LinuxQuestions.org
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Old 01-09-2003, 02:30 PM   #1
ScreeminChikin
Member
 
Registered: Aug 2002
Location: Kansas City
Distribution: Mandrake 9.2 and a couple of RH7.3 Apache servers
Posts: 153

Rep: Reputation: 30
weird Apache log entry


I found this in my Apache access log:

216.174.251.43 - - [09/Jan/2003:14:02:11 -0600] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 320 "-" "-"

I'm used to seeing all the IIS red worm entries, but this is one I haven't seen before. Should I be worried? My error log shows that IP sent a malformed host header.
 
Old 01-09-2003, 05:17 PM   #2
epeus
Member
 
Registered: Oct 2002
Posts: 41

Rep: Reputation: 15
Hi, I get very similar entries to the one you have mentioned! I have given up checking the IP and trying to suss out what each and every one is!!!

But if anyone else knows what the entry is, I would also like to know exactly what it means!

Ed.
 
Old 01-09-2003, 05:40 PM   #3
antken
Member
 
Registered: Nov 2000
Location: england
Distribution: latest Mandrake
Posts: 368

Rep: Reputation: 30
I get these on one of my servers all the time.

Basically it's one of those 'bugs' that are so rare in Windows.

Basically it's overloading a buffer of some sort; then in your case you have got %xxx %xxx %xxx after the NNNNN's, which is using some sort of encoding. Each number will represent a letter or number; if you can decode it, it would be the same (I think) as the plain text version.

It's nothing to worry about on a Linux box.


My server that used to be IIS had this attack, got hacked and was running some sort of IRC server in the background because of it, and the default page (index.html) was replaced by something like 'I got hacked by some cult in some far distant place', and that's why I run Linux.

Or you could tick them off a little by creating default.ida in the root of your server and putting a nice 'polite' message in there.
 
Old 01-09-2003, 05:45 PM   #4
ScreeminChikin
Member
 
Registered: Aug 2002
Location: Kansas City
Distribution: Mandrake 9.2 and a couple of RH7.3 Apache servers
Posts: 153

Original Poster
Rep: Reputation: 30
Now I'm intrigued. What exactly is a default.ida?
 
Old 01-09-2003, 06:03 PM   #5
antken
Member
 
Registered: Nov 2000
Location: england
Distribution: latest Mandrake
Posts: 368

Rep: Reputation: 30
To be perfectly honest, I have no idea.

It's probably one of Microsoft's default files.
As far as I can tell, when you install IIS you are supposed to disable the default www site, then create a new site; basically this default.ida and all the bugs reside on this default website config.


This is not an advert, but because I have seen how crap IIS is, if someone asked me to run an ASP server I would get them to buy an out-of-the-box rack server similar to a Sun Cobalt RaQ3/4 or a Matrix rack server.

It comes with the FrontPage extension modules and extra modules to run the ASP scripts.

Or I would highly recommend converting to PHP (cos it's just so good, i.e. creating images on the fly, PDF files on the fly, need I go on?).
 
Old 01-09-2003, 06:53 PM   #6
turnip
Member
 
Registered: Jul 2002
Posts: 143

Rep: Reputation: 15
That is an IIS exploit, I believe it's Nimda.

Last edited by turnip; 01-09-2003 at 09:19 PM.
 
Old 01-10-2003, 05:36 AM   #7
Crashed_Again
Senior Member
 
Registered: Dec 2002
Location: Atlantic City, NJ
Distribution: Ubuntu & Arch
Posts: 3,503

Rep: Reputation: 57
I get these kinds of log entries daily on my Linux server:

"GET /scripts/root.exe?/c+dir HTTP/1.0" 404 384 "-" "-"

This may be a silly question, but if this is a known exploit then would it be possible to actually have a root.exe file that would patch the infected server or try to inform the server that it is infected? Or what about a root.exe file that adds the infected server to the hosts.deny file so that you don't have to look through all these damn log entries with Windows exploits.
 
Old 01-10-2003, 08:14 AM   #8
ScreeminChikin
Member
 
Registered: Aug 2002
Location: Kansas City
Distribution: Mandrake 9.2 and a couple of RH7.3 Apache servers
Posts: 153

Original Poster
Rep: Reputation: 30
The root.exe thing is strictly an IIS thing. There's also one that looks for cmd.exe, same deal. I get hundreds of those a day. I imagine that if you were running an IIS server and you put the patch in there named cmd.exe or whatever, if the server were to get infected the first thing it would do is overwrite that file. Ya think?
 
Old 01-10-2003, 09:09 AM   #9
antken
Member
 
Registered: Nov 2000
Location: england
Distribution: latest Mandrake
Posts: 368

Rep: Reputation: 30
My ex-IIS server was infected from these attacks and cmd was not replaced.

cmd.exe, from what I can remember, is like sh/bash on Linux; it's the command interpreter. root.exe, I don't know what the heck that is, just a back door I suspect.
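A defender-side example, added here and not posted by anyone in this thread: it parses Apache log lines for the two probe patterns quoted above (the Code Red /default.ida?NNN...%u... request from post #1 and the Nimda root.exe / cmd.exe requests from posts #7 and #8), counts them per source IP, and prints hosts.deny-style lines as Crashed_Again suggests. The regexes, thresholds and sample log lines are my own constructions, not from the thread.

```python
import re
from collections import Counter

# Apache common/combined log format, matching the entries quoted in this thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Request-line signatures for the two IIS worms discussed above (my own regexes).
# Code Red sends /default.ida? followed by a long run of N (X in Code Red II) and %uXXXX sequences;
# Nimda probes for root.exe / cmd.exe with a "/c+" command argument.
SIGNATURES = {
    "code-red": re.compile(r'^GET /default\.ida\?[NX]+%u[0-9a-f]{4}', re.I),
    "nimda": re.compile(r'/(?:root|cmd)\.exe\?/c\+', re.I),
}

def classify(line):
    """Return (source_ip, worm_name) if the log line is a known worm probe, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    for name, pat in SIGNATURES.items():
        if pat.search(m.group("req")):
            return m.group("ip"), name
    return None

def probe_counts(lines):
    """Count worm probes per source IP across an iterable of log lines."""
    hits = Counter()
    for line in lines:
        hit = classify(line)
        if hit:
            hits[hit[0]] += 1
    return hits

def hosts_deny_lines(lines, threshold=1):
    """Render TCP-wrappers style 'ALL: ip' lines for every IP with >= threshold probes, sorted."""
    counts = probe_counts(lines)
    return ["ALL: %s" % ip for ip in sorted(counts) if counts[ip] >= threshold]

# Constructed sample log lines (not real traffic), modelled on the entries quoted in the thread.
SAMPLE_LOG = [
    '216.174.251.43 - - [09/Jan/2003:14:02:11 -0600] "GET /default.ida?NNNNNNNN%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 400 320 "-" "-"',
    '10.0.0.7 - - [10/Jan/2003:05:36:00 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 384 "-" "-"',
    '10.0.0.7 - - [10/Jan/2003:05:36:01 -0600] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 384 "-" "-"',
    '192.0.2.5 - - [10/Jan/2003:05:40:00 -0600] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, n in sorted(probe_counts(SAMPLE_LOG).items()):
        print("%-16s %d worm probe(s)" % (ip, n))
    print("\n".join(hosts_deny_lines(SAMPLE_LOG)))
```

Note that Apache does not consult /etc/hosts.deny (it is not linked against TCP wrappers), so the generated list has to be fed to a packet filter or to Apache's own access-control directives to actually block anything.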
 