LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 04-21-2004, 03:28 PM   #1
jonfa
Member
 
Registered: Mar 2001
Location: FL
Posts: 257

Rep: Reputation: 30
access_log oddities


Hi All,

I was checking my /var/log/http/access_log file under Redhat 9 (kernel: 2.4.20-30.9smp) and I noticed the following:

202.**.***.** - - [26/mar/2004:05:54:08 -0500] "POST /_vti_bin/shtml.exe/_vti_rpc HTTP/1.0" 404 425 "-" "MSFrontPage/4.0"

Is this an intruder? Someone trying to use a FrontPage extension? What? Thanks for the help.

Jon
 
Old 04-21-2004, 03:37 PM   #2
kebabhead
LQ Newbie
 
Registered: Apr 2004
Location: west coast USA
Distribution: redhat 9, fedora core 2, Gentoo
Posts: 20

Rep: Reputation: 0
Hi, looks like someone is trying to use FrontPage extensions, perhaps scanning for sites that have these enabled? I guess I would worry if you had a number of hits from the same IP block...
Cheers
 
Old 04-21-2004, 03:42 PM   #3
jonfa
Member
 
Registered: Mar 2001
Location: FL
Posts: 257

Original Poster
Rep: Reputation: 30
There were only four hits within about an hour and a half.

Jon
 
Old 04-23-2004, 01:35 AM   #4
mossy
Member
 
Registered: Aug 2003
Location: USexIRL
Distribution: *nix
Posts: 849

Rep: Reputation: 30
same problem

I'm getting bombarded with logs from various IPs.
A lot of them recurring - they look like automated attempts to crack Yahoo email accounts. There are also bloody tonnes of porn URLs too - are these guys redirecting from my site [using my box as a proxy] or just using my DNS server? I have a DNS and web server. You can see the uid and passwd listed in the URLs.

here:

24.214.127.147 - - [02/Apr/2004:04:02:55 -0500] "GET http://edit.europe.yahoo.com/config/...n&passwd=spike HTTP/1.0" 200 2658 "-" "-"
211.138.246.39 - - [02/Apr/2004:04:02:48 -0500] "GET http://www.go2travelling.com&random=...velling.com%2F HTTP/1.1" 502 1032 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 2000)"
24.214.127.147 - - [02/Apr/2004:04:02:56 -0500] "GET http://edit.europe.yahoo.com/config/...k&passwd=spike HTTP/1.0" 200 2658 "-" "-"
62.34.123.198 - - [02/Apr/2004:04:02:48 -0500] "GET http://glamourportfolios.com/members/memidx1.htm HTTP/1.0" 401 1843 "http://glamourportfolios.com/members/memidx1.htm" "Mozilla/5.0 ( compatible; [de]; Windows NT4.0; NetCaptor )"
62.34.123.198 - - [02/Apr/2004:04:02:48 -0500] "GET http://glamourportfolios.com/members/memidx1.htm HTTP/1.0" 401 1843 "http://glamourportfolios.com/members/memidx1.htm" "Mozilla/5.0 ( compatible; [en]; Windows XP; win9x/NT 4.90 )"
67.15.4.9 - - [02/Apr/2004:04:02:57 -0500] "GET http://groups.google.com/groups?q=ef...=UTF-8&start=0 HTTP/1.0" 200 6719 "-" "cbrso3oylGykpebfavavwayqupk"
69.34.169.16 - - [02/Apr/2004:04:02:54 -0500] "HEAD http://gonzovision.com/members/html/index.html HTTP/1.0" 401 0 "http://gonzovision.com/members/html/index.html" "Mozilla/4.7 ( compatible; [de]; Windows NT5.0; DigiExt )"
24.214.127.147 - - [02/Apr/2004:04:02:57 -0500] "GET http://edit.europe.yahoo.com/config/...k&passwd=spike HTTP/1.0" 200 2654 "-" "-"
 
Old 04-23-2004, 03:25 PM   #5
zaphodiv
Member
 
Registered: Oct 2003
Distribution: Slackware
Posts: 388

Rep: Reputation: 30
Erm, DNS servers just respond to queries for domain names, not complete URLs. If your machine is actually serving those requests then it's an open proxy.
 
Old 04-23-2004, 03:35 PM   #6
mossy
Member
 
Registered: Aug 2003
Location: USexIRL
Distribution: *nix
Posts: 849

Rep: Reputation: 30
Any idea how I can tell if these are just scans or if my box is REALLY serving those pages?

How can I shut that off if it is? I thought the default Apache install prevented this.
 
Old 04-23-2004, 11:52 PM   #7
zaphodiv
Member
 
Registered: Oct 2003
Distribution: Slackware
Posts: 388

Rep: Reputation: 30
Personally I'd use a sniffer such as Ethereal to see what's happening. I don't know how Apache could end up as an open proxy.
 
Old 04-24-2004, 06:10 AM   #8
dominant
Member
 
Registered: Jan 2004
Posts: 409

Rep: Reputation: 30
What about SEARCH header?

213.140.22.73 - - [24/Apr/2004:01:11:47 +0300] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1
\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02 \xb1\x02\xb1\x02\xb1\x02\xb1\x02
\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1 \x02\xb1\x02\xb1\x02\xb1\x02\xb1
\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02 \xb1\x02\xb1\x02\xb1\x02\xb1\x02
\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1 \x02\xb1\x02\xb1\x02\xb1\x02\xb1
\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02 \xb1\x02\xb1\x02\xb
 
Old 04-24-2004, 10:16 AM   #9
zaphodiv
Member
 
Registered: Oct 2003
Distribution: Slackware
Posts: 388

Rep: Reputation: 30
I've read elsewhere that it's an attempt to exploit the IIS WebDAV hole.
 
Old 04-24-2004, 01:53 PM   #10
dominant
Member
 
Registered: Jan 2004
Posts: 409

Rep: Reputation: 30
In my case, I run Apache WebDAV.
Can it also be exploited?
 
Old 04-24-2004, 02:41 PM   #11
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
No, WebDAV is just the enabler, the vehicle for exploiting ntdll stuff.
 
Old 04-25-2004, 01:49 AM   #12
mossy
Member
 
Registered: Aug 2003
Location: USexIRL
Distribution: *nix
Posts: 849

Rep: Reputation: 30
snort shows the following:

[**] WEB-CGI search.cgi access [**]
04/25-01:18:06.757263 61.214.146.46:1531 -> 192.168.0.75:80
TCP TTL:107 TOS:0x0 ID:9905 IpLen:20 DgmLen:381 DF
***AP*** Seq: 0x14A99C72 Ack: 0xFCAC3451 Win: 0x40E8 TcpLen: 20
47 45 54 20 68 74 74 70 3A 2F 2F 77 77 77 32 2E GET http://www2.
73 75 72 70 61 72 61 2E 63 6F 6D 2F 63 67 69 2F surpara.com/cgi/
73 65 61 72 63 68 2E 63 67 69 3F 50 3D 34 26 74 search.cgi?P=4&t
79 70 65 3D 61 6E 64 26 67 72 3D 6F 6E 26 73 68 ype=and&gr=on&sh
6F 77 3D 31 30 26 73 65 61 72 63 68 3D 26 4A 3D ow=10&search=&J=
4B 59 4F 20 48 54 54 50 2F 31 2E 30 0D 0A 41 63 KYO HTTP/1.0..Ac
63 65 70 74 3A 20 69 6D 61 67 65 2F 67 69 66 2C cept: image/gif,
20 69 6D 61 67 65 2F 78 2D 78 62 69 74 6D 61 70 image/x-xbitmap
2C 20 69 6D 61 67 65 2F 6A 70 65 67 2C 20 69 6D , image/jpeg, im
61 67 65 2F 70 6A 70 65 67 2C 20 61 70 70 6C 69 age/pjpeg, appli
63 61 74 69 6F 6E 2F 78 2D 73 68 6F 63 6B 77 61 cation/x-shockwa
76 65 2D 66 6C 61 73 68 2C 20 2A 2F 2A 0D 0A 41 ve-flash, */*..A
63 63 65 70 74 2D 4C 61 6E 67 75 61 67 65 3A 20 ccept-Language:
6A 61 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 ja..User-Agent:
4D 6F 7A 69 6C 6C 61 2F 34 2E 30 20 28 63 6F 6D Mozilla/4.0 (com
70 61 74 69 62 6C 65 3B 20 4D 53 49 45 20 36 2E patible; MSIE 6.
30 3B 20 57 69 6E 64 6F 77 73 20 39 38 3B 20 57 0; Windows 98; W
69 6E 20 39 78 20 34 2E 39 30 29 0D 0A 48 6F 73 in 9x 4.90)..Hos
74 3A 20 77 77 77 32 2E 73 75 72 70 61 72 61 2E t: www2.surpara.
63 6F 6D 0D 0A 50 72 6F 78 79 2D 43 6F 6E 6E 65 com..Proxy-Conne
63 74 69 6F 6E 3A 20 4B 65 65 70 2D 41 6C 69 76 ction: Keep-Aliv
65 0D 0A 0D 0A e....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

"..Proxy-Connection: Keep-Alive" - does not sound good huh.

Anyone know for sure what this snort log means?
 
Old 04-25-2004, 01:50 AM   #13
mossy
Member
 
Registered: Aug 2003
Location: USexIRL
Distribution: *nix
Posts: 849

Rep: Reputation: 30
another one:

[**] WEB-CGI scriptalias access [**]
04/25-01:26:15.394494 218.2.202.210:3385 -> 192.168.0.75:80
TCP TTL:105 TOS:0x0 ID:40384 IpLen:20 DgmLen:252 DF
***AP*** Seq: 0x460CAE40 Ack: 0x1ABC8746 Win: 0xFD20 TcpLen: 20
47 45 54 20 68 74 74 70 3A 2F 2F 2F 20 48 54 54 GET http:/// HTT
50 2F 31 2E 30 0D 0A 41 63 63 65 70 74 3A 20 2A P/1.0..Accept: *
2F 2A 0D 0A 52 65 66 65 72 65 72 3A 20 68 74 74 /*..Referer: htt
70 3A 2F 2F 77 77 77 2E 77 65 62 6D 61 73 74 65 p://www.webmaste
72 6C 6F 6F 6B 63 61 73 68 2E 63 6F 6D 2F 69 6E rlookcash.com/in
64 65 78 2E 68 74 6D 6C 0D 0A 41 63 63 65 70 74 dex.html..Accept
2D 4C 61 6E 67 75 61 67 65 3A 20 7A 68 2D 63 6E -Language: zh-cn
0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 6F ..User-Agent: Mo
7A 69 6C 6C 61 2F 34 2E 30 20 28 63 6F 6D 70 61 zilla/4.0 (compa
74 69 62 6C 65 3B 20 4D 53 49 45 20 36 2E 30 3B tible; MSIE 6.0;
20 57 69 6E 64 6F 77 73 20 4E 54 20 35 2E 31 29 Windows NT 5.1)
0D 0A 48 6F 73 74 3A 20 0D 0A 43 6F 6E 6E 65 63 ..Host: ..Connec
74 69 6F 6E 3A 20 4B 65 65 70 2D 41 6C 69 76 65 tion: Keep-Alive
0D 0A 0D 0A ....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
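The two snort alerts above are easier to read once the hex column is turned back into the raw request. The following is an added example, not something posted in the thread: it rebuilds the payload from a snort hex+ASCII dump (the one from post #12 is embedded as sample input), parses the request line and headers, and reports the two things in it that point at proxy use, namely the absolute-URI request target and the Proxy-Connection header, which browsers only send to something they believe is a proxy. The 16-bytes-per-line layout is snort's own; everything else (function names, the indicator list) is this example's choice.

```python
# Added example (not from the thread): rebuild the HTTP request from a snort
# hex+ASCII payload dump so the request line and headers can be read as text,
# then list what in it points at proxy use. Stand-alone; stdlib only.
import re

HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")

# Constructed sample: the payload dump quoted in post #12, copied as snort
# printed it (up to 16 hex bytes per line, then snort's ASCII rendering).
SNORT_DUMP = """\
47 45 54 20 68 74 74 70 3A 2F 2F 77 77 77 32 2E GET http://www2.
73 75 72 70 61 72 61 2E 63 6F 6D 2F 63 67 69 2F surpara.com/cgi/
73 65 61 72 63 68 2E 63 67 69 3F 50 3D 34 26 74 search.cgi?P=4&t
79 70 65 3D 61 6E 64 26 67 72 3D 6F 6E 26 73 68 ype=and&gr=on&sh
6F 77 3D 31 30 26 73 65 61 72 63 68 3D 26 4A 3D ow=10&search=&J=
4B 59 4F 20 48 54 54 50 2F 31 2E 30 0D 0A 41 63 KYO HTTP/1.0..Ac
63 65 70 74 3A 20 69 6D 61 67 65 2F 67 69 66 2C cept: image/gif,
20 69 6D 61 67 65 2F 78 2D 78 62 69 74 6D 61 70 image/x-xbitmap
2C 20 69 6D 61 67 65 2F 6A 70 65 67 2C 20 69 6D , image/jpeg, im
61 67 65 2F 70 6A 70 65 67 2C 20 61 70 70 6C 69 age/pjpeg, appli
63 61 74 69 6F 6E 2F 78 2D 73 68 6F 63 6B 77 61 cation/x-shockwa
76 65 2D 66 6C 61 73 68 2C 20 2A 2F 2A 0D 0A 41 ve-flash, */*..A
63 63 65 70 74 2D 4C 61 6E 67 75 61 67 65 3A 20 ccept-Language:
6A 61 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 ja..User-Agent:
4D 6F 7A 69 6C 6C 61 2F 34 2E 30 20 28 63 6F 6D Mozilla/4.0 (com
70 61 74 69 62 6C 65 3B 20 4D 53 49 45 20 36 2E patible; MSIE 6.
30 3B 20 57 69 6E 64 6F 77 73 20 39 38 3B 20 57 0; Windows 98; W
69 6E 20 39 78 20 34 2E 39 30 29 0D 0A 48 6F 73 in 9x 4.90)..Hos
74 3A 20 77 77 77 32 2E 73 75 72 70 61 72 61 2E t: www2.surpara.
63 6F 6D 0D 0A 50 72 6F 78 79 2D 43 6F 6E 6E 65 com..Proxy-Conne
63 74 69 6F 6E 3A 20 4B 65 65 70 2D 41 6C 69 76 ction: Keep-Aliv
65 0D 0A 0D 0A e....
"""


def decode_snort_dump(dump):
    """Turn snort's hex+ASCII payload dump back into the raw payload bytes."""
    out = bytearray()
    for line in dump.splitlines():
        taken = 0
        for tok in line.split():
            # Everything after the first non-hex token (or after 16 bytes)
            # is snort's ASCII rendering, not data.
            if taken == 16 or not HEX_PAIR.fullmatch(tok):
                break
            out.append(int(tok, 16))
            taken += 1
    return bytes(out)


def parse_http_request(raw):
    """Split a raw HTTP request into method, target, version and a header dict."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    headers = {}
    for h in lines[1:]:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()  # header names are case-insensitive
    return {
        "method": parts[0],
        "target": parts[1] if len(parts) > 1 else "",
        "version": parts[2] if len(parts) > 2 else "",
        "headers": headers,
        "body": body,
    }


def proxy_indicators(req):
    """Reasons this request looks like the client took us for a forward proxy."""
    reasons = []
    if req["target"].lower().startswith(("http://", "https://")):
        reasons.append("absolute-URI request target: " + req["target"])
    if "proxy-connection" in req["headers"]:
        # Proxy-Connection is only sent by clients talking to a proxy.
        reasons.append("Proxy-Connection header present")
    return reasons


if __name__ == "__main__":
    request = parse_http_request(decode_snort_dump(SNORT_DUMP))
    print(request["method"], request["target"], request["version"])
    for reason in proxy_indicators(request):
        print(" ->", reason)
```

The decoded length (341 bytes) matches the alert's DgmLen of 381 minus the 20-byte IP and 20-byte TCP headers, which is a quick sanity check that the dump was copied whole. The dump in post #13 decodes the same way; its Host header is empty and the target is `http:///`, so only the first indicator fires for it.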
 
Old 05-18-2004, 01:24 AM   #14
di11rod
Member
 
Registered: Jan 2004
Location: Austin, TEXAS
Distribution: CentOS 6.5
Posts: 211

Rep: Reputation: 32
you're running an open proxy

The response codes of '200' in your Apache logs demonstrate that the page request was handled properly. Since the page request is a URL pointing to a box separate from yours, then it means your web server is configured as an open proxy. Your computer is being used as a conduit for nefarious deeds.

Fix by adding this to httpd.conf and restarting Apache:

<Proxy *>
Order Deny,Allow
Deny from all
Allow from 192.168.0
</Proxy>

good luck,

di11rod
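The reasoning in this post (absolute-URL request plus a 2xx status means the server actually proxied it) can be applied to a whole access_log rather than read by eye. The script below is an added example and not part of the thread: it parses Apache combined-log lines, separates proxy-style requests that were served from those whose status does not confirm it, and also flags the two scanner patterns seen earlier in the thread (the `/_vti_bin/` FrontPage probe from post #1 and the unexpected SEARCH method from post #8). The sample lines are the ones quoted in posts #1 and #4, plus one shortened SEARCH line modelled on post #8 whose 501 status is constructed; `LOCAL_HOSTS` and `EXPECTED_METHODS` are assumptions you would adjust for your own server.

```python
# Added example (not from the thread): pick out proxy-style and scanner
# requests in an Apache "combined" access_log, the way di11rod reads the
# 200s in post #14. Stand-alone; stdlib only.
import re

# Assumption: names this web server legitimately answers for. An HTTP/1.1
# client may send an absolute URI for these without any proxying involved.
LOCAL_HOSTS = {"www.example.org"}

# Assumption: methods this server is expected to handle. Add the WebDAV
# verbs (PROPFIND, ...) if mod_dav is enabled, or they will be flagged.
EXPECTED_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT"}

# Constructed sample: lines quoted in the thread (posts #1 and #4), plus one
# shortened SEARCH line modelled on post #8; its 501 status is made up here.
SAMPLE_LOG = r'''202.**.***.** - - [26/mar/2004:05:54:08 -0500] "POST /_vti_bin/shtml.exe/_vti_rpc HTTP/1.0" 404 425 "-" "MSFrontPage/4.0"
24.214.127.147 - - [02/Apr/2004:04:02:55 -0500] "GET http://edit.europe.yahoo.com/config/...n&passwd=spike HTTP/1.0" 200 2658 "-" "-"
211.138.246.39 - - [02/Apr/2004:04:02:48 -0500] "GET http://www.go2travelling.com&random=...velling.com%2F HTTP/1.1" 502 1032 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 2000)"
62.34.123.198 - - [02/Apr/2004:04:02:48 -0500] "GET http://glamourportfolios.com/members/memidx1.htm HTTP/1.0" 401 1843 "http://glamourportfolios.com/members/memidx1.htm" "Mozilla/5.0 ( compatible; [de]; Windows NT4.0; NetCaptor )"
213.140.22.73 - - [24/Apr/2004:01:11:47 +0300] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1 HTTP/1.1" 501 0 "-" "-"
'''

# Combined log format: client ident user [time] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Split one combined-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = m.group("request").split(" ")
    return {
        "client": m.group("client"),
        "method": parts[0],
        "target": parts[1] if len(parts) > 1 else "",
        "status": int(m.group("status")),
    }


def target_host(target):
    """Host part of an absolute-URI request target, or None for a plain path."""
    if not target.lower().startswith(("http://", "https://")):
        return None
    rest = target.split("//", 1)[1]
    return re.split(r"[/?#:]", rest, maxsplit=1)[0].lower()


def classify(entry):
    """Return the findings for one parsed entry (empty list = nothing odd)."""
    findings = []
    host = target_host(entry["target"])
    if host and host not in LOCAL_HOSTS:
        # Browsers only send absolute URIs to something they believe is a
        # proxy. A 2xx/3xx means we answered it: the server is an open proxy.
        if 200 <= entry["status"] < 400:
            findings.append("SERVED proxy request for %s (open proxy)" % host)
        else:
            findings.append("proxy-style request for %s, status %d (not confirmed served)"
                            % (host, entry["status"]))
    if entry["method"] not in EXPECTED_METHODS:
        findings.append("unexpected method %s (scanner / exploit probe)" % entry["method"])
    if "/_vti_bin/" in entry["target"]:
        findings.append("FrontPage extensions probe")
    return findings


def audit(lines):
    """Run classify() over every parseable line; return (client, finding) pairs."""
    report = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        for finding in classify(entry):
            report.append((entry["client"], finding))
    return report


if __name__ == "__main__":
    for client, finding in audit(SAMPLE_LOG.splitlines()):
        print("%-16s %s" % (client, finding))
```

Only the yahoo.com line comes out as "SERVED": the 401 and 502 lines are proxy-style requests too, but a non-2xx status on its own does not tell you whether the error came from your server refusing the request or from the remote site via your proxy, which is why the post's argument rests on the 200s. Run it against the real file with `audit(open("/var/log/httpd/access_log").read().splitlines())` and, once the `<Proxy>` block above is in place, the SERVED lines should stop appearing.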
 