUX, GSEC
> > Department of Justice - ATF
> > Information Services Division
> > Operations Security Team Lead
> >
> >
> >Picked up this in the apache logs of a web server:-
> >
> >210.121.239.116 - - [03/Aug/2004:10:01:24 +0000] "SEARCH
> >/\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\
> >x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb
> >1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\
> --CUT--
> >x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x9
> >0\x90\x90\x90\x90\x90\x90\x90\x
> >90\x90\x90\x90\x90\x90\x90" 414 348
> >

--
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
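As an added example that is not part of the thread (neither poster's code), the kind of filter the reply above asks for: rather than dropping the hit entirely, keep IP, time, method, status, size and referrer and replace the escaped Welchia.B payload with a placeholder. It assumes Apache's \xNN escaping of the request line and the common or combined log format; the sample lines are constructed (the first reuses the IP and timestamp from the thread, with a shortened payload).

```python
import re

# Apache common or combined log format (referrer/agent optional). The
# protocol is optional too: a 414 on a mangled request line may lack it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S*?)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
    r'(?: "(?P<referrer>[^"]*)" "(?P<agent>[^"]*)")?$'
)
# Apache writes non-printable request bytes as \xNN, so the Welchia.B
# payload appears in the log as literal "\x90\x02\xb1..." text.
WELCHIA_RE = re.compile(r'^/(\\x90)+(\\x02\\xb1)+')

def classify(method: str, target: str, status: str) -> str:
    """Tag a request: "welchia-b", "long-uri" (any other 414) or "ok"."""
    if method == "SEARCH" and WELCHIA_RE.match(target):
        return "welchia-b"
    return "long-uri" if status == "414" else "ok"

def sanitize(line: str):
    """Return the log line with a tagged payload replaced by a placeholder,
    keeping IP, time, method, status, size and referrer; None if unparseable."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    target = m["target"]
    tag = classify(m["method"], target, m["status"])
    if tag != "ok":
        target = f"<{tag}: {len(target)} chars dropped>"
    referrer = m["referrer"] or "-"
    return (f'{m["ip"]} [{m["time"]}] "{m["method"]} {target}" '
            f'{m["status"]} {m["size"]} "{referrer}"')

# Constructed sample: a Welchia.B-style SEARCH hit (IP and timestamp taken
# from the thread, payload shortened) and an ordinary GET in combined format.
SAMPLE_LOG = [
    '210.121.239.116 - - [03/Aug/2004:10:01:24 +0000] "SEARCH /'
    + '\\x90' + '\\x02\\xb1' * 40 + '\\x90' * 20 + '" 414 348',
    '192.0.2.10 - - [03/Aug/2004:10:02:00 +0000] "GET /index.html HTTP/1.1" '
    '200 1043 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(sanitize(line))
```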