access_log full of junk, could it be code red worm?
Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
access_log full of junk, could it be code red worm?
Hi,
For weeks now I've seen my Red Hat 7.0 server filling up with gibberish. I setup another system, Red Hat 7.1 this time with full security. I even added firewall settings to only allow ftp and http traffic. But now I'm getting the same garbage in my access_log file of apache. Here's what it looks like:
As you can see in the above example it's not just from one IP address. The 400s means it's a bad request. But! Could this be the Code Red Worm trying to infect? Or a hacker that's compromised the net in another way?
Thanks for all the help u can provide. Also if anyone else is seeing this please leave a note. I kinda feel I'm not an isolated situation.
Yep, it's just the CodeRed requests. If you're running IIS over NT/2K then I hope you are patched. If you're running Apache then no harm done other than chewing up some some bandwidth. If you're running apache have a look at this week's security notes. I just upped to 1.3.20 from 1.3.17 (OK it was LONG overdue).
Wow. Here's an update. There's a NEW variant that appears to be more selective about the subnet it's scanning. I'm getting around 20+ requests per hour at the time of this writing and the flow has been increasing al day. The 'new' worm's calling card is just a little different;
Note the use of "XXX" rather than "NNN" (didn't see it until well into my 2nd cup of coffee). http://www.incidents.org/diary/diary.php has a recent (21:15 EST Aug 04) report which also claims that the new version may leave a gaping HOLE in your NT boxen.
Quote:
Both Henk Wevers and corecode submitted packet traces of the complete
request as shown below. Comparing this trace with the original Code Red
(see the Code Red Infection Illustrated section of the July 23
Handler's Diary at: http://www.incidents.org/diary/july2001.php)
it is immediately obvious that we are dealing with a new worm.
Note that line 820 shows that the worm is doing something with
CMD.EXE; also the dump contains the string 'CodeRedII' on line 230.
Note the references to root.exe on lines 840 and 880.
Lift a pint on this long weekend for the poor slobs who are rushing back to the IIS ranch for damage control.
Originally posted by gcombe74 And are the last numbers after the http 1.0 the port number?
The first nunber is the code that indicates the status of the request - 404 being and error that the server was unable to find the file. The second number is the size of the transfer to the client.
Originally posted by gcombe74 What is the significance in changing from N to X ?
The "NNNN" sequence was the original CodeRed worm. The "XXXX" is the CodeRedII. The N's and the X's are just used as fodder for the buffer overflow. The buffer examines these and says "Hey I can't run that crap!" However it completely ignores anyhting over 255(?) bytes and that's the 'payload' that makes the connection and gets the remainder of the code home.
Also note that while the worms have been dubbed CodeRed and CodeRedII, the only real similiarities are that they both use the same exploit to 'get in' and they both actively scan networks for a new host to infect. CodeRedII uses a meaner network scanner and leaves a backdoor to the entire system, regardless of permissions and allows shell commands to be executed from a remote station. Nasty.
thanks Jamie and mcleodnine for answering my question, very thoughtout and well implemented "Code". What a mess if every programmer on the planet wanted to wreck havoc on the net!
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
