LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 03-24-2004, 09:31 AM   #1
naflan
Member
 
Registered: May 2003
Location: NC, USA
Distribution: Slackware 14.0
Posts: 94

Rep: Reputation: 15
Tell me what this means in an Apache log


I'm getting a lot of this in my Apache access log.

68.9.229.106 - - [21/Mar/2004:11:47:53 -0500] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1 \x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02 \xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1 \x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02 \xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1 \x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02 \xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1 \x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02 \xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1 \x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02 \xb1\x02\xb1\x02


And this is part of the entry. The \xb1\x02 pattern repeats.
 
Old 03-24-2004, 12:23 PM   #2
dominant
Member
 
Registered: Jan 2004
Posts: 409

Rep: Reputation: 30
I also receive some strange logs in my access_log:

GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucb d3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 205


Any ideas?
 
Old 03-24-2004, 12:32 PM   #3
Evilone
Member
 
Registered: Oct 2002
Location: UK
Distribution: Slack 9.1 (2.6.5)
Posts: 307

Rep: Reputation: 30
Maybe a denial of service attack.
 
Old 03-24-2004, 07:49 PM   #4
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
The first one, I believe, is a WebDAV exploit that is one of the secondary routines of the Welchia worm. For the worm itself see:
http://securityresponse.symantec.com...chia.worm.html
For the exploit:
http://www.securityfocus.com/bid/7116/discussion/
http://www.fatelabs.com/library/fate...l-analysis.pdf

The second is the CodeRed II worm. Both are exploits for Windows IIS vulnerabilities and, except for the annoying log entries, should be harmless. If you see a host that is making a significant number of requests and consuming resources, you can block it by IP address with iptables:

iptables -I INPUT -s xxx.xxx.xxx.xxx -j DROP
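An added example, not from this thread, that applies the identification above to log lines: it parses Common Log Format entries, tags the two scan signatures quoted in this thread (the Welchia WebDAV SEARCH and the Code Red II default.ida request), counts hits per source address, and only emits the post's iptables rule for sources that cross a threshold. The sample lines, their status codes and the threshold value are constructed assumptions.

```python
import re
from collections import Counter
# Apache Common Log Format: host ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
# Signatures taken from the requests quoted in this thread. Apache writes
# non-printable bytes as \xNN, so the patterns match that escaped text directly.
SIGNATURES = {
    # Welchia's WebDAV probe: SEARCH followed by a \x90 NOP sled or \x02\xb1 filler
    "welchia-webdav": re.compile(r'^SEARCH /(\\x90|\\x02\\xb1)'),
    # Code Red II: GET /default.ida?XXXX...%u9090...
    "codered-ii": re.compile(r'^GET /default\.ida\?X+%u9090'),
}

def classify(line):
    """Return (source_ip, signature_name), or None for unparseable or benign lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    for name, sig in SIGNATURES.items():
        if sig.search(m.group("req")):
            return m.group("host"), name
    return None

def worm_hits(lines):
    """Count signature hits per (source_ip, signature)."""
    return Counter(c for c in map(classify, lines) if c)

def noisy_sources(lines, threshold=3):
    """IPs with at least `threshold` hits: candidates for the DROP rule in the post."""
    per_ip = Counter()
    for (ip, _), n in worm_hits(lines).items():
        per_ip[ip] += n
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)

def block_rule(ip):
    """The rule from the post, returned as text so it can be reviewed before use."""
    return f"iptables -I INPUT -s {ip} -j DROP"

# Constructed sample lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE = [
    r'192.0.2.10 - - [21/Mar/2004:11:47:53 -0500] "SEARCH /\x90\x02\xb1\x02\xb1 HTTP/1.1" 414 345',
    r'192.0.2.10 - - [21/Mar/2004:11:48:01 -0500] "SEARCH /\x90\x02\xb1\x02\xb1 HTTP/1.1" 414 345',
    r'192.0.2.10 - - [21/Mar/2004:11:48:09 -0500] "SEARCH /\x90\x02\xb1\x02\xb1 HTTP/1.1" 414 345',
    r'198.51.100.7 - - [21/Mar/2004:12:01:15 -0500] "GET /default.ida?XXXXXXXX%u9090%u6858%ucbd3 HTTP/1.0" 404 205',
    r'203.0.113.5 - - [21/Mar/2004:12:02:00 -0500] "GET /index.html HTTP/1.1" 200 1043',
]

if __name__ == "__main__":
    for ip in noisy_sources(SAMPLE):
        print("# candidate:", block_rule(ip))
```

Feed it real lines with `open("/var/log/apache2/access.log")` in place of SAMPLE; the 414 status on the SEARCH lines is only a guess at what a modern Apache returns for that request.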
 
Old 03-25-2004, 03:37 AM   #5
dominant
Member
 
Registered: Jan 2004
Posts: 409

Rep: Reputation: 30
Well, how should I know whether the attacker has a static IP?
 
Old 03-25-2004, 10:03 PM   #6
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
I think if you are seeing repeated scans over days/weeks from the same IP, then it's safe to assume it's static. If the IP is changing, you can try doing some form of "fingerprinting", but IMO that is much easier said than done and is a major waste of time for Code Red scans. Plus the Code Red II scanning engine will more than likely shut off at the end of the month, at least temporarily, that is.
 
Old 03-29-2004, 12:21 PM   #7
synaptical
Senior Member
 
Registered: Jun 2003
Distribution: Mint 13/15, CentOS 6.4
Posts: 2,020

Rep: Reputation: 48
I'm getting tons of those lately, too; they're annoying as h3ll. I'd really like to block them, but they keep coming from different IPs after the first 24 (i.e. 24.xxx.xxx.xxx). Is there any way at all to block that without shutting out half the internet?
 
Old 03-29-2004, 04:59 PM   #8
ugge
Senior Member
 
Registered: Dec 2000
Location: Gothenburg, SWEDEN
Distribution: OpenSUSE 10.3
Posts: 1,028

Rep: Reputation: 45
Track down that offender as closely as possible and then drop a mail to their abuse address telling them they have a virus-contaminated computer.

As for the CodeRed II worm, it uses a TCP packet that is too long. All the X's are the allowed length of a TCP packet. The following characters are the actual virus code. The standard says to drop packets that are too long, which Linux does. But Windows didn't do this. The result: server code was overwritten and opened up your machine.

As far as I understand, these attacks should not affect a Linux box, unless the amount of attempts is extreme.
 