Old 03-21-2011, 11:02 AM   #1
ajayan
Attack on apache Webserver Invalid URI in request GET /./././.../etc/passwd HTTP/1.1


Hi all,

Recently I found suspicious entries in the Apache error logs.

[Tue Mar 15 19:21:18 2011] [error] [client 10.242.75.219] Invalid URI in request GET /././.. HTTP/1.1
[Tue Mar 15 19:20:10 2011] [error] [client 10.242.75.219] Invalid URI in request GET /././././././../../../../../etc/passwd HTTP/1.1
[Tue Mar 15 19:20:10 2011] [error] [client 10.242.75.219] Invalid URI in request GET /%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1
[Tue Mar 15 19:20:10 2011] [error] [client 10.242.75.219] Invalid URI in request GET /../../../../../../../../../etc/passwd HTTP/1.1
[Tue Mar 15 19:20:08 2011] [error] [client 10.242.75.219] Invalid URI in request GET /././././././../../../../../winnt/win.ini HTTP/1.1
[Tue Mar 15 19:20:08 2011] [error] [client 10.242.75.219] Invalid URI in request GET /././././././../../../../../windows/win.ini HTTP/1.1
[Tue Mar 15 19:20:08 2011] [error] [client 10.242.75.219] Invalid URI in request GET /%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/winnt/win.ini HTTP/1.1
[Tue Mar 15 19:20:08 2011] [error] [client 10.242.75.219] Invalid URI in request GET /%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/windows/win.ini HTTP/1.1
[Tue Mar 15 19:20:08 2011] [error] [client 10.242.75.219] Invalid URI in request GET /%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1

The request came again, and from Google I understood that it was a type of web-server attack, but I can't find more details on the web. Does anybody have an idea? Since the requests were found in the Apache error logs, I assume that the attack was not a successful one. How can I find out whether the attack was successful or not?

Any suggestions?

Thanks in advance
Ajayan
 
Old 03-21-2011, 12:52 PM   #2
Hangdog42
Quote:
The request came again, and from Google I understood that it was a type of web-server attack, but I can't find more details on the web. Does anybody have an idea?
Looks like a Directory Traversal attack and they are trying to grab files off of your computer. See the one trying to grab /etc/passwd? They want that to try and figure out passwords on your machine.

Quote:
Since the requests were found in the Apache error logs, I assume that the attack was not a successful one. How can I find out whether the attack was successful or not?
Pretty good assumption. You should look in the normal Apache log and see if there is anything odd in there as well, as it has the connection codes (200, 404, etc.).

Now that said, this sort of garbage is pretty standard if you have a machine connected to the internet. The bad guys are always looking for new victims. And by always, I mean 24/7/365.

As for suggestions, yeah, here are a few:

- Are you running anything like mod_security? That tends to intercept this sort of stuff.
- Is your OS fully patched? And what distro are we talking about anyway?
- Do you have any sort of file monitoring in place? Like Aide or Samhain?
- Do you monitor the other logs on your system?
- Are you running a security protocol like SELinux?
- Have you verified that Apache is being run as an unprivileged user?
- Is Apache serving any sites that might be vulnerable to pre-canned attacks? I'm thinking of PHP based websites and things using a back-end database.
 
2 members found this post helpful.
Old 03-22-2011, 06:20 AM   #3
ajayan
Thanks for your comments, I now have a clear picture.
From the logs, it's showing 404 status, so I think these are failed requests.

1. Are you running anything like mod_security? That tends to intercept this sort of stuff.
mod_security is not enabled.
2. Is your OS fully patched? And what distro are we talking about anyway?
Ubuntu Lucid 10.4
3. Do you have any sort of file monitoring in place? Like Aide or Samhain?
Yes, Ossec. I got an alert from Ossec.
4. Are you running a security protocol like SELinux?
No.
5. Have you verified that Apache is being run as an unprivileged user?
Yes, running as the www-data user.
6. Is Apache serving any sites that might be vulnerable to pre-canned attacks? I'm thinking of PHP based websites and things using a back-end database.
No. Also, PHP is not enabled.
 
Old 03-22-2011, 06:47 AM   #4
bathory
Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 10,953

Rep: Reputation: 1341Reputation: 1341Reputation: 1341Reputation: 1341Reputation: 1341Reputation: 1341Reputation: 1341Reputation: 1341Reputation: 1341Reputation: 1341
Just to add to the above, the IP 10.242.75.219 is a private IP (from within your LAN), so you should find the box attacking you.
Could be affected by a trojan or something.

Regards
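
The access-log check suggested in post #2 and the source-address check from post #4, combined as an added example that is not part of the original posts. It assumes Apache's common/combined access-log format; the sample lines and the 203.0.113.7 documentation address are constructed.

```python
import ipaddress
import re
from urllib.parse import unquote

# Apache common/combined access-log prefix: client, timestamp, request, status, size.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)')
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample lines, not taken from the poster's server.
SAMPLE = [
    '10.242.75.219 - - [15/Mar/2011:19:20:10 +0000] "GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 404 345',
    '10.242.75.219 - - [15/Mar/2011:19:20:11 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '203.0.113.7 - - [15/Mar/2011:19:21:00 +0000] "GET /view?file=..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1873',
]

def decode_fully(target, rounds=3):
    """Percent-decode repeatedly so %2e%2e and double-encoded %252e%252e both become '..'."""
    for _ in range(rounds):
        target = unquote(target)
    return target

def is_traversal(target):
    """True if '..' appears as a whole segment of the decoded path or query string."""
    return ".." in re.split(r"[/\\?&=]", decode_fully(target))

def is_lan(ip):
    """True for RFC 1918 addresses; False for public addresses or logged hostnames."""
    try:
        return any(ipaddress.ip_address(ip) in net for net in RFC1918)
    except ValueError:
        return False

def triage(lines):
    """One finding per traversal request: who sent it and how the server answered."""
    findings = []
    for m in filter(None, map(LINE_RE.match, lines)):
        parts = m["req"].split()
        target = parts[1] if len(parts) >= 2 else m["req"]
        if is_traversal(target):
            served = m["status"].startswith("2") and m["size"] not in ("-", "0")
            # A 2xx with a body means content went back: review it. 4xx/5xx was refused.
            findings.append({"ip": m["ip"], "lan": is_lan(m["ip"]), "target": target,
                             "status": int(m["status"]),
                             "verdict": "INVESTIGATE" if served else "rejected"})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

An INVESTIGATE verdict is a prompt to look at what was actually served, since a custom error page can also return 200.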
 
  


All times are GMT -5.
