Old 02-05-2003, 07:24 PM   #1
MasterC
Guru
 
Registered: Mar 2002
Location: Salt Lake City, UT - USA
Distribution: Gentoo ; LFS ; Kubuntu
Posts: 12,612

Rep: Reputation: 64
Annoying windoze problems in my Apache server logs


Hello! I've got this really annoying problem in my Apache server logs, in both /var/log/apache/access_log and /var/log/apache/error_log.

I don't know if this is much of a security problem (although if I were running another OS it might be), but I am more wondering how to have these not even show up in my logs, or filter them into another log such as /dev/null or something. I've taken some excerpts from both log files so you can get a feel for what I am talking about:

From /var/log/apache/access_log:
Code:
4.65.236.42 - - [05/Feb/2003:16:54:20 -0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
4.65.236.42 - - [05/Feb/2003:16:54:24 -0800] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
4.65.236.42 - - [05/Feb/2003:16:54:27 -0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
4.65.236.42 - - [05/Feb/2003:16:54:32 -0800] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
4.65.236.42 - - [05/Feb/2003:16:54:34 -0800] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 289
4.65.236.42 - - [05/Feb/2003:16:54:36 -0800] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 289
And more from /var/log/apache/access_log:

Code:
.65.194.47 - - [05/Feb/2003:16:24:44 -0800] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 306
4.65.194.47 - - [05/Feb/2003:16:24:45 -0800] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 306
4.65.236.42 - - [05/Feb/2003:16:53:53 -0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 284
4.65.236.42 - - [05/Feb/2003:16:53:56 -0800] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 282
4.65.236.42 - - [05/Feb/2003:16:54:00 -0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 292
4.65.236.42 - - [05/Feb/2003:16:54:03 -0800] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 292
4.65.236.42 - - [05/Feb/2003:16:54:07 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 306
4.65.236.42 - - [05/Feb/2003:16:54:10 -0800] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 323
4.65.236.42 - - [05/Feb/2003:16:54:13 -0800] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 323
4.65.236.42 - - [05/Feb/2003:16:54:17 -0800] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 339
From /var/log/apache/error_log:

Code:
[Sun Jan 19 06:57:38 2003] [error] [client 4.65.71.160] File does not exist: /var/www/htdocs/c/winnt/system32/cmd.exe
[Sun Jan 19 06:57:39 2003] [error] [client 4.65.71.160] File does not exist: /var/www/htdocs/d/winnt/system32/cmd.exe
[Sun Jan 19 06:57:40 2003] [error] [client 4.65.71.160] File does not exist: /var/www/htdocs/scripts/..%5c../winnt/system32/cmd.exe
[Sun Jan 19 06:57:40 2003] [error] [client 4.65.71.160] File does not exist: /var/www/htdocs/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Sun Jan 19 06:57:41 2003] [error] [client 4.65.71.160] File does not exist: /var/www/htdocs/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
I am guessing it's some sort of virus for winbloze.

Anyway, anyone got any ideas on how to rid my logs of the flaws of others?

 
Old 02-05-2003, 08:08 PM   #2
Crashed_Again
Senior Member
 
Registered: Dec 2002
Location: Atlantic City, NJ
Distribution: Ubuntu & Arch
Posts: 3,503

Rep: Reputation: 57
Yup. Nimda or CodeRed virus. I asked this question before and nobody had an answer on how to get these out of the log file. I wanted to get rid of those log entries for so long, but now I kind of like them because they remind me why I don't use M$.

By the way: I wonder how many Linux servers were affected by the "SQL Slammer" worm. Oh yeah, that's right. None.
 
Old 02-05-2003, 09:25 PM   #3
MasterC
Guru
 
Registered: Mar 2002
Location: Salt Lake City, UT - USA
Distribution: Gentoo ; LFS ; Kubuntu
Posts: 12,612

Original Poster
Rep: Reputation: 64
Thanks. How about a reverse IP lookup then? So I can send an email or something to this IP to let them know how annoying it is, or rather that this is happening.

 
Old 02-06-2003, 06:03 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,534
Blog Entries: 51

Rep: Reputation: 2602
In your logrotate script add something like:
Code:
prerotate
    # strip the worm probe lines before rotation; the escaped dot keeps "cmd.exe" literal
    grep -v -e 'cmd\.exe' /var/log/apache/access_log > /var/tmp/apache/access_log
    # /var/tmp/apache must exist; the rotated copy then holds only the filtered lines
    mv -f /var/tmp/apache/access_log /var/log/apache/access_log
endscript

IMO email notification is an applaudable thing, but in these cases it usually won't do more than ease your mind that you've done "everything". Find their upstream ISP's (Verizon) abuse address and mail them.
 
Old 02-06-2003, 07:12 AM   #5
jharris
Senior Member
 
Registered: May 2001
Location: Bristol, UK
Distribution: Slackware, Fedora, RHES
Posts: 2,243

Rep: Reputation: 46
Re: Annoying windoze problems in my Apache server logs

Quote:
Originally posted by MasterC
Anyway, anyone got any ideas on how to rid my logs of the flaws of others?
Apache's conditional logging could be used to stop you logging any mention of cmd.exe. For example (in httpd.conf)...
Code:
SetEnvIf Request_URI "/cmd.exe/" dontlog
# Log what remains

CustomLog /var/log/access_log.gz combined env=!dontlog
HTH - that RegExp is probably better as /cmd\.exe/ as I think the original would match cmd then any character followed by exe.

Jamie...
 
Old 02-12-2003, 05:15 PM   #6
MasterC
Guru
 
Registered: Mar 2002
Location: Salt Lake City, UT - USA
Distribution: Gentoo ; LFS ; Kubuntu
Posts: 12,612

Original Poster
Rep: Reputation: 64
Re: Re: Annoying windoze problems in my Apache server logs

Quote:
Originally posted by jharris
Apache's conditional logging could be used to stop you logging any mention of cmd.exe. For example (in httpd.conf)...
Code:
SetEnvIf Request_URI "/cmd.exe/" dontlog
# Log what remains

CustomLog /var/log/access_log.gz combined env=!dontlog
HTH - that RegExp is probably better as /cmd\.exe/ as I think the original would match cmd then any character followed by exe.

Jamie...
OK, I tried this one first (just randomly picked it); however, it doesn't seem to work. I've tried both of these entries for at least a day per entry:
Code:
#Test to stop windoze bothersome virus logs (thread is located at:http://www.linuxquestions.org/questions/showthread.php?s=&threadid=44248
SetEnvIf Request_URI "/cmd\.exe/" dontlog
# Log what remains

CustomLog /var/log/access_log.gz combined env=!dontlog
Code:
#Test to stop windoze bothersome virus logs (thread is located at:http://www.linuxquestions.org/questions/showthread.php?s=&threadid=44248
SetEnvIf Request_URI "/cmd.exe/" dontlog
# Log what remains

CustomLog /var/log/access_log.gz combined env=!dontlog
And I've also used variations like (currently):
Code:
#Test to stop windoze bothersome virus logs (thread is located at:http://www.linuxquestions.org/questions/showthread.php?s=&threadid=44248
SetEnvIf Request_URI "/cmd\.exe?/" dontlog
# Log what remains

CustomLog /var/log/access_log.gz combined env=!dontlog
But still no dice. So now for the next week, I'll try to figure out how to implement your suggestion, unSpawn, since I don't know where my logrotate script is (or maybe I've got to set one up). I'll post back with the results. Thanks for the replies so far.
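An added example, not code from anyone in this thread, that replays the posted SetEnvIf pattern against log lines shaped like the excerpts above. Apache's Request_URI variable is the request path without the query string, so nothing follows cmd.exe and the literal trailing slash in "/cmd.exe/" can never match; the block also shows the OP's alternative of diverting the probe lines into their own list (instead of /dev/null) with a per-address count. The sample lines are constructed.

```python
import re

# Constructed sample: two probe lines shaped like the thread's excerpts plus one normal hit.
SAMPLE_LOG = """\
4.65.236.42 - - [05/Feb/2003:16:54:20 -0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
4.65.236.42 - - [05/Feb/2003:16:53:53 -0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 284
192.0.2.10 - - [05/Feb/2003:16:55:01 -0800] "GET /index.html HTTP/1.0" 200 1043
"""

# Request line inside a common/combined log entry: "METHOD target HTTP/x.y"
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# The pattern posted in the thread. A SetEnvIf regex has no delimiters, so the
# slashes are literal and the pattern demands a "/" right after "cmd.exe".
POSTED_PATTERN = re.compile(r"/cmd.exe/")
# A pattern that matches the probe file names wherever they sit in the path.
WORKING_PATTERN = re.compile(r"cmd\.exe|root\.exe")

def request_uri(line):
    """Return the path as SetEnvIf Request_URI sees it: the target minus its query string."""
    m = REQUEST_LINE.search(line)
    if not m:
        return None
    return m.group("target").split("?", 1)[0]

def split_log(text, pattern=WORKING_PATTERN):
    """Return (kept, probes): probe lines go to their own file instead of /dev/null."""
    kept, probes = [], []
    for line in text.splitlines():
        uri = request_uri(line)
        (probes if uri and pattern.search(uri) else kept).append(line)
    return kept, probes

def probes_by_ip(probe_lines):
    """Count probes per client address, the figure an abuse report to the ISP needs."""
    counts = {}
    for line in probe_lines:
        ip = line.split(" ", 1)[0]
        counts[ip] = counts.get(ip, 0) + 1
    return counts

if __name__ == "__main__":
    kept, probes = split_log(SAMPLE_LOG)
    print("posted pattern caught", len(split_log(SAMPLE_LOG, POSTED_PATTERN)[1]), "probes")
    print("working pattern caught", len(probes), "probes; kept", len(kept), "lines")
    print(probes_by_ip(probes))
```

The corresponding httpd.conf line is `SetEnvIf Request_URI "cmd\.exe" dontlog`, with no surrounding slashes.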