
Re: Bizarre apache logs



Hi

Well it's not exactly nimda but an older one AFAIK. Nimda are these
balba.ida%ddddddddddddddddddd and so on. But that's not what I'm worried
about, as these attacks are that common. I'm rather surprised to see that
the attacker got one 404 response from the webserver. He should have got a
403 response instead. Has he passed the "deny from all" then?

(excerpt from the httpd.conf)

<Location />
        Order allow,deny
        deny from all
</Location>

Like this he should never get a 404 response, should he?

Regards

Marcel

--------------------

PGP / GPG Key:    http://www.ncpro.com/GPG/mmweber-at-ncpro-com.asc

> -----Original Message-----
> From: DL [mailto:dl@crackapple.org]
> Sent: Sunday, 6 October 2002 01:45
> To: Marcel Weber
> Cc: debian-security@lists.debian.org
> Subject: Re: Bizarre apache logs
>
>
>
> Looks like part of the Nimda virus that's rampant. It's looking for exploitable
> holes in IIS. Since you're running apache, I don't believe you have much to
> worry about.
>
> There are some apache modules out there that you can install, that will take the
> IP address from your log when it sees things like this, do an ARIN lookup on it,
> and send an email to abuse and hostmaster of the company that owns that block.
>
>
> On Sun, 6 Oct 2002, Marcel Weber wrote:
>
> > Hi
> >
> > I had some bizarre 404 entries in my apache logs. They are very rare, but it
> > looks as they resulted from an attempted attack. Well say it was a rather
> > lame attack, but I wonder where the 404 and 400 came from. As the server is
> > configured, there should be only 403 answers, as the whole http part is
> > closed. Except for one directory and from the intranet. From the outside one
> > can access the server via https only.
> >
> > I don't know if I have to be alerted or something, but I would feel better
> > if someone could check my set up. Just for making sure, that it is not a
> > misconfiguration. The server is an older Compaq Proliant 800, some Pentium
> > 133 MHz. Rather slow, perhaps this has an influence.
> >
> > Below are the error.log and access.log in question and at the end the
> > relevant section of the httpd.conf.
> >
> > Regards
> >
> > Marcel
> >
> >
> >
> > #####################################################################
> > access.log: I put some newlines between the 404 and the rest of it.
> >
> > 80.240.96.146 - - [29/Sep/2002:12:50:03 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 403 286 "-" "-"
> > 80.240.96.146 - - [29/Sep/2002:12:50:04 +0200] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 403 284 "-" "-"
> > 80.240.96.146 - - [29/Sep/2002:12:50:04 +0200] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 294 "-" "-"
> > 80.240.96.146 - - [29/Sep/2002:12:50:04 +0200] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 294 "-" "-"
> > 80.240.96.146 - - [29/Sep/2002:12:50:05 +0200] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 308 "-" "-"
> > 80.240.96.146 - - [29/Sep/2002:12:50:05 +0200] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 325 "-" "-"
> > 80.240.96.146 - - [29/Sep/2002:12:50:05 +0200] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 325 "-" "-"
> > 80.240.96.146 - - [29/Sep/2002:12:50:06 +0200] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 341 "-" "-"
> > 80.240.96.146 - - [29/Sep/2002:12:50:06 +0200] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 307 "-" "-"
> >
> >
> > 80.240.96.146 - - [29/Sep/2002:12:50:06 +0200] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303 "-" "-"
> >
> >
> > 80.240.96.146 - - [29/Sep/2002:12:50:07 +0200] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 307 "-" "-"
> > 80.240.96.146 - - [29/Sep/2002:12:50:07 +0200] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 307 "-" "-"
> > 80.240.96.146 - - [29/Sep/2002:12:50:07 +0200] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 287 "-" "-"
> > 80.240.96.146 - - [29/Sep/2002:12:50:08 +0200] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 287 "-" "-"
> > 80.240.96.146 - - [29/Sep/2002:12:50:08 +0200] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 308 "-" "-"
> > 80.240.96.146 - - [29/Sep/2002:12:50:08 +0200] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 308 "-" "-"
> >
> >
> > #####################################################################
> > In the error.log there are the following entries:
> >
> > [Sun Sep 29 12:50:03 2002] [error] [client 80.240.96.146] client denied by server configuration: /var/www/scripts
> > [Sun Sep 29 12:50:04 2002] [error] [client 80.240.96.146] client denied by server configuration: /var/www/MSADC
> > [Sun Sep 29 12:50:04 2002] [error] [client 80.240.96.146] client denied by server configuration: /var/www/c
> > [Sun Sep 29 12:50:04 2002] [error] [client 80.240.96.146] client denied by server configuration: /var/www/d
> > [Sun Sep 29 12:50:05 2002] [error] [client 80.240.96.146] client denied by server configuration: /var/www/scripts
> > [Sun Sep 29 12:50:05 2002] [error] [client 80.240.96.146] client denied by server configuration: /var/www/_vti_bin
> > [Sun Sep 29 12:50:05 2002] [error] [client 80.240.96.146] client denied by server configuration: /var/www/_mem_bin
> > [Sun Sep 29 12:50:06 2002] [error] [client 80.240.96.146] client denied by server configuration: /var/www/msadc
> > [Sun Sep 29 12:50:06 2002] [error] [client 80.240.96.146] client denied by server configuration: /var/www/scripts
> > [Sun Sep 29 12:50:07 2002] [error] [client 80.240.96.146] client denied by server configuration: /var/www/scripts
> > [Sun Sep 29 12:50:07 2002] [error] [client 80.240.96.146] client denied by server configuration: /var/www/scripts
> > [Sun Sep 29 12:50:08 2002] [error] [client 80.240.96.146] client denied by server configuration: /var/www/scripts
> > [Sun Sep 29 12:50:08 2002] [error] [client 80.240.96.146] client denied by server configuration: /var/www/scripts
> >
> > #####################################################################
> >
> > Here comes my httpd.conf
> >
> > <Location />
> >        Order allow,deny
> >        deny from all
> > </Location>
> >
> >
> > <VirtualHost _default_:80>
> >         ServerName      xxx.foo.com
> >         ServerAlias     xxx.faa.com
> >
> >
> > <Location />
> >       Order allow,deny
> >       allow from 192.x.x.0/24  # allow access only from the intranet
> >
> >       AuthType Basic
> >       AuthName "foo"
> >       AuthLDAPBindDN "xxxxxxxxxxxxxxxxxxxxxxxx"
> >       AuthLDAPBindPassword "xxxxxxxxxxxxxxxxxxx"
> >       AuthLDAPUrl ldap://dddddddddddddddddddddddddddddddddddddd
> >       require valid-user
> >
> > </Location>
> >
> > <Location /public>
> >         Order allow,deny
> >         allow from all
> >         satisfy any
> > </Location>
> >
> >
> >         <Location /zykadmin>
> >                 Order allow,deny
> >                 allow from 192.x.x.0/24
> >         </Location>
> >
> >
> >         <Location /servlets>
> >                 Order allow,deny
> >                 Allow from 192.x.x.0/24
> >         </Location>
> >
> >         #### Servlets which are reachable via http
> >         WebAppDeploy examples warpConnection /servlets/examples/
> >         WebAppDeploy lagerchargen warpConnection /servlets/agauga/
> >
> > </VirtualHost>
> >
> > <VirtualHost _default_:443>
> >         DocumentRoot    /var/www
> >         ServerName      xxx.foo.com
> >         ServerAlias 	yyy.faa.com
> >
> >         #### Servlets which are reachable via https
> >         WebAppDeploy examples warpConnection /servlets/examples/
> >         WebAppDeploy lagerchargen warpConnection /servlets/agauga/
> >
> >
> >         <Location />
> >                Order allow,deny
> >                allow from all
> >
> >                 AuthType Basic
> >                 AuthName "iiiiiiiiiiiii"
> >                 AuthLDAPBindDN "ooooooooooooooooooo"
> >                 AuthLDAPBindPassword "xxxxxxxxxx"
> >                 AuthLDAPUrl ldap://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
> >                 require valid-user
> >
> >         </Location>
> >
> >
> >         <IfModule mod_ssl.c>
> >                   SSLEngine on
> >                   SSLCertificateFile    /etc/apache/ssl.crt/server.crt
> >                   SSLCertificateKeyFile /etc/apache/ssl.key/server.key
> > #                 SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
> >         </IfModule>
> > </VirtualHost>
> >
> > --------------------
> >
> > PGP / GPG Key:    http://www.ncpro.com/GPG/mmweber-at-ncpro-com.asc
> >
> >
> >
> >
>
>
>
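The question this thread turns on, why a server whose root Location is `deny from all` still answers 404 and 400 to some of these probes, can be checked mechanically from the two logs. The Python script below is an added example, not code posted by anyone in the thread. It parses a few access.log and error.log lines constructed to match the format of the ones quoted above, flags the Nimda / Code Red II style requests whose status is not the expected 403, and counts, per client and second, whether every 403 has a matching "client denied by server configuration" entry. Its `unescape_outcome()` function emulates the two checks that Apache 1.3's `ap_unescape_url()` applies while decoding the request path, which happens before any access control runs: a `%` not followed by two hex digits is answered with 400, and an escape that decodes to `/` (such as the `%2f` in `..%c0%2f..`) with 404. That is why those requests show up in access.log with 404 or 400 and leave no "client denied" line in error.log, while `%252f`, which decodes only to the literal text `%2f`, reaches the access check and gets the 403. The marker strings, regexes and sample lines are this example's own assumptions.

```python
"""Correlate Apache access.log and error.log entries for IIS worm probes.

Added example, not from the thread. The sample lines below are constructed
to match the format of the logs quoted in the thread (a subset, not the capture).
"""
import re
import string
from collections import Counter
from datetime import datetime
from typing import Optional

ACCESS_LOG = """\
80.240.96.146 - - [29/Sep/2002:12:50:03 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 403 286 "-" "-"
80.240.96.146 - - [29/Sep/2002:12:50:05 +0200] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 308 "-" "-"
80.240.96.146 - - [29/Sep/2002:12:50:06 +0200] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303 "-" "-"
80.240.96.146 - - [29/Sep/2002:12:50:07 +0200] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 287 "-" "-"
80.240.96.146 - - [29/Sep/2002:12:50:08 +0200] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 308 "-" "-"
"""

ERROR_LOG = """\
[Sun Sep 29 12:50:03 2002] [error] [client 80.240.96.146] client denied by server configuration: /var/www/scripts
[Sun Sep 29 12:50:05 2002] [error] [client 80.240.96.146] client denied by server configuration: /var/www/scripts
[Sun Sep 29 12:50:08 2002] [error] [client 80.240.96.146] client denied by server configuration: /var/www/scripts
"""

ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                       r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) ')
ERROR_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] '
                      r'client denied by server configuration: (?P<path>\S+)')

# Substrings that mark the IIS worm probes quoted in the thread (assumed signature set).
PROBE_MARKERS = ("root.exe", "cmd.exe", "/winnt/system32/", "/_vti_bin/", "/msadc/")


def is_probe(uri: str) -> bool:
    """True if the request URI carries one of the worm probe markers."""
    low = uri.lower()
    return any(marker in low for marker in PROBE_MARKERS)


def unescape_outcome(path: str) -> Optional[int]:
    """Emulate the checks Apache 1.3's ap_unescape_url() makes on the request
    path before access control runs (emulation written for this example).
    Returns 400 for a '%' not followed by two hex digits, 404 if an escape
    decodes to '/' or NUL, and None if the path goes on to the access check."""
    bad_escape = bad_path = False
    i = 0
    while i < len(path):
        if path[i] == "%":
            pair = path[i + 1:i + 3]
            if len(pair) == 2 and all(c in string.hexdigits for c in pair):
                if int(pair, 16) in (0x2F, 0x00):
                    bad_path = True
                i += 3
                continue
            bad_escape = True  # Apache keeps the '%' and moves on by one byte
        i += 1
    if bad_escape:
        return 400
    if bad_path:
        return 404
    return None


def parse_access(text: str) -> list:
    """Parse common-log-format lines into dicts keyed by ip, ts, uri, status."""
    entries = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guessing
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
        entries.append({"ip": m["ip"], "ts": ts, "uri": m["uri"], "status": int(m["status"])})
    return entries


def parse_denials(text: str) -> Counter:
    """Count 'client denied by server configuration' lines per (client, second)."""
    denials = Counter()
    for line in text.splitlines():
        m = ERROR_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            denials[(m["ip"], ts)] += 1
    return denials


def audit(access_text: str, error_text: str, expected_status: int = 403):
    """Return (findings, mismatches).

    findings: probe requests whose status is not expected_status, each with
      the status the URL-decoding step alone would have produced.
    mismatches: (client, second) -> (count of expected_status responses,
      count of denial entries) wherever the two counts differ.
    """
    entries = parse_access(access_text)
    denials = parse_denials(error_text)
    findings = []
    for e in entries:
        if is_probe(e["uri"]) and e["status"] != expected_status:
            path = e["uri"].split("?", 1)[0]  # the query string is not unescaped here
            findings.append({"uri": e["uri"], "status": e["status"],
                             "decode_rejects_with": unescape_outcome(path)})
    forbidden = Counter((e["ip"], e["ts"]) for e in entries if e["status"] == expected_status)
    mismatches = {}
    for key in set(forbidden) | set(denials):
        if forbidden[key] != denials[key]:
            mismatches[key] = (forbidden[key], denials[key])
    return findings, mismatches


if __name__ == "__main__":
    found, bad = audit(ACCESS_LOG, ERROR_LOG)
    for f in found:
        print(f"{f['status']} for {f['uri']}: decoding alone gives {f['decode_rejects_with']}")
    print("403/denial count mismatches:", bad or "none")
```

Run against the full logs, `audit()` returns the requests that never reached the access check, together with the status the decoder alone would have produced, and any (client, second) pair where the number of 403 responses and the number of denial entries disagree; an empty mismatch dict means every 403 was the access control doing its job, and the remaining 404/400 responses came from URL decoding rather than from a gap in `deny from all`.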


