LinuxQuestions.org

Linux - Newbie: Attack on apache Webserver Invalid URI in request GET /./././.../etc/passwd HTTP/1.1 (https://www.linuxquestions.org/questions/linux-newbie-8/attack-on-apache-webserver-invalid-uri-in-request-get-etc-passwd-http-1-1-a-869992/)

ajayan 03-21-2011 10:02 AM

Attack on apache Webserver Invalid URI in request GET /./././.../etc/passwd HTTP/1.1
 
Hi all,

Recently I found suspicious entries in the Apache error logs.

Tue Mar 15 19:21:18 2011] [error] [client 10.242.75.219] Invalid URI in request GET /././.. HTTP/1.1
[Tue Mar 15 19:20:10 2011] [error] [client 10.242.75.219] Invalid URI in request GET /././././././../../../../../etc/passwd HTTP/1.1
[Tue Mar 15 19:20:10 2011] [error] [client 10.242.75.219] Invalid URI in request GET /%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1
[Tue Mar 15 19:20:10 2011] [error] [client 10.242.75.219] Invalid URI in request GET /../../../../../../../../../etc/passwd HTTP/1.1
[Tue Mar 15 19:20:08 2011] [error] [client 10.242.75.219] Invalid URI in request GET /././././././../../../../../winnt/win.ini HTTP/1.1
[Tue Mar 15 19:20:08 2011] [error] [client 10.242.75.219] Invalid URI in request GET /././././././../../../../../windows/win.ini HTTP/1.1
[Tue Mar 15 19:20:08 2011] [error] [client 10.242.75.219] Invalid URI in request GET /%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/winnt/win.ini HTTP/1.1
[Tue Mar 15 19:20:08 2011] [error] [client 10.242.75.219] Invalid URI in request GET /%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/windows/win.ini HTTP/1.1
[Tue Mar 15 19:20:08 2011] [error] [client 10.242.75.219] Invalid URI in request GET /%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1

The request came again, and from Google I understood that it was a type of web-server attack, but I can't find more details on the web. Does anybody have an idea? Since the request was found in the Apache error logs, I assume that the attack was not a successful one. How can I find out whether the attack was successful or not?

Any suggestions?

Thanks in advance
Ajayan

Hangdog42 03-21-2011 11:52 AM

Quote:

The request came again, and from Google I understood that it was a type of web-server attack, but I can't find more details on the web. Does anybody have an idea?
Looks like a Directory Traversal attack and they are trying to grab files off of your computer. See the one trying to grab /etc/passwd? They want that to try and figure out passwords on your machine.

Quote:

Since the request was found in the Apache error logs, I assume that the attack was not a successful one. How can I find out whether the attack was successful or not?
Pretty good assumption. You should look in the normal Apache log and see if there is anything odd in there as well, as it has the connection codes (200, 404, etc.).

Now that said, this sort of garbage is pretty standard if you have a machine connected to the internet. The bad guys are always looking for new victims. And by always, I mean 24/7/365.

As for suggestions, yeah, here are a few:

- Are you running anything like mod_security? That tends to intercept this sort of stuff.
- Is your OS fully patched? And what distro are we talking about anyway?
- Do you have any sort of file monitoring in place? Like Aide or Samhain?
- Do you monitor the other logs on your system?
- Are you running a security protocol like SELinux?
- Have you verified that Apache is being run as an unprivileged user?
- Is Apache serving any sites that might be vulnerable to pre-canned attacks? I'm thinking of PHP based websites and things using a back-end database.

ajayan 03-22-2011 05:20 AM

Thanks for your comments, and now I have a clear picture. :)
From the logs it's showing 404 status, so I think they were failed requests.

1. Are you running anything like mod_security? That tends to intercept this sort of stuff.
mod_security is not enabled.
2. Is your OS fully patched? And what distro are we talking about anyway?
Ubuntu Lucid 10.4
3. Do you have any sort of file monitoring in place? Like Aide or Samhain?
Yes, Ossec. I got an alert from Ossec.
4. Are you running a security protocol like SELinux?
No
5. Have you verified that Apache is being run as an unprivileged user?
Yes, running as the www-data user.
6. Is Apache serving any sites that might be vulnerable to pre-canned attacks? I'm thinking of PHP based websites and things using a back-end database.
No. Also, PHP is not enabled.

bathory 03-22-2011 05:47 AM

Just to add to the above, the IP 10.242.75.219 is a private IP (from within your LAN), so you should find the box attacking you.
It could be affected by a trojan or something.

Regards
