
Re: "suspicious" apache log entries



Hello Debians,

----- Original Message -----
From: "Michael Renzmann" <mrenzmann@dylanic.de>
To: <debian-security@lists.debian.org>
Sent: Tuesday, September 10, 2002 8:35 AM
Subject: "suspicious" apache log entries


> [Sat Aug 31 21:03:49 2002] [error] [client 64.152.12.2] request failed:
> erroneous characters after protocol string: CONNECT
> mailb.microsoft.com:25 / HTTP/1.0

I've seen tons of ../script/ and ../cmd.exe's, as I've got several machines
with fixed IPs.
##########################################################
klopm:/# cat logs/access_log | grep cmd.exe| wc -l
15384
##########################################################
starting on 07/Feb/2002 on only one IP. And this machine has got 33 IPs.

But this request you mentioned was new to me too - seems like I've missed
something at bugtraq/vulnwatch etc. ;-)

Here it appears for the first time:
##########################################################
67.81.183.168 - - [30/May/2002:16:24:20 +0000] "CONNECT mx1.mail.yahoo.com:25 / HTTP/1.0" 405 231 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
##########################################################

on only one IP, at the end of May. The next request came in two weeks later:
##########################################################
216.53.218.199 - - [15/Jul/2002:01:23:06 +0200] "CONNECT mxs.mail.ru:25 HTTP/1.0" 404 194 "-" "-"
##########################################################
Without a user agent! Some aSSk!cKiNG VB script, I guess.
Now it seems to start: yesterday I got 39 requests for the first time.
Seems to be new...

As they want to connect to some mail server, I guess these are spammers
looking for new ways to spread their impotent news. That's why there are not
so many requests, because kids can't find any "my files", I guess.


Has anyone seen some Anti-Nimda/Code Red besides
http://www.eye-net.com.au/csmall/myscripts/nimda.html ?
I'd like to send out some abuse mails to RIPE or the ISP in addition to the
webmaster, as I believe most of the attacks are done by kids instead of
infected servers.
This one is a bit more complicated, as one needs the whois for the IP, and I
don't have the time to work on this myself....

Over 15000 requests on one IP * 33 at about 240 bytes make roughly 100 MB of
traffic and over 60 MB of logfile for nothing.

thanks and best regards,
Andreas
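The two request families discussed in this message, CONNECT probes aimed at port 25 of a remote mail host (an open-proxy relay test, which Apache answers with 405 or 404 because it is not configured as a forward proxy) and the cmd.exe / root.exe scans left behind by IIS worms and scanners, can be pulled out of an access_log with a little parser instead of a bare grep. The following script is an added example, not code from the original post or from the Debian project; it assumes Apache's combined log format (which the quoted lines use) and reuses the two quoted log lines plus a few constructed ones as sample input. The per-IP tally at the end is the sort of list one would feed into a whois lookup before sending abuse mail.

```python
import re
from collections import Counter, defaultdict

# Apache "combined" log format. The request line is captured loosely because
# the CONNECT probes quoted in the thread carry a stray " /" inside it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>.*?) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Two request families from the thread (patterns are this example's own choice):
CONNECT_SMTP_RE = re.compile(r'^[\w.-]+:25\b')             # CONNECT mailhost:25 ...
NIMDA_RE = re.compile(r'/(cmd|root)\.exe', re.IGNORECASE)  # IIS worm / scanner probes


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def classify(rec):
    """Tag a parsed request as 'connect-smtp', 'cmd-exe', or None if ordinary."""
    if rec["method"] == "CONNECT" and CONNECT_SMTP_RE.match(rec["target"]):
        return "connect-smtp"
    if NIMDA_RE.search(rec["target"]):
        return "cmd-exe"
    return None


def summarize(lines):
    """Count tagged requests per family and per client IP, plus bytes served
    and how many arrived with no User-Agent (the "-" the post remarks on)."""
    per_tag, bytes_per_tag, no_agent = Counter(), Counter(), Counter()
    per_ip = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        tag = classify(rec)
        if tag is None:
            continue
        per_tag[tag] += 1
        per_ip[rec["ip"]][tag] += 1
        bytes_per_tag[tag] += rec["bytes"]
        if rec["agent"] == "-":
            no_agent[tag] += 1
    return {"per_tag": per_tag, "per_ip": per_ip,
            "bytes_per_tag": bytes_per_tag, "no_agent": no_agent}


def sources_to_report(summary, threshold=1):
    """Client IPs with at least `threshold` tagged requests, busiest first."""
    totals = [(ip, sum(c.values())) for ip, c in summary["per_ip"].items()]
    return sorted((t for t in totals if t[1] >= threshold), key=lambda t: (-t[1], t[0]))


# Sample input: the two lines quoted in the post, plus constructed lines
# (10.0.0.5 and 192.0.2.10 are documentation/private addresses, not real hosts).
SAMPLE_LOG = [
    '67.81.183.168 - - [30/May/2002:16:24:20 +0000] "CONNECT mx1.mail.yahoo.com:25 / HTTP/1.0" 405 231 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"',
    '216.53.218.199 - - [15/Jul/2002:01:23:06 +0200] "CONNECT mxs.mail.ru:25 HTTP/1.0" 404 194 "-" "-"',
    '10.0.0.5 - - [07/Feb/2002:03:14:07 +0000] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 240 "-" "-"',
    '10.0.0.5 - - [07/Feb/2002:03:14:08 +0000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 240 "-" "-"',
    '192.0.2.10 - - [15/Jul/2002:01:30:00 +0200] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for tag, n in s["per_tag"].items():
        print(f"{tag}: {n} requests, {s['bytes_per_tag'][tag]} bytes, "
              f"{s['no_agent'][tag]} without User-Agent")
    for ip, n in sources_to_report(s):
        print(f"{ip}: {n} suspicious requests")
```

To run it against a real file, replace SAMPLE_LOG with `open("/var/log/apache/access.log")`; the parser skips lines it cannot match, so a log with a different LogFormat silently yields nothing, which is worth checking before trusting the counts.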



