Operating System - HP-UX

Apache Server logs: Attack or Accident?

Bill McNAMARA_1
Honored Contributor


Incoming IP modified...

1.2.3.4 - - [15/May/2002:12:39:31 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 291
1.2.3.4 - - [15/May/2002:12:39:32 +0200] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 289
1.2.3.4 - - [15/May/2002:12:39:32 +0200] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 299
1.2.3.4 - - [15/May/2002:12:39:33 +0200] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 299
1.2.3.4 - - [15/May/2002:12:39:33 +0200] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 313
1.2.3.4 - - [15/May/2002:12:39:33 +0200] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 330
1.2.3.4 - - [15/May/2002:12:39:34 +0200] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 330
1.2.3.4 - - [15/May/2002:12:39:34 +0200] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 346

But I've got lots of these from inter company addresses..
should I report it?

Bill
It works for me (tm)
Sridhar Bhaskarla
Honored Contributor
Solution

Re: Apache Server logs: Attack or Accident?

Bill,

Unless you are sure that your CGIs use these commands, I would call them attacks.

I follow a rule of thumb. Anything that cannot be recognized by me on my server is a threat until it is.

2 cents,
-Sri
You may be disappointed if you fail, but you are doomed if you don't try
Jeff Schussele
Honored Contributor

Re: Apache Server logs: Attack or Accident?

Hi Bill,

Certainly looks like probes to find a way to a shell or command prompt to me... suspicious at the least.
I would report it.

Rgds,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
Bill McNAMARA_1
Honored Contributor

Re: Apache Server logs: Attack or Accident?

Thanks Guys,

I'll report it just to be on the safe side..

What's odd is that I'm getting them, say, once or twice a week from different parts of the world...

I was thinking perhaps it's some virus.

PS the apache server is on NT, but I posted here for quicker response.
It's apache after all.
(PS - I've no cgi)

Later,
Bill
It works for me (tm)
John Bolene
Honored Contributor

Re: Apache Server logs: Attack or Accident?

Yup, looks like Code Red virus stuff to me.

Do you have anti-virus protection on those clients that are requesting that info?
It is always a good day when you are launching rockets! http://tripolioklahoma.org, Mostly Missiles http://mostlymissiles.com
Paula J Frazer-Campbell
Honored Contributor

Re: Apache Server logs: Attack or Accident?

Bill

Is the ip address the same?

Where is this logged? just Apache logs?

It looks very dubious.

Can you traceroute to the machine?

Can you turn up the amount of logging?

From the time stamp - someone bored at lunchtime???

HTH

Paula

If you can spell SysAdmin then you is one - anon
Craig Rants
Honored Contributor

Re: Apache Server logs: Attack or Accident?

I agree with John, Code Red, nothing to really worry about since the .exe file is not there. You may want to deny this site access by means of a firewall or packet filtering however.

GL,
C
"In theory, there is no difference between theory and practice. But, in practice, there is. " Jan L.A. van de Snepscheut
Christopher Caldwell
Honored Contributor

Re: Apache Server logs: Attack or Accident?

It's folks scanning for/attempting to exploit IIS/Windoze vulnerabilities - there's no effect (no worries) if you aren't running IIS or Windoze.
Helen French
Honored Contributor

Re: Apache Server logs: Attack or Accident?

Hi Bill:

So sad you are being attacked by all these =))

Seems like a virus issue to me too. I would do a small investigation before reporting this!

HTH,
Shiju
Life is a promise, fulfill it!
Paula J Frazer-Campbell
Honored Contributor

Re: Apache Server logs: Attack or Accident?

Hi Bill


CODE RED

Info here:-

http://www.pgp.com/research/covert/security-alerts/codered.asp


Paula
If you can spell SysAdmin then you is one - anon
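
As an added example (not written by any poster in this thread), the following Python script triages an Apache access log for requests like the ones quoted in the question: it percent-decodes each URL repeatedly so double-encoded sequences such as ..%255c.. are unmasked, then counts probes per source address and lists any that were not answered with 404. The sample log, the address 5.6.7.8, the 200 response, and the names fully_decode and triage are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample (Apache common log format), modelled on the thread's lines.
# 5.6.7.8 and the 200 response are invented for the demonstration.
SAMPLE_LOG = """\
1.2.3.4 - - [15/May/2002:12:39:31 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 291
1.2.3.4 - - [15/May/2002:12:39:33 +0200] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 313
5.6.7.8 - - [15/May/2002:12:40:02 +0200] "GET /index.html HTTP/1.0" 200 1043
5.6.7.8 - - [15/May/2002:12:41:10 +0200] "GET /msadc/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 512
"""

CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+$')
# Names from the thread's requests, plus any ../ or ..\ left after decoding.
PROBE = re.compile(r'(?:cmd|root)\.exe|\.\.[\\/]', re.IGNORECASE)


def fully_decode(url, max_rounds=5):
    # Percent-decode until stable so %255c -> %5c -> backslash is unmasked.
    # latin-1 maps every byte, so odd sequences such as %c1%1c cannot fail.
    for _ in range(max_rounds):
        decoded = unquote(url, encoding="latin-1")
        if decoded == url:
            break
        url = decoded
    return url


def triage(log_text):
    # Per source IP: number of probe requests, and those not answered with 404.
    report = defaultdict(lambda: {"probes": 0, "answered": []})
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m:
            continue
        ip, when, _method, url, status = m.groups()
        if PROBE.search(fully_decode(url)):
            report[ip]["probes"] += 1
            if status != "404":
                report[ip]["answered"].append((when, url, int(status)))
    return dict(report)


if __name__ == "__main__":
    for ip, info in triage(SAMPLE_LOG).items():
        print(ip, info["probes"], "probe(s);", len(info["answered"]), "not 404")
        for when, url, status in info["answered"]:
            print("   ", when, status, url)
```

Treating a non-404 status on a probe as the case to look at first is this example's own assumption; replace SAMPLE_LOG with the contents of the real access log to run it on live data.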