Operating System - HP-UX

Apache Server logs: Attack or Accident?

 
SOLVED
Go to solution
Bill McNAMARA_1
Honored Contributor


Incoming IP modified...

1.2.3.4 - - [15/May/2002:12:39:31 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 291
1.2.3.4 - - [15/May/2002:12:39:32 +0200] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 289
1.2.3.4 - - [15/May/2002:12:39:32 +0200] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 299
1.2.3.4 - - [15/May/2002:12:39:33 +0200] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 299
1.2.3.4 - - [15/May/2002:12:39:33 +0200] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 313
1.2.3.4 - - [15/May/2002:12:39:33 +0200] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 330
1.2.3.4 - - [15/May/2002:12:39:34 +0200] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 330
1.2.3.4 - - [15/May/2002:12:39:34 +0200] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 346

But I've got lots of these from inter-company addresses...
Should I report it?

Bill
It works for me (tm)
13 REPLIES
Sridhar Bhaskarla
Honored Contributor
Solution

Re: Apache Server logs: Attack or Accident?

Bill,

Unless you are sure that your CGIs use these commands, I would call them attacks.

I follow a rule of thumb: anything on my server that cannot be recognized by me is a threat until it is.

2 cents,
-Sri
You may be disappointed if you fail, but you are doomed if you don't try
Jeff Schussele
Honored Contributor

Re: Apache Server logs: Attack or Accident?

Hi Bill,

Certainly looks like probes to find a way to a shell or command prompt to me... suspicious at the least.
I would report it.

Rgds,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
Bill McNAMARA_1
Honored Contributor

Re: Apache Server logs: Attack or Accident?

Thanks Guys,

I'll report it just to be on the safe side..

What's odd is that I'm getting them, say, once or twice a week from different parts of the world...

I was thinking perhaps it's some virus.

PS: the Apache server is on NT, but I posted here for a quicker response.
It's Apache after all.
(PS - I have no CGI.)

Later,
Bill
It works for me (tm)
John Bolene
Honored Contributor

Re: Apache Server logs: Attack or Accident?

Yup, looks like Code Red virus stuff to me.

Do you have anti-virus protection on those clients that are requesting that info?
It is always a good day when you are launching rockets! http://tripolioklahoma.org, Mostly Missiles http://mostlymissiles.com
Paula J Frazer-Campbell
Honored Contributor

Re: Apache Server logs: Attack or Accident?

Bill

Is the IP address the same?

Where is this logged? Just the Apache logs?

It looks very dubious.

Can you traceroute to the machine?

Can you turn up the amount of logging?

From the time stamp - someone bored at lunchtime???

HTH

Paula

If you can spell SysAdmin then you is one - anon
Craig Rants
Honored Contributor

Re: Apache Server logs: Attack or Accident?

I agree with John: Code Red, nothing to really worry about since the .exe file is not there. You may want to deny this site access by means of a firewall or packet filtering, however.

GL,
C
"In theory, there is no difference between theory and practice. But, in practice, there is." Jan L.A. van de Snepscheut
Christopher Caldwell
Honored Contributor

Re: Apache Server logs: Attack or Accident?

It's folks scanning for/attempting to exploit IIS/Windoze vulnerabilities - there's no effect (no worries) if you aren't running IIS or Windoze.
Helen French
Honored Contributor

Re: Apache Server logs: Attack or Accident?

Hi Bill:

So sad you are being attacked by all these =))

Seems like a virus issue to me too. I would do a small investigation before reporting this!

HTH,
Shiju
Life is a promise, fulfill it!
Paula J Frazer-Campbell
Honored Contributor

Re: Apache Server logs: Attack or Accident?

Hi Bill

CODE RED

Info here:

http://www.pgp.com/research/covert/security-alerts/codered.asp

Paula
If you can spell SysAdmin then you is one - anon
Paula J Frazer-Campbell
Honored Contributor

Re: Apache Server logs: Attack or Accident?

Bill

Update info for your OS:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-033.asp

Paula
If you can spell SysAdmin then you is one - anon
benoit Bruckert
Honored Contributor

Re: Apache Server logs: Attack or Accident?

It's a Nimda attack, a virus installed on an IIS server.
As you are running Apache, it's safe for you. But your logs will be full of garbage...
A poorly thought-out ("badly bandaged") application ends up as a gasworks ("gauze works") (GHG)
Bill McNAMARA_1
Honored Contributor

Re: Apache Server logs: Attack or Accident?

Yup, it was confirmed as being a Nimda virus symptom..

Later,
Bill
It works for me (tm)
Steven Sim Kok Leong
Honored Contributor

Re: Apache Server logs: Attack or Accident?

Hi Bill,

Yes, it is a Nimda intrusion attempt alright, originating from another Nimda-compromised system.

Being in the security response team, my group has to deal with tons of such logs to pinpoint the Nimda-compromised systems.

To aid incident response, what I did was to write CGI scripts called root.exe and cmd.exe. Within the script, the originating source IP is identified. If it is a company IP address, the script performs a check of the MAC address and the registered owner of the MAC address. If it is an external IP address, the script performs an ARIN database lookup for the domain owner. Subsequently, the script sends an automated email indicating a suspected Nimda-compromised system to the owner or domain owner.

That saves us the huge administration overhead in incident response, considering the number of Nimda occurrences.

For protection, if you are a firewall administrator, you can protect your servers by performing layer-7 (application-layer) filtering on HTTP packets, blocking all accesses to any URLs containing cmd.exe and root.exe. That blocks Nimda at the HTTP level. Note that the Nimda worm also traverses writeable shared folders over NetBIOS. For Code Red, filter out all HTTP packets containing default.ida or default.idq in their payload. Other signatures to filter include readme.exe, readme.eml, admin.dll, etc. You can add to the list as you learn of new signatures.

Checkpoint FW-1 does this easily using the HTTP security server which comes built-in. Some other firewalls support the filtering using third-party applications such as Websense.

Hope this helps. Regards.

Steven Sim Kok Leong
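The log lines in Bill's opening post and the triage Steven describes (identify the source, decide whether it is a company or an external address, and hand the list to whoever owns it) can be reproduced offline from the access log alone. The script below is an added example, not code from the thread or from any of the posters: it parses Apache common-log lines, undoes the double URL-encoding (%255c) and backslash tricks the probe URLs use, matches the worm signatures named in the thread (cmd.exe and root.exe for Nimda, default.ida/default.idq for Code Red, plus readme.eml, readme.exe and admin.dll), and groups hits by source address with an internal/external split. The sample log, the COMPANY_NETS ranges and every function name are assumptions made for this example; the MAC-owner and ARIN lookups from Steven's script are out of scope here.

```python
"""Flag Nimda/Code Red style probe requests in an Apache access log and group
them by source, separating company (internal) addresses from external ones.
Added example for this thread; sample data and network ranges are constructed."""
import ipaddress
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample lines in Apache common log format, modelled on the ones in
# the thread. 1.2.3.4 is the poster's masked address; 10.1.2.3 stands in for a
# company desktop and 192.0.2.9 for an ordinary external visitor.
SAMPLE_LOG = """\
1.2.3.4 - - [15/May/2002:12:39:31 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 291
1.2.3.4 - - [15/May/2002:12:39:33 +0200] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 313
10.1.2.3 - - [15/May/2002:12:41:10 +0200] "GET /default.ida?XXXX HTTP/1.0" 404 280
10.1.2.3 - - [15/May/2002:12:41:11 +0200] "GET /msadc/..%255c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 346
192.0.2.9 - - [15/May/2002:12:45:00 +0200] "GET /index.html HTTP/1.0" 200 1043
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Worm signatures named in the thread, keyed by the worm they belong to.
SIGNATURES = {
    "nimda": ("cmd.exe", "root.exe", "readme.eml", "readme.exe", "admin.dll"),
    "codered": ("default.ida", "default.idq"),
}

# Assumed company address space for the internal/external split; replace with
# the real inter-company ranges when running this for real.
COMPANY_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def normalize_path(path):
    """Undo the double URL-encoding (%255c -> %5c -> backslash) and the
    backslash-as-separator trick so a plain substring match sees the real target."""
    decoded = unquote(unquote(path))
    return decoded.replace("\\", "/").lower()


def classify(line):
    """Return None for an ordinary request, otherwise a dict describing the probe."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = normalize_path(m.group("path"))
    families = {name for name, sigs in SIGNATURES.items() if any(s in path for s in sigs)}
    traversal = "/../" in path  # directory traversal after decoding, even without a known name
    if not families and not traversal:
        return None
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "families": families,
        "traversal": traversal,
        "status": int(m.group("status")),
        "path": path,
    }


def is_internal(ip, nets=COMPANY_NETS):
    """True when the address falls inside one of the company ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def summarize(log_text, nets=COMPANY_NETS):
    """Aggregate probe hits per source address: count, worm families, first seen."""
    per_ip = defaultdict(lambda: {"count": 0, "families": set(), "internal": False, "first": None})
    for line in log_text.splitlines():
        hit = classify(line)
        if hit is None:
            continue
        entry = per_ip[hit["ip"]]
        entry["count"] += 1
        entry["families"] |= hit["families"]
        entry["internal"] = is_internal(hit["ip"], nets)
        entry["first"] = entry["first"] or hit["ts"]
    return dict(per_ip)


def report(summary):
    """One line per source, internal hosts first and busiest first within each
    group: the list to hand to desktop support (internal) or the network's
    abuse contact (external)."""
    lines = []
    for ip, e in sorted(summary.items(), key=lambda kv: (not kv[1]["internal"], -kv[1]["count"])):
        where = "INTERNAL" if e["internal"] else "external"
        fams = ",".join(sorted(e["families"])) or "traversal-only"
        lines.append(f"{ip:15} {where:8} hits={e['count']:<4} worms={fams} first={e['first']}")
    return lines


if __name__ == "__main__":
    for line in report(summarize(SAMPLE_LOG)):
        print(line)
```

Two points worth noting for use on a real log: matching is done on the decoded path, so a request that hides cmd.exe behind %255c or a backslash still counts, and the 404 status in every hit is exactly what the thread's replies say to expect, since the Windows/IIS paths the worm asks for do not exist on an Apache server.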