LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices

Reply
 
LinkBack Search this Thread
Old 04-26-2002, 10:13 AM   #1
marcoc
Member
 
Registered: Mar 2002
Location: Rome, Italy
Distribution: Mandrake 10.1 Community, Suse 9.2, Fedora Core 2
Posts: 35

Rep: Reputation: 15
Question Security issue..


Hello!

I have just started using my pc as a server. I run Apache under Mandrake 8.1

I have a concern about security: opening my log file, I noticed several "attempts", as the following:

==
"GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 321 "-" "-"
"GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 321 "-" "-"
"GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 335 "-" "-"
"GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0"
"GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0"
"GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system
"GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 334 "-" "-"
"GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 334 "-" "-"
==

Can you tell me which is the easisest way to avoid this attempts....?

Thanks in advance!

Marco
 
Old 04-26-2002, 11:31 AM   #2
taz.devil
Senior Member
 
Registered: Nov 2001
Location: Wa. State
Distribution: Slackware
Posts: 1,261

Rep: Reputation: 45
Well, if it is what it looks like and someone is trying to use get to execute the cmd.exe command to do something on your system, then you wanna setup a firewall if you don't have one so people can't find or use any open ports.
 
Old 04-29-2002, 04:27 AM   #3
marcoc
Member
 
Registered: Mar 2002
Location: Rome, Italy
Distribution: Mandrake 10.1 Community, Suse 9.2, Fedora Core 2
Posts: 35

Original Poster
Rep: Reputation: 15
Thanks!

I have installed the 'standard' firewall included into the Mandrake distribution. My (newbie) question is : since the quoted attempt are continuing (I guess it's an automati procedure), can I feel a bit more secure with the firewall working? Shoud I do something else to protect my site?

Thanks in advance,

Marco
 
Old 04-29-2002, 02:46 PM   #4
taz.devil
Senior Member
 
Registered: Nov 2001
Location: Wa. State
Distribution: Slackware
Posts: 1,261

Rep: Reputation: 45
If it is some automated task, i'd find out what it is just to make myself feel better. As for a firewall, ANY type of firewall is better than nothing, so yeah, i'd feel better. It depends on how secure you wanna feel as to what you setup for a firewall though.
 
Old 04-29-2002, 04:03 PM   #5
DMR
Member
 
Registered: Jun 2001
Location: Fairfax, California
Distribution: RH 9.0, RH 7.3, Mandrake 8.0
Posts: 986

Rep: Reputation: 30
Marcoc,

The messages in your log are indicative of a scan by the Nimda worm, which is probing for MS IIS servers. Since you're running Apache on Linux, there's no threat to your machine.
 
Old 04-30-2002, 04:13 AM   #6
marcoc
Member
 
Registered: Mar 2002
Location: Rome, Italy
Distribution: Mandrake 10.1 Community, Suse 9.2, Fedora Core 2
Posts: 35

Original Poster
Rep: Reputation: 15
Quote:
Originally posted by DMR
Marcoc,

The messages in your log are indicative of a scan by the Nimda worm, which is probing for MS IIS servers. Since you're running Apache on Linux, there's no threat to your machine.
Many thanks to all for your kind replies

I'd have another question: is it possible to tell the system not to write those access to "access_log" , in order to leave the file "clean"? (just happy if you can point me to some docs..)

Marco

 
Old 05-01-2002, 12:30 AM   #7
skeletal29
Member
 
Registered: Apr 2002
Location: Nyc
Distribution: Gentoo
Posts: 127

Rep: Reputation: 15
i get shit loads of those in my logs daily. Nothing to worry about the scipt kiddie thinks your running iis
 
Old 05-01-2002, 04:12 AM   #8
DMR
Member
 
Registered: Jun 2001
Location: Fairfax, California
Distribution: RH 9.0, RH 7.3, Mandrake 8.0
Posts: 986

Rep: Reputation: 30
Quote:
Originally posted by marcoc
is it possible to tell the system not to write those access to "access_log" , in order to leave the file "clean"? (just happy if you can point me to some docs..)
There might be (probably is) a way, but off the top of my head I don't know...
 
Old 05-01-2002, 06:14 AM   #9
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,534
Blog Entries: 51

Rep: Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604
#!/bin/sh
# this script is /usr/sbin/clearlogtext
# courtesy of comp.os.linux.security
# YMMV
if [ $# != 2 ] ; then
echo "syntax: $0 logfile text"
echo "example: /usr/sbin/clearlogtext /var/log/httpd/access_log \.exe"
else
awk !/$2/{print} $1 > t;>$1;cat t > $1; rm t
fi
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Trackbacks are Off
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Samba Security issue boyd98 Linux - Networking 1 03-23-2005 04:45 PM
webmin issue, poss security issue bejiita Slackware 3 11-03-2004 06:07 AM
Security Issue or normal??? tekmorph Linux - Security 6 09-09-2004 11:35 PM
xhost / Security issue ganninu Linux - General 1 12-08-2003 12:49 PM
Other type of security issue DazeiHead Linux - Security 3 08-17-2003 07:20 PM


All times are GMT -5. The time now is 04:39 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration