topic Re: Apache Server logs: Attack or Accident? in Operating System - HP-UX

Apache Server logs: Attack or Accident?

Bill McNAMARA_1 — Wed, 15 May 2002 12:34:06 GMT

Incoming IP modified...

1.2.3.4 - - [15/May/2002:12:39:31 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 291
1.2.3.4 - - [15/May/2002:12:39:32 +0200] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 289
1.2.3.4 - - [15/May/2002:12:39:32 +0200] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 299
1.2.3.4 - - [15/May/2002:12:39:33 +0200] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 299
1.2.3.4 - - [15/May/2002:12:39:33 +0200] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 313
1.2.3.4 - - [15/May/2002:12:39:33 +0200] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 330
1.2.3.4 - - [15/May/2002:12:39:34 +0200] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 330
1.2.3.4 - - [15/May/2002:12:39:34 +0200] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 346

But I've got lots of these from inter company addresses..
should I report it?

Bill

Re: Apache Server logs: Attack or Accident?

Sridhar Bhaskarla — Wed, 15 May 2002 12:38:56 GMT

Bill,

Unless you are sure that your CGIs use these commands, I would call them as attacks.

I follow a thumb rule. Anything that cannot recognized by me on my server is a threat until it is done so.

2 cents,
-Sri

Re: Apache Server logs: Attack or Accident?

Jeff Schussele — Wed, 15 May 2002 12:39:06 GMT

Hi Bill,

Certainly look like probes to find a way to a shell or command prompt to me.....suspicious at the least.
I would report it.

Rgds,
Jeff

Re: Apache Server logs: Attack or Accident?

Bill McNAMARA_1 — Wed, 15 May 2002 12:46:45 GMT

Thanks Guys,

I'll report it just to be on the safe side..

What's odd, is that I'm getting them say once/ twice a week from different parts of the world...

I was thinking perhaps it's some virus.

PS the apache server is on NT, but I posted here for quicker response.
It's apache afterall.
(PS - I've no cgi)

Later,
Bill

Re: Apache Server logs: Attack or Accident?

John Bolene — Wed, 15 May 2002 12:47:51 GMT

Yup, looks like Code Red virus stuff to me.

Do you have anti-virus protection on those clients that are requesting that info?

Re: Apache Server logs: Attack or Accident?

Paula J Frazer-Campbell — Wed, 15 May 2002 12:49:07 GMT

Bill

Is the ip address the same?

Where is this logged? just Apache logs?

It looks very dubious.

Can you traceroute to the machine.

Can you turn up the ammount of logging?

From the time stamp - someone bored at lunchtime???

HTH

Paula

Re: Apache Server logs: Attack or Accident?

Craig Rants — Wed, 15 May 2002 12:54:06 GMT

I agree with John, Code Red, nothing to really worry about since the .exe file is not there. You may want to deny this site access be means of a firewall or packet filtering however.

GL,
C

Re: Apache Server logs: Attack or Accident?

Christopher Caldwell — Wed, 15 May 2002 12:58:57 GMT

It's folks scanning for/attempting to exploit IIS/Windoze vulnerabilities - there's no effect (no worries) if you aren't running IIS or Windoze.

Re: Apache Server logs: Attack or Accident?

Helen French — Wed, 15 May 2002 13:00:44 GMT

Hi Bill:

So sad you are being attacked by all these =))

Seems like a virus issue for me too. I would do a small investigation before reporting this !

HTH,
Shiju

Re: Apache Server logs: Attack or Accident?

Paula J Frazer-Campbell — Wed, 15 May 2002 13:32:08 GMT

Hi Bill

CODE RED

Info here:-

http://www.pgp.com/research/covert/security-alerts/codered.asp

Paula

Re: Apache Server logs: Attack or Accident?

Paula J Frazer-Campbell — Wed, 15 May 2002 13:37:44 GMT

Bill

Update info for your OS:_

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-033.asp

Paula

Re: Apache Server logs: Attack or Accident?

benoit Bruckert — Thu, 16 May 2002 07:26:26 GMT

It's a nimda attack, a virus install on a IIS server .
As you are running apache, it's safe for you. But your logs will be full of garbages...

Re: Apache Server logs: Attack or Accident?

Bill McNAMARA_1 — Thu, 16 May 2002 08:19:03 GMT

Yup, it was confirmed as being a Nimda virus symptom..

Later,
Bill

Re: Apache Server logs: Attack or Accident?

Steven Sim Kok Leong — Sat, 18 May 2002 00:21:57 GMT

Hi Bill,

Yes, it is a nimda intrusion attempt alright, originating from another nimda-compromised system.

Being in the security response team, my group have to deal with tons of such logs to pinpoint the nimda-compromised systems.

To aid incident response, what I did was to write CGI scripts called root.exe and cmd.exe. Within the script, the originating source IP is identified. If it is a company IP address, the script performs a check of the MAC address and the registered owner of the MAC address. If it is an external IP address, the script performs a check with the ARIN database lookup for the domain owner. Subsequently, the script sends an automated email indicating a suspected nimda-compromised system to the owner or domain owner.

That saves us the huge administration overhead in incident response considering the number of nimda occurrences.

For protection, if you are a firewall administrator, you can protect your servers by performing layer-7 application-layer filtering on HTTP packets by blocking all accesses to any URLs containing cmd.exe and root.exe. That blocks nimda on the HTTP level. Note that nimda worm traverses through writeable shared folders over netbios as well. For Codered, filter out all HTTP packets containing default.ida or default.idq in its payload. Other signatures to filter include readme.exe, readme.eml and admin.dll etc. You can add to the list as your know of new signatures.

Checkpoint FW-1 does this easily using the HTTP security server which comes built-in. Some other firewalls support the filtering using third-party applications such as websense.

Hope this helps. Regards.

Steven Sim Kok Leong